...
本ドキュメントで使用する認証コンテクストと認証フローの関係を下記に示します。
| 情報 |
|---|
ここでRemoteUserはパスワード認証とクライアント証明書認証の中間の強度の認証の例として挙げております。実際に運用する場合は別途用意した認証フローで置き換えてください。また、レベルとの対応付けも本ドキュメント独自のもので、例示として使用しています。 |
| 認証コンテクスト | 略称 | 認証フロー |
|---|---|---|
urn:mace:gakunin.jp:idprivacy:ac:classes:Level1 | Level1 | Password |
urn:mace:gakunin.jp:idprivacy:ac:classes:Level2 | Level2 | RemoteUser |
urn:mace:gakunin.jp:idprivacy:ac:classes:Level3 | Level3 | X509 |
...
conf/idp.propertiesのidp.authn.flowsに有効にする認証フローを設定します。コード ブロック language diff title conf/idp.properties collapse true # Regular expression matching login flows to enable, e.g. IPAddress|Password -idp.authn.flows= Password +idp.authn.flows= Password|RemoteUser|X509
既に認証済みの認証フローを優先するために、
conf/idp.propertiesのidp.authn.favorSSOをアンコメントします。コード ブロック language diff title conf/idp.properties collapse true # Whether to prioritize "active" results when an SP requests more than # one possible matching login method (V2 behavior was to favor them) -#idp.authn.favorSSO = true +idp.authn.favorSSO = true
conf/authn/general-authn.xmlのshibboleth.AvailableAuthenticationFlows内の認証フローを弱い認証フローから強い認証フローの順に並べます。各認証フローのsupportedPrincipalsプロパティに下記を追加します。認証フロー supportedPrincipalsプロパティPassword継承元の shibboleth.AuthenticationFlowで定義されているsupportedPrincipals, Level1RemoteUserLevel2, Level1X509Level3, Level2, Level1コード ブロック language diff title conf/authn/general-authn.xml collapse true <util:list id="shibboleth.AvailableAuthenticationFlows"> <bean id="authn/IPAddress" parent="shibboleth.AuthenticationFlow" p:passiveAuthenticationSupported="true" p:lifetime="PT60S" p:inactivityTimeout="PT60S"> <property name="supportedPrincipals"> <list> <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol" /> </list> </property> </bean> <bean id="authn/SPNEGO" parent="shibboleth.AuthenticationFlow" p:nonBrowserSupported="false"> <property name="supportedPrincipals"> <list> <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos" /> <bean parent="shibboleth.SAML1AuthenticationMethod" c:method="urn:ietf:rfc:1510" /> </list> </property> </bean> <bean id="authn/External" parent="shibboleth.AuthenticationFlow" p:nonBrowserSupported="false" /> + <bean id="authn/Password" parent="shibboleth.AuthenticationFlow" + p:passiveAuthenticationSupported="true" + p:forcedAuthenticationSupported="true"> + <property name="supportedPrincipals"> + <util:list> + <bean parent="shibboleth.SAML2AuthnContextClassRef" + c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" /> + <bean parent="shibboleth.SAML2AuthnContextClassRef" + c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" /> + <bean parent="shibboleth.SAML1AuthenticationMethod" + c:method="urn:oasis:names:tc:SAML:1.0:am:password" /> + <!-- --> + <bean parent="shibboleth.SAML2AuthnContextClassRef" + c:classRef="urn:mace:gakunin.jp:idprivacy:ac:classes:Level1" /> + </util:list> + </property> + </bean> + <bean id="authn/RemoteUser" parent="shibboleth.AuthenticationFlow" - p:nonBrowserSupported="false" /> + p:nonBrowserSupported="false"> + <property name="supportedPrincipals"> + <util:list> + <!-- --> + <bean parent="shibboleth.SAML2AuthnContextClassRef" + c:classRef="urn:mace:gakunin.jp:idprivacy:ac:classes:Level2" /> + <bean parent="shibboleth.SAML2AuthnContextClassRef" + c:classRef="urn:mace:gakunin.jp:idprivacy:ac:classes:Level1" /> + </util:list> + </property> + </bean> <bean id="authn/RemoteUserInternal" parent="shibboleth.AuthenticationFlow" /> <bean id="authn/X509" parent="shibboleth.AuthenticationFlow" p:nonBrowserSupported="false"> <property name="supportedPrincipals"> <list> <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:X509" /> <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient" /> <bean parent="shibboleth.SAML1AuthenticationMethod" c:method="urn:ietf:rfc:2246" /> + <!-- --> + <bean parent="shibboleth.SAML2AuthnContextClassRef" + c:classRef="urn:mace:gakunin.jp:idprivacy:ac:classes:Level3" /> + <bean parent="shibboleth.SAML2AuthnContextClassRef" + c:classRef="urn:mace:gakunin.jp:idprivacy:ac:classes:Level2" /> + <bean parent="shibboleth.SAML2AuthnContextClassRef" + c:classRef="urn:mace:gakunin.jp:idprivacy:ac:classes:Level1" /> </list> </property> </bean> <bean id="authn/X509Internal" parent="shibboleth.AuthenticationFlow"> <property name="supportedPrincipals"> <list> <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:X509" /> <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient" /> <bean parent="shibboleth.SAML1AuthenticationMethod" c:method="urn:ietf:rfc:2246" /> </list> </property> </bean> - <bean id="authn/Password" parent="shibboleth.AuthenticationFlow" - p:passiveAuthenticationSupported="true" - p:forcedAuthenticationSupported="true" /> - </util:list>conf/relying-party.xmlのshibboleth.DefaultRelyingParty内のShibboleth.SSOとSAML2.SSOにdefaultAuthenticationMethodsプロパティを設定します。コード ブロック language diff title conf/relying-party.xml collapse true <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty"> <property name="profileConfigurations"> <list> - <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" /> + <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" + p:defaultAuthenticationMethods="urn:oasis:names:tc:SAML:1.0:am:password" /> <ref bean="SAML1.AttributeQuery" /> <ref bean="SAML1.ArtifactResolution" /> - <bean parent="SAML2.SSO" p:postAuthenticationFlows="attribute-release" /> + <bean parent="SAML2.SSO" p:postAuthenticationFlows="attribute-release" + p:defaultAuthenticationMethods="urn:mace:gakunin.jp:idprivacy:ac:classes:Level1" /> <ref bean="SAML2.ECP" /> <ref bean="SAML2.Logout" /> <ref bean="SAML2.AttributeQuery" /> <ref bean="SAML2.ArtifactResolution" /> <ref bean="Liberty.SSOS" /> </list> </property> </bean>
...