# Properties that control authentication generally and the behavior of
# specific methods.
#
# Format: Java-style properties. "#" starts a full-line comment, a trailing
# backslash continues a value on the next line, and %{...} references another
# property (e.g. %{idp.home}). Keys left commented out are inactive; the
# value shown on such a line is the one assumed when the key is not set
# (see the note on atypical defaults below).

# Regular expression matching login flows to enable, e.g. IPAddress|Password
# NOTE(review): RemoteUser accepts an identity already established by the
# container or a front-end component ahead of the IdP, so that component must
# be the only path by which the identity reaches the IdP -- confirm in web.xml.
idp.authn.flows = RemoteUser

# Default settings for most authentication methods.
#idp.authn.defaultLifetime = PT1H
#idp.authn.defaultTimeout = PT30M
#idp.authn.proxyRestrictionsEnforced = true

# Whether to populate relying party user interface information for display
# during authentication, consent, terms-of-use.
#idp.authn.rpui = true

# Whether to prioritize "active" results when an SP requests more than
# one possible matching login method (V2 behavior was to favor them)
#idp.authn.favorSSO = false

# Whether to fail requests when a user identity after authentication
# doesn't match the identity in a pre-existing session.
#idp.authn.identitySwitchIsError = false

# If using IdP discovery feature, provides a discovery location to use.
#idp.authn.discoveryURL = https://ds.example.org/shibboleth-ds/index.html

# Properties below override specific method behavior, as an alternative
# to defining Spring beans in XML. Refer to the documentation for a complete
# list. Many of the properties below are mentioned only because they are
# atypical defaults assumed for a given method.

# Flow selection among multiple equivalent options can be managed with
# the order properties, lower will be tried first.

#### Password ####
#idp.authn.Password.order = 1000
#idp.authn.Password.passiveAuthenticationSupported = true
#idp.authn.Password.forcedAuthenticationSupported = true

# Override this and removeAfterValidation to require all validators to succeed
#idp.authn.Password.requireAll = false

# Override to keep the password around
# (false keeps the submitted password in memory after validation; leave the
# default unless a later step actually needs it)
#idp.authn.Password.removeAfterValidation = true

# Override to store password in Java Subject
# (widens where the secret is held; same caution as above)
#idp.authn.Password.retainAsPrivateCredential = false

# Simple username transforms before validation
#idp.authn.Password.trim = true
#idp.authn.Password.lowercase = false
#idp.authn.Password.uppercase = false
#idp.authn.Password.matchExpression =

# Override default form field names
#idp.authn.Password.usernameFieldName = j_username
#idp.authn.Password.passwordFieldName = j_password
#idp.authn.Password.ssoBypassFieldName = donotcache

# Unset if using customized Principals per validator
#idp.authn.Password.addDefaultPrincipals = true

# The Principal collection below is the typical default if not otherwise noted.
#idp.authn.Password.supportedPrincipals = \
#    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, \
#    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password, \
#    saml1/urn:oasis:names:tc:SAML:1.0:am:password

# Validators are controlled in password-authn-config.xml

#### Password Backends ####

# See ldap.properties for LDAP authn properties

# Kerberos settings
#idp.authn.Krb5.refreshConfig = false
#idp.authn.Krb5.preserveTicket = false

# Set next two for KDC verification
# (leaving them unset skips that verification step)
#idp.authn.Krb5.servicePrincipal =
#idp.authn.Krb5.keytab =

# JAAS settings
#idp.authn.JAAS.loginConfigNames = ShibUserPassAuth
#idp.authn.JAAS.loginConfig = %{idp.home}/conf/authn/jaas.config

#### External ####
#idp.authn.External.order = 1000
#idp.authn.External.nonBrowserSupported = false
#idp.authn.External.matchExpression =

# Unset if you plan to return full Java Subject from external source
#idp.authn.External.addDefaultPrincipals = true

# Servlet context-relative path to wherever your implementation lives
idp.authn.External.externalAuthnPath = contextRelative:external.jsp

#### RemoteUser ####
#idp.authn.RemoteUser.order = 1000
#idp.authn.RemoteUser.nonBrowserSupported = false
#idp.authn.RemoteUser.matchExpression =

# Unset in most cases only if using the authnMethodHeader or
# subjectAttribute settings
#idp.authn.RemoteUser.addDefaultPrincipals = true

# Most other settings need to be supplied via web.xml to the servlet

#### RemoteUserInternal ####
#idp.authn.RemoteUserInternal.order = 1000
#idp.authn.RemoteUserInternal.nonBrowserSupported = true

# Unset in most cases only if using the authnMethodHeader feature
#idp.authn.RemoteUserInternal.addDefaultPrincipals = true

