...
Set the authentication flows to enable in idp.authn.flows in conf/idp.properties.

```diff
# Regular expression matching login flows to enable, e.g. IPAddress|Password
-idp.authn.flows= Password
+idp.authn.flows= Password|RemoteUser|X509
```
To prioritize an authentication flow that already holds an active authentication result, uncomment idp.authn.favorSSO in conf/idp.properties.

```diff
# Whether to prioritize "active" results when an SP requests more than
# one possible matching login method (V2 behavior was to favor them)
-#idp.authn.favorSSO = true
+idp.authn.favorSSO = true
```
Order the authentication flows in shibboleth.AvailableAuthenticationFlows in conf/authn/general-authn.xml from the weakest flow to the strongest. Add the following to each flow's supportedPrincipals property. Because each stronger flow also lists every weaker Level, a result produced by a stronger flow can satisfy a request for any lower Level.

| Authentication flow | supportedPrincipals property |
|---|---|
| Password | the supportedPrincipals defined in the parent shibboleth.AuthenticationFlow, plus Level1 |
| RemoteUser | Level2, Level1 |
| X509 | Level3, Level2, Level1 |
```diff
<util:list id="shibboleth.AvailableAuthenticationFlows">
    <bean id="authn/IPAddress" parent="shibboleth.AuthenticationFlow"
            p:passiveAuthenticationSupported="true"
            p:lifetime="PT60S" p:inactivityTimeout="PT60S">
        <property name="supportedPrincipals">
            <list>
                <bean parent="shibboleth.SAML2AuthnContextClassRef"
                    c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol" />
            </list>
        </property>
    </bean>
    <bean id="authn/SPNEGO" parent="shibboleth.AuthenticationFlow"
            p:nonBrowserSupported="false">
        <property name="supportedPrincipals">
            <list>
                <bean parent="shibboleth.SAML2AuthnContextClassRef"
                    c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos" />
                <bean parent="shibboleth.SAML1AuthenticationMethod"
                    c:method="urn:ietf:rfc:1510" />
            </list>
        </property>
    </bean>
    <bean id="authn/External" parent="shibboleth.AuthenticationFlow"
            p:nonBrowserSupported="false" />
+   <bean id="authn/Password" parent="shibboleth.AuthenticationFlow"
+           p:passiveAuthenticationSupported="true"
+           p:forcedAuthenticationSupported="true">
+       <property name="supportedPrincipals">
+           <util:list>
+               <bean parent="shibboleth.SAML2AuthnContextClassRef"
+                   c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
+               <bean parent="shibboleth.SAML2AuthnContextClassRef"
+                   c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
+               <bean parent="shibboleth.SAML1AuthenticationMethod"
+                   c:method="urn:oasis:names:tc:SAML:1.0:am:password" />
+               <!-- -->
+               <bean parent="shibboleth.SAML2AuthnContextClassRef"
+                   c:classRef="urn:mace:gakunin.jp:idprivacy:ac:classes:Level1" />
+           </util:list>
+       </property>
+   </bean>
+   <bean id="authn/RemoteUser" parent="shibboleth.AuthenticationFlow"
-           p:nonBrowserSupported="false" />
+           p:nonBrowserSupported="false">
+       <property name="supportedPrincipals">
+           <util:list>
+               <!-- -->
+               <bean parent="shibboleth.SAML2AuthnContextClassRef"
+                   c:classRef="urn:mace:gakunin.jp:idprivacy:ac:classes:Level2" />
+               <bean parent="shibboleth.SAML2AuthnContextClassRef"
+                   c:classRef="urn:mace:gakunin.jp:idprivacy:ac:classes:Level1" />
+           </util:list>
+       </property>
+   </bean>
    <bean id="authn/RemoteUserInternal" parent="shibboleth.AuthenticationFlow" />
    <bean id="authn/X509" parent="shibboleth.AuthenticationFlow"
            p:nonBrowserSupported="false">
        <property name="supportedPrincipals">
            <list>
                <bean parent="shibboleth.SAML2AuthnContextClassRef"
                    c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:X509" />
                <bean parent="shibboleth.SAML2AuthnContextClassRef"
                    c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient" />
                <bean parent="shibboleth.SAML1AuthenticationMethod"
                    c:method="urn:ietf:rfc:2246" />
+               <!-- -->
+               <bean parent="shibboleth.SAML2AuthnContextClassRef"
+                   c:classRef="urn:mace:gakunin.jp:idprivacy:ac:classes:Level3" />
+               <bean parent="shibboleth.SAML2AuthnContextClassRef"
+                   c:classRef="urn:mace:gakunin.jp:idprivacy:ac:classes:Level2" />
+               <bean parent="shibboleth.SAML2AuthnContextClassRef"
+                   c:classRef="urn:mace:gakunin.jp:idprivacy:ac:classes:Level1" />
            </list>
        </property>
    </bean>
    <bean id="authn/X509Internal" parent="shibboleth.AuthenticationFlow">
        <property name="supportedPrincipals">
            <list>
                <bean parent="shibboleth.SAML2AuthnContextClassRef"
                    c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:X509" />
                <bean parent="shibboleth.SAML2AuthnContextClassRef"
                    c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient" />
                <bean parent="shibboleth.SAML1AuthenticationMethod"
                    c:method="urn:ietf:rfc:2246" />
            </list>
        </property>
    </bean>
-   <bean id="authn/Password" parent="shibboleth.AuthenticationFlow"
-           p:passiveAuthenticationSupported="true"
-           p:forcedAuthenticationSupported="true" />
</util:list>
```
Set the defaultAuthenticationMethods property on Shibboleth.SSO and SAML2.SSO in shibboleth.DefaultRelyingParty in conf/relying-party.xml.

```diff
<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
        <list>
-           <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
+           <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release"
+               p:defaultAuthenticationMethods="urn:oasis:names:tc:SAML:1.0:am:password" />
            <ref bean="SAML1.AttributeQuery" />
            <ref bean="SAML1.ArtifactResolution" />
-           <bean parent="SAML2.SSO" p:postAuthenticationFlows="attribute-release" />
+           <bean parent="SAML2.SSO" p:postAuthenticationFlows="attribute-release"
+               p:defaultAuthenticationMethods="urn:mace:gakunin.jp:idprivacy:ac:classes:Level1" />
            <ref bean="SAML2.ECP" />
            <ref bean="SAML2.Logout" />
            <ref bean="SAML2.AttributeQuery" />
            <ref bean="SAML2.ArtifactResolution" />
            <ref bean="Liberty.SSOS" />
        </list>
    </property>
</bean>
```
...
Extended flows for the Password authentication flow
Configuration
Complete the authentication flow layering configuration first.
Add Level2 and Level3, which the Extended flows use, to authn/Password in conf/authn/general-authn.xml.

```diff
<bean id="authn/Password" parent="shibboleth.AuthenticationFlow"
        p:passiveAuthenticationSupported="true"
        p:forcedAuthenticationSupported="true">
    <property name="supportedPrincipals">
        <util:list>
            <bean parent="shibboleth.SAML2AuthnContextClassRef"
                c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
            <bean parent="shibboleth.SAML2AuthnContextClassRef"
                c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
            <bean parent="shibboleth.SAML1AuthenticationMethod"
                c:method="urn:oasis:names:tc:SAML:1.0:am:password" />
            <!-- -->
            <bean parent="shibboleth.SAML2AuthnContextClassRef"
                c:classRef="urn:mace:gakunin.jp:idprivacy:ac:classes:Level1" />
+           <!-- Extended Flows -->
+           <bean parent="shibboleth.SAML2AuthnContextClassRef"
+               c:classRef="urn:mace:gakunin.jp:idprivacy:ac:classes:Level2" />
+           <bean parent="shibboleth.SAML2AuthnContextClassRef"
+               c:classRef="urn:mace:gakunin.jp:idprivacy:ac:classes:Level3" />
        </util:list>
    </property>
</bean>
```
In conf/authn/password-authn-config.xml, uncomment the beans for the Extended flows. In c:_0 of shibboleth.authn.Password.ExtendedFlows, set RemoteUser and X509 as the flows to offer as Extended flows. Add Level1, the level at which the Password authentication flow itself authenticates, to shibboleth.authn.Password.PrincipalOverride.

```diff
<!--
Configuration of "extended" login methods to offer in the password login form.
The String bean is a regular expression identifying the flows to offer. These flows
must also be enabled at the "top" level to be available for use.
The ExtendedFlowParameters bean can be used to transfer custom parameters from the
login form into the context tree for use later by other flows.
The last bean provides the set of custom Principals to use for results produced by the
Password flow itself. You would use this if you need the Password flow to run as a shell
to run the "extended" login methods, but want to limit its own results more narrowly.
-->

-<!--
-<bean id="shibboleth.authn.Password.ExtendedFlows" class="java.lang.String" c:_0="" />
+<bean id="shibboleth.authn.Password.ExtendedFlows" class="java.lang.String" c:_0="RemoteUser|X509" />
<util:list id="shibboleth.authn.Password.ExtendedFlowParameters">
</util:list>
<util:list id="shibboleth.authn.Password.PrincipalOverride">
    <bean parent="shibboleth.SAML2AuthnContextClassRef"
        c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
    <bean parent="shibboleth.SAML2AuthnContextClassRef"
        c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
    <bean parent="shibboleth.SAML1AuthenticationMethod"
        c:method="urn:oasis:names:tc:SAML:1.0:am:password" />
+   <!-- -->
+   <bean parent="shibboleth.SAML2AuthnContextClassRef"
+       c:classRef="urn:mace:gakunin.jp:idprivacy:ac:classes:Level1" />
</util:list>
-->
```
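As an added configuration check (example code, not part of this page or of the Shibboleth project), the script below parses a constructed excerpt in the shape of the general-authn.xml shown above and verifies the layering rules from both sections: flows listed weakest-first, each flow carrying the Levels of every weaker flow, and every Extended flow also matching idp.authn.flows. The XML excerpt, the flow names passed to check_extended_enabled and the function names are assumptions of the example.

```python
import re
import xml.etree.ElementTree as ET

LEVEL_PREFIX = "urn:mace:gakunin.jp:idprivacy:ac:classes:Level"
C_NS = "{http://www.springframework.org/schema/c}"  # Spring "c:" attribute namespace
# Constructed excerpt in the shape of general-authn.xml after the changes above.
GENERAL_AUTHN_XML = """<beans xmlns="http://www.springframework.org/schema/beans"
 xmlns:util="http://www.springframework.org/schema/util" xmlns:c="http://www.springframework.org/schema/c">
 <util:list id="shibboleth.AvailableAuthenticationFlows">
  <bean id="authn/Password"><property name="supportedPrincipals"><util:list>
    <bean c:classRef="urn:mace:gakunin.jp:idprivacy:ac:classes:Level1"/>
  </util:list></property></bean>
  <bean id="authn/RemoteUser"><property name="supportedPrincipals"><util:list>
    <bean c:classRef="urn:mace:gakunin.jp:idprivacy:ac:classes:Level2"/>
    <bean c:classRef="urn:mace:gakunin.jp:idprivacy:ac:classes:Level1"/>
  </util:list></property></bean>
  <bean id="authn/X509"><property name="supportedPrincipals"><list>
    <bean c:classRef="urn:mace:gakunin.jp:idprivacy:ac:classes:Level3"/>
    <bean c:classRef="urn:mace:gakunin.jp:idprivacy:ac:classes:Level2"/>
    <bean c:classRef="urn:mace:gakunin.jp:idprivacy:ac:classes:Level1"/>
  </list></property></bean>
 </util:list>
</beans>"""

def flow_levels(xml_text):
    """Return [(flow id, {Level numbers})] in document order; no Level gives an empty set."""
    flows = []
    for bean in ET.fromstring(xml_text).iter():
        fid = bean.get("id", "")
        if bean.tag.endswith("}bean") and fid.startswith("authn/"):
            refs = (d.get(C_NS + "classRef", "") for d in bean.iter())
            flows.append((fid, {int(r[len(LEVEL_PREFIX):]) for r in refs
                                if r.startswith(LEVEL_PREFIX)}))
    return flows

def check_layering(flows):
    """Flows with Levels must be listed weakest-first and carry every weaker flow's Levels."""
    ranked = [(f, lv) for f, lv in flows if lv]  # flows without a Level are not ranked
    problems = []
    for i, (fid, levels) in enumerate(ranked):
        for wid, weaker in ranked[:i]:
            if max(weaker) > max(levels) or not weaker <= levels:
                problems.append(f"{fid}: must be listed after {wid} and carry its Levels")
    return problems

def check_extended_enabled(enabled_regex, extended_regex, flow_names):
    """Extended flows must also match idp.authn.flows; returns those that do not."""
    return [f for f in flow_names
            if re.fullmatch(extended_regex, f) and not re.fullmatch(enabled_regex, f)]
```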
...