...
認証フローの階層化の設定を行ってください。
conf/authn/general-authn.xml
のauthn/Password
にExtendedフローで利用するLevel2, Level3
を追加します。コード ブロック language diff title conf/authn/general-authn.xml collapse true <bean id="authn/Password" parent="shibboleth.AuthenticationFlow" p:passiveAuthenticationSupported="true" p:forcedAuthenticationSupported="true"> <property name="supportedPrincipals"> <util:list> <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" /> <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" /> <bean parent="shibboleth.SAML1AuthenticationMethod" c:method="urn:oasis:names:tc:SAML:1.0:am:password" /> <!-- --> <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="urn:mace:gakunin.jp:idprivacy:ac:classes:Level1" /> + <!-- Extended Flows --> + <bean parent="shibboleth.SAML2AuthnContextClassRef" + c:classRef="urn:mace:gakunin.jp:idprivacy:ac:classes:Level2" /> + <bean parent="shibboleth.SAML2AuthnContextClassRef" + c:classRef="urn:mace:gakunin.jp:idprivacy:ac:classes:Level3" /> </util:list> </property> </bean>
conf/authn/password-authn-config.xml
でExtendedフローのbean
をアンコメントします。をアンコメントし、下記の設定を行います。shibboleth.authn.Password.ExtendedFlows
のc:_0に、ExtendedフローとするRemoteUser
とX509
を設定します。shibboleth.authn.Password.PrincipalOverride
に、Password認証フローで認証するLevel1
を追加します。
コード ブロック language diff title conf/authn/password-authn-config.xml collapse true <!-- Configuration of "extended" login methods to offer in the password login form. The String bean is a regular expression identifying the flows to offer. These flows must also be enabled at the "top" level to be available for use. The ExtendedFlowParameters bean can be used to transfer custom parameters from the login form into the context tree for use later by other flows. The last bean provides the set of custom Principals to use for results produced by the Password flow itself. You would use this if you need the Password flow to run as a shell to run the "extended" login methods, but want to limit its own results more narrowly. --> - <!-- - <bean id="shibboleth.authn.Password.ExtendedFlows" class="java.lang.String" c:_0="" /> + <bean id="shibboleth.authn.Password.ExtendedFlows" class="java.lang.String" c:_0="RemoteUser|X509" /> <util:list id="shibboleth.authn.Password.ExtendedFlowParameters"> </util:list> <util:list id="shibboleth.authn.Password.PrincipalOverride"> <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" /> <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" /> <bean parent="shibboleth.SAML1AuthenticationMethod" c:method="urn:oasis:names:tc:SAML:1.0:am:password" /> + <!-- --> + <bean parent="shibboleth.SAML2AuthnContextClassRef" + c:classRef="urn:mace:gakunin.jp:idprivacy:ac:classes:Level1" /> </util:list> - -->
...