AuthenticationConfiguration
Current File(s): conf/authn/*
This page documents the OIDC extension's additions to the Shibboleth IdP AuthenticationConfiguration.
The OIDC extension provides a new OIDC-specific bean from which authentication method principals are inherited. Such principals may be set as supportedPrincipals for authentication flows. For OIDC requests and responses, only principals inherited from this bean are considered valid.
- shibboleth.OIDCAuthnContextClassReference
The only supported comparison type is exact. The weighted map applies to principals inherited from this bean.
OIDC acr differs from its SAML2 counterpart in one significant way: the requested authentication context class may be presented as voluntary or essential. If it is presented as essential, the authentication flow has to match the requested acr. In the voluntary case, any otherwise valid flow will do if there is no match for the requested acr.
    <bean id="authn/Password" parent="shibboleth.AuthenticationFlow"
            p:passiveAuthenticationSupported="true"
            p:forcedAuthenticationSupported="true">
        <property name="supportedPrincipals">
            <list>
                <bean parent="shibboleth.SAML2AuthnContextClassRef"
                    c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
                <bean parent="shibboleth.SAML2AuthnContextClassRef"
                    c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
                <bean parent="shibboleth.SAML1AuthenticationMethod"
                    c:method="urn:oasis:names:tc:SAML:1.0:am:password" />
                <bean parent="shibboleth.OIDCAuthnContextClassReference"
                    c:classRef="password" />
            </list>
        </property>
    </bean>
- shibboleth.OIDCAuthnContextClassReference, parent bean for attaching oidc authentication method principal constants to flows.
- shibboleth.OIDCAuthnMethodExact, for the shibboleth.AuthnComparisonRules map.
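
The essential/voluntary distinction described above, modelled in Python as an added example (it is not the extension's own code). It reads the requested acr from the standard OIDC `acr_values` (always voluntary) and `claims` request parameters and applies exact matching; the flow table, the `authn/MFA` flow, the fallback choice and the function names are assumptions made for the illustration.

```python
import json
from urllib.parse import parse_qs, urlencode

# Constructed flow table: flow id -> OIDC acr values it supports (the c:classRef
# of each shibboleth.OIDCAuthnContextClassReference principal on the flow).
FLOWS = {
    "authn/Password": {"password"},
    "authn/MFA": {"mfa"},  # hypothetical second flow, not from the page
}

def requested_acr(query):
    """Return (acr values in preference order, essential?) for a request query string."""
    params = parse_qs(query)
    claims = json.loads(params.get("claims", ["{}"])[0])
    acr = (claims.get("id_token") or {}).get("acr") or {}
    values = acr.get("values") or ([acr["value"]] if "value" in acr else [])
    if values:
        return values, bool(acr.get("essential", False))
    # acr_values: space-separated, preference order, always voluntary
    return params.get("acr_values", [""])[0].split(), False

def select_flow(query, flows=FLOWS, fallback="authn/Password"):
    """Exact-match flow selection; an unmet essential acr is a failure."""
    values, essential = requested_acr(query)
    for acr in values:
        for flow_id, supported in flows.items():
            if acr in supported:  # exact comparison is the only supported type
                return flow_id, acr
    if essential:
        raise LookupError(f"no flow satisfies essential acr {values}")
    # Voluntary: any otherwise valid flow will do, and the acr reported
    # is the one actually performed, not the one requested.
    return fallback, sorted(flows[fallback])[0]

def claims_request(values, essential):
    """Build a constructed request carrying acr in the 'claims' parameter."""
    acr = {"essential": essential, "values": values}
    return urlencode({"scope": "openid", "claims": json.dumps({"id_token": {"acr": acr}})})

if __name__ == "__main__":
    print(select_flow("scope=openid&acr_values=mfa+password"))
    print(select_flow("scope=openid&acr_values=hwk"))
    print(select_flow(claims_request(["mfa"], True)))
    try:
        select_flow(claims_request(["hwk"], True))
    except LookupError as exc:
        print("rejected:", exc)
```

A relying party that depends on a particular acr has to request it as essential or check the acr claim in the returned ID token, because a voluntary request can be answered with a different flow.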