The following MCB config files show the configuration of username/password authentication via Kerberos/JAAS and the SafeNet eTokenPASS OTP product. The 'example' labels describe the customized configurations.
multi-context-broker.xml:
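<?xml version="1.0" encoding="UTF-8"?>
<!--
    multi-context-broker.xml: MCB (Multi-Context Broker) configuration for the Shibboleth IdP.
    Declares the initial authentication menu, the IdMS attribute holding a user's allowed
    contexts, the failure limit, the authentication contexts the broker honors (with the
    contexts that satisfy each one), and the mapping from method names to Spring submodule
    beans defined in mcb-spring.xml.
    Quoted-printable residue from the Confluence export (=3D, soft line breaks) has been
    removed so the document is well-formed XML again.
-->
<MultiContextBroker>
    <velocityPropertiesFile>/local/shibboleth-idp/conf/velocity.properties</velocityPropertiesFile>

    <!-- Show this list of choices for initial authentication to establish a session.
         Optionally limit the choices to those also requested by the SP. If no choices match the SP request,
         then show the entire list just as if the SP had not requested any. -->
    <!-- example: IdP displays a menu with the following choices. -->
    <initialAuthContext requestedOnly="false">
        <context name="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
        <context name="http://id.incommon.org/assurance/bronze" />
    </initialAuthContext>

    <!-- This value identifies the ID of the attribute in the Shibboleth attribute-resolver.xml file
         that contains the user's allowed context values. -->
    <!-- example: IdP can obtain a value for the attribute name given below -->
    <idms attributeResolverID="eduPersonAssurance" />

    <!-- If set to FALSE, then if the user has no assigned contexts and the SP does not request one,
         then successful authentication via the initial authentication will be returned to the SP as successful.
         This in effect mimics the current Shibboleth behavior.
         If set to TRUE, then a valid context for the user is always required. -->
    <principalAuthnContextRequired>true</principalAuthnContextRequired>

    <!-- The maximum number of failures allowed a user before returning a SAML failure to the
         relying party. Must be specified according to schema definition. Set to a value of -1
         to allow an unlimited number of login failures. -->
    <!-- NOTE(review): as described above this bounds failures within one login attempt before a SAML
         error is returned; it does not appear to be an account lockout, so any lockout or rate limit
         is presumably enforced by the backing JAAS/RADIUS services. Confirm against the MCB docs. -->
    <maxFailures>3</maxFailures>

    <!-- authnContexts is the list of configured contexts the MCB will honor. -->
    <authnContexts>
        <!-- For each context, the name attribute is used to match up with the values returned by the IdMS
             and also used to match the requested authentication context sent by the SP.
             The method attribute corresponds to the authentication method this context uses. -->
        <context name="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" method="password">
            <allowedContexts>
                <context name="http://id.incommon.org/assurance/bronze" />
            </allowedContexts>
        </context>
        <context name="http://id.incommon.org/assurance/bronze" method="bronze">
            <!-- Note that since the bronze level allows silver and silver allows gold, means gold is acceptable here.
                 Contexts are inherited. Since two levels of silver have been configured, either is acceptable
                 for authenticating at the bronze level (but only because both are listed). -->
            <!-- NOTE(review): in this file the silver context lists only silver-token, not the
                 tokenpluspin ("Gold Level") context, so the inheritance chain from bronze reaches
                 silver-token rather than gold as the comment above says. Confirm which is intended. -->
            <allowedContexts>
                <context name="http://id.incommon.org/assurance/silver" />
                <!-- NOTE(review): silver-token is referenced here and under silver but has no
                     <context> definition of its own in authnContexts, so no method is mapped to
                     it in this file. Confirm it is defined elsewhere or remove the reference. -->
                <context name="http://id.incommon.org/assurance/silver-token" />
                <!-- <context name="urn:oasis:names:tc:SAML:2.0:ac:classes:X509" /> -->
            </allowedContexts>
        </context>
        <context name="http://id.incommon.org/assurance/silver" method="silver">
            <!-- allowedContexts is a list of contexts which satisfy this level as well -->
            <allowedContexts>
                <context name="http://id.incommon.org/assurance/silver-token" />
            </allowedContexts>
        </context>
        <context name="urn:oasis:names:tc:SAML:2.0:ac:classes:X509" method="token">
            <!-- allowedContexts is a list of contexts which satisfy this level as well -->
            <allowedContexts>
                <context name="edu:internet2:middleware:assurance:mcb:tokenpluspin" />
            </allowedContexts>
        </context>
        <context name="edu:internet2:middleware:assurance:mcb:tokenpluspin" method="tokenpluspin" />
    </authnContexts>

    <!-- authMethods is the list of authentication methods supported by the MCB -->
    <authMethods>
        <!-- A method defines one authentication method. The name attribute corresponds to the method value
             used in the context definition. The bean attribute is the name of the submodule bean loaded by
             the Spring framework during Shibboleth startup. The value of the method node is the friendly name
             used for display purposes. -->
        <method name="password" bean="mcb.usernamepassword">
            Username/Password Only
        </method>
        <method name="bronze" bean="mcb.usernamepasswordbronze">
            Username/OTP
        </method>
        <method name="silver" bean="mcb.usernamepasswordsilver">
            Silver Assurance Level
        </method>
        <method name="token" bean="mcb.token">
            Silver Assurance Level (via hardware token)
        </method>
        <!-- NOTE(review): the bean "mcb.tokenpluspin" is not defined in the mcb-spring.xml shown
             alongside this file, and it is not in the submodule list passed to mcb.Configuration there.
             Confirm the bean exists, otherwise the tokenpluspin method cannot be loaded at startup. -->
        <method name="tokenpluspin" bean="mcb.tokenpluspin">
            Gold Level - Token/PIN Required
        </method>
    </authMethods>
</MultiContextBroker>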
mcb-spring.xml:
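<?xml version="1.0" encoding="UTF-8"?>
<!--
    mcb-spring.xml: Spring bean definitions for the MCB authentication submodules.
    Each submodule bean is referenced by name from the authMethods section of
    multi-context-broker.xml; mcb.Configuration loads that file and the list of
    submodules, and mcb.ServletAttributeExporter publishes the configuration bean
    into the servlet context.
    Quoted-printable residue from the Confluence export (=3D, soft line breaks) has been
    removed so the document is well-formed XML again.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:util="http://www.springframework.org/schema/util"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-2.0.xsd">
    <!-- NOTE(review): the schemaLocation URLs above are hints; Spring normally resolves these
         well-known schema URLs from the classpath rather than fetching them at startup. Confirm
         the IdP's XML parser configuration does not fall back to network retrieval. -->

    <!-- This bean represents an authentication submodule -->
    <!-- Example: Configures the use of Kerberos to do password authentication -->
    <!-- Constructor args (by index): 0 = JAAS config file, 1 = JAAS application entry name,
         2 = Velocity login template. -->
    <bean id="mcb.usernamepassword" class="edu.internet2.middleware.assurance.mcb.authn.provider.JAASLoginSubmodule">
        <constructor-arg index="0" value="/local/shibboleth-idp/conf/login.config.mcb" />
        <constructor-arg index="1" value="MCBUserPassAuth" />
        <constructor-arg index="2" value="jaaslogin.vm" />
    </bean>

    <!-- This bean represents an authentication submodule -->
    <!-- Example: Configures the use of the SafeNet eTokenPass OTP device using the RADIUS JAAS Module from Pieter Vandepitte -->
    <bean id="mcb.usernamepasswordbronze" class="edu.internet2.middleware.assurance.mcb.authn.provider.JAASLoginSubmodule">
        <constructor-arg index="0" value="/local/shibboleth-idp/conf/login.config.radius" />
        <constructor-arg index="1" value="MCBUserOTPAuth" />
        <constructor-arg index="2" value="jaasloginbronze.vm" />
    </bean>

    <!-- This bean represents an authentication submodule -->
    <!-- NOTE(review): this "silver" submodule uses the same JAAS config file and the same
         "MCBUserPassAuth" entry as mcb.usernamepassword; only the login template differs.
         As configured, the silver assurance context is therefore satisfied by the same
         credential check as the plain password context. Confirm that this is intended
         (e.g. identity-proofing is asserted elsewhere) rather than a copy of the password bean. -->
    <bean id="mcb.usernamepasswordsilver" class="edu.internet2.middleware.assurance.mcb.authn.provider.JAASLoginSubmodule">
        <constructor-arg index="0" value="/local/shibboleth-idp/conf/login.config.mcb" />
        <constructor-arg index="1" value="MCBUserPassAuth" />
        <constructor-arg index="2" value="jaasloginsilver.vm" />
    </bean>

    <!-- This bean represents an authentication submodule -->
    <!--
    <bean id="mcb.token" class="edu.internet2.middleware.assurance.mcb.authn.provider.TokenLoginSubmodule">
    </bean>
    -->
    <!-- Example: Configure the use of the remote_user login handler for X.509 certs -->
    <!-- NOTE(review): a RemoteUser-style submodule trusts the identity established by the container
         on the protected path given below. The assurance of the "token" method therefore depends on
         the web server or container actually enforcing client-certificate authentication on
         /Authn/X509/Login and on that path not being reachable without it. Confirm in the container config. -->
    <bean id="mcb.token" class="edu.internet2.middleware.assurance.mcb.authn.provider.RemoteUserSubmodule">
        <!-- <constructor-arg index="0" value="/Authn/MCB/RemoteUser" /> -->
        <constructor-arg index="0" value="/Authn/X509/Login" />
    </bean>

    <!-- This bean is our configuration object representing the custom configuration file -->
    <!-- NOTE(review): the submodule list below has no entry for "mcb.tokenpluspin", which the
         tokenpluspin method in multi-context-broker.xml references; confirm it is defined and
         listed elsewhere or that method will not be available. -->
    <bean id="mcb.Configuration" class="edu.internet2.middleware.assurance.mcb.authn.provider.MCBConfiguration">
        <constructor-arg value="/local/shibboleth-idp/conf/multi-context-broker.xml" />
        <constructor-arg>
            <list>
                <ref bean="mcb.usernamepassword" />
                <ref bean="mcb.usernamepasswordbronze" />
                <ref bean="mcb.usernamepasswordsilver" />
                <ref bean="mcb.token" />
            </list>
        </constructor-arg>
    </bean>

    <!-- This bean places the configuration bean into the Servlet space -->
    <bean id="mcb.ServletAttributeExporter"
          class="edu.internet2.middleware.shibboleth.common.config.service.ServletContextAttributeExporter"
          depends-on="mcb.Configuration"
          init-method="initialize">
        <constructor-arg>
            <list>
                <value>mcb.Configuration</value>
            </list>
        </constructor-arg>
    </bean>
</beans>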