path: root/conf-from-container/conf/authn/general-authn.xml
authorHenrik Lund Kramshoej <hlk@kramse.org>2017-07-10 12:27:27 +0200
committerHenrik Lund Kramshoej <hlk@kramse.org>2017-07-10 12:27:27 +0200
commit4f85857c506729174013742149d69eca736fe2de (patch)
tree9d44e4219a5e4bf15ae99bf249b2bc0e7911a4c5 /conf-from-container/conf/authn/general-authn.xml
parent52042bb9bab3e66c16921e682bafc45341ea4a00 (diff)
Messing up the thing
Diffstat (limited to 'conf-from-container/conf/authn/general-authn.xml')
-rw-r--r--conf-from-container/conf/authn/general-authn.xml156
1 files changed, 156 insertions, 0 deletions
diff --git a/conf-from-container/conf/authn/general-authn.xml b/conf-from-container/conf/authn/general-authn.xml
new file mode 100644
index 0000000..ac55bbb
--- /dev/null
+++ b/conf-from-container/conf/authn/general-authn.xml
@@ -0,0 +1,156 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:context="http://www.springframework.org/schema/context"
+ xmlns:util="http://www.springframework.org/schema/util"
+ xmlns:p="http://www.springframework.org/schema/p"
+ xmlns:c="http://www.springframework.org/schema/c"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+ http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+ http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+
+ default-init-method="initialize"
+ default-destroy-method="destroy">
+
+ <!--
+ This file provisions the IdP with information about the configured login mechanisms available for use.
+ The actual beans and subflows that make up those mechanisms are in their own files, but this pulls them
+ together with deployer-supplied metadata to describe them to the system.
+
+ You can turn on and off individual mechanisms by adding and remove them here. Nothing left out will
+ be used, regardless any other files loaded by the Spring container.
+
+ Flow defaults include: no support for IsPassive/ForceAuthn, support for non-browser clients enabled,
+ and default timeout and lifetime values set via properties. We also default to supporting the SAML 1/2
+ expressions for password-based authentication over a secure channel, so anything more exotic requires
+ customization, as the examples below for IP address and SPNEGO authentication illustrate.
+ -->
+
+ <util:list id="shibboleth.AvailableAuthenticationFlows">
+
+ <bean id="authn/IPAddress" parent="shibboleth.AuthenticationFlow"
+ p:passiveAuthenticationSupported="true"
+ p:lifetime="PT60S" p:inactivityTimeout="PT60S">
+ <property name="supportedPrincipals">
+ <list>
+ <bean parent="shibboleth.SAML2AuthnContextClassRef"
+ c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol" />
+ </list>
+ </property>
+ </bean>
+
+ <bean id="authn/SPNEGO" parent="shibboleth.AuthenticationFlow"
+ p:nonBrowserSupported="false">
+ <property name="supportedPrincipals">
+ <list>
+ <bean parent="shibboleth.SAML2AuthnContextClassRef"
+ c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos" />
+ <bean parent="shibboleth.SAML1AuthenticationMethod"
+ c:method="urn:ietf:rfc:1510" />
+ </list>
+ </property>
+ </bean>
+
+ <bean id="authn/External" parent="shibboleth.AuthenticationFlow"
+ p:nonBrowserSupported="false" />
+
+ <bean id="authn/RemoteUser" parent="shibboleth.AuthenticationFlow"
+ p:nonBrowserSupported="false" />
+
+ <bean id="authn/RemoteUserInternal" parent="shibboleth.AuthenticationFlow" />
+
+ <bean id="authn/X509" parent="shibboleth.AuthenticationFlow"
+ p:nonBrowserSupported="false">
+ <property name="supportedPrincipals">
+ <list>
+ <bean parent="shibboleth.SAML2AuthnContextClassRef"
+ c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:X509" />
+ <bean parent="shibboleth.SAML2AuthnContextClassRef"
+ c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient" />
+ <bean parent="shibboleth.SAML1AuthenticationMethod"
+ c:method="urn:ietf:rfc:2246" />
+ </list>
+ </property>
+ </bean>
+
+ <bean id="authn/X509Internal" parent="shibboleth.AuthenticationFlow">
+ <property name="supportedPrincipals">
+ <list>
+ <bean parent="shibboleth.SAML2AuthnContextClassRef"
+ c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:X509" />
+ <bean parent="shibboleth.SAML2AuthnContextClassRef"
+ c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient" />
+ <bean parent="shibboleth.SAML1AuthenticationMethod"
+ c:method="urn:ietf:rfc:2246" />
+ </list>
+ </property>
+ </bean>
+
+ <bean id="authn/Password" parent="shibboleth.AuthenticationFlow"
+ p:passiveAuthenticationSupported="true"
+ p:forcedAuthenticationSupported="true" />
+
+ <bean id="authn/Duo" parent="shibboleth.AuthenticationFlow"
+ p:forcedAuthenticationSupported="true"
+ p:nonBrowserSupported="false">
+ <!--
+ The list below should be changed to reflect whatever locally- or
+ community-defined values are appropriate to represent MFA. It is
+ strongly advised that the value not be specific to Duo or any
+ particular technology.
+ -->
+ <property name="supportedPrincipals">
+ <list>
+ <bean parent="shibboleth.SAML2AuthnContextClassRef"
+ c:classRef="http://example.org/ac/classes/mfa" />
+ <bean parent="shibboleth.SAML1AuthenticationMethod"
+ c:method="http://example.org/ac/classes/mfa" />
+ </list>
+ </property>
+ </bean>
+
+ <bean id="authn/MFA" parent="shibboleth.AuthenticationFlow"
+ p:passiveAuthenticationSupported="true"
+ p:forcedAuthenticationSupported="true">
+ <!--
+ The list below almost certainly requires changes, and should generally be the
+ union of any of the separate factors you combine in your particular MFA flow
+ rules. The example corresponds to the example in mfa-authn-config.xml that
+ combines IPAddress with Password.
+ -->
+ <property name="supportedPrincipals">
+ <list>
+ <bean parent="shibboleth.SAML2AuthnContextClassRef"
+ c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol" />
+ <bean parent="shibboleth.SAML2AuthnContextClassRef"
+ c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
+ <bean parent="shibboleth.SAML2AuthnContextClassRef"
+ c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
+ <bean parent="shibboleth.SAML1AuthenticationMethod"
+ c:method="urn:oasis:names:tc:SAML:1.0:am:password" />
+ </list>
+ </property>
+ </bean>
+
+ </util:list>
+
+ <!--
+ This is a map used to "weight" particular methods above others if the IdP has to randomly select one
+ to insert into a SAML authentication statement. The typical use shown below is to bias the IdP in favor
+ of expressing the SAML 2 PasswordProtectedTransport class over the more vanilla Password class on the
+ assumption that the IdP doesn't accept passwords via an insecure channel. This map never causes the IdP
+ to violate its matching rules if an RP requests a particular value; it only matters when nothing specific
+ is chosen. Anything not in the map has a weight of zero.
+ -->
+
+ <util:map id="shibboleth.AuthenticationPrincipalWeightMap">
+ <entry>
+ <key>
+ <bean parent="shibboleth.SAML2AuthnContextClassRef"
+ c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
+ </key>
+ <value>1</value>
+ </entry>
+ </util:map>
+
+</beans>
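Review bot: The MFA-related flows are committed with their stock placeholder principals rather than site values: `authn/Duo` advertises `http://example.org/ac/classes/mfa` as both its SAML 2 class ref and SAML 1 method, and `authn/MFA` still lists the example InternetProtocol+Password union, even though the comments directly above each list say those values must be changed before use. If an RP requests the example.org value it will be honoured as MFA, and any RP looking for a real, locally agreed MFA context class (e.g. one from the REFEDS or institutional profile) will not match this IdP at all. Replace the two `http://example.org/ac/classes/mfa` values with a URI under a domain you control, and trim the `authn/MFA` `supportedPrincipals` to the factors your `mfa-authn-config.xml` actually combines; if Duo/MFA are not enabled in `idp.authn.flows` this is inert today, but the config is misleading as committed. The commit message ("Messing up the thing") suggests this is a work-in-progress snapshot; if so, mark the placeholders with a `<!-- TODO: site-specific value -->` so they are not mistaken for deliberate settings.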