219 lines
8.6 KiB
Properties
219 lines
8.6 KiB
Properties
# Properties that control authentication generally and the behavior of
|
|
# specific methods.
|
|
|
|
# Regular expression matching login flows to enable, e.g. IPAddress|Password
|
|
idp.authn.flows = RemoteUser
|
|
|
|
# Default settings for most authentication methods.
|
|
#idp.authn.defaultLifetime = PT1H
|
|
#idp.authn.defaultTimeout = PT30M
|
|
#idp.authn.proxyRestrictionsEnforced = true
|
|
|
|
# Whether to populate relying party user interface information for display
|
|
# during authentication, consent, terms-of-use.
|
|
#idp.authn.rpui = true
|
|
|
|
# Whether to prioritize "active" results when an SP requests more than
|
|
# one possible matching login method (V2 behavior was to favor them)
|
|
#idp.authn.favorSSO = false
|
|
|
|
# Whether to fail requests when a user identity after authentication
|
|
# doesn't match the identity in a pre-existing session.
|
|
#idp.authn.identitySwitchIsError = false
|
|
|
|
# If using IdP discovery feature, provides a discovery location to use.
|
|
#idp.authn.discoveryURL = https://ds.example.org/shibboleth-ds/index.html
|
|
|
|
# Properties below override specific method behavior, as an alternative
|
|
# to defining Spring beans in XML. Refer to the documentation for a complete
|
|
# list. Many of the properties below are mentioned only because they are
|
|
# atypical defaults assumed for a given method.
|
|
|
|
# Flow selection among multiple equivalent options can be managed with
|
|
# the order properties, lower will be tried first.
|
|
|
|
#### Password ####
|
|
|
|
#idp.authn.Password.order = 1000
|
|
#idp.authn.Password.passiveAuthenticationSupported = true
|
|
#idp.authn.Password.forcedAuthenticationSupported = true
|
|
# Override this and removeAfterValidation to require all validators to succeed
|
|
#idp.authn.Password.requireAll = false
|
|
# Override to keep the password around
|
|
#idp.authn.Password.removeAfterValidation = true
|
|
# Override to store password in Java Subject
|
|
#idp.authn.Password.retainAsPrivateCredential = false
|
|
# Simple username transforms before validation
|
|
#idp.authn.Password.trim = true
|
|
#idp.authn.Password.lowercase = false
|
|
#idp.authn.Password.uppercase = false
|
|
#idp.authn.Password.matchExpression =
|
|
# Override default form field names
|
|
#idp.authn.Password.usernameFieldName = j_username
|
|
#idp.authn.Password.passwordFieldName = j_password
|
|
#idp.authn.Password.ssoBypassFieldName = donotcache
|
|
# Unset if using customized Principals per validator
|
|
#idp.authn.Password.addDefaultPrincipals = true
|
|
# The Principal collection below is the typical default if not otherwise noted.
|
|
#idp.authn.Password.supportedPrincipals = \
|
|
# saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, \
|
|
# saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password, \
|
|
# saml1/urn:oasis:names:tc:SAML:1.0:am:password
|
|
# Validators are controlled in password-authn-config.xml
|
|
|
|
#### Password Backends ####
|
|
|
|
# See ldap.properties for LDAP authn properties
|
|
# Kerberos settings
|
|
#idp.authn.Krb5.refreshConfig = false
|
|
#idp.authn.Krb5.preserveTicket = false
|
|
# Set next two for KDC verification
|
|
#idp.authn.Krb5.servicePrincipal =
|
|
#idp.authn.Krb5.keytab =
|
|
# JAAS settings
|
|
#idp.authn.JAAS.loginConfigNames = ShibUserPassAuth
|
|
#idp.authn.JAAS.loginConfig = %{idp.home}/conf/authn/jaas.config
|
|
|
|
#### External ####
|
|
|
|
#idp.authn.External.order = 1000
|
|
#idp.authn.External.nonBrowserSupported = false
|
|
#idp.authn.External.matchExpression =
|
|
# Unset if you plan to return full Java Subject from external source
|
|
#idp.authn.External.addDefaultPrincipals = true
|
|
# Servlet context-relative path to wherever your implementation lives
|
|
idp.authn.External.externalAuthnPath = contextRelative:external.jsp
|
|
|
|
#### RemoteUser ####
|
|
|
|
#idp.authn.RemoteUser.order = 1000
|
|
#idp.authn.RemoteUser.nonBrowserSupported = false
|
|
#idp.authn.RemoteUser.matchExpression =
|
|
# Unset in most cases only if using the authnMethodHeader or
|
|
# subjectAttribute settings
|
|
#idp.authn.RemoteUser.addDefaultPrincipals = true
|
|
# Most other settings need to be supplied via web.xml to the servlet
|
|
|
|
#### RemoteUserInternal ####
|
|
|
|
#idp.authn.RemoteUserInternal.order = 1000
|
|
#idp.authn.RemoteUserInternal.nonBrowserSupported = true
|
|
# Unset in most cases only if using the authnMethodHeader feature
|
|
#idp.authn.RemoteUserInternal.addDefaultPrincipals = true
|
|
#idp.authn.RemoteUserInternal.checkRemoteUser = true
|
|
# Comma-delimited lists of attributes or headers to pull from
|
|
#idp.authn.RemoteUserInternal.checkAttributes =
|
|
#idp.authn.RemoteUserInternal.checkHeaders =
|
|
# Simple transforms to apply
|
|