#idp.authn.RemoteUserInternal.checkRemoteUser = true

# Comma-delimited lists of attributes or headers to pull from
# NOTE(review): anything listed here is presumably taken as the user's
# identity; only list headers the front-end sets itself and that cannot
# reach the IdP directly from a client -- verify against the deployment.
#idp.authn.RemoteUserInternal.checkAttributes =
#idp.authn.RemoteUserInternal.checkHeaders =

# Simple transforms to apply
#idp.authn.RemoteUserInternal.trim = true
#idp.authn.RemoteUserInternal.lowercase = false
#idp.authn.RemoteUserInternal.uppercase = false
#idp.authn.RemoteUserInternal.matchExpression =
#idp.authn.RemoteUserInternal.allowedUsernames =
#idp.authn.RemoteUserInternal.deniedUsernames =

#### SPNEGO ####
#idp.authn.SPNEGO.order = 1000
#idp.authn.SPNEGO.nonBrowserSupported = false
#idp.authn.SPNEGO.enforceRun = false
#idp.authn.SPNEGO.refreshKrbConfig = false
#idp.authn.SPNEGO.matchExpression =
idp.authn.SPNEGO.supportedPrincipals = \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos, \
    saml1/urn:ietf:rfc:1510

#### X509 ####
#idp.authn.X509.order = 1000
#idp.authn.X509.nonBrowserSupported = false

# Servlet context-relative path to wherever your implementation lives
#idp.authn.X509.externalAuthnPath = contextRelative:x509-prompt.jsp
idp.authn.X509.supportedPrincipals = \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:X509, \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient, \
    saml1/urn:ietf:rfc:2246

#### X509Internal ####
#idp.authn.X509Internal.order = 1000
#idp.authn.X509Internal.nonBrowserSupported = false
#idp.authn.X509Internal.saveCertificateToCredentialSet = true
idp.authn.X509Internal.supportedPrincipals = \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:X509, \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient, \
    saml1/urn:ietf:rfc:2246

#### IPAddress ####
#idp.authn.IPAddress.order = 1000
#idp.authn.IPAddress.passiveAuthenticationSupported = true
# ISO-8601 durations (PT60S = 60 seconds)
#idp.authn.IPAddress.lifetime = PT60S
#idp.authn.IPAddress.inactivityTimeout = PT60S
idp.authn.IPAddress.supportedPrincipals = \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol

#### Function ####
#idp.authn.Function.order = 1000
#idp.authn.Function.passiveAuthenticationSupported = true

# Unset if you plan to return full Java Subject from function
#idp.authn.Function.addDefaultPrincipals = true

#### Duo ####
#idp.authn.Duo.order = 1000
#idp.authn.Duo.nonBrowserSupported = false
#idp.authn.Duo.forcedAuthenticationSupported = true

# Unset if you have advanced Duo integrations with individualized Principals
#idp.authn.Duo.addDefaultPrincipals = true

# The list below should be changed to reflect whatever locally- or
# community-defined values are appropriate to represent Duo. It is
# strongly advised that the value not be specific to Duo or any
# particular technology to avoid lock-in.
idp.authn.Duo.supportedPrincipals = \
    saml2/http://example.org/ac/classes/mfa, \
    saml1/http://example.org/ac/classes/mfa

# Default Duo integration settings are defined separately
# in duo.properties due to the sensitivity of the secret key.

#### SAML ####
#idp.authn.SAML.order = 1000
#idp.authn.SAML.nonBrowserSupported = false
#idp.authn.SAML.passiveAuthenticationSupported = true
#idp.authn.SAML.forcedAuthenticationSupported = true
#idp.authn.SAML.proxyScopingEnforced = true

# Discovery options:
#   Define shibboleth.authn.SAML.discoveryFunction bean
#   Set proxyEntityID property
#   Fall through to discovery via discoveryRequired property
#idp.authn.SAML.proxyEntityID = https://idp.example.org/idp/shibboleth
#idp.authn.SAML.discoveryRequired = true

# Generally left false with bidirectional mappings in
# conf/authn/authn-comparison.xml across the proxy boundary.
# Adjust as needed to reflect IdP's capabilities/support.
#idp.authn.SAML.addDefaultPrincipals = false
#idp.authn.SAML.supportedPrincipals = \
#    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, \
#    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password, \
#    saml1/urn:oasis:names:tc:SAML:1.0:am:password

#### MFA ####
#idp.authn.MFA.order = 1000
#idp.authn.MFA.passiveAuthenticationSupported = true
#idp.authn.MFA.forcedAuthenticationSupported = true
#idp.authn.MFA.validateLoginTransitions = true

# The list below almost certainly requires changes, and should generally be the
# union of any of the separate factors you combine in your particular MFA flow
# rules. The example corresponds to the example in mfa-authn-config.xml that
# combines IPAddress with Password.
idp.authn.MFA.supportedPrincipals = \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol, \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password, \
    saml1/urn:oasis:names:tc:SAML:1.0:am:password

# Most actual setup via mfa-authn-config.xml