Diffstat (limited to 'conf-from-container/conf/authn/general-authn.xml')
-rw-r--r--conf-from-container/conf/authn/general-authn.xml156
1 files changed, 0 insertions, 156 deletions
diff --git a/conf-from-container/conf/authn/general-authn.xml b/conf-from-container/conf/authn/general-authn.xml
deleted file mode 100644
index ac55bbb..0000000
--- a/conf-from-container/conf/authn/general-authn.xml
+++ /dev/null
@@ -1,156 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:context="http://www.springframework.org/schema/context"
- xmlns:util="http://www.springframework.org/schema/util"
- xmlns:p="http://www.springframework.org/schema/p"
- xmlns:c="http://www.springframework.org/schema/c"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
- http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
- http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
-
- default-init-method="initialize"
- default-destroy-method="destroy">
-
- <!--
- This file provisions the IdP with information about the configured login mechanisms available for use.
- The actual beans and subflows that make up those mechanisms are in their own files, but this pulls them
- together with deployer-supplied metadata to describe them to the system.
-
- You can turn on and off individual mechanisms by adding and remove them here. Nothing left out will
- be used, regardless any other files loaded by the Spring container.
-
- Flow defaults include: no support for IsPassive/ForceAuthn, support for non-browser clients enabled,
- and default timeout and lifetime values set via properties. We also default to supporting the SAML 1/2
- expressions for password-based authentication over a secure channel, so anything more exotic requires
- customization, as the examples below for IP address and SPNEGO authentication illustrate.
- -->
-
- <util:list id="shibboleth.AvailableAuthenticationFlows">
-
- <bean id="authn/IPAddress" parent="shibboleth.AuthenticationFlow"
- p:passiveAuthenticationSupported="true"
- p:lifetime="PT60S" p:inactivityTimeout="PT60S">
- <property name="supportedPrincipals">
- <list>
- <bean parent="shibboleth.SAML2AuthnContextClassRef"
- c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol" />
- </list>
- </property>
- </bean>
-
- <bean id="authn/SPNEGO" parent="shibboleth.AuthenticationFlow"
- p:nonBrowserSupported="false">
- <property name="supportedPrincipals">
- <list>
- <bean parent="shibboleth.SAML2AuthnContextClassRef"
- c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos" />
- <bean parent="shibboleth.SAML1AuthenticationMethod"
- c:method="urn:ietf:rfc:1510" />
- </list>
- </property>
- </bean>
-
- <bean id="authn/External" parent="shibboleth.AuthenticationFlow"
- p:nonBrowserSupported="false" />
-
- <bean id="authn/RemoteUser" parent="shibboleth.AuthenticationFlow"
- p:nonBrowserSupported="false" />
-
- <bean id="authn/RemoteUserInternal" parent="shibboleth.AuthenticationFlow" />
-
- <bean id="authn/X509" parent="shibboleth.AuthenticationFlow"
- p:nonBrowserSupported="false">
- <property name="supportedPrincipals">
- <list>
- <bean parent="shibboleth.SAML2AuthnContextClassRef"
- c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:X509" />
- <bean parent="shibboleth.SAML2AuthnContextClassRef"
- c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient" />
- <bean parent="shibboleth.SAML1AuthenticationMethod"
- c:method="urn:ietf:rfc:2246" />
- </list>
- </property>
- </bean>
-
- <bean id="authn/X509Internal" parent="shibboleth.AuthenticationFlow">
- <property name="supportedPrincipals">
- <list>
- <bean parent="shibboleth.SAML2AuthnContextClassRef"
- c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:X509" />
- <bean parent="shibboleth.SAML2AuthnContextClassRef"
- c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient" />
- <bean parent="shibboleth.SAML1AuthenticationMethod"
- c:method="urn:ietf:rfc:2246" />
- </list>
- </property>
- </bean>
-
- <bean id="authn/Password" parent="shibboleth.AuthenticationFlow"
- p:passiveAuthenticationSupported="true"
- p:forcedAuthenticationSupported="true" />
-
- <bean id="authn/Duo" parent="shibboleth.AuthenticationFlow"
- p:forcedAuthenticationSupported="true"
- p:nonBrowserSupported="false">
- <!--
- The list below should be changed to reflect whatever locally- or
- community-defined values are appropriate to represent MFA. It is
- strongly advised that the value not be specific to Duo or any
- particular technology.
- -->
- <property name="supportedPrincipals">
- <list>
- <bean parent="shibboleth.SAML2AuthnContextClassRef"
- c:classRef="http://example.org/ac/classes/mfa" />
- <bean parent="shibboleth.SAML1AuthenticationMethod"
- c:method="http://example.org/ac/classes/mfa" />
- </list>
- </property>
- </bean>
-
- <bean id="authn/MFA" parent="shibboleth.AuthenticationFlow"
- p:passiveAuthenticationSupported="true"
- p:forcedAuthenticationSupported="true">
- <!--
- The list below almost certainly requires changes, and should generally be the
- union of any of the separate factors you combine in your particular MFA flow
- rules. The example corresponds to the example in mfa-authn-config.xml that
- combines IPAddress with Password.
- -->
- <property name="supportedPrincipals">
- <list>
- <bean parent="shibboleth.SAML2AuthnContextClassRef"
- c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol" />
- <bean parent="shibboleth.SAML2AuthnContextClassRef"
- c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
- <bean parent="shibboleth.SAML2AuthnContextClassRef"
- c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
- <bean parent="shibboleth.SAML1AuthenticationMethod"
- c:method="urn:oasis:names:tc:SAML:1.0:am:password" />
- </list>
- </property>
- </bean>
-
- </util:list>
-
- <!--
- This is a map used to "weight" particular methods above others if the IdP has to randomly select one
- to insert into a SAML authentication statement. The typical use shown below is to bias the IdP in favor
- of expressing the SAML 2 PasswordProtectedTransport class over the more vanilla Password class on the
- assumption that the IdP doesn't accept passwords via an insecure channel. This map never causes the IdP
- to violate its matching rules if an RP requests a particular value; it only matters when nothing specific
- is chosen. Anything not in the map has a weight of zero.
- -->
-
- <util:map id="shibboleth.AuthenticationPrincipalWeightMap">
- <entry>
- <key>
- <bean parent="shibboleth.SAML2AuthnContextClassRef"
- c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
- </key>
- <value>1</value>
- </entry>
- </util:map>
-
-</beans>