
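<?xml version="1.0" encoding="UTF-8"?>
<!--
    Multi-Context Broker (MCB) configuration for a Shibboleth IdP.

    Three sections work together:
      * authnContexts : the SAML AuthnContext class names the MCB will honor, each mapped to a method
      * authMethods   : the login handlers (Spring beans) those methods resolve to
      * idms          : the attribute whose values say which contexts a given user may use

    Whitespace between elements is ignorable here; the only text the IdP reads is the friendly name
    inside each method element. Review caveats are marked NOTE(review).
-->
<MultiContextBroker>

    <velocityPropertiesFile>/opt/shibboleth-idp/conf/velocity.properties</velocityPropertiesFile>

    <!--
        Contexts offered to a user who has no session yet. The list is optionally narrowed to those
        also requested by the SP; if nothing matches the SP request, the whole list is shown just as
        if the SP had requested nothing.
    -->
    <initialAuthContext>
        <context name="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
    </initialAuthContext>

    <!--
        ID of the attribute in attribute-resolver.xml whose values are the context names this user is
        allowed to use. The names in authnContexts below must match those attribute values exactly.
    -->
    <idms attributeResolverID="eduPersonAssurance" />

    <!--
        Maximum number of login failures allowed before a SAML failure is returned to the relying
        party. Must be specified according to the schema definition; -1 allows unlimited failures.
        Keep a finite value so the broker bounds password guessing within a single login flow.
    -->
    <maxFailures>3</maxFailures>

    <!--
        authnContexts is the list of contexts the MCB will honor.
        For each context, the name attribute is matched against the values returned by the IdMS and
        against the authentication context requested by the SP. The method attribute names an entry
        in authMethods below.
        allowedContexts lists other contexts that also satisfy this one: per the original
        documentation, a user already holding a session at one of them meets a request for this
        context as well.
    -->
    <authnContexts>
        <context name="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" method="password">
            <allowedContexts>
            </allowedContexts>
        </context>

        <!-- Satisfied by Duo directly, or by an existing Silver session. -->
        <context name="http://uchicago.edu/duoorsilver" method="duo">
            <allowedContexts>
                <context name="http://id.incommon.org/assurance/silver" />
            </allowedContexts>
        </context>

        <!-- Duo only; no other context stands in for it. -->
        <context name="http://uchicago.edu/duo" method="duo">
            <allowedContexts>
            </allowedContexts>
        </context>

        <context name="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" method="password">
            <allowedContexts>
            </allowedContexts>
        </context>

        <!--
            NOTE(review): Password and Duo are listed as satisfying Silver. If allowedContexts means
            "an existing session at this context also satisfies the request" (as documented above),
            a password-only session would meet a request for InCommon Silver with no step-up.
            Confirm against the MCB documentation and the intended Silver policy before relying on
            this context as an assurance signal.
        -->
        <context name="http://id.incommon.org/assurance/silver" method="silver">
            <allowedContexts>
                <context name="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
                <context name="http://uchicago.edu/duo" />
            </allowedContexts>
        </context>

    </authnContexts>

    <!--
        authMethods is the list of authentication methods supported by the MCB.
        name is the value referenced by a context's method attribute; bean is the name of the
        submodule bean loaded by Spring during Shibboleth startup; the element text is the friendly
        name used for display.
    -->
    <authMethods>
        <method name="password" bean="mcb.usernamepassword">
            Username/Password Only
        </method>
        <!-- Not referenced by any context above; harmless, but currently dead configuration. -->
        <method name="bronze" bean="mcb.usernamepasswordbronze">
            Bronze Level Password
        </method>
        <method name="silver" bean="mcb.usernamepasswordsilver">
            Silver Assurance Level
        </method>
        <method name="duo" bean="mcb.duo">
            Duo 
        </method>
    </authMethods>
</MultiContextBroker>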