Diffstat (limited to 'conf-from-container/conf/authn/authn-comparison.xml')
-rw-r--r-- | conf-from-container/conf/authn/authn-comparison.xml | 77 |
1 files changed, 77 insertions, 0 deletions
diff --git a/conf-from-container/conf/authn/authn-comparison.xml b/conf-from-container/conf/authn/authn-comparison.xml
new file mode 100644
index 0000000..f167b7a
--- /dev/null
+++ b/conf-from-container/conf/authn/authn-comparison.xml
@@ -0,0 +1,77 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:util="http://www.springframework.org/schema/util"
+ xmlns:p="http://www.springframework.org/schema/p"
+ xmlns:c="http://www.springframework.org/schema/c"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+ http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+ http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+
+ default-init-method="initialize"
+ default-destroy-method="destroy">
+
+ <!--
+ These beans can be used in the AuthnComparisonRules map below instead of the defaults to
+ support more advanced matching rules. The top example shows how to configure a matching rule,
+ in this case a rule that the two listed classes are "better" than the password class.
+
+ To use these beans, configure the matchingRules map as desired, and then reference the bean id in the
+ desired value-ref slot in the AuthnComparisonRules map.
+ -->
+
+ <bean id="shibboleth.BetterClassRefMatchFactory" parent="shibboleth.InexactMatchFactory">
+ <!--
+ <property name="matchingRules">
+ <map>
+ <entry key="urn:oasis:names:tc:SAML:2.0:ac:classes:Password">
+ <list>
+ <value>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</value>
+ <value>urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken</value>
+ </list>
+ </entry>
+ </map>
+ </property>
+ -->
+ </bean>
+
+ <bean id="shibboleth.MinimumClassRefMatchFactory" parent="shibboleth.InexactMatchFactory" />
+
+ <bean id="shibboleth.MaximumClassRefMatchFactory" parent="shibboleth.InexactMatchFactory" />
+
+ <!-- DeclRefs are rarely used in SAML, so you likely won't bother with these. -->
+ <bean id="shibboleth.BetterDeclRefMatchFactory" parent="shibboleth.InexactMatchFactory" />
+ <bean id="shibboleth.MinimumDeclRefMatchFactory" parent="shibboleth.InexactMatchFactory" />
+ <bean id="shibboleth.MaximumDeclRefMatchFactory" parent="shibboleth.InexactMatchFactory" />
+
+
+ <!-- Registry of matching rules. -->
+
+ <util:map id="shibboleth.AuthnComparisonRules">
+
+ <!-- Exact matching, should be left alone to avoid tricking the IdP into behaving incorrectly. -->
+ <entry key-ref="shibboleth.SAMLAuthnMethodExact" value-ref="shibboleth.ExactMatchFactory"/>
+ <entry key-ref="shibboleth.SAMLACClassRefExact" value-ref="shibboleth.ExactMatchFactory"/>
+ <entry key-ref="shibboleth.SAMLACDeclRefExact" value-ref="shibboleth.ExactMatchFactory"/>
+
+ <!-- Minimum matching, leave to allow degeneration into exact, or replace with custom rules. -->
+ <entry key-ref="shibboleth.SAMLACClassRefMinimum" value-ref="shibboleth.ExactMatchFactory"/>
+ <entry key-ref="shibboleth.SAMLACDeclRefMinimum" value-ref="shibboleth.ExactMatchFactory"/>
+
+ <!-- Maximum matching, leave to allow degeneration into exact, or replace with custom rules. -->
+ <entry key-ref="shibboleth.SAMLACClassRefMaximum" value-ref="shibboleth.ExactMatchFactory"/>
+ <entry key-ref="shibboleth.SAMLACDeclRefMaximum" value-ref="shibboleth.ExactMatchFactory"/>
+
+ <!-- Better matching, refers to empty ruleset that has to be populated to work. -->
+ <entry key-ref="shibboleth.SAMLACClassRefBetter" value-ref="shibboleth.BetterClassRefMatchFactory"/>
+ <entry key-ref="shibboleth.SAMLACDeclRefBetter" value-ref="shibboleth.BetterDeclRefMatchFactory"/>
+
+ </util:map>
+
+ <!-- List of context classes or declarations to ignore if an SP requests them. -->
+
+ <util:list id="shibboleth.IgnoredContexts">
+ <value>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</value>
+ </util:list>
+
+</beans>
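Review bot: The `shibboleth.BetterClassRefMatchFactory` bean is added with its whole `matchingRules` property commented out, so the `shibboleth.SAMLACClassRefBetter` entry in `shibboleth.AuthnComparisonRules` points at a factory with no rules, as the map's own comment ("refers to empty ruleset that has to be populated to work") already warns; since this file appears to be a verbatim copy of the vendor default, it is worth recording in the file whether that is intentional for this deployment, e.g. a header comment such as `<!-- Unmodified IdP default; "better" comparison rules are deliberately left unpopulated. Keep the Exact entries mapped to shibboleth.ExactMatchFactory. -->`. The `xsi:schemaLocation` on the `<beans>` root also maps the Spring `context` namespace although no `xmlns:context` is declared and nothing in the file uses it, while the declared `p` and `c` namespaces are likewise unused; that is inherited from the default and harmless, but dropping the unused declarations would make a later review of local changes to this file easier.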