159 lines
7.9 KiB
XML
159 lines
7.9 KiB
XML
|
<?xml version="1.0" encoding="UTF-8"?>
|
||
|
<beans xmlns="http://www.springframework.org/schema/beans"
|
||
|
xmlns:context="http://www.springframework.org/schema/context"
|
||
|
xmlns:util="http://www.springframework.org/schema/util"
|
||
|
xmlns:p="http://www.springframework.org/schema/p"
|
||
|
xmlns:c="http://www.springframework.org/schema/c"
|
||
|
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||
|
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
|
||
|
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
|
||
|
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
|
||
|
|
||
|
default-init-method="initialize"
|
||
|
default-destroy-method="destroy">
|
||
|
|
||
|
<!--
|
||
|
This file provisions the IdP with information about the configured login mechanisms available for use.
|
||
|
The actual beans and subflows that make up those mechanisms are in their own files, but this pulls them
|
||
|
together with deployer-supplied metadata to describe them to the system.
|
||
|
|
||
|
You can turn on and off individual mechanisms by adding and remove them here. Nothing left out will
|
||
|
be used, regardless any other files loaded by the Spring container.
|
||
|
|
||
|
Flow defaults include: no support for IsPassive/ForceAuthn, support for non-browser clients enabled,
|
||
|
and default timeout and lifetime values set via properties. We also default to supporting the SAML 1/2
|
||
|
expressions for password-based authentication over a secure channel, so anything more exotic requires
|
||
|
customization, as the examples below for IP address and SPNEGO authentication illustrate.
|
||
|
-->
|
||
|
|
||
|
<util:list id="shibboleth.AvailableAuthenticationFlows">
|
||
|
|
||
|
<bean id="authn/IPAddress" parent="shibboleth.AuthenticationFlow"
|
||
|
p:passiveAuthenticationSupported="true"
|
||
|
p:lifetime="PT60S" p:inactivityTimeout="PT60S">
|
||
|
<property name="supportedPrincipals">
|
||
|
<list>
|
||
|
<bean parent="shibboleth.SAML2AuthnContextClassRef"
|
||
|
c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol" />
|
||
|
</list>
|
||
|
</property>
|
||
|
</bean>
|
||
|
|
||
|
<bean id="authn/SPNEGO" parent="shibboleth.AuthenticationFlow"
|
||
|
p:nonBrowserSupported="false">
|
||
|
<property name="supportedPrincipals">
|
||
|
<list>
|
||
|
<bean parent="shibboleth.SAML2AuthnContextClassRef"
|
||
|
c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos" />
|
||
|
<bean parent="shibboleth.SAML1AuthenticationMethod"
|
||
|
c:method="urn:ietf:rfc:1510" />
|
||
|
</list>
|
||
|
</property>
|
||
|
</bean>
|
||
|
|
||
|
<bean id="authn/External" parent="shibboleth.AuthenticationFlow"
|
||
|
p:nonBrowserSupported="false" />
|
||
|
|
||
|
<bean id="authn/RemoteUser" parent="shibboleth.AuthenticationFlow"
|
||
|
p:nonBrowserSupported="false" />
|
||
|
|
||
|
<bean id="authn/RemoteUserInternal" parent="shibboleth.AuthenticationFlow" />
|
||
|
|
||
|
<bean id="authn/Function" parent="shibboleth.AuthenticationFlow" />
|
||
|
|
||
|
<bean id="authn/X509" parent="shibboleth.AuthenticationFlow"
|
||
|
p:nonBrowserSupported="false">
|
||
|
<property name="supportedPrincipals">
|
||
|
<list>
|
||
|
<bean parent="shibboleth.SAML2AuthnContextClassRef"
|
||
|
c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:X509" />
|
||
|
<bean parent="shibboleth.SAML2AuthnContextClassRef"
|
||
|
c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient" />
|
||
|
<bean parent="shibboleth.SAML1AuthenticationMethod"
|
||
|
c:method="urn:ietf:rfc:2246" />
|
||
|
</list>
|
||
|
