113 lines
4.8 KiB
XML
113 lines
4.8 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<beans xmlns="http://www.springframework.org/schema/beans"
|
|
xmlns:context="http://www.springframework.org/schema/context"
|
|
xmlns:util="http://www.springframework.org/schema/util"
|
|
xmlns:p="http://www.springframework.org/schema/p"
|
|
xmlns:c="http://www.springframework.org/schema/c"
|
|
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
|
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
|
|
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
|
|
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
|
|
|
|
default-init-method="initialize"
|
|
default-destroy-method="destroy">
|
|
|
|
<!--
|
|
Ordered list of CredentialValidators to apply to a request.
|
|
|
|
The four supplied variants are shown below; the HTPasswd option
|
|
is an OOB default for demo account purposes, and you will
|
|
want to remove it after initial install and testing.
|
|
-->
|
|
<util:list id="shibboleth.authn.Password.Validators">
|
|
<ref bean="shibboleth.LDAPValidator" />
|
|
<!-- <ref bean="shibboleth.KerberosValidator" /> -->
|
|
<!-- <ref bean="shibboleth.JAASValidator" /> -->
|
|
<!-- <bean parent="shibboleth.HTPasswdValidator" p:resource="%{idp.home}/credentials/demo.htpasswd" /> -->
|
|
</util:list>
|
|
|
|
<!-- Apply any regular expression replacement pairs to username before validation. -->
|
|
<util:list id="shibboleth.authn.Password.Transforms">
|
|
<!--
|
|
<bean parent="shibboleth.Pair" p:first="^(.+)@example\.org$" p:second="$1" />
|
|
-->
|
|
</util:list>
|
|
|
|
<!-- Uncomment to configure account lockout backed by in-memory storage. -->
|
|
<!--
|
|
<bean id="shibboleth.authn.Password.AccountLockoutManager"
|
|
parent="shibboleth.StorageBackedAccountLockoutManager"
|
|
p:maxAttempts="5"
|
|
p:counterInterval="PT5M"
|
|
p:lockoutDuration="PT5M"
|
|
p:extendLockoutDuration="false" />
|
|
-->
|
|
|
|
<!--
|
|
Define entries here to map error messages detected by validation actions and classify them as particular
|
|
kinds of errors for use in your templates and as events in flows.
|
|
|
|
Keys are events to signal, values are error codes.
|
|
-->
|
|
<util:map id="shibboleth.authn.Password.ClassifiedMessageMap">
|
|
<entry key="UnknownUsername">
|
|
<list>
|
|
<value>NoCredentials</value>
|
|
<value>UnknownUsername</value>
|
|
<value>CLIENT_NOT_FOUND</value>
|
|
<value>Client not found</value>
|
|
<value>Cannot get kdc for realm</value>
|
|
<value>Client not found in Kerberos database</value>
|
|
<value>DN_RESOLUTION_FAILURE</value>
|
|
<value>Cannot authenticate dn, invalid dn</value>
|
|
<value>Cannot authenticate dn, invalid credential</value>
|
|
<value>AcceptSecurityContext error, data 525</value>
|
|
</list>
|
|
</entry>
|
|
<entry key="InvalidPassword">
|
|
<list>
|
|
<value>InvalidCredentials</value>
|
|
<value>PREAUTH_FAILED</value>
|
|
<value>INVALID_CREDENTIALS</value>
|
|
<value>Checksum failed</value>
|
|
<value>Integrity check on decrypted field failed</value>
|
|
<value>Pre-authentication information was invalid</value>
|
|
<value>Key bytes cannot be null</value>
|
|
<value>AcceptSecurityContext error, data 52e</value>
|
|
</list>
|
|
</entry>
|
|
<entry key="AccountLocked">
|
|
<list>
|
|
<value>AccountLocked</value>
|
|
<value>Clients credentials have been revoked</value>
|
|
<value>AcceptSecurityContext error, data 775</value>
|
|
</list>
|
|
</entry>
|
|
<entry key="AccountDisabled">
|
|
<list>
|
|
<value>AcceptSecurityContext error, data 533</value>
|
|
</list>
|
|
</entry>
|
|
<entry key="ExpiredPassword">
|
|
<list>
|
|
<value>PASSWORD_EXPIRED</value>
|
|
<value>CLIENT KEY EXPIRED</value>
|
|
<value>AcceptSecurityContext error, data 532</value>
|
|
<value>AcceptSecurityContext error, data 773</value>
|
|
<value>AcceptSecurityContext error, data 701</value>
|
|
</list>
|
|
</entry>
|
|
<entry key="ExpiringPassword">
|
|
<list>
|
|
<value>ACCOUNT_WARNING</value>
|
|
</list>
|
|
</entry>
|
|
<entry key="RequestUnsupported">
|
|
<list>
|
|
<value>RequestUnsupported</value>
|
|
</list>
|
|
</entry>
|
|
</util:map>
|
|
|
|
</beans>
|