#idp.authn.RemoteUserInternal.trim = true
|
|
#idp.authn.RemoteUserInternal.lowercase = false
|
|
#idp.authn.RemoteUserInternal.uppercase = false
|
|
#idp.authn.RemoteUserInternal.matchExpression =
|
|
#idp.authn.RemoteUserInternal.allowedUsernames =
|
|
#idp.authn.RemoteUserInternal.deniedUsernames =
|
|
|
|
#### SPNEGO ####
|
|
|
|
#idp.authn.SPNEGO.order = 1000
|
|
#idp.authn.SPNEGO.nonBrowserSupported = false
|
|
#idp.authn.SPNEGO.enforceRun = false
|
|
#idp.authn.SPNEGO.refreshKrbConfig = false
|
|
#idp.authn.SPNEGO.matchExpression =
|
|
idp.authn.SPNEGO.supportedPrincipals = \
|
|
saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos, \
|
|
saml1/urn:ietf:rfc:1510
|
|
|
|
#### X509 ####
|
|
|
|
#idp.authn.X509.order = 1000
|
|
#idp.authn.X509.nonBrowserSupported = false
|
|
# Servlet context-relative path to wherever your implementation lives
|
|
#idp.authn.X509.externalAuthnPath = contextRelative:x509-prompt.jsp
|
|
idp.authn.X509.supportedPrincipals = \
|
|
saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:X509, \
|
|
saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient, \
|
|
saml1/urn:ietf:rfc:2246
|
|
|
|
#### X509Internal ####
|
|
|
|
#idp.authn.X509Internal.order = 1000
|
|
#idp.authn.X509Internal.nonBrowserSupported = false
|
|
#idp.authn.X509Internal.saveCertificateToCredentialSet = true
|
|
idp.authn.X509Internal.supportedPrincipals = \
|
|
saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:X509, \
|
|
saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient, \
|
|
saml1/urn:ietf:rfc:2246
|
|
|
|
#### IPAddress ####
|
|
|
|
#idp.authn.IPAddress.order = 1000
|
|
#idp.authn.IPAddress.passiveAuthenticationSupported = true
|
|
#idp.authn.IPAddress.lifetime = PT60S
|
|
#idp.authn.IPAddress.inactivityTimeout = PT60S
|
|
idp.authn.IPAddress.supportedPrincipals = \
|
|
saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol
|
|
|
|
#### Function ####
|
|
|
|
#idp.authn.Function.order = 1000
|
|
#idp.authn.Function.passiveAuthenticationSupported = true
|
|
# Unset if you plan to return full Java Subject from function
|
|
#idp.authn.Function.addDefaultPrincipals = true
|
|
|
|
#### Duo ####
|
|
|
|
#idp.authn.Duo.order = 1000
|
|
#idp.authn.Duo.nonBrowserSupported = false
|
|
#idp.authn.Duo.forcedAuthenticationSupported = true
|
|
# Unset if you have advanced Duo integrations with individualized Principals
|
|
#idp.authn.Duo.addDefaultPrincipals = true
|
|
# The list below should be changed to reflect whatever locally- or
|
|
# community-defined values are appropriate to represent Duo. It is
|
|
# strongly advised that the value not be specific to Duo or any
|
|
# particular technology to avoid lock-in.
|
|
idp.authn.Duo.supportedPrincipals = \
|
|
saml2/http://example.org/ac/classes/mfa, \
|
|
saml1/http://example.org/ac/classes/mfa
|
|
# Default Duo integration settings are defined separately
|
|
# in duo.properties due to the sensitivity of the secret key.
|
|
|
|
|
|
#### SAML ####
|
|
|
|
#idp.authn.SAML.order = 1000
|
|
#idp.authn.SAML.nonBrowserSupported = false
|
|
#idp.authn.SAML.passiveAuthenticationSupported = true
|
|
#idp.authn.SAML.forcedAuthenticationSupported = true
|
|
#idp.authn.SAML.proxyScopingEnforced = true
|
|
# Discovery options:
|
|
# Define shibboleth.authn.SAML.discoveryFunction bean
|
|
# Set proxyEntityID property
|
|
# Fall through to discovery via discoveryRequired property
|
|
#idp.authn.SAML.proxyEntityID = https://idp.example.org/idp/shibboleth
|
|
#idp.authn.SAML.discoveryRequired = true
|
|
# Generally left false with bidirectional mappings in
|
|
# conf/authn/authn-comparison.xml across the proxy boundary.
|
|
# Adjust as needed to reflect IdP's capabilities/support.
|
|
#idp.authn.SAML.addDefaultPrincipals = false
|
|
#idp.authn.SAML.supportedPrincipals = \
|
|
# saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, \
|
|
# saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password, \
|
|
# saml1/urn:oasis:names:tc:SAML:1.0:am:password
|
|
|
|
#### MFA ####
|
|
|
|
#idp.authn.MFA.order = 1000
|
|
#idp.authn.MFA.passiveAuthenticationSupported = true
|
|
#idp.authn.MFA.forcedAuthenticationSupported = true
|
|
#idp.authn.MFA.validateLoginTransitions = true
|
|
# The list below almost certainly requires changes, and should generally be the
|
|
# union of any of the separate factors you combine in your particular MFA flow
|
|
# rules. The example corresponds to the example in mfa-authn-config.xml that
|
|
# combines IPAddress with Password.
|
|
idp.authn.MFA.supportedPrincipals = \
|
|
saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol, \
|
|
saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, \
|
|
saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password, \
|
|
saml1/urn:oasis:names:tc:SAML:1.0:am:password
|
|
# Most actual setup via mfa-authn-config.xml
|