</property>
|
||
|
</bean>
|
||
|
|
||
|
<bean id="authn/X509Internal" parent="shibboleth.AuthenticationFlow">
|
||
|
<property name="supportedPrincipals">
|
||
|
<list>
|
||
|
<bean parent="shibboleth.SAML2AuthnContextClassRef"
|
||
|
c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:X509" />
|
||
|
<bean parent="shibboleth.SAML2AuthnContextClassRef"
|
||
|
c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient" />
|
||
|
<bean parent="shibboleth.SAML1AuthenticationMethod"
|
||
|
c:method="urn:ietf:rfc:2246" />
|
||
|
</list>
|
||
|
</property>
|
||
|
</bean>
|
||
|
|
||
|
<bean id="authn/Password" parent="shibboleth.AuthenticationFlow"
|
||
|
p:passiveAuthenticationSupported="true"
|
||
|
p:forcedAuthenticationSupported="true" />
|
||
|
|
||
|
<bean id="authn/Duo" parent="shibboleth.AuthenticationFlow"
|
||
|
p:forcedAuthenticationSupported="true"
|
||
|
p:nonBrowserSupported="false">
|
||
|
<!--
|
||
|
The list below should be changed to reflect whatever locally- or
|
||
|
community-defined values are appropriate to represent MFA. It is
|
||
|
strongly advised that the value not be specific to Duo or any
|
||
|
particular technology.
|
||
|
-->
|
||
|
<property name="supportedPrincipals">
|
||
|
<list>
|
||
|
<bean parent="shibboleth.SAML2AuthnContextClassRef"
|
||
|
c:classRef="http://example.org/ac/classes/mfa" />
|
||
|
<bean parent="shibboleth.SAML1AuthenticationMethod"
|
||
|
c:method="http://example.org/ac/classes/mfa" />
|
||
|
</list>
|
||
|
</property>
|
||
|
</bean>
|
||
|
|
||
|
<bean id="authn/MFA" parent="shibboleth.AuthenticationFlow"
|
||
|
p:passiveAuthenticationSupported="true"
|
||
|
p:forcedAuthenticationSupported="true">
|
||
|
<!--
|
||
|
The list below almost certainly requires changes, and should generally be the
|
||
|
union of any of the separate factors you combine in your particular MFA flow
|
||
|
rules. The example corresponds to the example in mfa-authn-config.xml that
|
||
|
combines IPAddress with Password.
|
||
|
-->
|
||
|
<property name="supportedPrincipals">
|
||
|
<list>
|
||
|
<bean parent="shibboleth.SAML2AuthnContextClassRef"
|
||
|
c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol" />
|
||
|
<bean parent="shibboleth.SAML2AuthnContextClassRef"
|
||
|
c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
|
||
|
<bean parent="shibboleth.SAML2AuthnContextClassRef"
|
||
|
c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
|
||
|
<bean parent="shibboleth.SAML1AuthenticationMethod"
|
||
|
c:method="urn:oasis:names:tc:SAML:1.0:am:password" />
|
||
|
</list>
|
||
|
</property>
|
||
|
</bean>
|
||
|
|
||
|
</util:list>
|
||
|
|
||
|
<!--
|
||
|
This is a map used to "weight" particular methods above others if the IdP has to randomly select one
|
||
|
to insert into a SAML authentication statement. The typical use shown below is to bias the IdP in favor
|
||
|
of expressing the SAML 2 PasswordProtectedTransport class over the more vanilla Password class on the
|
||
|
assumption that the IdP doesn't accept passwords via an insecure channel. This map never causes the IdP
|
||
|
to violate its matching rules if an RP requests a particular value; it only matters when nothing specific
|
||
|
is chosen. Anything not in the map has a weight of zero.
|
||
|
-->
|
||
|
|
||
|
<util:map id="shibboleth.AuthenticationPrincipalWeightMap">
|
||
|
<entry>
|
||
|
<key>
|
||
|
<bean parent="shibboleth.SAML2AuthnContextClassRef"
|
||
|
c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
|
||
|
</key>
|
||
|
<value>1</value>
|
||
|
</entry>
|
||
|
</util:map>
|
||
|
|
||
|
</beans>
|