diff --git a/backend/src/main/resources/application.yml b/backend/src/main/resources/application.yml index 31e5eeb5a..bf1367934 100644 --- a/backend/src/main/resources/application.yml +++ b/backend/src/main/resources/application.yml @@ -162,16 +162,4 @@ custom: displayType: boolean helpText: tooltip.ignore-request-signatures attributeName: http://shibboleth.net/ns/profiles/ignoreRequestSignatures - attributeFriendlyName: ignoreRequestSignatures -# shibprops: -# - category: main # required -# configFile: random.properties # required -# defaultValue: foo -# description: whatever -# idpVersion: 4.1 # required -# module: some random module -# moduleVersion: 1 -# note: this is an example for the application.yml file -# propertyName: example.property.name # required -# propertyType: SELECTION_LIST # required as one of: BOOLEAN, DURATION, INTEGER, SELECTION_LIST, SPRING_BEAN_ID, STRING -# selectionItems: dddd,eeee # required if propertyType is SELECTION_LIST - comma seperated values \ No newline at end of file + attributeFriendlyName: ignoreRequestSignatures \ No newline at end of file diff --git a/backend/src/main/resources/i18n/messages.properties b/backend/src/main/resources/i18n/messages.properties index 92f1edb6f..ddfa6947f 100644 --- a/backend/src/main/resources/i18n/messages.properties +++ b/backend/src/main/resources/i18n/messages.properties @@ -70,6 +70,7 @@ action.source-group=Group action.enable=Enable action.disable=Disable action.get-latest=Get latest changes +action.download=Download action.add-new-role=Add new role action.roles=Roles @@ -78,6 +79,9 @@ action.select-bundle=Select Bundle action.get-latest=Get latest +action.configurations=Shibboleth configurations +action.create-new-configuration=Create Shibboleth configuration set + value.enabled=Enabled value.disabled=Disabled value.current=Current 
@@ -293,7 +297,7 @@ label.or=or label.name-and-upload-url=Name and Upload Url label.service-resolver-file=Select Provider Metadata File label.service-resolver-metadata-url=Service Provider Metadata URL -label.search-criteria-by=Search Criteria by { displayType } +label.search-criteria-by=The value used to search against, such as a regex pattern or entityID to match against. label.entity-ids-added=Entity Ids Added label.ui-mdui-info=User Interface / MDUI Information label.sp-sso-descriptor-info=SP SSO Descriptor Information @@ -531,6 +535,10 @@ label.role-name=Role Name label.role-description=Role Description label.role=Role +label.configuration-management=Manage Shibboleth configurations +label.configuration-name=Shibboleth configuration sets +label.new-configuration=Create new configuration set + message.delete-role-title=Delete Role? message.delete-role-body=You are requesting to delete a role. If you complete this process the role will be removed. This cannot be undone. Do you wish to continue? @@ -749,6 +757,7 @@ tooltip.role-description=A description of the purpose of the role. tooltip.contact-information=Add a contact to organization information. Contacts provide information about how to contact the organization responsible for standing up the entity. label.external-description=Description + tooltip.external-description=A brief description of the purpose of this filter. label.algorithm=Algorithm @@ -762,4 +771,4 @@ value.algorithm-cbc-256=CBC (256) - http://www.w3.org/2001/04/xmlenc#aes256-cbc value.algorithm-cbc-192=CBC (192) - http://www.w3.org/2001/04/xmlenc#aes192-cbc value.algorithm-cbc-128=CBC (128) - http://www.w3.org/2001/04/xmlenc#aes128-cbc value.algorithm-cbc-tripledes=CBC (TRIPLEDES) - http://www.w3.org/2001/04/xmlenc#tripledes-cbc -message.algorithms-unique=Each algorithm may only be used once. \ No newline at end of file +message.algorithms-unique=Each algorithm may only be used once. 
diff --git a/ui/package-lock.json b/ui/package-lock.json index 0cc5f3665..2083b22a0 100644 --- a/ui/package-lock.json +++ b/ui/package-lock.json @@ -25,7 +25,7 @@ "react-bootstrap": "^2.3.0", "react-bootstrap-typeahead": "^5.1.4", "react-dom": "^18.0.0", - "react-hook-form": "^7.30.0", + "react-hook-form": "^7.34.0", "react-infinite-scroll-component": "^6.1.0", "react-router": "^5.1.0", "react-router-dom": "^5.1.0", @@ -13536,9 +13536,9 @@ "dev": true }, "node_modules/react-hook-form": { - "version": "7.30.0", - "resolved": "https://registry.npmjs.org/react-hook-form/-/react-hook-form-7.30.0.tgz", - "integrity": "sha512-DzjiM6o2vtDGNMB9I4yCqW8J21P314SboNG1O0obROkbg7KVS0I7bMtwSdKyapnCPjHgnxc3L7E5PEdISeEUcQ==", + "version": "7.34.2", + "resolved": "https://registry.npmjs.org/react-hook-form/-/react-hook-form-7.34.2.tgz", + "integrity": "sha512-1lYWbEqr0GW7HHUjMScXMidGvV0BE2RJV3ap2BL7G0EJirkqpccTaawbsvBO8GZaB3JjCeFBEbnEWI1P8ZoLRQ==", "engines": { "node": ">=12.22.0" }, @@ -26712,9 +26712,9 @@ "dev": true }, "react-hook-form": { - "version": "7.30.0", - "resolved": "https://registry.npmjs.org/react-hook-form/-/react-hook-form-7.30.0.tgz", - "integrity": "sha512-DzjiM6o2vtDGNMB9I4yCqW8J21P314SboNG1O0obROkbg7KVS0I7bMtwSdKyapnCPjHgnxc3L7E5PEdISeEUcQ==", + "version": "7.34.2", + "resolved": "https://registry.npmjs.org/react-hook-form/-/react-hook-form-7.34.2.tgz", + "integrity": "sha512-1lYWbEqr0GW7HHUjMScXMidGvV0BE2RJV3ap2BL7G0EJirkqpccTaawbsvBO8GZaB3JjCeFBEbnEWI1P8ZoLRQ==", "requires": {} }, "react-infinite-scroll-component": { diff --git a/ui/package.json b/ui/package.json index 25cc8cd8a..b32a48b1d 100644 --- a/ui/package.json +++ b/ui/package.json @@ -21,7 +21,7 @@ "react-bootstrap": "^2.3.0", "react-bootstrap-typeahead": "^5.1.4", "react-dom": "^18.0.0", - "react-hook-form": "^7.30.0", + "react-hook-form": "^7.34.0", "react-infinite-scroll-component": "^6.1.0", "react-router": "^5.1.0", "react-router-dom": "^5.1.0", 
diff --git a/ui/public/assets/data/configuration.json b/ui/public/assets/data/configuration.json
new file mode 100644
index 000000000..82e86dd4d
--- /dev/null
+++ b/ui/public/assets/data/configuration.json
@@ -0,0 +1,29 @@
+{
+ "resourceId": 11,
+ "name": "setname1",
+ "properties": [
+ {
+ "resourceId":"577",
+ "category":"OPSubClaim",
+ "configFile":"oidc.properties",
+ "description":"The source attribute used in generating the sub claim",
+ "idpVersion":"4.1",
+ "module":"idp.oidc.OP",
+ "moduleVersion":"3",
+ "propertyName":"idp.oidc.subject.sourceAttribute",
+ "displayType":"string",
+ "propertyValue": "foo"
+ },
+ {
+ "resourceId": "393",
+ "category": "ReloadableServices",
+ "configFile": "services.properties",
+ "defaultValue": "false",
+ "description": "Fail at startup if MetadataConfiguration is invalid",
+ "idpVersion": "all",
+ "propertyName": "idp.service.metadata.failFast",
+ "displayType": "boolean",
+ "propertyValue": "true"
+ }
+ ]
+}
diff --git a/ui/public/assets/data/configurations.json b/ui/public/assets/data/configurations.json
new file mode 100644
index 000000000..82d601b1e
--- /dev/null
+++ b/ui/public/assets/data/configurations.json
@@ -0,0 +1,6 @@
+[
+ {
+ "resourceId": "foo",
+ "name": "Configuration 1"
+ }
+]
\ No newline at end of file
diff --git a/ui/public/assets/schema/configuration/configuration.json b/ui/public/assets/schema/configuration/configuration.json
new file mode 100644
index 000000000..6694bcf25
--- /dev/null
+++ b/ui/public/assets/schema/configuration/configuration.json
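Review bot: `resourceId` is a number at the top level (`"resourceId": 11,`) but a string inside each property (`"resourceId":"577",`), and the sibling configurations.json in this same commit uses `"resourceId": "foo"`; a consumer that compares ids with `===` or uses them as route parameters will treat 11 and "11" as different records. Use one representation throughout, e.g. `"resourceId": "11",` to match the property entries. These files live under `ui/public/assets/data/`, so they ship as static assets in a production build; if they are development fixtures only, that is worth stating in the file name or a README, since JSON cannot carry a comment. The first property entry also has no `defaultValue` while the second does — fine if the field is optional, but nothing in this commit says so.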
@@ -0,0 +1,37 @@
+{
+ "type": "object",
+ "properties": {
+ "properties": {
+ "title": "label.configuration-properties",
+ "description": "label.configuration-properties",
+ "type": "array",
+ "required": ["property", "value"],
+ "items": {
+ "type": "object",
+ "properties": {
+ "property": {
+ "title": "label.property-key",
+ "description": "tooltip.property-key",
+ "type": "string",
+ "minLength": 1,
+ "maxLength": 255
+ },
+ "description": {
+ "title": "label.property-descr",
+ "description": "tooltip.property-descr",
+ "type": "string",
+ "minLength": 1,
+ "maxLength": 255
+ },
+ "value": {
+ "title": "label.property-value",
+ "description": "tooltip.property-value",
+ "type": "string",
+ "minLength": 1,
+ "maxLength": 255
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/ui/public/data/properties.json b/ui/public/data/properties.json
new file mode 100644
index 000000000..dea2860f5
--- /dev/null
+++ b/ui/public/data/properties.json
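Review bot: `required` sits on the array schema (`"type": "array"`), where JSON Schema ignores it because `required` only constrains objects, so `property` and `value` are never actually mandatory; move it into the `items` object by adding `"required": ["property", "value"],` after `"type": "object",` inside `items` and dropping the array-level line. The item keys here (`property`, `value`) also differ from the mock data added in `ui/public/assets/data/configuration.json` (`propertyName`, `propertyValue`), so presumably one of the two is not the intended wire format and they should be aligned. The `title`/`description` values reference i18n keys (`label.configuration-properties`, `label.property-key`, `tooltip.property-key`, …) that the messages.properties hunks in this commit do not add; unless they exist elsewhere, the form will render the raw keys. If these entries are eventually written into IdP `.properties` files, a `pattern` on `property` and `value` that rejects newline and other control characters would stop a single entry from injecting additional properties — the consumer is not visible in this diff, so that is an inference to confirm.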
@@ -0,0 +1,7874 @@ +[ + { + "property_name": "idp.searchForProperties", + "property_type": "bool", + "property_default_value": true, + "config_category": "Core", + "config_file": "idp.properties", + "idp_vers": 4, + "module": "", + "module_vers": "", + "description": "Auto-load all files matching conf/**/*.properties", + "note": "" + }, + { + "property_name": "idp.additionalProperties", + "property_type": "Comma-delimited paths", + "property_default_value": "none", + "config_category": "Core", + "config_file": "idp.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Used to point to additional property files to load. All properties must be unique and are ultimately pooled into a single unordered set.", + "note": "ex. /conf/ldap.properties, /conf/services.properties" + }, + { + "property_name": "idp.entityID", + "property_type": "URI", + "property_default_value": "none", + "config_category": "RelyingPartyConfiguration", + "config_file": "idp.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "The unique name of the IdP used as the iisuer in all SAML profiles", + "note": "ex. 
https://unicon.net/idp/shibboleth" + }, + { + "property_name": "idp.entityID.metadataFile", + "property_type": "resource path", + "property_default_value": "%{idp.home}/metadata/idp-metadata.xml", + "config_category": "Core", + "config_file": "idp.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Identifies the file to serve for requests to the IdP's well-known metadata location", + "note": "" + }, + { + "property_name": "idp.artifact.enabled", + "property_type": "bool", + "property_default_value": true, + "config_category": "RelyingPartyConfiguration", + "config_file": "idp.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Whether to allow use of the SAML artifact bindings when sending messages", + "note": "" + }, + { + "property_name": "idp.artifact.secureChannel", + "property_type": "bool", + "property_default_value": true, + "config_category": "RelyingPartyConfiguration", + "config_file": "idp.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Whether preparation of messages to be communicated via SAML artifact should assume use of a secure channel (allowing signing and encryption to be skipped)", + "note": "" + }, + { + "property_name": "idp.artifact.endpointIndex", + "property_type": "int", + "property_default_value": 2, + "config_category": "RelyingPartyConfiguration", + "config_file": "idp.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Identifies the endpoint in SAML metadata associated with artifacts issued by a server node", + "note": "" + }, + { + "property_name": "idp.artifact.StorageService", + "property_type": "Bean ID of a StorageService (org.opensaml.storage)", + "property_default_value": "shibboleth.StorageService", + "config_category": "StorageConfiguration", + "config_file": "idp.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Storage back-end to use 
for short-lived SAML Artifact mappings (must be server-side)", + "note": "" + }, + { + "property_name": "idp.bindings.inMetadataOrder", + "property_type": "bool", + "property_default_value": true, + "config_category": "RelyingPartyConfiguration", + "config_file": "idp.properties", + "idp_vers": 4.1, + "module": "", + "module_vers": "", + "description": "Controls whether the outbound binding selection is ordered by the SP's metadata or the IdP's preferred bindings (the inbuilt default order is Redirect -> POST -> Artifact -> SOAP). Set to false to leave artifact support on, but favor use of POST. Set also to false to favor the front channel over back channel for Logout.", + "note": "" + }, + { + "property_name": "idp.entityID.metadataFile", + "property_type": "file pathname", + "property_default_value": "%{idp.home}/metadata/idp-metadata.xml", + "config_category": "Core", + "config_file": "idp.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Identifies the file to serve for requests to the IdP's well-known metadata location", + "note": "" + }, + { + "property_name": "idp.scope", + "property_type": "string", + "property_default_value": "none", + "config_category": "Core", + "config_file": "idp.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "applies a (fixed) scope typically a domain-valued suffix to an input attribute's values", + "note": "" + }, + { + "property_name": "idp.cookie.secure", + "property_type": "bool", + "property_default_value": false, + "config_category": "SecurityConfiguration", + "config_file": "idp.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "If true all cookies issued by the IdP (not including the container) will be limited to TLS", + "note": "" + }, + { + "property_name": "idp.cookie.httpOnly", + "property_type": "bool", + "property_default_value": true, + "config_category": "SecurityConfiguration", + "config_file": 
"idp.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "If true all cookies issued by the IdP (not including the container) will contain the HttpOnly property", + "note": "" + }, + { + "property_name": "idp.cookie.domain", + "property_type": "string", + "property_default_value": "none", + "config_category": "SecurityConfiguration", + "config_file": "idp.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Overrides the domain of any cookies issued by the IdP (not including the container)", + "note": "" + }, + { + "property_name": "idp.cookie.path", + "property_type": "string", + "property_default_value": "none", + "config_category": "SecurityConfiguration", + "config_file": "idp.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Overrides the path of any cookies issued by the IdP (not including the container)", + "note": "" + }, + { + "property_name": "idp.cookie.maxAge", + "property_type": "int", + "property_default_value": 31536000, + "config_category": "SecurityConfiguration", + "config_file": "idp.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Lifetime in seconds of cookies issued by the IdP that are meant to span sessions (365 days)", + "note": "" + }, + { + "property_name": "idp.cookie.sameSite", + "property_type": "Null/None/Lax/Strict", + "property_default_value": "None", + "config_category": "SecurityConfiguration", + "config_file": "idp.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Default SameSite value to apply to cookies via servlet filter if no explicit rule for the named cookie is specified", + "note": "" + }, + { + "property_name": "idp.cookie.sameSiteCondition", + "property_type": "Bean ID of Predicate", + "property_default_value": "shibboleth.Conditions.FALSE", + "config_category": "SecurityConfiguration", + "config_file": "idp.properties", + "idp_vers": 
"all", + "module": "", + "module_vers": "", + "description": "Predicate condition bean controlling whether SameSite filter runs", + "note": "" + }, + { + "property_name": "idp.sealer.keyStrategy", + "property_type": "Bean ID of DataSealerKeyStrategy", + "property_default_value": "shibboleth.DataSealerKeyStrategy", + "config_category": "SecurityConfiguration", + "config_file": "idp.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Bean ID supporting the DataSealerKeyStrategy interface to use in place of the built-in option.", + "note": "" + }, + { + "property_name": "idp.sealer.storeType", + "property_type": "string", + "property_default_value": "JCEKS", + "config_category": "SecurityConfiguration", + "config_file": "idp.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Type of Java keystore used for IdP's internal AES encryption key", + "note": "" + }, + { + "property_name": "idp.sealer.updateInterval", + "property_type": "duration", + "property_default_value": "PT15M", + "config_category": "SecurityConfiguration", + "config_file": "idp.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Time between checks for a new AES key version", + "note": "" + }, + { + "property_name": "idp.sealer.aliasBase", + "property_type": "string", + "property_default_value": "secret", + "config_category": "SecurityConfiguration", + "config_file": "idp.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Case insensitive name of keystore alias prefix used in AES keystore (the entries will be suffixed by the key version number)", + "note": "" + }, + { + "property_name": "idp.sealer.storeResource", + "property_type": "resource path", + "property_default_value": "none", + "config_category": "SecurityConfiguration", + "config_file": "idp.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Keystore resource 
containing AES encryption key usually a file path", + "note": "" + }, + { + "property_name": "idp.sealer.versionResource", + "property_type": "resource path", + "property_default_value": "none", + "config_category": "SecurityConfiguration", + "config_file": "idp.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Resource that tracks the active AES encryption key version usually a file path", + "note": "" + }, + { + "property_name": "idp.sealer.storePassword", + "property_type": "string", + "property_default_value": "none", + "config_category": "SecurityConfiguration", + "config_file": "idp.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Keystore password unlocking AES encryption keystore typically set during installation", + "note": "" + }, + { + "property_name": "idp.sealer.keyPassword", + "property_type": "string", + "property_default_value": "none", + "config_category": "SecurityConfiguration", + "config_file": "idp.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Key password unlocking AES encryption key typically set to the same as the previous property and set during installation", + "note": "" + }, + { + "property_name": "idp.signing.key", + "property_type": "resource path", + "property_default_value": "none", + "config_category": "SecurityConfiguration", + "config_file": "idp.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Resource containing private key for signing typically a file in the credentials directory", + "note": "" + }, + { + "property_name": "idp.signing.cert", + "property_type": "resource path", + "property_default_value": "none", + "config_category": "SecurityConfiguration", + "config_file": "idp.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Resource containing the public key certificate inserted into signed messages typically a file in the 
credentials directory", + "note": "" + }, + { + "property_name": "idp.encryption.key", + "property_type": "resource path", + "property_default_value": "none", + "config_category": "SecurityConfiguration", + "config_file": "idp.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Resource containing a private key for decryption typically a file in the credentials directory", + "note": "" + }, + { + "property_name": "idp.encryption.cert", + "property_type": "resource path", + "property_default_value": "none", + "config_category": "SecurityConfiguration", + "config_file": "idp.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Resource containing a public key certificate given to others needing to encrypt data for the IdP typically a file in the credentials directory", + "note": "" + }, + { + "property_name": "idp.encryption.key.2", + "property_type": "resource path", + "property_default_value": "none", + "config_category": "SecurityConfiguration", + "config_file": "idp.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Resource containing an alternate private key for decryption generally unused except while changing decryption keys", + "note": "" + }, + { + "property_name": "idp.encryption.cert.2", + "property_type": "resource path", + "property_default_value": "none", + "config_category": "SecurityConfiguration", + "config_file": "idp.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Resource containing an alternate public key certificate generally unused except while changing decryption keys", + "note": "" + }, + { + "property_name": "idp.security.config", + "property_type": "Bean ID of SecurityConfiguration (net.shibboleth.idp.profile.config.SecurityConfiguration)", + "property_default_value": "shibboleth.DefaultSecurityConfiguration", + "config_category": "SecurityConfiguration", + "config_file": "idp.properties", 
+ "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Name of Spring bean supplying the default SecurityConfiguration", + "note": "" + }, + { + "property_name": "idp.signing.config", + "property_type": "Bean ID of SignatureSigningConfiguration (org.opensaml.xmlsec)", + "property_default_value": "shibboleth.SigningConfiguration.SHA256", + "config_category": "SecurityConfiguration", + "config_file": "idp.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Name of Spring bean supplying the default SignatureSigningConfiguration", + "note": "" + }, + { + "property_name": "idp.encryption.config", + "property_type": "Bean ID of EncryptionConfiguration (org.opensaml.xmlsec)", + "property_default_value": "shibboleth.EncryptionConfiguration.CBC", + "config_category": "SecurityConfiguration", + "config_file": "idp.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Name of Spring bean supplying the default EncryptionConfiguration", + "note": "" + }, + { + "property_name": "idp.encryption.optional", + "property_type": "bool", + "property_default_value": false, + "config_category": "SecurityConfiguration", + "config_file": "idp.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "If true failure to locate an encryption key to use won't result in request failure", + "note": "" + }, + { + "property_name": "idp.encryption.keyagreement.metadata.defaultUseKeyWrap", + "property_type": "string", + "property_default_value": "Default", + "config_category": "SecurityConfiguration", + "config_file": "idp.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Sets the default strategy for key agreement key wrap usage for credentials from metadata if not otherwise configured on the security configuration", + "note": "" + }, + { + "property_name": "idp.trust.signatures", + "property_type": "Bean ID of SignatureTrustEngine 
(org.opensaml.xmlsec.signature.support)", + "property_default_value": "shibboleth.ChainingSignatureTrustEngine", + "config_category": "SecurityConfiguration", + "config_file": "idp.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Name of Spring bean for the trust engine used to verify signatures", + "note": "" + }, + { + "property_name": "idp.trust.certificates", + "property_type": "Bean ID of TrustEngine (org.opensaml.security.trust)", + "property_default_value": "shibboleth.ChainingX509TrustEngine", + "config_category": "SecurityConfiguration", + "config_file": "idp.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Name of Spring bean for the trust engine used to verify TLS certificates", + "note": "" + }, + { + "property_name": "idp.policy.messageLifetime", + "property_type": "duration", + "property_default_value": "PT3M", + "config_category": "SecurityConfiguration", + "config_file": "idp.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Default freshness window for accepting timestamped messages", + "note": "" + }, + { + "property_name": "idp.policy.assertionLifetime", + "property_type": "duration", + "property_default_value": "PT3M", + "config_category": "SecurityConfiguration", + "config_file": "idp.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Default freshness window for accepting timestamped assertions", + "note": "" + }, + { + "property_name": "idp.policy.clockSkew", + "property_type": "duration", + "property_default_value": "PT3M", + "config_category": "SecurityConfiguration", + "config_file": "idp.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Default allowance for clock differences between systems", + "note": "" + }, + { + "property_name": "idp.security.basicKeyInfoFactory", + "property_type": "Bean ID of KeyInfoGeneratorManager 
(org.opensaml.xmlsec.keyinfo.KeyInfoGeneratorManager)", + "property_default_value": "shibboleth.BasicKeyInfoGeneratorFactory", + "config_category": "SecurityConfiguration", + "config_file": "idp.properties", + "idp_vers": 4.1, + "module": "", + "module_vers": "", + "description": "Overrides the BasicKeyInfoGeneratorFactory used by default", + "note": "" + }, + { + "property_name": "idp.security.x509KeyInfoFactory", + "property_type": "Bean ID of KeyInfoGeneratorManager (org.opensaml.xmlsec.keyinfo.KeyInfoGeneratorManager)", + "property_default_value": "shibboleth.X509KeyInfoGeneratorFactory", + "config_category": "SecurityConfiguration", + "config_file": "idp.properties", + "idp_vers": 4.1, + "module": "", + "module_vers": "", + "description": "Overrides the X509KeyInfoGeneratorFactory used by default", + "note": "" + }, + { + "property_name": "idp.csrf.enabled", + "property_type": "bool", + "property_default_value": true, + "config_category": "CSRF", + "config_file": "idp.properties", + "idp_vers": 4, + "module": "", + "module_vers": "", + "description": "Enables CSRF protection", + "note": "" + }, + { + "property_name": "idp.csrf.token.parameter", + "property_type": "string", + "property_default_value": "csrf_token", + "config_category": "CSRF", + "config_file": "idp.properties", + "idp_vers": 4, + "module": "", + "module_vers": "", + "description": "Name of the HTTP parameter that stores the CSRF token", + "note": "" + }, + { + "property_name": "idp.hsts", + "property_type": "string", + "property_default_value": "max-age=0", + "config_category": "Core", + "config_file": "idp.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Auto-configures an HSTS response header", + "note": "" + }, + { + "property_name": "idp.frameoptions", + "property_type": "DENY/SAMEORIGIN", + "property_default_value": "DENY", + "config_category": "Core", + "config_file": "idp.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + 
"description": "Auto-configures an X-Frame-Options response header", + "note": "" + }, + { + "property_name": "idp.csp", + "property_type": "string", + "property_default_value": "frame-ancestors 'none'", + "config_category": "Core", + "config_file": "idp.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Auto-configures a Content Security Policy response header", + "note": "" + }, + { + "property_name": "idp.webflows", + "property_type": "resource path", + "property_default_value": "%{idp.home}/flows", + "config_category": "Core", + "config_file": "idp.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Location from which to load user-supplied webflows from", + "note": "" + }, + { + "property_name": "idp.views", + "property_type": "Comma-delimited paths", + "property_default_value": "%{idp.home}/views", + "config_category": "Core", + "config_file": "idp.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Location from which to load user-modifiable Velocity view templates. 
This can be set to include \"classpath*:/META-INF/net/shibboleth/idp/views\" (or equivalent) to load templates from the classpath, such as from extension jars, but doing so disables support for template reloading.", + "note": "" + }, + { + "property_name": "idp.errors.detailed", + "property_type": "bool", + "property_default_value": false, + "config_category": "ErrorHandlingConfiguration", + "config_file": "idp.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Whether to expose detailed error causes in status information provided to outside parties", + "note": "" + }, + { + "property_name": "idp.errors.signed", + "property_type": "bool", + "property_default_value": true, + "config_category": "ErrorHandlingConfiguration", + "config_file": "idp.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Whether to digitally sign error responses in SAML or similar protocols, if signing is otherwise warranted (this can prevent a simple denial of service vector, since errors are simple to trigger)", + "note": "" + }, + { + "property_name": "idp.errors.defaultView", + "property_type": "string", + "property_default_value": "error", + "config_category": "ErrorHandlingConfiguration", + "config_file": "idp.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "The default view name to render for exceptions and events", + "note": "" + }, + { + "property_name": "idp.errors.excludedExceptions", + "property_type": "Bean ID of Properties (java.util.Properties)", + "property_default_value": "none", + "config_category": "ErrorHandlingConfiguration", + "config_file": "idp.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Bean defing Properties mapping exception class names to error views. 
The matching by class name does not support wildcards, but does do substring matches (so it's not necessary to fully qualify the class).", + "note": "" + }, + { + "property_name": "idp.errors.exceptionMappings", + "property_type": "Bean ID of Collection (java.util)", + "property_default_value": "none", + "config_category": "ErrorHandlingConfiguration", + "config_file": "idp.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Bean defining Collection identifying exception classes to ignore (causing them to bubble outward, so use with caution)", + "note": "" + }, + { + "property_name": "idp.storage.cleanupInterval", + "property_type": "duration", + "property_default_value": "PT10M", + "config_category": "StorageConfiguration", + "config_file": "idp.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Interval of background thread sweeping server-side storage for expired records", + "note": "" + }, + { + "property_name": "idp.storage.htmlLocalStorage", + "property_type": "bool", + "property_default_value": false, + "config_category": "StorageConfiguration", + "config_file": "idp.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Whether to use HTML Local Storage (if available) instead of cookies", + "note": "" + }, + { + "property_name": "idp.storage.clientSessionStorageName", + "property_type": "string", + "property_default_value": "shib_idp_session_ss", + "config_category": "StorageConfiguration", + "config_file": "idp.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Name of cookie or HTML storage key used by the default per-session instance of the client storage service", + "note": "" + }, + { + "property_name": "idp.storage.clientPersistentStorageName", + "property_type": "string", + "property_default_value": "shib_idp_persistent_ss", + "config_category": "StorageConfiguration", + "config_file": "idp.properties", + 
"idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Name of cookie or HTML storage key used by the default persistent instance of the client storage service",
+ "note": ""
+ },
+ {
+ "property_name": "idp.replayCache.StorageService",
+ "property_type": "Bean ID of a StorageService (org.opensaml.storage)",
+ "property_default_value": "shibboleth.StorageService",
+ "config_category": "StorageConfiguration",
+ "config_file": "idp.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Storage back-end to use for message replay checking (must be server-side)",
+ "note": ""
+ },
+ {
+ "property_name": "idp.replayCache.strict",
+ "property_type": "bool",
+ "property_default_value": true,
+ "config_category": "StorageConfiguration",
+ "config_file": "idp.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Whether storage errors during replay checks should be treated as a replay",
+ "note": ""
+ },
+ {
+ "property_name": "idp.session.enabled",
+ "property_type": "bool",
+ "property_default_value": true,
+ "config_category": "SessionConfiguration",
+ "config_file": "idp.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Whether to enable the IdP's session tracking feature",
+ "note": ""
+ },
+ {
+ "property_name": "idp.session.StorageService",
+ "property_type": "Bean ID of StorageService (org.opensaml.storage)",
+ "property_default_value": "shibboleth.ClientSessionStorageService",
+ "config_category": "SessionConfiguration",
+ "config_file": "idp.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Bean name of a storage implementation/configuration to use for IdP sessions",
+ "note": ""
+ },
+ {
+ "property_name": "idp.session.cookieName",
+ "property_type": "string",
+ "property_default_value": "shib_idp_session",
+ "config_category": "SessionConfiguration",
+ "config_file": "idp.properties",
+ "idp_vers": 
4.2,
+ "module": "",
+ "module_vers": "",
+ "description": "Name of cookie containing IdP session ID (note this is not the same as the cookie the Java container uses to track its own sessions)",
+ "note": ""
+ },
+ {
+ "property_name": "idp.session.idSize",
+ "property_type": "int",
+ "property_default_value": 32,
+ "config_category": "SessionConfiguration",
+ "config_file": "idp.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Number of characters in IdP session identifiers",
+ "note": ""
+ },
+ {
+ "property_name": "idp.session.consistentAddress",
+ "property_type": "bool",
+ "property_default_value": true,
+ "config_category": "SessionConfiguration",
+ "config_file": "idp.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Whether to bind IdP sessions to IP addresses",
+ "note": ""
+ },
+ {
+ "property_name": "idp.session.consistentAddressCondition",
+ "property_type": "BiPredicate",
+ "property_default_value": "Direct string comparison",
+ "config_category": "SessionConfiguration",
+ "config_file": "idp.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "A 2-argument predicate that compares a bound session's address to a client address",
+ "note": ""
+ },
+ {
+ "property_name": "idp.session.timeout",
+ "property_type": "duration",
+ "property_default_value": "PT60M",
+ "config_category": "SessionConfiguration",
+ "config_file": "idp.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Inactivity timeout policy for IdP sessions (must be non-zero)",
+ "note": ""
+ },
+ {
+ "property_name": "idp.session.slop",
+ "property_type": "duration",
+ "property_default_value": 0,
+ "config_category": "SessionConfiguration",
+ "config_file": "idp.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Extra time after expiration before removing SP sessions in case a logout is invoked",
+ 
"note": ""
+ },
+ {
+ "property_name": "idp.session.maskStorageFailure",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "SessionConfiguration",
+ "config_file": "idp.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Whether to hide storage failures from users during session cache reads/writes",
+ "note": ""
+ },
+ {
+ "property_name": "idp.session.trackSPSessions",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "SessionConfiguration",
+ "config_file": "idp.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Whether to save a record of every SP accessed during an IdP session (requires a server-side session store or HTML LocalStorage)",
+ "note": ""
+ },
+ {
+ "property_name": "idp.session.secondaryServiceIndex",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "SessionConfiguration",
+ "config_file": "idp.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Whether to track SPs on the basis of the SAML subject ID used, for logout purposes (requires SP session tracking be on)",
+ "note": ""
+ },
+ {
+ "property_name": "idp.session.defaultSPlifetime",
+ "property_type": "duration",
+ "property_default_value": "PT2H",
+ "config_category": "SessionConfiguration",
+ "config_file": "idp.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Default length of time to maintain record of an SP session (must be non-zero), overridable by relying-party-specific setting",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.flows",
+ "property_type": "regex",
+ "property_default_value": "none",
+ "config_category": "AuthenticationConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Required expression that identifies the login flows to globally 
enable",
+ "note": "ex. Password, MA, DUO"
+ },
+ {
+ "property_name": "idp.authn.defaultLifetime",
+ "property_type": "duration",
+ "property_default_value": "PT60M",
+ "config_category": "AuthenticationConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Default amount of time to allow reuse prior authentication flows",
+ "note": "measured since first usage"
+ },
+ {
+ "property_name": "idp.authn.defaultTimeout",
+ "property_type": "duration",
+ "property_default_value": "PT30M",
+ "config_category": "AuthenticationConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Default inactivity timeout to prevent reuse of prior authentication flows",
+ "note": "measured since last usage"
+ },
+ {
+ "property_name": "idp.authn.proxyRestrictionsEnforced",
+ "property_type": "bool",
+ "property_default_value": true,
+ "config_category": "AuthenticationConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "Whether to enforce restrictions placed on further proxying of assertions from upstream IdPs when relying on proxied authentication",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.favorSSO",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "AuthenticationConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Whether to prioritize prior authentication results when an SP requests more than one possible matching method",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.rpui",
+ "property_type": "bool",
+ "property_default_value": true,
+ "config_category": "AuthenticationConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Whether to 
populate information about the relying party into the tree for user interfaces during login and interceptors",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.identitySwitchIsError",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "AuthenticationConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Whether to fail requests if a user identity after authentication doesn't match the identity in a pre-existing session.",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.discoveryURL",
+ "property_type": "string",
+ "property_default_value": "none",
+ "config_category": "AuthenticationConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "Provides a static discovery URL to use for external discovery this property replaces the need for the XML-defined bean used in V4.0 for this purpose",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.overrideRequestedAuthnContext",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "AuthenticationConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4,
+ "module": "",
+ "module_vers": "",
+ "description": "Whether to override an explicit element in an SP’s request with a configuration-imposed rule via the defaultAuthenticationMethods profile configuration setting. 
Note this is a violation of the SAML standard and is also a global setting applying to all SPs that may have such a profile configuration set.",
+ "note": ""
+ },
+ {
+ "property_name": "idp.consent.StorageService",
+ "property_type": "Bean ID",
+ "property_default_value": "shibboleth.ClientPersistentStorageService",
+ "config_category": "ConsentConfiguration",
+ "config_file": "idp.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Name of storage service used to store users' consent choices",
+ "note": ""
+ },
+ {
+ "property_name": "idp.consent.attribute-release.userStorageKey",
+ "property_type": "Bean ID",
+ "property_default_value": "shibboleth.consent.PrincipalConsentStorageKey",
+ "config_category": "ConsentConfiguration",
+ "config_file": "idp.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Name of function used to return the String storage key representing a user defaults to the principal name",
+ "note": ""
+ },
+ {
+ "property_name": "idp.consent.attribute-release.userStorageKeyAttribute",
+ "property_type": "string",
+ "property_default_value": "uid",
+ "config_category": "ConsentConfiguration",
+ "config_file": "idp.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Attribute whose value is the storage key representing a user",
+ "note": ""
+ },
+ {
+ "property_name": "idp.consent.attribute-release.activationCondition",
+ "property_type": "Bean ID",
+ "property_default_value": "shibboleth.Conditions.TRUE",
+ "config_category": "ConsentConfiguration",
+ "config_file": "idp.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "Optional condition to apply to control activation of attribute-release flow along with system default behavior",
+ "note": ""
+ },
+ {
+ "property_name": "idp.consent.attribute-release.auditFormat",
+ "property_type": "logback",
+ "property_default_value": 
"%T|%SP|%e|%u|%CCI|%CCV|%CCA",
+ "config_category": "ConsentConfiguration",
+ "config_file": "idp.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Default consent auditing formats",
+ "note": ""
+ },
+ {
+ "property_name": "idp.consent.terms-of-use.userStorageKey",
+ "property_type": "Bean ID",
+ "property_default_value": "shibboleth.consent.PrincipalConsentStorageKey",
+ "config_category": "ConsentConfiguration",
+ "config_file": "idp.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Name of function used to return the String storage key representing a user defaults to the principal name",
+ "note": ""
+ },
+ {
+ "property_name": "idp.consent.terms-of-use.userStorageKeyAttribute",
+ "property_type": "string",
+ "property_default_value": "uid",
+ "config_category": "ConsentConfiguration",
+ "config_file": "idp.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Attribute whose value is the storage key representing a user",
+ "note": ""
+ },
+ {
+ "property_name": "idp.consent.terms-of-use.consentValueMessageCodeSuffix",
+ "property_type": "string",
+ "property_default_value": ".text",
+ "config_category": "ConsentConfiguration",
+ "config_file": "idp.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Suffix of message property used as value of consent storage records when idp.consent.compareValues is true",
+ "note": ""
+ },
+ {
+ "property_name": "idp.consent.terms-of-use.activationCondition",
+ "property_type": "Bean ID",
+ "property_default_value": "shibboleth.Conditions.TRUE",
+ "config_category": "ConsentConfiguration",
+ "config_file": "idp.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "Optional condition to apply to control activation of terms-of-use flow",
+ "note": ""
+ },
+ {
+ "property_name": "idp.consent.terms-of-use.auditFormat",
+ "property_type": "logback",
+ 
"property_default_value": "%T|%SP|%e|%u|%CCI|%CCV|%CCA",
+ "config_category": "ConsentConfiguration",
+ "config_file": "idp.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Default consent auditing formats",
+ "note": ""
+ },
+ {
+ "property_name": "idp.consent.allowDoNotRemember",
+ "property_type": "bool",
+ "property_default_value": true,
+ "config_category": "ConsentConfiguration",
+ "config_file": "idp.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Whether not remembering/storing consent is allowed",
+ "note": ""
+ },
+ {
+ "property_name": "idp.consent.allowGlobal",
+ "property_type": "bool",
+ "property_default_value": true,
+ "config_category": "ConsentConfiguration",
+ "config_file": "idp.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Whether consent to any attribute and to any relying party is allowed",
+ "note": ""
+ },
+ {
+ "property_name": "idp.consent.allowPerAttribute",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "ConsentConfiguration",
+ "config_file": "idp.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Whether per-attribute consent is allowed",
+ "note": ""
+ },
+ {
+ "property_name": "idp.consent.compareValues",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "ConsentConfiguration",
+ "config_file": "idp.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Whether attribute values and terms of use text are stored and compared for equality",
+ "note": ""
+ },
+ {
+ "property_name": "idp.consent.maxStoredRecords",
+ "property_type": "int",
+ "property_default_value": 10,
+ "config_category": "ConsentConfiguration",
+ "config_file": "idp.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Maximum number of records stored when using 
space-limited storage (e.g. cookies), 0 = no limit",
+ "note": ""
+ },
+ {
+ "property_name": "idp.consent.expandedMaxStoredRecords",
+ "property_type": "int",
+ "property_default_value": 0,
+ "config_category": "ConsentConfiguration",
+ "config_file": "idp.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Maximum number of records stored when using larger/server-side storage, 0 = no limit",
+ "note": ""
+ },
+ {
+ "property_name": "idp.consent.storageRecordLifetime",
+ "property_type": "duration",
+ "property_default_value": "(v4.0=P1Y,v4.1=infinite)",
+ "config_category": "ConsentConfiguration",
+ "config_file": "idp.properties",
+ "idp_vers": "4.x",
+ "module": "",
+ "module_vers": "",
+ "description": "Time in milliseconds to expire consent storage records",
+ "note": ""
+ },
+ {
+ "property_name": "idp.logout.elaboration",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "LogoutConfiguration",
+ "config_file": "idp.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Whether to search metadata for user interface information associated with every service involved in logout propagation",
+ "note": ""
+ },
+ {
+ "property_name": "idp.logout.authenticated",
+ "property_type": "bool",
+ "property_default_value": true,
+ "config_category": "LogoutConfiguration",
+ "config_file": "idp.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Whether to require signed logout messages in accordance with the SAML 2.0 standard",
+ "note": ""
+ },
+ {
+ "property_name": "idp.logout.promptUser",
+ "property_type": "Bean ID of Predicate",
+ "property_default_value": false,
+ "config_category": "LogoutConfiguration",
+ "config_file": "idp.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "If the bean returns true the user is given the option to actually cancel the IdP logout outright and prevent 
removal of the session",
+ "note": ""
+ },
+ {
+ "property_name": "idp.logout.preserveQuery",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "LogoutConfiguration",
+ "config_file": "idp.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "Processes arbitrary query parameters to the Simple Logout endpoint and stashes them in a ScratchContext for use by subsequent view logic",
+ "note": ""
+ },
+ {
+ "property_name": "idp.logout.assumeAsync",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "LogoutConfiguration",
+ "config_file": "idp.properties",
+ "idp_vers": 4.2,
+ "module": "",
+ "module_vers": "",
+ "description": "When true allows inbound SAML LogoutRequests to be processed even if the SP lacks metadata containing response endpoints",
+ "note": ""
+ },
+ {
+ "property_name": "idp.logout.propagationHidden",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "LogoutConfiguration",
+ "config_file": "idp.properties",
+ "idp_vers": 4.2,
+ "module": "",
+ "module_vers": "",
+ "description": "Applies the \"display:none\" style to the list of SPs and logout status reporting images so that logout status is not visibly reported to the user",
+ "note": ""
+ },
+ {
+ "property_name": "idp.soap.httpClient",
+ "property_type": "Bean ID of HttpClient to use for SOAP-based logout",
+ "property_default_value": "SOAPClient.HttpClient",
+ "config_category": "Core",
+ "config_file": "idp.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Allows the HttpClient used for SOAP communication to be overriden (applies to SAML logout via SOAP)",
+ "note": ""
+ },
+ {
+ "property_name": "idp.ui.fallbackLanguages",
+ "property_type": "Comma-delimited list",
+ "property_default_value": "none",
+ "config_category": "Core",
+ "config_file": "idp.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ 
"description": "languages to use if no match can be found with the browser-supported languages",
+ "note": "ex. en, fr, de"
+ },
+ {
+ "property_name": "idp.cas.StorageService",
+ "property_type": "Bean ID",
+ "property_default_value": "shibboleth.StorageService",
+ "config_category": "CasProtocolConfiguration",
+ "config_file": "idp.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Storage service used by CAS protocol for chained proxy-granting tickets and when using server-managed \"simple\" TicketService. MUST be server-side storage (e.g. in-memory, memcached, database)",
+ "note": ""
+ },
+ {
+ "property_name": "idp.cas.serviceRegistryClass",
+ "property_type": "?",
+ "property_default_value": "net.shibboleth.idp.cas.service.PatternServiceRegistry",
+ "config_category": "CasProtocolConfiguration",
+ "config_file": "idp.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "CAS service registry implementation class",
+ "note": ""
+ },
+ {
+ "property_name": "idp.cas.relyingPartyIdFromMetadata",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "CasProtocolConfiguration",
+ "config_file": "idp.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "If true CAS services provisioned with SAML metadata are identified via entityID",
+ "note": ""
+ },
+ {
+ "property_name": "idp.fticks.federation",
+ "property_type": "string",
+ "property_default_value": "none",
+ "config_category": "FTICKSLoggingConfiguration",
+ "config_file": "idp.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Enables F-TICKS output and specifies the value of the federation-identifier field",
+ "note": ""
+ },
+ {
+ "property_name": "idp.fticks.condition",
+ "property_type": "Bean ID",
+ "property_default_value": "none",
+ "config_category": "FTICKSLoggingConfiguration",
+ "config_file": "idp.properties",
+ "idp_vers": 
4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "Optional bean name of a Predicate to use to decide whether to run",
+ "note": ""
+ },
+ {
+ "property_name": "idp.fticks.algorithm",
+ "property_type": "string",
+ "property_default_value": "SHA-2",
+ "config_category": "FTICKSLoggingConfiguration",
+ "config_file": "idp.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Digest algorithm used to obscure usernames",
+ "note": ""
+ },
+ {
+ "property_name": "idp.fticks.salt",
+ "property_type": "string",
+ "property_default_value": "none",
+ "config_category": "FTICKSLoggingConfiguration",
+ "config_file": "idp.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "A salt to apply when digesting usernames (if not specified, the username will not be included)",
+ "note": ""
+ },
+ {
+ "property_name": "idp.fticks.loghost",
+ "property_type": "string",
+ "property_default_value": "localhost",
+ "config_category": "FTICKSLoggingConfiguration",
+ "config_file": "idp.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "The remote syslog host",
+ "note": ""
+ },
+ {
+ "property_name": "idp.fticks.logport",
+ "property_type": "int",
+ "property_default_value": 514,
+ "config_category": "FTICKSLoggingConfiguration",
+ "config_file": "idp.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "The remote syslog port",
+ "note": ""
+ },
+ {
+ "property_name": "idp.audit.shortenBindings",
+ "property_type": "bool",
+ "property_default_value": true,
+ "config_category": "AuditLoggingConfiguration",
+ "config_file": "services.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Set false if you want SAML bindings \"spelled out\" in audit log",
+ "note": ""
+ },
+ {
+ "property_name": "idp.velocity.runtime.strictmode",
+ "property_type": "bool",
+ "property_default_value": false,
+ 
"config_category": "Core",
+ "config_file": "idp.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Set to true to fail on velocity syntax errors",
+ "note": ""
+ },
+ {
+ "property_name": "idp.intercept.External.externalPath",
+ "property_type": "path",
+ "property_default_value": "contextRelative:intercept.jsp",
+ "config_category": "Core",
+ "config_file": "idp.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Path to use with External interceptor flow",
+ "note": ""
+ },
+ {
+ "property_name": "idp.impersonate.generalPolicy",
+ "property_type": "Policy ID",
+ "property_default_value": "GeneralImpersonationPolicy",
+ "config_category": "Core",
+ "config_file": "idp.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Policies to use with Impersonate interceptor flow",
+ "note": ""
+ },
+ {
+ "property_name": "idp.impersonate.specificPolicy",
+ "property_type": "Policy ID",
+ "property_default_value": "SpecificImpersonationPolicy",
+ "config_category": "Core",
+ "config_file": "idp.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Policies to use with Impersonate interceptor flow",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.LDAP.authenticator",
+ "property_type": "string",
+ "property_default_value": "anonSearchAuthenticator",
+ "config_category": "LDAPAuthnConfiguration",
+ "config_file": "v4: ldap.properties , V4.1: authn/authn.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Controls the workflow for how authentication occurs against LDAP: one of anonSearchAuthenticator, bindSearchAuthenticator, directAuthenticator, adAuthenticator",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.LDAP.ldapURL",
+ "property_type": "LDAP URI",
+ "property_default_value": "none",
+ "config_category": "LDAPAuthnConfiguration",
+ "config_file": "v4: ldap.properties , V4.1: 
authn/authn.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Connection URI for LDAP directory",
+ "note": "ex. ldap://localhost or ldaps://localhost"
+ },
+ {
+ "property_name": "idp.authn.LDAP.useStartTLS",
+ "property_type": "bool",
+ "property_default_value": true,
+ "config_category": "LDAPAuthnConfiguration",
+ "config_file": "v4: ldap.properties , V4.1: authn/authn.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Whether StartTLS should be used after connecting with LDAP alone.",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.LDAP.connectTimeout",
+ "property_type": "duration",
+ "property_default_value": "PT3S",
+ "config_category": "LDAPAuthnConfiguration",
+ "config_file": "v4: ldap.properties , V4.1: authn/authn.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Time to wait for the TCP connection to occur.",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.LDAP.responseTimeout",
+ "property_type": "duration",
+ "property_default_value": "PT3S",
+ "config_category": "LDAPAuthnConfiguration",
+ "config_file": "v4: ldap.properties , V4.1: authn/authn.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Time to wait for an LDAP response message",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.LDAP.connectionStrategy",
+ "property_type": "string",
+ "property_default_value": "ACTIVE_PASSIVE",
+ "config_category": "LDAPAuthnConfiguration",
+ "config_file": "v4: ldap.properties , V4.1: authn/authn.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Connection strategy to use when multiple URLs are supplied: one of ACTIVE_PASSIVE, ROUND_ROBIN, RANDOM",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.LDAP.sslConfig",
+ "property_type": "string",
+ "property_default_value": "certificateTrust",
+ "config_category": "LDAPAuthnConfiguration",
+ "config_file": 
"v4: ldap.properties , V4.1: authn/authn.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "How to establish trust in the server's TLS certificate: one of jvmTrust, certificateTrust, or keyStoreTrust",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.LDAP.trustCertificates",
+ "property_type": "resource path",
+ "property_default_value": "none",
+ "config_category": "LDAPAuthnConfiguration",
+ "config_file": "v4: ldap.properties , V4.1: authn/authn.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "A resource to load trust anchors from when using sslConfig = certificateTrust",
+ "note": "ex. %{idp.home}/credentials/ldap-server.crt"
+ },
+ {
+ "property_name": "idp.authn.LDAP.trustStore",
+ "property_type": "resource path",
+ "property_default_value": "none",
+ "config_category": "LDAPAuthnConfiguration",
+ "config_file": "v4: ldap.properties , V4.1: authn/authn.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "A resource to load a Java keystore containing trust anchors when using sslConfig = keyStoreTrust",
+ "note": "ex. 
%{idp.home}/credentials/ldap-server.truststore"
+ },
+ {
+ "property_name": "idp.authn.LDAP.returnAttributes",
+ "property_type": "comma-seperated strings",
+ "property_default_value": "none",
+ "config_category": "LDAPAuthnConfiguration",
+ "config_file": "v4: ldap.properties , V4.1: authn/authn.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "List of attributes to request during authentication",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.LDAP.baseDN",
+ "property_type": "string",
+ "property_default_value": "none",
+ "config_category": "LDAPAuthnConfiguration",
+ "config_file": "v4: ldap.properties , V4.1: authn/authn.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Base DN to search against when using an LDAP.authenticator of anonSearchAuthenticator or bindSearchAuthenticator",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.LDAP.subtreeSearch",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "LDAPAuthnConfiguration",
+ "config_file": "v4: ldap.properties , V4.1: authn/authn.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Whether to search recursively when using an LDAP.authenticator of anonSearchAuthenticator or bindSearchAuthenticator",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.LDAP.userFilter",
+ "property_type": "string",
+ "property_default_value": "none",
+ "config_category": "LDAPAuthnConfiguration",
+ "config_file": "v4: ldap.properties , V4.1: authn/authn.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "LDAP search filter when using an LDAP.authenticator of anonSearchAuthenticator or bindSearchAuthenticator",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.LDAP.bindDN",
+ "property_type": "string",
+ "property_default_value": "none",
+ "config_category": "LDAPAuthnConfiguration",
+ "config_file": "v4: ldap.properties , V4.1: 
authn/authn.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "DN to bind with during search when using an LDAP.authenticator = bindSearchAuthenticator",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.LDAP.bindDNCredential",
+ "property_type": "string",
+ "property_default_value": "none",
+ "config_category": "LDAPAuthnConfiguration",
+ "config_file": "v4: ldap.properties , V4.1: authn/authn.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Password to bind with during search when using an LDAP.authenticator = bindSearchAuthenticator usually set via %{idp.home}/credentials/secrets.properties",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.LDAP.dnFormat",
+ "property_type": "string",
+ "property_default_value": "none",
+ "config_category": "LDAPAuthnConfiguration",
+ "config_file": "v4: ldap.properties , V4.1: authn/authn.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "A formatting string to generate the user DNs to authenticate when using an LDAP.authenticator of directAuthenticator or adAuthenticator",
+ "note": "ex. 
uid=%s,ou=people,dc=example,dc=org or for AD %s@domain.com"
+ },
+ {
+ "property_name": "idp.authn.LDAP.resolveEntryOnFailure",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "LDAPAuthnConfiguration",
+ "config_file": "v4: ldap.properties , V4.1: authn/authn.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Whether the user's LDAP entry should be returned in the authentication response even when the user bind fails.",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.LDAP.resolveEntryWithBindDN",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "LDAPAuthnConfiguration",
+ "config_file": "v4: ldap.properties , V4.1: authn/authn.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Whether the user's LDAP entry should be resolved with the bindDN credentials rather than as the authenticated user.",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.LDAP.usePasswordPolicy",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "LDAPAuthnConfiguration",
+ "config_file": "v4: ldap.properties , V4.1: authn/authn.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Whether to use the Password Policy Control.",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.LDAP.usePasswordExpiration",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "LDAPAuthnConfiguration",
+ "config_file": "v4: ldap.properties , V4.1: authn/authn.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Whether to use the Password Expired Control.",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.LDAP.activeDirectory",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "LDAPAuthnConfiguration",
+ "config_file": "v4: ldap.properties , V4.1: authn/authn.properties",
+ "idp_vers": "all",
+ 
"module": "",
+ "module_vers": "",
+ "description": "If you are using Active Directory this switch will attempt to use the account states defined by AD. Note that this flag is unnecessary if you are using the 'adAuthenticator'. It is meant to be specified with one of the other authenticator types.",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.LDAP.freeIPADirectory",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "LDAPAuthnConfiguration",
+ "config_file": "v4: ldap.properties , V4.1: authn/authn.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "If you are using the FreeIPA LDAP this switch will attempt to use the account states defined by that product.",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.LDAP.eDirectory",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "LDAPAuthnConfiguration",
+ "config_file": "v4: ldap.properties , V4.1: authn/authn.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "If you are using the EDirectory LDAP this switch will attempt to use the account states defined by that product.",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.LDAP.disablePooling",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "LDAPAuthnConfiguration",
+ "config_file": "v4: ldap.properties , V4.1: authn/authn.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Whether connection pools should be used for LDAP authentication and DN resolution",
+ "note": ""
+ },
+ {
+ "property_name": "idp.pool.LDAP.minSize",
+ "property_type": "int",
+ "property_default_value": 3,
+ "config_category": "LDAPAuthnConfiguration",
+ "config_file": "v4: ldap.properties , V4.1: authn/authn.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Minimum LDAP connection pool size",
+ "note": ""
+ },
+ {
+ "property_name": 
"idp.pool.LDAP.maxSize",
+ "property_type": "int",
+ "property_default_value": 10,
+ "config_category": "LDAPAuthnConfiguration",
+ "config_file": "v4: ldap.properties , V4.1: authn/authn.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Maximum LDAP connection pool size",
+ "note": ""
+ },
+ {
+ "property_name": "idp.pool.LDAP.validateOnCheckout",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "LDAPAuthnConfiguration",
+ "config_file": "v4: ldap.properties , V4.1: authn/authn.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Whether to validate connections when checking them out of the pool",
+ "note": ""
+ },
+ {
+ "property_name": "idp.pool.LDAP.validatePeriodically",
+ "property_type": "bool",
+ "property_default_value": true,
+ "config_category": "LDAPAuthnConfiguration",
+ "config_file": "v4: ldap.properties , V4.1: authn/authn.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Whether to validate connections in the background",
+ "note": ""
+ },
+ {
+ "property_name": "idp.pool.LDAP.validatePeriod",
+ "property_type": "duration",
+ "property_default_value": "PT5M",
+ "config_category": "LDAPAuthnConfiguration",
+ "config_file": "v4: ldap.properties , V4.1: authn/authn.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Duration between validation if idp.pool.LDAP.validatePeriodically is true",
+ "note": ""
+ },
+ {
+ "property_name": "idp.pool.LDAP.validateDN",
+ "property_type": "string",
+ "property_default_value": "none",
+ "config_category": "LDAPAuthnConfiguration",
+ "config_file": "v4: ldap.properties , V4.1: authn/authn.properties",
+ "idp_vers": "4.0.1",
+ "module": "",
+ "module_vers": "",
+ "description": "DN to search with the validateFilter: defaults to the rootDSE",
+ "note": ""
+ },
+ {
+ "property_name": "idp.pool.LDAP.validateFilter",
+ "property_type": 
"string",
+ "property_default_value": "(objectClass=*)",
+ "config_category": "LDAPAuthnConfiguration",
+ "config_file": "v4: ldap.properties , V4.1: authn/authn.properties",
+ "idp_vers": "4.0.1",
+ "module": "",
+ "module_vers": "",
+ "description": "Search filter to execute in order to validate a pooled connection",
+ "note": ""
+ },
+ {
+ "property_name": "idp.pool.LDAP.prunePeriod",
+ "property_type": "duration",
+ "property_default_value": "PT5M",
+ "config_category": "LDAPAuthnConfiguration",
+ "config_file": "v4: ldap.properties , V4.1: authn/authn.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Duration between looking for idle connections to reduce the pool back to its minimum size",
+ "note": ""
+ },
+ {
+ "property_name": "idp.pool.LDAP.idleTime",
+ "property_type": "duration",
+ "property_default_value": "PT10M",
+ "config_category": "LDAPAuthnConfiguration",
+ "config_file": "v4: ldap.properties , V4.1: authn/authn.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Duration connections must be idle to be eligible for pruning",
+ "note": ""
+ },
+ {
+ "property_name": "idp.pool.LDAP.blockWaitTime",
+ "property_type": "duration",
+ "property_default_value": "PT3S",
+ "config_category": "LDAPAuthnConfiguration",
+ "config_file": "v4: ldap.properties , V4.1: authn/authn.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Duration to wait for a free connection in the pool",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.LDAP.bindPoolPassivator",
+ "property_type": "string",
+ "property_default_value": "none",
+ "config_category": "LDAPAuthnConfiguration",
+ "config_file": "v4: ldap.properties , V4.1: authn/authn.properties",
+ "idp_vers": "4.0.1",
+ "module": "",
+ "module_vers": "",
+ "description": "Controls how connections in the bind pool are passivated. 
Connections in the bind pool may be in an authenticated state that will not allow validation searches to succeed. This property controls how bind connections are placed back into the pool. If your directory requires searches to be performed by the idp.authn.LDAP.bindDN or anonymously, this property controls that behavior. one of: none, bind, anonymousBind.",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.JAAS.loginConfigNames",
+ "property_type": "string",
+ "property_default_value": "ShibUserPassAuth",
+ "config_category": "JAASAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "Comma-delimited set of JAAS application configuration names to use",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.JAAS.loginConfig",
+ "property_type": "resource path",
+ "property_default_value": "%{idp.home}/conf/authn/jaas.config",
+ "config_category": "JAASAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "Location of JAAS configuration file",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.Krb5.refreshConfig",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "KerberosAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "Whether to reload the underlying Kerberos configuration (generally in /etc/krb5.conf) on every login attempt",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.Krb5.preserveTicket",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "KerberosAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "Whether to preserve the resulting Kerberos TGT in the Java Subject's private credential set",
+ "note": ""
+ },
+ {
+ "property_name": 
"idp.authn.Krb5.servicePrincipal",
+ "property_type": "string",
+ "property_default_value": "none",
+ "config_category": "KerberosAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "Name of a service principal to use to verify the KDC supplying the TGT by requesting and verifying a service ticket issued for it",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.Krb5.keytab",
+ "property_type": "resource path",
+ "property_default_value": "none",
+ "config_category": "KerberosAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "Path to a keytab file containing keys belonging to the service principal defined in idp.authn.Krb5.servicePrincipal",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.External.externalAuthnPath",
+ "property_type": "string",
+ "property_default_value": "contextRelative:external.jsp",
+ "config_category": "ExternalAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.External",
+ "module_vers": "",
+ "description": "Spring Web Flow redirection expression for the protected resource",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.External.matchExpression",
+ "property_type": "regex",
+ "property_default_value": "none",
+ "config_category": "ExternalAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.External",
+ "module_vers": "",
+ "description": "Regular expression to match username against",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.External.order",
+ "property_type": "int",
+ "property_default_value": 1000,
+ "config_category": "ExternalAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.External",
+ "module_vers": "",
+ "description": "Flow priority relative to other enabled login flows (lower 
is \"higher\" in priority)",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.External.nonBrowserSupported",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "ExternalAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.External",
+ "module_vers": "",
+ "description": "Whether the flow should handle non-browser request profiles (e.g., ECP)",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.External.passiveAuthenticationSupported",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "ExternalAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.External",
+ "module_vers": "",
+ "description": "Whether the flow allows for passive authentication",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.External.forcedAuthenticationSupported",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "ExternalAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.External",
+ "module_vers": "",
+ "description": "Whether the flow supports forced authentication",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.External.proxyRestrictionsEnforced",
+ "property_type": "bool",
+ "property_default_value": "%{idp.authn.enforceProxyRestrictions:true}",
+ "config_category": "ExternalAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.External",
+ "module_vers": "",
+ "description": "Whether the flow enforces upstream IdP imposed restrictions on proxying",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.External.proxyScopingEnforced",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "ExternalAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.External",
+ "module_vers": "",
+ 
"description": "Whether the flow considers itself to be proxying and therefore enforces SP signaled restrictions on proxying",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.External.discoveryRequired",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "ExternalAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.External",
+ "module_vers": "",
+ "description": "Whether to invoke IdP discovery prior to running flow",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.External.lifetime",
+ "property_type": "duration",
+ "property_default_value": "%{idp.authn.defaultLifetime:PT1H}",
+ "config_category": "ExternalAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.External",
+ "module_vers": "",
+ "description": "Lifetime of results produced by this flow",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.External.inactivityTimeout",
+ "property_type": "duration",
+ "property_default_value": "%{idp.authn.defaultTimeout:PT30M}",
+ "config_category": "ExternalAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.External",
+ "module_vers": "",
+ "description": "Inactivity timeout of results produced by this flow",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.External.reuseCondition",
+ "property_type": "Bean ID",
+ "property_default_value": "shibboleth.Conditions.TRUE",
+ "config_category": "ExternalAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.External",
+ "module_vers": "",
+ "description": "Bean ID of Predicate controlling result reuse for SSO",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.External.activationCondition",
+ "property_type": "Bean ID",
+ "property_default_value": "shibboleth.Conditions.TRUE",
+ "config_category": "ExternalAuthnConfiguration",
+ "config_file": "authn/authn.properties", 
+ "idp_vers": 4.1,
+ "module": "idp.authn.External",
+ "module_vers": "",
+ "description": "Bean ID of Predicate determining whether flow is usable for request",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.External.subjectDecorator",
+ "property_type": "Bean ID",
+ "property_default_value": "none",
+ "config_category": "ExternalAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.External",
+ "module_vers": "",
+ "description": "Bean ID of BiConsumer for subject customization"
+ },
+ {
+ "property_name": "idp.authn.External.supportedPrincipals",
+ "property_type": "string",
+ "property_default_value": "saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport,saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password,saml1/urn:oasis:names:tc:SAML:1.0:am:password",
+ "config_category": "ExternalAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.External",
+ "module_vers": "",
+ "description": "Comma-delimited list of protocol-specific Principal strings associated with flow",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.External.addDefaultPrincipals",
+ "property_type": "bool",
+ "property_default_value": true,
+ "config_category": "ExternalAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.External",
+ "module_vers": "",
+ "description": "Whether to auto-attach the preceding set of Principal objects to each Subject produced by this flow",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.RemoteUser.externalAuthnPath",
+ "property_type": "string",
+ "property_default_value": "contextRelative:external.jsp",
+ "config_category": "RemoteUserAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.RemoteUser",
+ "module_vers": "",
+ "description": "Spring Web Flow redirection expression for the protected resource",
+ "note": ""
+ },
+ { 
+ "property_name": "idp.authn.RemoteUser.matchExpression",
+ "property_type": "regex",
+ "property_default_value": "none",
+ "config_category": "RemoteUserAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.RemoteUser",
+ "module_vers": "",
+ "description": "Regular expression to match username against",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.RemoteUser.order",
+ "property_type": "int",
+ "property_default_value": 1000,
+ "config_category": "RemoteUserAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.RemoteUser",
+ "module_vers": "",
+ "description": "Flow priority relative to other enabled login flows (lower is \"higher\" in priority)",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.RemoteUser.nonBrowserSupported",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "RemoteUserAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.RemoteUser",
+ "module_vers": "",
+ "description": "Whether the flow should handle non-browser request profiles (e.g., ECP)",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.RemoteUser.passiveAuthenticationSupported",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "RemoteUserAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.RemoteUser",
+ "module_vers": "",
+ "description": "Whether the flow allows for passive authentication",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.RemoteUser.forcedAuthenticationSupported",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "RemoteUserAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.RemoteUser",
+ "module_vers": "",
+ "description": "Whether the flow supports forced authentication",
+ "note": ""
+ },
+ { 
+ "property_name": "idp.authn.RemoteUser.proxyRestrictionsEnforced",
+ "property_type": "bool",
+ "property_default_value": "%{idp.authn.enforceProxyRestrictions:true}",
+ "config_category": "RemoteUserAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.RemoteUser",
+ "module_vers": "",
+ "description": "Whether the flow enforces upstream IdP imposed restrictions on proxying",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.RemoteUser.proxyScopingEnforced",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "RemoteUserAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.RemoteUser",
+ "module_vers": "",
+ "description": "Whether the flow considers itself to be proxying and therefore enforces SP signaled restrictions on proxying",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.RemoteUser.discoveryRequired",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "RemoteUserAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.RemoteUser",
+ "module_vers": "",
+ "description": "Whether to invoke IdP discovery prior to running flow",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.RemoteUser.lifetime",
+ "property_type": "duration",
+ "property_default_value": "%{idp.authn.defaultLifetime:PT1H}",
+ "config_category": "RemoteUserAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.RemoteUser",
+ "module_vers": "",
+ "description": "Lifetime of results produced by this flow",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.RemoteUser.inactivityTimeout",
+ "property_type": "duration",
+ "property_default_value": "%{idp.authn.defaultTimeout:PT30M}",
+ "config_category": "RemoteUserAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": 
"idp.authn.RemoteUser",
+ "module_vers": "",
+ "description": "Inactivity timeout of results produced by this flow",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.RemoteUser.reuseCondition",
+ "property_type": "Bean ID",
+ "property_default_value": "shibboleth.Conditions.TRUE",
+ "config_category": "RemoteUserAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.RemoteUser",
+ "module_vers": "",
+ "description": "Bean ID of Predicate controlling result reuse for SSO",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.RemoteUser.activationCondition",
+ "property_type": "Bean ID",
+ "property_default_value": "shibboleth.Conditions.TRUE",
+ "config_category": "RemoteUserAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.RemoteUser",
+ "module_vers": "",
+ "description": "Bean ID of Predicate determining whether flow is usable for request",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.RemoteUser.subjectDecorator",
+ "property_type": "Bean ID",
+ "property_default_value": "none",
+ "config_category": "RemoteUserAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.RemoteUser",
+ "module_vers": "",
+ "description": "Bean ID of BiConsumer for subject customization"
+ },
+ {
+ "property_name": "idp.authn.RemoteUser.supportedPrincipals",
+ "property_type": "string",
+ "property_default_value": "saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport,saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password,saml1/urn:oasis:names:tc:SAML:1.0:am:password",
+ "config_category": "RemoteUserAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.RemoteUser",
+ "module_vers": "",
+ "description": "Comma-delimited list of protocol-specific Principal strings associated with flow",
+ "note": ""
+ },
+ {
+ "property_name": 
"idp.authn.RemoteUser.addDefaultPrincipals",
+ "property_type": "bool",
+ "property_default_value": true,
+ "config_category": "RemoteUserAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.RemoteUser",
+ "module_vers": "",
+ "description": "Whether to auto-attach the preceding set of Principal objects to each Subject produced by this flow",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.RemoteUserInternal.checkRemoteUser",
+ "property_type": "bool",
+ "property_default_value": true,
+ "config_category": "RemoteUserInternalAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.RemoteUserInternal",
+ "module_vers": "",
+ "description": "Whether to check REMOTE_USER for a username",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.RemoteUserInternal.checkAttributes",
+ "property_type": "string",
+ "property_default_value": "none",
+ "config_category": "RemoteUserInternalAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.RemoteUserInternal",
+ "module_vers": "",
+ "description": "Comma-delimited lists of request attributes to check for a username",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.RemoteUserInternal.checkHeaders",
+ "property_type": "string",
+ "property_default_value": "none",
+ "config_category": "RemoteUserInternalAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.RemoteUserInternal",
+ "module_vers": "",
+ "description": "Comma-delimited list of request headers to check for a username",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.RemoteUserInternal.trim",
+ "property_type": "bool",
+ "property_default_value": true,
+ "config_category": "RemoteUserInternalAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.RemoteUserInternal",
+ "module_vers": "",
+ "description": 
"Whether to trim leading and trailing whitespace from the username before validating it",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.RemoteUserInternal.lowercase",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "RemoteUserInternalAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.RemoteUserInternal",
+ "module_vers": "",
+ "description": "Whether to lowercase the username before validating it",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.RemoteUserInternal.uppercase",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "RemoteUserInternalAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.RemoteUserInternal",
+ "module_vers": "",
+ "description": "Whether to uppercase the username before validating it",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.RemoteUserInternal.matchExpression",
+ "property_type": "regex",
+ "property_default_value": "none",
+ "config_category": "RemoteUserInternalAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.RemoteUserInternal",
+ "module_vers": "",
+ "description": "A regular expression that must match the username",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.RemoteUserInternal.allowedUsernames",
+ "property_type": "string",
+ "property_default_value": "none",
+ "config_category": "RemoteUserInternalAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.RemoteUserInternal",
+ "module_vers": "",
+ "description": "Comma-delimited list of usernames to accept while blocking all others",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.RemoteUserInternal.deniedUsernames",
+ "property_type": "string",
+ "property_default_value": "none",
+ "config_category": "RemoteUserInternalAuthnConfiguration",
+ "config_file": 
"authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.RemoteUserInternal",
+ "module_vers": "",
+ "description": "Comma-delimited list of usernames to deny while accepting all others",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.RemoteUserInternal.externalAuthnPath",
+ "property_type": "string",
+ "property_default_value": "contextRelative:external.jsp",
+ "config_category": "RemoteUserInternalAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.RemoteUserInternal",
+ "module_vers": "",
+ "description": "Spring Web Flow redirection expression for the protected resource",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.RemoteUserInternal.matchExpression",
+ "property_type": "regex",
+ "property_default_value": "none",
+ "config_category": "RemoteUserInternalAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.RemoteUserInternal",
+ "module_vers": "",
+ "description": "Regular expression to match username against",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.RemoteUserInternal.order",
+ "property_type": "int",
+ "property_default_value": 1000,
+ "config_category": "RemoteUserInternalAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.RemoteUserInternal",
+ "module_vers": "",
+ "description": "Flow priority relative to other enabled login flows (lower is \"higher\" in priority)",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.RemoteUserInternal.nonBrowserSupported",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "RemoteUserInternalAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.RemoteUserInternal",
+ "module_vers": "",
+ "description": "Whether the flow should handle non-browser request profiles (e.g., ECP)",
+ "note": ""
+ },
+ {
+ "property_name": 
"idp.authn.RemoteUserInternal.passiveAuthenticationSupported",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "RemoteUserInternalAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.RemoteUserInternal",
+ "module_vers": "",
+ "description": "Whether the flow allows for passive authentication",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.RemoteUserInternal.forcedAuthenticationSupported",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "RemoteUserInternalAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.RemoteUserInternal",
+ "module_vers": "",
+ "description": "Whether the flow supports forced authentication",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.RemoteUserInternal.proxyRestrictionsEnforced",
+ "property_type": "bool",
+ "property_default_value": "%{idp.authn.enforceProxyRestrictions:true}",
+ "config_category": "RemoteUserInternalAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.RemoteUserInternal",
+ "module_vers": "",
+ "description": "Whether the flow enforces upstream IdP imposed restrictions on proxying",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.RemoteUserInternal.proxyScopingEnforced",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "RemoteUserInternalAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.RemoteUserInternal",
+ "module_vers": "",
+ "description": "Whether the flow considers itself to be proxying and therefore enforces SP signaled restrictions on proxying",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.RemoteUserInternal.discoveryRequired",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "RemoteUserInternalAuthnConfiguration",
+ "config_file": 
"authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.RemoteUserInternal",
+ "module_vers": "",
+ "description": "Whether to invoke IdP discovery prior to running flow",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.RemoteUserInternal.lifetime",
+ "property_type": "duration",
+ "property_default_value": "%{idp.authn.defaultLifetime:PT1H}",
+ "config_category": "RemoteUserInternalAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.RemoteUserInternal",
+ "module_vers": "",
+ "description": "Lifetime of results produced by this flow",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.RemoteUserInternal.inactivityTimeout",
+ "property_type": "duration",
+ "property_default_value": "%{idp.authn.defaultTimeout:PT30M}",
+ "config_category": "RemoteUserInternalAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.RemoteUserInternal",
+ "module_vers": "",
+ "description": "Inactivity timeout of results produced by this flow",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.RemoteUserInternal.reuseCondition",
+ "property_type": "Bean ID",
+ "property_default_value": "shibboleth.Conditions.TRUE",
+ "config_category": "RemoteUserInternalAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.RemoteUserInternal",
+ "module_vers": "",
+ "description": "Bean ID of Predicate controlling result reuse for SSO",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.RemoteUserInternal.activationCondition",
+ "property_type": "Bean ID",
+ "property_default_value": "shibboleth.Conditions.TRUE",
+ "config_category": "RemoteUserInternalAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.RemoteUserInternal",
+ "module_vers": "",
+ "description": "Bean ID of Predicate determining whether flow is usable for request",
+ "note": ""
+ },
+ {
+ "property_name": 
"idp.authn.RemoteUserInternal.subjectDecorator",
+ "property_type": "Bean ID",
+ "property_default_value": "none",
+ "config_category": "RemoteUserInternalAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.RemoteUserInternal",
+ "module_vers": "",
+ "description": "Bean ID of BiConsumer for subject customization"
+ },
+ {
+ "property_name": "idp.authn.RemoteUserInternal.supportedPrincipals",
+ "property_type": "string",
+ "property_default_value": "saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport,saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password,saml1/urn:oasis:names:tc:SAML:1.0:am:password",
+ "config_category": "RemoteUserInternalAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.RemoteUserInternal",
+ "module_vers": "",
+ "description": "Comma-delimited list of protocol-specific Principal strings associated with flow",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.RemoteUserInternal.addDefaultPrincipals",
+ "property_type": "bool",
+ "property_default_value": true,
+ "config_category": "RemoteUserInternalAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.RemoteUserInternal",
+ "module_vers": "",
+ "description": "Whether to auto-attach the preceding set of Principal objects to each Subject produced by this flow",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.SPNEGO.externalAuthnPath",
+ "property_type": "URL path",
+ "property_default_value": "/Authn/SPNEGO",
+ "config_category": "SPNEGOAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.SPNEGO",
+ "module_vers": "",
+ "description": "Servlet-relative path to the SPNEGO external authentication implementation",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.SPNEGO.enforceRun",
+ "property_type": "bool",
+ "property_default_value": false,
+ 
"config_category": "SPNEGOAuthnConfiguration", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "idp.authn.SPNEGO", + "module_vers": "", + "description": "Whether to always try to run SPNEGO independent of the user's auto-login setting", + "note": "" + }, + { + "property_name": "idp.authn.SPNEGO.refreshKrbConfig", + "property_type": "bool", + "property_default_value": false, + "config_category": "SPNEGOAuthnConfiguration", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "idp.authn.SPNEGO", + "module_vers": "", + "description": "Whether to reload the underlying Kerberos configuration (generally in /etc/krb5.conf) on every login attempt", + "note": "" + }, + { + "property_name": "idp.authn.SPNEGO.matchExpression", + "property_type": "regex", + "property_default_value": "none", + "config_category": "SPNEGOAuthnConfiguration", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "idp.authn.SPNEGO", + "module_vers": "", + "description": "Regular expression to match username against", + "note": "" + }, + { + "property_name": "idp.authn.SPNEGO.cookieName", + "property_type": "string", + "property_default_value": "_idp_spnego_autologin", + "config_category": "SPNEGOAuthnConfiguration", + "config_file": "authn/authn.properties", + "idp_vers": 4.2, + "module": "idp.authn.SPNEGO", + "module_vers": "", + "description": "Name of cookie used to track auto-login state of client", + "note": "" + }, + { + "property_name": "idp.authn.SPNEGO.order", + "property_type": "int", + "property_default_value": 1000, + "config_category": "SPNEGOAuthnConfiguration", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "idp.authn.SPNEGO", + "module_vers": "", + "description": "Flow priority relative to other enabled login flows (lower is \"higher\" in priority)", + "note": "" + }, + { + "property_name": "idp.authn.SPNEGO.nonBrowserSupported", + "property_type": "bool", + "property_default_value": false, 
+ "config_category": "SPNEGOAuthnConfiguration", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "idp.authn.SPNEGO", + "module_vers": "", + "description": "Whether the flow should handle non-browser request profiles (e.g., ECP)", + "note": "" + }, + { + "property_name": "idp.authn.SPNEGO.passiveAuthenticationSupported", + "property_type": "bool", + "property_default_value": false, + "config_category": "SPNEGOAuthnConfiguration", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "idp.authn.SPNEGO", + "module_vers": "", + "description": "Whether the flow allows for passive authentication", + "note": "" + }, + { + "property_name": "idp.authn.SPNEGO.forcedAuthenticationSupported", + "property_type": "bool", + "property_default_value": false, + "config_category": "SPNEGOAuthnConfiguration", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "idp.authn.SPNEGO", + "module_vers": "", + "description": "Whether the flow supports forced authentication", + "note": "" + }, + { + "property_name": "idp.authn.SPNEGO.proxyRestrictionsEnforced", + "property_type": "bool", + "property_default_value": "%{idp.authn.enforceProxyRestrictions:true}", + "config_category": "SPNEGOAuthnConfiguration", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "idp.authn.SPNEGO", + "module_vers": "", + "description": "Whether the flow enforces upstream IdP imposed restrictions on proxying", + "note": "" + }, + { + "property_name": "idp.authn.SPNEGO.proxyScopingEnforced", + "property_type": "bool", + "property_default_value": false, + "config_category": "SPNEGOAuthnConfiguration", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "idp.authn.SPNEGO", + "module_vers": "", + "description": "Whether the flow considers itself to be proxying and therefore enforces SP signaled restrictions on proxying", + "note": "" + }, + { + "property_name": "idp.authn.SPNEGO.discoveryRequired", + 
"property_type": "bool", + "property_default_value": false, + "config_category": "SPNEGOAuthnConfiguration", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "idp.authn.SPNEGO", + "module_vers": "", + "description": "Whether to invoke IdP discovery prior to running flow", + "note": "" + }, + { + "property_name": "idp.authn.SPNEGO.lifetime", + "property_type": "duration", + "property_default_value": "%{idp.authn.defaultLifetime:PT1H}", + "config_category": "SPNEGOAuthnConfiguration", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "idp.authn.SPNEGO", + "module_vers": "", + "description": "Lifetime of results produced by this flow", + "note": "" + }, + { + "property_name": "idp.authn.SPNEGO.inactivityTimeout", + "property_type": "duration", + "property_default_value": "%{idp.authn.defaultTimeout:PT30M}", + "config_category": "SPNEGOAuthnConfiguration", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "idp.authn.SPNEGO", + "module_vers": "", + "description": "Inactivity timeout of results produced by this flow", + "note": "" + }, + { + "property_name": "idp.authn.SPNEGO.reuseCondition", + "property_type": "Bean ID", + "property_default_value": "shibboleth.Conditions.TRUE", + "config_category": "SPNEGOAuthnConfiguration", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "idp.authn.SPNEGO", + "module_vers": "", + "description": "Bean ID of Predicate controlling result reuse for SSO", + "note": "" + }, + { + "property_name": "idp.authn.SPNEGO.activationCondition", + "property_type": "Bean ID", + "property_default_value": "shibboleth.Conditions.TRUE", + "config_category": "SPNEGOAuthnConfiguration", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "idp.authn.SPNEGO", + "module_vers": "", + "description": "Bean ID of Predicate determining whether flow is usable for request", + "note": "" + }, + { + "property_name": 
"idp.authn.SPNEGO.subjectDecorator", + "property_type": "Bean ID", + "property_default_value": "none", + "config_category": "SPNEGOAuthnConfiguration", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "idp.authn.SPNEGO", + "module_vers": "", + "description": "Bean ID of BiConsumer for subject customization" + }, + { + "property_name": "idp.authn.SPNEGO.supportedPrincipals", + "property_type": "string", + "property_default_value": "saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos, saml1/urn:ietf:rfc:1510", + "config_category": "SPNEGOAuthnConfiguration", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "idp.authn.SPNEGO", + "module_vers": "", + "description": "Comma-delimited list of protocol-specific Principal strings associated with flow", + "note": "" + }, + { + "property_name": "idp.authn.SPNEGO.addDefaultPrincipals", + "property_type": "bool", + "property_default_value": true, + "config_category": "SPNEGOAuthnConfiguration", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "idp.authn.SPNEGO", + "module_vers": "", + "description": "Whether to auto-attach the preceding set of Principal objects to each Subject produced by this flow", + "note": "" + }, + { + "property_name": "idp.authn.X509.externalAuthnPath", + "property_type": "string", + "property_default_value": "contextRelative:x509-prompt.jsp", + "config_category": "X509AuthnConfiguration", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "idp.authn.X509", + "module_vers": "", + "description": "Spring Web Flow redirection expression for the protected resource", + "note": "" + }, + { + "property_name": "idp.authn.X509.order", + "property_type": "int", + "property_default_value": 1000, + "config_category": "X509AuthnConfiguration", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "idp.authn.X509", + "module_vers": "", + "description": "Flow priority relative to other enabled login 
flows (lower is \"higher\" in priority)", + "note": "" + }, + { + "property_name": "idp.authn.X509.nonBrowserSupported", + "property_type": "bool", + "property_default_value": false, + "config_category": "X509AuthnConfiguration", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "idp.authn.X509", + "module_vers": "", + "description": "Whether the flow should handle non-browser request profiles (e.g., ECP)", + "note": "" + }, + { + "property_name": "idp.authn.X509.passiveAuthenticationSupported", + "property_type": "bool", + "property_default_value": false, + "config_category": "X509AuthnConfiguration", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "idp.authn.X509", + "module_vers": "", + "description": "Whether the flow allows for passive authentication", + "note": "" + }, + { + "property_name": "idp.authn.X509.forcedAuthenticationSupported", + "property_type": "bool", + "property_default_value": false, + "config_category": "X509AuthnConfiguration", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "idp.authn.X509", + "module_vers": "", + "description": "Whether the flow supports forced authentication", + "note": "" + }, + { + "property_name": "idp.authn.X509.proxyRestrictionsEnforced", + "property_type": "bool", + "property_default_value": "%{idp.authn.enforceProxyRestrictions:true}", + "config_category": "X509AuthnConfiguration", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "idp.authn.X509", + "module_vers": "", + "description": "Whether the flow enforces upstream IdP imposed restrictions on proxying", + "note": "" + }, + { + "property_name": "idp.authn.X509.proxyScopingEnforced", + "property_type": "bool", + "property_default_value": false, + "config_category": "X509AuthnConfiguration", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "idp.authn.X509", + "module_vers": "", + "description": "Whether the flow considers itself to be 
proxying and therefore enforces SP signaled restrictions on proxying", + "note": "" + }, + { + "property_name": "idp.authn.X509.discoveryRequired", + "property_type": "bool", + "property_default_value": false, + "config_category": "X509AuthnConfiguration", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "idp.authn.X509", + "module_vers": "", + "description": "Whether to invoke IdP discovery prior to running flow", + "note": "" + }, + { + "property_name": "idp.authn.X509.lifetime", + "property_type": "duration", + "property_default_value": "%{idp.authn.defaultLifetime:PT1H}", + "config_category": "X509AuthnConfiguration", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "idp.authn.X509", + "module_vers": "", + "description": "Lifetime of results produced by this flow", + "note": "" + }, + { + "property_name": "idp.authn.X509.inactivityTimeout", + "property_type": "duration", + "property_default_value": "%{idp.authn.defaultTimeout:PT30M}", + "config_category": "X509AuthnConfiguration", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "idp.authn.X509", + "module_vers": "", + "description": "Inactivity timeout of results produced by this flow", + "note": "" + }, + { + "property_name": "idp.authn.X509.reuseCondition", + "property_type": "Bean ID", + "property_default_value": "shibboleth.Conditions.TRUE", + "config_category": "X509AuthnConfiguration", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "idp.authn.X509", + "module_vers": "", + "description": "Bean ID of Predicate controlling result reuse for SSO", + "note": "" + }, + { + "property_name": "idp.authn.X509.activationCondition", + "property_type": "Bean ID", + "property_default_value": "shibboleth.Conditions.TRUE", + "config_category": "X509AuthnConfiguration", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "idp.authn.X509", + "module_vers": "", + "description": "Bean ID of Predicate 
determining whether flow is usable for request", + "note": "" + }, + { + "property_name": "idp.authn.X509.subjectDecorator", + "property_type": "Bean ID", + "property_default_value": "none", + "config_category": "X509AuthnConfiguration", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "idp.authn.X509", + "module_vers": "", + "description": "Bean ID of BiConsumer for subject customization" + }, + { + "property_name": "idp.authn.X509.supportedPrincipals", + "property_type": "string", + "property_default_value": "saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:X509, saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient, saml1/urn:ietf:rfc:2246", + "config_category": "X509AuthnConfiguration", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "idp.authn.X509", + "module_vers": "", + "description": "Comma-delimited list of protocol-specific Principal strings associated with flow", + "note": "" + }, + { + "property_name": "idp.authn.X509.addDefaultPrincipals", + "property_type": "bool", + "property_default_value": true, + "config_category": "X509AuthnConfiguration", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "idp.authn.X509", + "module_vers": "", + "description": "Whether to auto-attach the preceding set of Principal objects to each Subject produced by this flow", + "note": "" + }, + { + "property_name": "idp.authn.X509Internal.saveCertificateToCredentialSet", + "property_type": "bool", + "property_default_value": true, + "config_category": "X509InternalAuthnConfiguration", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "", + "module_vers": "", + "description": "Whether to save the certificate into the Subject's public credential set. 
Disable to reduce the size if not relying on the certificate for subject c14n.", + "note": "" + }, + { + "property_name": "idp.authn.X509Internal.order", + "property_type": "int", + "property_default_value": 1000, + "config_category": "X509InternalAuthnConfiguration", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "", + "module_vers": "", + "description": "Flow priority relative to other enabled login flows (lower is \"higher\" in priority)", + "note": "" + }, + { + "property_name": "idp.authn.X509Internal.nonBrowserSupported", + "property_type": "bool", + "property_default_value": false, + "config_category": "X509InternalAuthnConfiguration", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "", + "module_vers": "", + "description": "Whether the flow should handle non-browser request profiles (e.g., ECP)", + "note": "" + }, + { + "property_name": "idp.authn.X509Internal.passiveAuthenticationSupported", + "property_type": "bool", + "property_default_value": false, + "config_category": "X509InternalAuthnConfiguration", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "", + "module_vers": "", + "description": "Whether the flow allows for passive authentication", + "note": "" + }, + { + "property_name": "idp.authn.X509Internal.forcedAuthenticationSupported", + "property_type": "bool", + "property_default_value": false, + "config_category": "X509InternalAuthnConfiguration", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "", + "module_vers": "", + "description": "Whether the flow supports forced authentication", + "note": "" + }, + { + "property_name": "idp.authn.X509Internal.proxyRestrictionsEnforced", + "property_type": "bool", + "property_default_value": "%{idp.authn.enforceProxyRestrictions:true}", + "config_category": "X509InternalAuthnConfiguration", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "", + "module_vers": "", + "description": 
"Whether the flow enforces upstream IdP imposed restrictions on proxying", + "note": "" + }, + { + "property_name": "idp.authn.X509Internal.proxyScopingEnforced", + "property_type": "bool", + "property_default_value": false, + "config_category": "X509InternalAuthnConfiguration", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "", + "module_vers": "", + "description": "Whether the flow considers itself to be proxying and therefore enforces SP signaled restrictions on proxying", + "note": "" + }, + { + "property_name": "idp.authn.X509Internal.discoveryRequired", + "property_type": "bool", + "property_default_value": false, + "config_category": "X509InternalAuthnConfiguration", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "", + "module_vers": "", + "description": "Whether to invoke IdP discovery prior to running flow", + "note": "" + }, + { + "property_name": "idp.authn.X509Internal.lifetime", + "property_type": "duration", + "property_default_value": "%{idp.authn.defaultLifetime:PT1H}", + "config_category": "X509InternalAuthnConfiguration", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "", + "module_vers": "", + "description": "Lifetime of results produced by this flow", + "note": "" + }, + { + "property_name": "idp.authn.X509Internal.inactivityTimeout", + "property_type": "duration", + "property_default_value": "%{idp.authn.defaultTimeout:PT30M}", + "config_category": "X509InternalAuthnConfiguration", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "", + "module_vers": "", + "description": "Inactivity timeout of results produced by this flow", + "note": "" + }, + { + "property_name": "idp.authn.X509Internal.reuseCondition", + "property_type": "Bean ID", + "property_default_value": "shibboleth.Conditions.TRUE", + "config_category": "X509InternalAuthnConfiguration", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "", + "module_vers": 
"", + "description": "Bean ID of Predicate controlling result reuse for SSO", + "note": "" + }, + { + "property_name": "idp.authn.X509Internal.activationCondition", + "property_type": "Bean ID", + "property_default_value": "shibboleth.Conditions.TRUE", + "config_category": "X509InternalAuthnConfiguration", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "", + "module_vers": "", + "description": "Bean ID of Predicate determining whether flow is usable for request", + "note": "" + }, + { + "property_name": "idp.authn.X509Internal.subjectDecorator", + "property_type": "Bean ID", + "property_default_value": "none", + "config_category": "X509InternalAuthnConfiguration", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "", + "module_vers": "", + "description": "Bean ID of BiConsumer for subject customization" + }, + { + "property_name": "idp.authn.X509Internal.supportedPrincipals", + "property_type": "string", + "property_default_value": "saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:X509, saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient, saml1/urn:ietf:rfc:2246", + "config_category": "X509InternalAuthnConfiguration", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "", + "module_vers": "", + "description": "Comma-delimited list of protocol-specific Principal strings associated with flow", + "note": "" + }, + { + "property_name": "idp.authn.X509Internal.addDefaultPrincipals", + "property_type": "bool", + "property_default_value": true, + "config_category": "X509InternalAuthnConfiguration", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "", + "module_vers": "", + "description": "Whether to auto-attach the preceding set of Principal objects to each Subject produced by this flow", + "note": "" + }, + { + "property_name": "idp.authn.IPAddress.order", + "property_type": "int", + "property_default_value": 1000, + "config_category": "IPAddressAuthnConfiguration", + 
"config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "idp.authn.IPAddress", + "module_vers": "", + "description": "Flow priority relative to other enabled login flows (lower is \"higher\" in priority)", + "note": "" + }, + { + "property_name": "idp.authn.IPAddress.nonBrowserSupported", + "property_type": "bool", + "property_default_value": false, + "config_category": "IPAddressAuthnConfiguration", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "idp.authn.IPAddress", + "module_vers": "", + "description": "Whether the flow should handle non-browser request profiles (e.g., ECP)", + "note": "" + }, + { + "property_name": "idp.authn.IPAddress.passiveAuthenticationSupported", + "property_type": "bool", + "property_default_value": false, + "config_category": "IPAddressAuthnConfiguration", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "idp.authn.IPAddress", + "module_vers": "", + "description": "Whether the flow allows for passive authentication", + "note": "" + }, + { + "property_name": "idp.authn.IPAddress.forcedAuthenticationSupported", + "property_type": "bool", + "property_default_value": false, + "config_category": "IPAddressAuthnConfiguration", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "idp.authn.IPAddress", + "module_vers": "", + "description": "Whether the flow supports forced authentication", + "note": "" + }, + { + "property_name": "idp.authn.IPAddress.proxyRestrictionsEnforced", + "property_type": "bool", + "property_default_value": "%{idp.authn.enforceProxyRestrictions:true}", + "config_category": "IPAddressAuthnConfiguration", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "idp.authn.IPAddress", + "module_vers": "", + "description": "Whether the flow enforces upstream IdP imposed restrictions on proxying", + "note": "" + }, + { + "property_name": "idp.authn.IPAddress.proxyScopingEnforced", + "property_type": "bool", + 
"property_default_value": false, + "config_category": "IPAddressAuthnConfiguration", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "idp.authn.IPAddress", + "module_vers": "", + "description": "Whether the flow considers itself to be proxying and therefore enforces SP signaled restrictions on proxying", + "note": "" + }, + { + "property_name": "idp.authn.IPAddress.discoveryRequired", + "property_type": "bool", + "property_default_value": false, + "config_category": "IPAddressAuthnConfiguration", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "idp.authn.IPAddress", + "module_vers": "", + "description": "Whether to invoke IdP discovery prior to running flow", + "note": "" + }, + { + "property_name": "idp.authn.IPAddress.lifetime", + "property_type": "duration", + "property_default_value": "%{idp.authn.defaultLifetime:PT1H}", + "config_category": "IPAddressAuthnConfiguration", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "idp.authn.IPAddress", + "module_vers": "", + "description": "Lifetime of results produced by this flow", + "note": "" + }, + { + "property_name": "idp.authn.IPAddress.inactivityTimeout", + "property_type": "duration", + "property_default_value": "%{idp.authn.defaultTimeout:PT30M}", + "config_category": "IPAddressAuthnConfiguration", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "idp.authn.IPAddress", + "module_vers": "", + "description": "Inactivity timeout of results produced by this flow", + "note": "" + }, + { + "property_name": "idp.authn.IPAddress.reuseCondition", + "property_type": "Bean ID", + "property_default_value": "shibboleth.Conditions.TRUE", + "config_category": "IPAddressAuthnConfiguration", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "idp.authn.IPAddress", + "module_vers": "", + "description": "Bean ID of Predicate controlling result reuse for SSO", + "note": "" + }, + { + "property_name": 
"idp.authn.IPAddress.activationCondition", + "property_type": "Bean ID", + "property_default_value": "shibboleth.Conditions.TRUE", + "config_category": "IPAddressAuthnConfiguration", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "idp.authn.IPAddress", + "module_vers": "", + "description": "Bean ID of Predicate determining whether flow is usable for request", + "note": "" + }, + { + "property_name": "idp.authn.IPAddress.subjectDecorator", + "property_type": "Bean ID", + "property_default_value": "none", + "config_category": "IPAddressAuthnConfiguration", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "idp.authn.IPAddress", + "module_vers": "", + "description": "Bean ID of BiConsumer for subject customization" + }, + { + "property_name": "idp.authn.IPAddress.supportedPrincipals", + "property_type": "string", + "property_default_value": "saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol", + "config_category": "IPAddressAuthnConfiguration", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "idp.authn.IPAddress", + "module_vers": "", + "description": "Comma-delimited list of protocol-specific Principal strings associated with flow", + "note": "" + }, + { + "property_name": "idp.authn.IPAddress.addDefaultPrincipals", + "property_type": "bool", + "property_default_value": true, + "config_category": "IPAddressAuthnConfiguration", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "idp.authn.IPAddress", + "module_vers": "", + "description": "Whether to auto-attach the preceding set of Principal objects to each Subject produced by this flow", + "note": "" + }, + { + "property_name": "idp.authn.Function.order", + "property_type": "int", + "property_default_value": 1000, + "config_category": "FunctionAuthnConfiguration", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "idp.authn.Function", + "module_vers": "", + "description": "Flow 
priority relative to other enabled login flows (lower is \"higher\" in priority)", + "note": "" + }, + { + "property_name": "idp.authn.Function.nonBrowserSupported", + "property_type": "bool", + "property_default_value": false, + "config_category": "FunctionAuthnConfiguration", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "idp.authn.Function", + "module_vers": "", + "description": "Whether the flow should handle non-browser request profiles (e.g., ECP)", + "note": "" + }, + { + "property_name": "idp.authn.Function.passiveAuthenticationSupported", + "property_type": "bool", + "property_default_value": false, + "config_category": "FunctionAuthnConfiguration", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "idp.authn.Function", + "module_vers": "", + "description": "Whether the flow allows for passive authentication", + "note": "" + }, + { + "property_name": "idp.authn.Function.forcedAuthenticationSupported", + "property_type": "bool", + "property_default_value": false, + "config_category": "FunctionAuthnConfiguration", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "idp.authn.Function", + "module_vers": "", + "description": "Whether the flow supports forced authentication", + "note": "" + }, + { + "property_name": "idp.authn.Function.proxyRestrictionsEnforced", + "property_type": "bool", + "property_default_value": "%{idp.authn.enforceProxyRestrictions:true}", + "config_category": "FunctionAuthnConfiguration", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "idp.authn.Function", + "module_vers": "", + "description": "Whether the flow enforces upstream IdP imposed restrictions on proxying", + "note": "" + }, + { + "property_name": "idp.authn.Function.proxyScopingEnforced", + "property_type": "bool", + "property_default_value": false, + "config_category": "FunctionAuthnConfiguration", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": 
"idp.authn.Function", + "module_vers": "", + "description": "Whether the flow considers itself to be proxying and therefore enforces SP signaled restrictions on proxying", + "note": "" + }, + { + "property_name": "idp.authn.Function.discoveryRequired", + "property_type": "bool", + "property_default_value": false, + "config_category": "FunctionAuthnConfiguration", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "idp.authn.Function", + "module_vers": "", + "description": "Whether to invoke IdP discovery prior to running flow", + "note": "" + }, + { + "property_name": "idp.authn.Function.lifetime", + "property_type": "duration", + "property_default_value": "%{idp.authn.defaultLifetime:PT1H}", + "config_category": "FunctionAuthnConfiguration", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "idp.authn.Function", + "module_vers": "", + "description": "Lifetime of results produced by this flow", + "note": "" + }, + { + "property_name": "idp.authn.Function.inactivityTimeout", + "property_type": "duration", + "property_default_value": "%{idp.authn.defaultTimeout:PT30M}", + "config_category": "FunctionAuthnConfiguration", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "idp.authn.Function", + "module_vers": "", + "description": "Inactivity timeout of results produced by this flow", + "note": "" + }, + { + "property_name": "idp.authn.Function.reuseCondition", + "property_type": "Bean ID", + "property_default_value": "shibboleth.Conditions.TRUE", + "config_category": "FunctionAuthnConfiguration", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "idp.authn.Function", + "module_vers": "", + "description": "Bean ID of Predicate controlling result reuse for SSO", + "note": "" + }, + { + "property_name": "idp.authn.Function.activationCondition", + "property_type": "Bean ID", + "property_default_value": "shibboleth.Conditions.TRUE", + "config_category": 
"FunctionAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.Function",
+ "module_vers": "",
+ "description": "Bean ID of Predicate determining whether flow is usable for request",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.Function.subjectDecorator",
+ "property_type": "Bean ID",
+ "property_default_value": "none",
+ "config_category": "FunctionAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.Function",
+ "module_vers": "",
+ "description": "Bean ID of BiConsumer for subject customization"
+ },
+ {
+ "property_name": "idp.authn.Function.supportedPrincipals",
+ "property_type": "string",
+ "property_default_value": "saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport,saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password,saml1/urn:oasis:names:tc:SAML:1.0:am:password",
+ "config_category": "FunctionAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.Function",
+ "module_vers": "",
+ "description": "Comma-delimited list of protocol-specific Principal strings associated with flow",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.Function.addDefaultPrincipals",
+ "property_type": "bool",
+ "property_default_value": true,
+ "config_category": "FunctionAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.Function",
+ "module_vers": "",
+ "description": "Whether to auto-attach the preceding set of Principal objects to each Subject produced by this flow",
+ "note": ""
+ },
+ {
+ "property_name": "idp.duo.apiHost",
+ "property_type": "URL",
+ "property_default_value": "none",
+ "config_category": "DuoAuthnConfiguration",
+ "config_file": "authn/duo.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.Duo",
+ "module_vers": "",
+ "description": "DuoWeb API hostname assigned to the integration",
+ "note": "this sould be set in 
conf/authn/duo.properties due to the sensitivity of the secret key"
+ },
+ {
+ "property_name": "idp.duo.applicationKey",
+ "property_type": "string",
+ "property_default_value": "none",
+ "config_category": "DuoAuthnConfiguration",
+ "config_file": "authn/duo.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.Duo",
+ "module_vers": "",
+ "description": "A secret supplied by you and not shared with Duo; see https://duo.com/docs/duoweb-v2, \"Generate an akey\".",
+ "note": "this sould be set in conf/authn/duo.properties due to the sensitivity of the secret key"
+ },
+ {
+ "property_name": "idp.duo.integrationKey",
+ "property_type": "string",
+ "property_default_value": "none",
+ "config_category": "DuoAuthnConfiguration",
+ "config_file": "authn/duo.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.Duo",
+ "module_vers": "",
+ "description": "DuoWeb integration key (supplied by Duo as Client ID)",
+ "note": "this sould be set in conf/authn/duo.properties due to the sensitivity of the secret key"
+ },
+ {
+ "property_name": "idp.duo.secretKey",
+ "property_type": "string",
+ "property_default_value": "none",
+ "config_category": "DuoAuthnConfiguration",
+ "config_file": "authn/duo.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.Duo",
+ "module_vers": "",
+ "description": "DuoWeb secret key (supplied by Duo as Client secret)",
+ "note": "this sould be set in conf/authn/duo.properties due to the sensitivity of the secret key"
+ },
+ {
+ "property_name": "idp.duo.nonbrowser.apiHost",
+ "property_type": "URL",
+ "property_default_value": "${idp.duo.apiHost}",
+ "config_category": "DuoAuthnConfiguration",
+ "config_file": "authn/duo.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.Duo",
+ "module_vers": "",
+ "description": "Duo AuthAPI hostname assigned to the integration",
+ "note": "this sould be set in conf/authn/duo.properties due to the sensitivity of the secret key"
+ },
+ {
+ "property_name": "idp.duo.nonbrowser.integrationKey",
+ 
"property_type": "string",
+ "property_default_value": "none",
+ "config_category": "DuoAuthnConfiguration",
+ "config_file": "authn/duo.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.Duo",
+ "module_vers": "",
+ "description": "Duo AuthAPI integration key (supplied by Duo as Client ID)",
+ "note": "this sould be set in conf/authn/duo.properties due to the sensitivity of the secret key"
+ },
+ {
+ "property_name": "idp.duo.nonbrowser.secretKey",
+ "property_type": "string",
+ "property_default_value": "none",
+ "config_category": "DuoAuthnConfiguration",
+ "config_file": "authn/duo.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.Duo",
+ "module_vers": "",
+ "description": "Duo AuthAPI secret key (supplied by Duo as Client secret)",
+ "note": "this sould be set in conf/authn/duo.properties due to the sensitivity of the secret key"
+ },
+ {
+ "property_name": "idp.duo.nonbrowser.header.factor",
+ "property_type": "string",
+ "property_default_value": "X-Shibboleth-Duo-Factor",
+ "config_category": "DuoAuthnConfiguration",
+ "config_file": "authn/duo.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.Duo",
+ "module_vers": "",
+ "description": "Name of HTTP request header for Duo AuthAPI factor",
+ "note": "this sould be set in conf/authn/duo.properties due to the sensitivity of the secret key"
+ },
+ {
+ "property_name": "idp.duo.nonbrowser.header.device",
+ "property_type": "string",
+ "property_default_value": "X-Shibboleth-Duo-Device",
+ "config_category": "DuoAuthnConfiguration",
+ "config_file": "authn/duo.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.Duo",
+ "module_vers": "",
+ "description": "Name of HTTP request header for Duo AuthAPI device ID or name",
+ "note": "this sould be set in conf/authn/duo.properties due to the sensitivity of the secret key"
+ },
+ {
+ "property_name": "idp.duo.nonbrowser.header.passcode",
+ "property_type": "string",
+ "property_default_value": "X-Shibboleth-Duo-Passcode",
+ "config_category": 
"DuoAuthnConfiguration",
+ "config_file": "authn/duo.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.Duo",
+ "module_vers": "",
+ "description": "Name of HTTP request header for Duo AuthAPI passcode",
+ "note": "this sould be set in conf/authn/duo.properties due to the sensitivity of the secret key"
+ },
+ {
+ "property_name": "idp.duo.nonbrowser.auto",
+ "property_type": "bool",
+ "property_default_value": true,
+ "config_category": "DuoAuthnConfiguration",
+ "config_file": "authn/duo.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.Duo",
+ "module_vers": "",
+ "description": "Allow the factor to be defaulted to auto if no headers are received",
+ "note": "this sould be set in conf/authn/duo.properties due to the sensitivity of the secret key"
+ },
+ {
+ "property_name": "idp.duo.nonbrowser.clientAddressTrusted",
+ "property_type": "bool",
+ "property_default_value": true,
+ "config_category": "DuoAuthnConfiguration",
+ "config_file": "authn/duo.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.Duo",
+ "module_vers": "",
+ "description": "Pass client address to Duo in API calls to support logging, push display, and network-based Duo policies",
+ "note": "this sould be set in conf/authn/duo.properties due to the sensitivity of the secret key"
+ },
+ {
+ "property_name": "idp.authn.Duo.order",
+ "property_type": "int",
+ "property_default_value": 1000,
+ "config_category": "DuoAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.Duo",
+ "module_vers": "",
+ "description": "Flow priority relative to other enabled login flows (lower is \"higher\" in priority)",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.Duo.nonBrowserSupported",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "DuoAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.Duo",
+ "module_vers": "",
+ "description": "Whether the flow should 
handle non-browser request profiles (e.g., ECP)",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.Duo.passiveAuthenticationSupported",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "DuoAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.Duo",
+ "module_vers": "",
+ "description": "Whether the flow allows for passive authentication",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.Duo.forcedAuthenticationSupported",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "DuoAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.Duo",
+ "module_vers": "",
+ "description": "Whether the flow supports forced authentication",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.Duo.proxyRestrictionsEnforced",
+ "property_type": "bool",
+ "property_default_value": "%{idp.authn.enforceProxyRestrictions:true}",
+ "config_category": "DuoAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.Duo",
+ "module_vers": "",
+ "description": "Whether the flow enforces upstream IdP imposed restrictions on proxying",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.Duo.proxyScopingEnforced",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "DuoAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.Duo",
+ "module_vers": "",
+ "description": "Whether the flow considers itself to be proxying and therefore enforces SP signaled restrictions on proxying",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.Duo.discoveryRequired",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "DuoAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.Duo",
+ "module_vers": "",
+ "description": "Whether to 
invoke IdP discovery prior to running flow",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.Duo.lifetime",
+ "property_type": "duration",
+ "property_default_value": "%{idp.authn.defaultLifetime:PT1H}",
+ "config_category": "DuoAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.Duo",
+ "module_vers": "",
+ "description": "Lifetime of results produced by this flow",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.Duo.inactivityTimeout",
+ "property_type": "duration",
+ "property_default_value": "%{idp.authn.defaultTimeout:PT30M}",
+ "config_category": "DuoAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.Duo",
+ "module_vers": "",
+ "description": "Inactivity timeout of results produced by this flow",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.Duo.reuseCondition",
+ "property_type": "Bean ID",
+ "property_default_value": "shibboleth.Conditions.TRUE",
+ "config_category": "DuoAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.Duo",
+ "module_vers": "",
+ "description": "Bean ID of Predicate controlling result reuse for SSO",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.Duo.activationCondition",
+ "property_type": "Bean ID",
+ "property_default_value": "shibboleth.Conditions.TRUE",
+ "config_category": "DuoAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.Duo",
+ "module_vers": "",
+ "description": "Bean ID of Predicate determining whether flow is usable for request",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.Duo.subjectDecorator",
+ "property_type": "Bean ID",
+ "property_default_value": "none",
+ "config_category": "DuoAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.Duo",
+ "module_vers": "",
+ "description": "Bean ID of BiConsumer for subject 
customization"
+ },
+ {
+ "property_name": "idp.authn.Duo.supportedPrincipals",
+ "property_type": "string",
+ "property_default_value": "saml2/http://example.org/ac/classes/mfa, saml1/http://example.org/ac/classes/mfa",
+ "config_category": "DuoAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.Duo",
+ "module_vers": "",
+ "description": "Comma-delimited list of protocol-specific Principal strings associated with flow",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.Duo.addDefaultPrincipals",
+ "property_type": "bool",
+ "property_default_value": true,
+ "config_category": "DuoAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.Duo",
+ "module_vers": "",
+ "description": "Whether to auto-attach the preceding set of Principal objects to each Subject produced by this flow",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.SAML.externalAuthnPath",
+ "property_type": "url path",
+ "property_default_value": "servletRelative:/Authn/SAML2/POST/SSO",
+ "config_category": "SAMLAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "Spring Web Flow redirection expression for the IdP's AssertionConsumerService",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.SAML.proxyEntityID",
+ "property_type": "string",
+ "property_default_value": "none",
+ "config_category": "SAMLAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "Statically-defined entityID of IdP to use for authentication",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.SAML.outboundMessageHandlerFunction",
+ "property_type": "Bean ID",
+ "property_default_value": "none",
+ "config_category": "SAMLAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ 
"description": "Optional bean ID of Function to run just prior to AuthnRequest signing/encoding step",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.SAML.inboundMessageHandlerFunction",
+ "property_type": "Bean ID",
+ "property_default_value": "none",
+ "config_category": "SAMLAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "Optional bean ID of Function to run at the late stages of Response decoding/processing",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.SAML.assertionValidator",
+ "property_type": "Bean ID",
+ "property_default_value": "none",
+ "config_category": "SAMLAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "Optional bean ID of AssertionValidator to run",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.SAML.order",
+ "property_type": "int",
+ "property_default_value": 1000,
+ "config_category": "SAMLAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "Flow priority relative to other enabled login flows (lower is \"higher\" in priority)",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.SAML.nonBrowserSupported",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "SAMLAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "Whether the flow should handle non-browser request profiles (e.g., ECP)",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.SAML.passiveAuthenticationSupported",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "SAMLAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "Whether the flow allows for passive authentication",
+ 
"note": ""
+ },
+ {
+ "property_name": "idp.authn.SAML.forcedAuthenticationSupported",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "SAMLAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "Whether the flow supports forced authentication",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.SAML.proxyRestrictionsEnforced",
+ "property_type": "bool",
+ "property_default_value": "%{idp.authn.enforceProxyRestrictions:true}",
+ "config_category": "SAMLAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "Whether the flow enforces upstream IdP imposed restrictions on proxying",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.SAML.proxyScopingEnforced",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "SAMLAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "Whether the flow considers itself to be proxying and therefore enforces SP signaled restrictions on proxying",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.SAML.discoveryRequired",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "SAMLAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "Whether to invoke IdP discovery prior to running flow",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.SAML.lifetime",
+ "property_type": "duration",
+ "property_default_value": "%{idp.authn.defaultLifetime:PT1H}",
+ "config_category": "SAMLAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "Lifetime of results produced by this flow",
+ "note": ""
+ },
+ {
+ "property_name": 
"idp.authn.SAML.inactivityTimeout",
+ "property_type": "duration",
+ "property_default_value": "%{idp.authn.defaultTimeout:PT30M}",
+ "config_category": "SAMLAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "Inactivity timeout of results produced by this flow",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.SAML.reuseCondition",
+ "property_type": "Bean ID",
+ "property_default_value": "shibboleth.Conditions.TRUE",
+ "config_category": "SAMLAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "Bean ID of Predicate controlling result reuse for SSO",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.SAML.activationCondition",
+ "property_type": "Bean ID",
+ "property_default_value": "shibboleth.Conditions.TRUE",
+ "config_category": "SAMLAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "Bean ID of Predicate determining whether flow is usable for request",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.SAML.subjectDecorator",
+ "property_type": "Bean ID",
+ "property_default_value": "none",
+ "config_category": "SAMLAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "Bean ID of BiConsumer for subject customization"
+ },
+ {
+ "property_name": "idp.authn.SAML.supportedPrincipals",
+ "property_type": "string",
+ "property_default_value": "saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport,saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password,saml1/urn:oasis:names:tc:SAML:1.0:am:password",
+ "config_category": "SAMLAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "Comma-delimited list of protocol-specific 
Principal strings associated with flow",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.SAML.addDefaultPrincipals",
+ "property_type": "bool",
+ "property_default_value": true,
+ "config_category": "SAMLAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "Whether to auto-attach the preceding set of Principal objects to each Subject produced by this flow",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.MFA.validateLoginTransitions",
+ "property_type": "bool",
+ "property_default_value": true,
+ "config_category": "MultiFactorAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "Whether login flows should only be run with regard for forceAuthn/isPassive/nonBrowser (and similar) conditions",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.MFA.order",
+ "property_type": "int",
+ "property_default_value": 1000,
+ "config_category": "MultiFactorAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.MFA",
+ "module_vers": "",
+ "description": "Flow priority relative to other enabled login flows (lower is \"higher\" in priority)",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.MFA.nonBrowserSupported",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "MultiFactorAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.MFA",
+ "module_vers": "",
+ "description": "Whether the flow should handle non-browser request profiles (e.g., ECP)",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.MFA.passiveAuthenticationSupported",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "MultiFactorAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.MFA",
+ "module_vers": "",
+ 
"description": "Whether the flow allows for passive authentication",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.MFA.forcedAuthenticationSupported",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "MultiFactorAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.MFA",
+ "module_vers": "",
+ "description": "Whether the flow supports forced authentication",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.MFA.proxyRestrictionsEnforced",
+ "property_type": "bool",
+ "property_default_value": "%{idp.authn.enforceProxyRestrictions:true}",
+ "config_category": "MultiFactorAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.MFA",
+ "module_vers": "",
+ "description": "Whether the flow enforces upstream IdP imposed restrictions on proxying",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.MFA.proxyScopingEnforced",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "MultiFactorAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.MFA",
+ "module_vers": "",
+ "description": "Whether the flow considers itself to be proxying and therefore enforces SP signaled restrictions on proxying",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.MFA.discoveryRequired",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "MultiFactorAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.MFA",
+ "module_vers": "",
+ "description": "Whether to invoke IdP discovery prior to running flow",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.MFA.lifetime",
+ "property_type": "duration",
+ "property_default_value": "%{idp.authn.defaultLifetime:PT1H}",
+ "config_category": "MultiFactorAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ 
"module": "idp.authn.MFA",
+ "module_vers": "",
+ "description": "Lifetime of results produced by this flow",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.MFA.inactivityTimeout",
+ "property_type": "duration",
+ "property_default_value": "%{idp.authn.defaultTimeout:PT30M}",
+ "config_category": "MultiFactorAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.MFA",
+ "module_vers": "",
+ "description": "Inactivity timeout of results produced by this flow",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.MFA.reuseCondition",
+ "property_type": "Bean ID",
+ "property_default_value": "shibboleth.Conditions.TRUE",
+ "config_category": "MultiFactorAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.MFA",
+ "module_vers": "",
+ "description": "Bean ID of Predicate controlling result reuse for SSO",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.MFA.activationCondition",
+ "property_type": "Bean ID",
+ "property_default_value": "shibboleth.Conditions.TRUE",
+ "config_category": "MultiFactorAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.MFA",
+ "module_vers": "",
+ "description": "Bean ID of Predicate determining whether flow is usable for request",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.MFA.subjectDecorator",
+ "property_type": "Bean ID",
+ "property_default_value": "none",
+ "config_category": "MultiFactorAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.MFA",
+ "module_vers": "",
+ "description": "Bean ID of BiConsumer for subject customization"
+ },
+ {
+ "property_name": "idp.authn.MFA.supportedPrincipals",
+ "property_type": "string",
+ "property_default_value": 
"saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport,saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password,saml1/urn:oasis:names:tc:SAML:1.0:am:password",
+ "config_category": "MultiFactorAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.MFA",
+ "module_vers": "",
+ "description": "Comma-delimited list of protocol-specific Principal strings associated with flow",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.MFA.addDefaultPrincipals",
+ "property_type": "bool",
+ "property_default_value": true,
+ "config_category": "MultiFactorAuthnConfiguration",
+ "config_file": "authn/authn.properties",
+ "idp_vers": 4.1,
+ "module": "idp.authn.MFA",
+ "module_vers": "",
+ "description": "Whether to auto-attach the preceding set of Principal objects to each Subject produced by this flow",
+ "note": ""
+ },
+ {
+ "property_name": "idp.transientId.generator",
+ "property_type": "Bean ID of a TransientIdGenerationStrategy",
+ "property_default_value": "shibboleth.CryptoTransientIdGenerator",
+ "config_category": "NameIDGenerationConfiguration",
+ "config_file": "saml-nameid.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Identifies the strategy plugin for generating transient IDs",
+ "note": ""
+ },
+ {
+ "property_name": "idp.nameid.saml2.default",
+ "property_type": "URI",
+ "property_default_value": "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
+ "config_category": "NameIDGenerationConfiguration",
+ "config_file": "saml-nameid.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Default Format to generate if nothing else is indicated",
+ "note": ""
+ },
+ {
+ "property_name": "idp.nameid.saml1.default",
+ "property_type": "URI",
+ "property_default_value": "urn:mace:shibboleth:1.0:nameIdentifier",
+ "config_category": "NameIDGenerationConfiguration",
+ "config_file": "saml-nameid.properties",
+ "idp_vers": "all", 
+ "module": "",
+ "module_vers": "",
+ "description": "Default Format to generate if nothing else is indicated",
+ "note": ""
+ },
+ {
+ "property_name": "idp.persistentId.generator",
+ "property_type": "Bean ID of a PairwiseIdStore",
+ "property_default_value": "shibboleth.ComputedPersistentIdGenerator",
+ "config_category": "PersistentNameIDGenerationConfiguration",
+ "config_file": "saml-nameid.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Identifies the strategy plugin for sourcing persistent IDs",
+ "note": ""
+ },
+ {
+ "property_name": "idp.persistentId.dataSource",
+ "property_type": "Bean ID of a JDBC DataSource",
+ "property_default_value": "none",
+ "config_category": "PersistentNameIDGenerationConfiguration",
+ "config_file": "saml-nameid.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Identifies a data source for storage-based management of persistent IDs",
+ "note": ""
+ },
+ {
+ "property_name": "idp.persistentId.computed",
+ "property_type": "Bean ID of a PairwiseIdStore",
+ "property_default_value": "shibboleth.ComputedPersistentIdGenerator",
+ "config_category": "PersistentNameIDGenerationConfiguration",
+ "config_file": "saml-nameid.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Identifies a strategy plugin to use to generate the first persistent identifier for each subject",
+ "note": "used to migrate from the computed to stored strategies: can be null"
+ },
+ {
+ "property_name": "idp.persistentId.sourceAttribute",
+ "property_type": "string",
+ "property_default_value": "none",
+ "config_category": "PersistentNameIDGenerationConfiguration",
+ "config_file": "saml-nameid.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "List of attributes to search for a value to uniquely identify the subject of a persistent identifier that MUST be stable long-lived and non-reassignable",
+ "note": 
""
+ },
+ {
+ "property_name": "idp.persistentId.useUnfilteredAttributes",
+ "property_type": "boolean",
+ "property_default_value": true,
+ "config_category": "PersistentNameIDGenerationConfiguration",
+ "config_file": "saml-nameid.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Whether or not the previous property has access to unreleased attributes",
+ "note": ""
+ },
+ {
+ "property_name": "idp.persistentId.salt",
+ "property_type": "string",
+ "property_default_value": "none",
+ "config_category": "PersistentNameIDGenerationConfiguration",
+ "config_file": "saml-nameid.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "A secret salt for the hash when using computed persistent IDs",
+ "note": ""
+ },
+ {
+ "property_name": "idp.persistentId.encodedSalt",
+ "property_type": "Base64-encoded String",
+ "property_default_value": "none",
+ "config_category": "PersistentNameIDGenerationConfiguration",
+ "config_file": "saml-nameid.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "An encoded form of the persistentId.salt",
+ "note": ""
+ },
+ {
+ "property_name": "idp.persistentId.algorithm",
+ "property_type": "string",
+ "property_default_value": "SHA",
+ "config_category": "PersistentNameIDGenerationConfiguration",
+ "config_file": "saml-nameid.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "The hash algorithm used when using computed persistent IDs",
+ "note": ""
+ },
+ {
+ "property_name": "idp.persistentId.encoding",
+ "property_type": "string",
+ "property_default_value": "BASE64",
+ "config_category": "PersistentNameIDGenerationConfiguration",
+ "config_file": "saml-nameid.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "The final encoding applied to the hash generated when using computed persistent IDs: one of BASE32 or BASE64",
+ "note": ""
+ },
+ {
+ 
"property_name": "idp.persistentId.exceptionMap",
+ "property_type": "Bean ID",
+ "property_default_value": "shibboleth.ComputedIdExceptionMap",
+ "config_category": "PersistentNameIDGenerationConfiguration",
+ "config_file": "saml-nameid.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Advanced feature allowing revocation or regeneration of computed persistent IDs for specific subjects or services",
+ "note": ""
+ },
+ {
+ "property_name": "idp.persistentId.queryTimeout",
+ "property_type": "duration",
+ "property_default_value": "PT5S",
+ "config_category": "PersistentNameIDGenerationConfiguration",
+ "config_file": "saml-nameid.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "Query timeout for database access",
+ "note": ""
+ },
+ {
+ "property_name": "idp.persistentId.transactionRetries",
+ "property_type": "int",
+ "property_default_value": 3,
+ "config_category": "PersistentNameIDGenerationConfiguration",
+ "config_file": "saml-nameid.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "Number of retries in the event database locking bugs cause retryable failures",
+ "note": ""
+ },
+ {
+ "property_name": "idp.persistentId.retryableErrors",
+ "property_type": "string",
+ "property_default_value": "23000,23505",
+ "config_category": "PersistentNameIDGenerationConfiguration",
+ "config_file": "saml-nameid.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "List of error strings to identify as retryable failures",
+ "note": ""
+ },
+ {
+ "property_name": "idp.persistentId.verifyDatabase",
+ "property_type": "bool",
+ "property_default_value": true,
+ "config_category": "PersistentNameIDGenerationConfiguration",
+ "config_file": "saml-nameid.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "When true the connection and layout of the database is verified at bean initialization time 
and any failures are fatal.",
+ "note": ""
+ },
+ {
+ "property_name": "idp.persistentId.tableName",
+ "property_type": "string",
+ "property_default_value": "shibpid",
+ "config_category": "PersistentNameIDGenerationConfiguration",
+ "config_file": "saml-nameid.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "Overrides the name of the table in the database",
+ "note": ""
+ },
+ {
+ "property_name": "idp.persistentId.localEntityColumn",
+ "property_type": "string",
+ "property_default_value": "localEntity",
+ "config_category": "PersistentNameIDGenerationConfiguration",
+ "config_file": "saml-nameid.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "Overrides database column names",
+ "note": ""
+ },
+ {
+ "property_name": "idp.persistentId.peerEntityColumn",
+ "property_type": "string",
+ "property_default_value": "peerEntity",
+ "config_category": "PersistentNameIDGenerationConfiguration",
+ "config_file": "saml-nameid.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "Overrides database column names",
+ "note": ""
+ },
+ {
+ "property_name": "idp.persistentId.principalNameColumn",
+ "property_type": "string",
+ "property_default_value": "principalName",
+ "config_category": "PersistentNameIDGenerationConfiguration",
+ "config_file": "saml-nameid.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "Overrides database column names",
+ "note": ""
+ },
+ {
+ "property_name": "idp.persistentId.sourceIdColumn",
+ "property_type": "string",
+ "property_default_value": "localId",
+ "config_category": "PersistentNameIDGenerationConfiguration",
+ "config_file": "saml-nameid.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "Overrides database column names",
+ "note": ""
+ },
+ {
+ "property_name": "idp.persistentId.persistentIdColumn",
+ "property_type": "string",
+ "property_default_value": 
"persistentId",
+ "config_category": "PersistentNameIDGenerationConfiguration",
+ "config_file": "saml-nameid.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "Overrides database column names",
+ "note": ""
+ },
+ {
+ "property_name": "idp.persistentId.peerProvidedIdColumn",
+ "property_type": "string",
+ "property_default_value": "peerProvidedId",
+ "config_category": "PersistentNameIDGenerationConfiguration",
+ "config_file": "saml-nameid.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "Overrides database column names",
+ "note": ""
+ },
+ {
+ "property_name": "idp.persistentId.createTimeColumn",
+ "property_type": "string",
+ "property_default_value": "creationDate",
+ "config_category": "PersistentNameIDGenerationConfiguration",
+ "config_file": "saml-nameid.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "Overrides database column names",
+ "note": ""
+ },
+ {
+ "property_name": "idp.persistentId.deactivationTimeColumn",
+ "property_type": "string",
+ "property_default_value": "deactivationDate",
+ "config_category": "PersistentNameIDGenerationConfiguration",
+ "config_file": "saml-nameid.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "Overrides database column names",
+ "note": ""
+ },
+ {
+ "property_name": "idp.service.failFast",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "ReloadableServices",
+ "config_file": "services.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Set default fail-fast behavior of all services unless overridden by service",
+ "note": ""
+ },
+ {
+ "property_name": "idp.service.logging.resource",
+ "property_type": "resource path",
+ "property_default_value": "%{idp.home}/conf/logback.xml",
+ "config_category": "ReloadableServices",
+ "config_file": "services.properties",
+ "idp_vers": "all",
+ "module": "",
+ 
"module_vers": "",
+ "description": "Logging configuration resource to use (the reloadable service ID is shibboleth.LoggingService)",
+ "note": ""
+ },
+ {
+ "property_name": "idp.service.logging.failFast",
+ "property_type": "bool",
+ "property_default_value": true,
+ "config_category": "ReloadableServices",
+ "config_file": "services.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Fail at startup if logging configuration is invalid",
+ "note": ""
+ },
+ {
+ "property_name": "idp.service.logging.checkInterval",
+ "property_type": "duration",
+ "property_default_value": 0,
+ "config_category": "ReloadableServices",
+ "config_file": "services.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Time to notice changes to logging configuration and reload service. A value of 0 indicates that the logging configuration never reloads",
+ "note": ""
+ },
+ {
+ "property_name": "idp.service.relyingparty.resources",
+ "property_type": "Bean ID",
+ "property_default_value": "shibboleth.RelyingPartyResolverResources",
+ "config_category": "ReloadableServices",
+ "config_file": "services.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Name of Spring bean identifying resources to use for RelyingPartyConfiguration",
+ "note": ""
+ },
+ {
+ "property_name": "idp.service.relyingparty.failFast",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "ReloadableServices",
+ "config_file": "services.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Fail at startup if RelyingPartyConfiguration is invalid",
+ "note": ""
+ },
+ {
+ "property_name": "idp.service.relyingparty.checkInterval",
+ "property_type": "duration",
+ "property_default_value": 0,
+ "config_category": "ReloadableServices",
+ "config_file": "services.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": 
"Time to notice changes to RelyingPartyConfiguration and reload service. A value of 0 indicates that the relying party configuration never reloads", + "note": "" + }, + { + "property_name": "idp.service.relyingparty.ignoreUnmappedEntityAttributes", + "property_type": "bool", + "property_default_value": false, + "config_category": "ReloadableServices", + "config_file": "services.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "See MetadataDrivenConfiguration SAML Attribute Name Format Usage", + "note": "" + }, + { + "property_name": "idp.service.metadata.resources", + "property_type": "Bean ID", + "property_default_value": "shibboleth.MetadataResolverResources", + "config_category": "ReloadableServices", + "config_file": "services.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Name of Spring bean identifying resources to use for MetadataConfiguration", + "note": "" + }, + { + "property_name": "idp.service.metadata.failFast", + "property_type": "bool", + "property_default_value": false, + "config_category": "ReloadableServices", + "config_file": "services.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Fail at startup if MetadataConfiguration is invalid", + "note": "" + }, + { + "property_name": "idp.service.metadata.checkInterval", + "property_type": "duration", + "property_default_value": 0, + "config_category": "ReloadableServices", + "config_file": "services.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Time to notice changes to MetadataConfiguration and reload service. 
A value of 0 indicates that the metadata configuration never reloads", + "note": "" + }, + { + "property_name": "idp.service.metadata.enableByReferenceFilters", + "property_type": "bool", + "property_default_value": true, + "config_category": "ReloadableServices", + "config_file": "services.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Disabling this turns off internal support for the ByReferenceFilter feature which provides a very small performance boost", + "note": "" + }, + { + "property_name": "idp.service.attribute.registry.resources", + "property_type": "Bean ID", + "property_default_value": "shibboleth.AttributeRegistryResources", + "config_category": "ReloadableServices", + "config_file": "services.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Name of Spring bean identifying resources to use for AttributeRegistryConfiguration", + "note": "" + }, + { + "property_name": "idp.service.attribute.registry.failFast", + "property_type": "bool", + "property_default_value": false, + "config_category": "ReloadableServices", + "config_file": "services.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Fail at startup if AttributeRegistryConfiguration is invalid", + "note": "" + }, + { + "property_name": "idp.service.attribute.registry.checkInterval", + "property_type": "duration", + "property_default_value": 0, + "config_category": "ReloadableServices", + "config_file": "services.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Time to notice changes to AttributeRegistryConfiguration and reload service. 
A value of 0 indicates that the service configuration never reloads", + "note": "" + }, + { + "property_name": "idp.service.attribute.registry.encodeType", + "property_type": "bool", + "property_default_value": true, + "config_category": "ReloadableServices", + "config_file": "services.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Shortcut for controlling the encoding of xsi:type information for all SAML transcoding rules in the registry", + "note": "" + }, + { + "property_name": "idp.service.attribute.resolver.resources", + "property_type": "Bean ID", + "property_default_value": "shibboleth.AttributeResolverResources", + "config_category": "ReloadableServices", + "config_file": "services.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Name of Spring bean identifying resources to use for AttributeResolverConfiguration", + "note": "" + }, + { + "property_name": "idp.service.attribute.resolver.failFast", + "property_type": "bool", + "property_default_value": false, + "config_category": "ReloadableServices", + "config_file": "services.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Fail at startup if AttributeResolverConfiguration is invalid", + "note": "" + }, + { + "property_name": "idp.service.attribute.resolver.checkInterval", + "property_type": "duration", + "property_default_value": 0, + "config_category": "ReloadableServices", + "config_file": "services.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Time to notice changes to AttributeResolverConfiguration and reload service. 
A value of 0 indicates that the service configuration never reloads", + "note": "" + }, + { + "property_name": "idp.service.attribute.resolver.maskFailures", + "property_type": "bool", + "property_default_value": true, + "config_category": "ReloadableServices", + "config_file": "services.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Whether attribute resolution failure should silently produce no attributes or cause an overall profile request failure event", + "note": "" + }, + { + "property_name": "idp.service.attribute.resolver.stripNulls", + "property_type": "bool", + "property_default_value": false, + "config_category": "ReloadableServices", + "config_file": "services.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Whether null values should be stripped from the results of the attribute resolution. This filtering happens prior to filtering and encoding, but after attribute resolution is complete. To strip nulls during attribute resolution (so that they will be invisible to dependant attribute definitions) use a SimpleAttributeDefinition and specify ignoreNullValues", + "note": "" + }, + { + "property_name": "idp.service.attribute.resolver.suppressDisplayInfo", + "property_type": "bool", + "property_default_value": true, + "config_category": "ReloadableServices", + "config_file": "services.properties", + "idp_vers": 4.2, + "module": "", + "module_vers": "", + "description": "Setting this to false re-enables the legacy behavior of looking up the display information for the resolved attributes during resolution. 
As from 4.2 this the display information is looked up at point of use (during the attribute consent flow) and so there should be no reason to revert this behavior unless using third party software which expect the IdPAttribute DisplayName and DisplayDescriptions to be pre-populated", + "note": "" + }, + { + "property_name": "idp.service.attribute.filter.resources", + "property_type": "Bean ID", + "property_default_value": "shibboleth.AttributeFilterResources", + "config_category": "ReloadableServices", + "config_file": "services.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Name of Spring bean identifying resources to use for AttributeFilterConfiguration", + "note": "" + }, + { + "property_name": "idp.service.attribute.filter.failFast", + "property_type": "bool", + "property_default_value": false, + "config_category": "ReloadableServices", + "config_file": "services.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Fail at startup if AttributeFilterConfiguration is invalid", + "note": "" + }, + { + "property_name": "idp.service.attribute.filter.checkInterval", + "property_type": "duration", + "property_default_value": 0, + "config_category": "ReloadableServices", + "config_file": "services.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Time to notice changes to AttributeFilterConfiguration and reload service A value of 0 indicates that the attribute filter configuration never reloads", + "note": "" + }, + { + "property_name": "idp.service.attribute.filter.maskFailures", + "property_type": "bool", + "property_default_value": true, + "config_category": "ReloadableServices", + "config_file": "services.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Whether attribute filtering failure should silently produce no attributes or causes an overall profile request failure event", + "note": "" + }, + { + 
"property_name": "idp.service.nameidGeneration.resources", + "property_type": "Bean ID", + "property_default_value": "shibboleth.NameIdentifierGenerationResources", + "config_category": "ReloadableServices", + "config_file": "services.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Name of Spring bean identifying resources to use for NameIDGenerationConfiguration", + "note": "" + }, + { + "property_name": "idp.service.nameidGeneration.failFast", + "property_type": "bool", + "property_default_value": false, + "config_category": "ReloadableServices", + "config_file": "services.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Fail at startup if NameIDGenerationConfiguration is invalid", + "note": "" + }, + { + "property_name": "idp.service.nameidGeneration.checkInterval", + "property_type": "duration", + "property_default_value": 0, + "config_category": "ReloadableServices", + "config_file": "services.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Time to notice changes to NameIDGenerationConfiguration and reload service", + "note": "" + }, + { + "property_name": "idp.service.access.resources", + "property_type": "Bean ID", + "property_default_value": "shibboleth.AccessControlResource", + "config_category": "ReloadableServices", + "config_file": "services.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Name of Spring bean identifying resources to use for AccessControlConfiguration", + "note": "" + }, + { + "property_name": "idp.service.access.failFast", + "property_type": "bool", + "property_default_value": true, + "config_category": "ReloadableServices", + "config_file": "services.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Fail at startup if AccessControlConfiguration is invalid", + "note": "" + }, + { + "property_name": "idp.service.access.checkInterval", + 
"property_type": "duration", + "property_default_value": 0, + "config_category": "ReloadableServices", + "config_file": "services.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Time to notice changes to AccessControlConfiguration and reload service", + "note": "" + }, + { + "property_name": "idp.service.cas.registry.resources", + "property_type": "Bean ID", + "property_default_value": "shibboleth.CASServiceRegistryResources", + "config_category": "ReloadableServices", + "config_file": "services.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Name of Spring bean identifying resources to use for CASServiceRegistry configuration", + "note": "" + }, + { + "property_name": "idp.service.cas.registry.failFast", + "property_type": "bool", + "property_default_value": false, + "config_category": "ReloadableServices", + "config_file": "services.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Fail at startup if CASServiceRegistry configuration is invalid", + "note": "" + }, + { + "property_name": "idp.service.cas.registry.checkInterval", + "property_type": "duration", + "property_default_value": 0, + "config_category": "ReloadableServices", + "config_file": "services.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Time to notice CASServiceRegistry configuration changes and reload service", + "note": "" + }, + { + "property_name": "idp.service.managedBean.resources", + "property_type": "Bean ID", + "property_default_value": "shibboleth.ManagedBeanResources", + "config_category": "ReloadableServices", + "config_file": "services.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Name of Spring bean identifying resources to use for ManagedBeanConfiguration", + "note": "" + }, + { + "property_name": "idp.service.managedBean.failFast", + "property_type": "bool", + 
"property_default_value": false, + "config_category": "ReloadableServices", + "config_file": "services.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Fail at startup if ManagedBeanConfiguration is invalid", + "note": "" + }, + { + "property_name": "idp.service.managedBean.checkInterval", + "property_type": "duration", + "property_default_value": 0, + "config_category": "ReloadableServices", + "config_file": "services.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Time to notice ManagedBeanConfiguration changes and reload service", + "note": "" + }, + { + "property_name": "idp.message.resources", + "property_type": "Bean ID", + "property_default_value": "shibboleth.MessageSourceResources", + "config_category": "ReloadableServices", + "config_file": "services.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Name of Spring bean identifying Spring message property resources", + "note": "" + }, + { + "property_name": "idp.message.cacheSeconds", + "property_type": "int", + "property_default_value": 300, + "config_category": "ReloadableServices", + "config_file": "services.properties", + "idp_vers": "all", + "module": "", + "module_vers": "", + "description": "Seconds between reloads of message property resources", + "note": "" + }, + { + "property_name": "idp.status.logging", + "property_type": "string", + "property_default_value": "Status", + "config_category": "Status", + "config_file": "admin/admin.properties", + "idp_vers": 4.1, + "module": "", + "module_vers": "", + "description": "Audit log identifier for flow", + "note": "" + }, + { + "property_name": "idp.status.accessPolicy", + "property_type": "string", + "property_default_value": "AccessByIPAddress", + "config_category": "Status", + "config_file": "admin/admin.properties", + "idp_vers": 4.1, + "module": "", + "module_vers": "", + "description": "Name of access control policy for request 
authorization", + "note": "" + }, + { + "property_name": "idp.status.authenticated", + "property_type": "bool", + "property_default_value": false, + "config_category": "Status", + "config_file": "admin/admin.properties", + "idp_vers": 4.1, + "module": "", + "module_vers": "", + "description": "Whether authentication should be performed prior to access control evaluation", + "note": "" + }, + { + "property_name": "idp.status.nonBrowserSupported", + "property_type": "bool", + "property_default_value": false, + "config_category": "Status", + "config_file": "admin/admin.properties", + "idp_vers": 4.1, + "module": "", + "module_vers": "", + "description": "Whether the flow should allow for non-browser clients during authentication", + "note": "" + }, + { + "property_name": "idp.status.defaultAuthenticationMethods", + "property_type": "string", + "property_default_value": "none", + "config_category": "Status", + "config_file": "admin/admin.properties", + "idp_vers": 4.1, + "module": "", + "module_vers": "", + "description": "?", + "note": "" + }, + { + "property_name": "idp.status.resolveAttributes", + "property_type": "bool", + "property_default_value": false, + "config_category": "Status", + "config_file": "admin/admin.properties", + "idp_vers": 4.1, + "module": "", + "module_vers": "", + "description": "Whether attributes should be resolved prior to access control evaluation", + "note": "" + }, + { + "property_name": "idp.status.postAuthenticationFlows", + "property_type": "string", + "property_default_value": "none", + "config_category": "Status", + "config_file": "admin/admin.properties", + "idp_vers": 4.1, + "module": "", + "module_vers": "", + "description": "?", + "note": "" + }, + { + "property_name": "idp.reload.logging", + "property_type": "string", + "property_default_value": "Reload", + "config_category": "MetadataReload", + "config_file": "admin/admin.properties", + "idp_vers": 4.1, + "module": "", + "module_vers": "", + "description": "Audit log identifier 
for flow", + "note": "" + }, + { + "property_name": "idp.reload.accessPolicy", + "property_type": "string", + "property_default_value": "AccessByIPAddress", + "config_category": "MetadataReload", + "config_file": "admin/admin.properties", + "idp_vers": 4.1, + "module": "", + "module_vers": "", + "description": "Name of access control policy for request authorization", + "note": "" + }, + { + "property_name": "idp.reload.authenticated", + "property_type": "bool", + "property_default_value": false, + "config_category": "MetadataReload", + "config_file": "admin/admin.properties", + "idp_vers": 4.1, + "module": "", + "module_vers": "", + "description": "Whether authentication should be performed prior to access control evaluation", + "note": "" + }, + { + "property_name": "idp.reload.nonBrowserSupported", + "property_type": "bool", + "property_default_value": false, + "config_category": "MetadataReload", + "config_file": "admin/admin.properties", + "idp_vers": 4.1, + "module": "", + "module_vers": "", + "description": "Whether the flow should allow for non-browser clients during authentication", + "note": "" + }, + { + "property_name": "idp.reload.defaultAuthenticationMethods", + "property_type": "string", + "property_default_value": "none", + "config_category": "MetadataReload", + "config_file": "admin/admin.properties", + "idp_vers": 4.1, + "module": "", + "module_vers": "", + "description": "?", + "note": "" + }, + { + "property_name": "idp.reload.resolveAttributes", + "property_type": "bool", + "property_default_value": false, + "config_category": "MetadataReload", + "config_file": "admin/admin.properties", + "idp_vers": 4.1, + "module": "", + "module_vers": "", + "description": "Whether attributes should be resolved prior to access control evaluation", + "note": "" + }, + { + "property_name": "idp.reload.postAuthenticationFlows", + "property_type": "string", + "property_default_value": "none", + "config_category": "MetadataReload", + "config_file": 
"admin/admin.properties", + "idp_vers": 4.1, + "module": "", + "module_vers": "", + "description": "?", + "note": "" + }, + { + "property_name": "idp.resolvertest.logging", + "property_type": "string", + "property_default_value": "ResolverTest", + "config_category": "AACLI", + "config_file": "admin/admin.properties", + "idp_vers": 4.1, + "module": "", + "module_vers": "", + "description": "Audit log identifier for flow", + "note": "" + }, + { + "property_name": "idp.resolvertest.accessPolicy", + "property_type": "string", + "property_default_value": "AccessByIPAddress", + "config_category": "AACLI", + "config_file": "admin/admin.properties", + "idp_vers": 4.1, + "module": "", + "module_vers": "", + "description": "Name of access control policy for request authorization", + "note": "" + }, + { + "property_name": "idp.resolvertest.authenticated", + "property_type": "bool", + "property_default_value": false, + "config_category": "AACLI", + "config_file": "admin/admin.properties", + "idp_vers": 4.1, + "module": "", + "module_vers": "", + "description": "Whether authentication should be performed prior to access control evaluation", + "note": "" + }, + { + "property_name": "idp.resolvertest.nonBrowserSupported", + "property_type": "bool", + "property_default_value": false, + "config_category": "AACLI", + "config_file": "admin/admin.properties", + "idp_vers": 4.1, + "module": "", + "module_vers": "", + "description": "Whether the flow should allow for non-browser clients during authentication", + "note": "" + }, + { + "property_name": "idp.resolvertest.defaultAuthenticationMethods", + "property_type": "string", + "property_default_value": "none", + "config_category": "AACLI", + "config_file": "admin/admin.properties", + "idp_vers": 4.1, + "module": "", + "module_vers": "", + "description": "?", + "note": "" + }, + { + "property_name": "idp.resolvertest.resolveAttributes", + "property_type": "bool", + "property_default_value": false, + "config_category": "AACLI", + 
"config_file": "admin/admin.properties", + "idp_vers": 4.1, + "module": "", + "module_vers": "", + "description": "Whether attributes should be resolved prior to access control evaluation", + "note": "" + }, + { + "property_name": "idp.resolvertest.postAuthenticationFlows", + "property_type": "string", + "property_default_value": "none", + "config_category": "AACLI", + "config_file": "admin/admin.properties", + "idp_vers": 4.1, + "module": "", + "module_vers": "", + "description": "?", + "note": "" + }, + { + "property_name": "idp.mdquery.logging", + "property_type": "string", + "property_default_value": "MetadataQuery", + "config_category": "MetadataQuery", + "config_file": "admin/admin.properties", + "idp_vers": 4.1, + "module": "", + "module_vers": "", + "description": "Audit log identifier for flow", + "note": "" + }, + { + "property_name": "idp.mdquery.accessPolicy", + "property_type": "string", + "property_default_value": "AccessByIPAddress", + "config_category": "MetadataQuery", + "config_file": "admin/admin.properties", + "idp_vers": 4.1, + "module": "", + "module_vers": "", + "description": "Name of access control policy for request authorization", + "note": "" + }, + { + "property_name": "idp.mdquery.authenticated", + "property_type": "bool", + "property_default_value": false, + "config_category": "MetadataQuery", + "config_file": "admin/admin.properties", + "idp_vers": 4.1, + "module": "", + "module_vers": "", + "description": "Whether authentication should be performed prior to access control evaluation", + "note": "" + }, + { + "property_name": "idp.mdquery.nonBrowserSupported", + "property_type": "bool", + "property_default_value": false, + "config_category": "MetadataQuery", + "config_file": "admin/admin.properties", + "idp_vers": 4.1, + "module": "", + "module_vers": "", + "description": "Whether the flow should allow for non-browser clients during authentication", + "note": "" + }, + { + "property_name": "idp.mdquery.defaultAuthenticationMethods", 
+ "property_type": "string", + "property_default_value": "none", + "config_category": "MetadataQuery", + "config_file": "admin/admin.properties", + "idp_vers": 4.1, + "module": "", + "module_vers": "", + "description": "?", + "note": "" + }, + { + "property_name": "idp.mdquery.resolveAttributes", + "property_type": "bool", + "property_default_value": false, + "config_category": "MetadataQuery", + "config_file": "admin/admin.properties", + "idp_vers": 4.1, + "module": "", + "module_vers": "", + "description": "Whether attributes should be resolved prior to access control evaluation", + "note": "" + }, + { + "property_name": "idp.mdquery.postAuthenticationFlows", + "property_type": "string", + "property_default_value": "none", + "config_category": "MetadataQuery", + "config_file": "admin/admin.properties", + "idp_vers": 4.1, + "module": "", + "module_vers": "", + "description": "?", + "note": "" + }, + { + "property_name": "idp.metrics.logging", + "property_type": "string", + "property_default_value": "Metrics", + "config_category": "MetricsConfiguration", + "config_file": "admin/admin.properties", + "idp_vers": 4.1, + "module": "", + "module_vers": "", + "description": "Audit log identifier for flow", + "note": "" + }, + { + "property_name": "idp.metrics.authenticated", + "property_type": "bool", + "property_default_value": false, + "config_category": "MetricsConfiguration", + "config_file": "admin/admin.properties", + "idp_vers": 4.1, + "module": "", + "module_vers": "", + "description": "Whether authentication should be performed prior to access control evaluation", + "note": "" + }, + { + "property_name": "idp.metrics.nonBrowserSupported", + "property_type": "bool", + "property_default_value": false, + "config_category": "MetricsConfiguration", + "config_file": "admin/admin.properties", + "idp_vers": 4.1, + "module": "", + "module_vers": "", + "description": "Whether the flow should allow for non-browser clients during authentication", + "note": "" + }, + { + 
"property_name": "idp.metrics.defaultAuthenticationMethods", + "property_type": "string", + "property_default_value": "none", + "config_category": "MetricsConfiguration", + "config_file": "admin/admin.properties", + "idp_vers": 4.1, + "module": "", + "module_vers": "", + "description": "?", + "note": "" + }, + { + "property_name": "idp.metrics.resolveAttributes", + "property_type": "bool", + "property_default_value": false, + "config_category": "MetricsConfiguration", + "config_file": "admin/admin.properties", + "idp_vers": 4.1, + "module": "", + "module_vers": "", + "description": "Whether attributes should be resolved prior to access control evaluation", + "note": "" + }, + { + "property_name": "idp.metrics.postAuthenticationFlows", + "property_type": "string", + "property_default_value": "none", + "config_category": "MetricsConfiguration", + "config_file": "admin/admin.properties", + "idp_vers": 4.1, + "module": "", + "module_vers": "", + "description": "?", + "note": "" + }, + { + "property_name": "idp.hello.logging", + "property_type": "string", + "property_default_value": "Hello", + "config_category": "HelloWorldConfiguration", + "config_file": "admin/admin.properties", + "idp_vers": 4.1, + "module": "", + "module_vers": "", + "description": "Audit log identifier for flow", + "note": "" + }, + { + "property_name": "idp.hello.accessPolicy", + "property_type": "string", + "property_default_value": "AccessByAdminUser", + "config_category": "HelloWorldConfiguration", + "config_file": "admin/admin.properties", + "idp_vers": 4.1, + "module": "", + "module_vers": "", + "description": "Name of access control policy for request authorization", + "note": "" + }, + { + "property_name": "idp.hello.authenticated", + "property_type": "bool", + "property_default_value": true, + "config_category": "HelloWorldConfiguration", + "config_file": "admin/admin.properties", + "idp_vers": 4.1, + "module": "", + "module_vers": "", + "description": "Whether authentication should be 
performed prior to access control evaluation", + "note": "" + }, + { + "property_name": "idp.hello.nonBrowserSupported", + "property_type": "bool", + "property_default_value": false, + "config_category": "HelloWorldConfiguration", + "config_file": "admin/admin.properties", + "idp_vers": 4.1, + "module": "", + "module_vers": "", + "description": "Whether the flow should allow for non-browser clients during authentication", + "note": "" + }, + { + "property_name": "idp.hello.defaultAuthenticationMethods", + "property_type": "string", + "property_default_value": "none", + "config_category": "HelloWorldConfiguration", + "config_file": "admin/admin.properties", + "idp_vers": 4.1, + "module": "", + "module_vers": "", + "description": "?", + "note": "" + }, + { + "property_name": "idp.hello.resolveAttributes", + "property_type": "bool", + "property_default_value": true, + "config_category": "HelloWorldConfiguration", + "config_file": "admin/admin.properties", + "idp_vers": 4.1, + "module": "", + "module_vers": "", + "description": "Whether attributes should be resolved prior to access control evaluation", + "note": "" + }, + { + "property_name": "idp.hello.postAuthenticationFlows", + "property_type": "string", + "property_default_value": "none", + "config_category": "HelloWorldConfiguration", + "config_file": "admin/admin.properties", + "idp_vers": 4.1, + "module": "", + "module_vers": "", + "description": "?", + "note": "" + }, + { + "property_name": "idp.lockout.logging", + "property_type": "string", + "property_default_value": "Lockout", + "config_category": "AccountLockoutManagement", + "config_file": "admin/admin.properties", + "idp_vers": 4.1, + "module": "", + "module_vers": "", + "description": "Audit log identifier for flow", + "note": "" + }, + { + "property_name": "idp.lockout.accessPolicy", + "property_type": "string", + "property_default_value": "AccessDenied", + "config_category": "AccountLockoutManagement", + "config_file": "admin/admin.properties", + 
"idp_vers": 4.1, + "module": "", + "module_vers": "", + "description": "Name of access control policy for request authorization", + "note": "" + }, + { + "property_name": "idp.lockout.authenticated", + "property_type": "bool", + "property_default_value": false, + "config_category": "AccountLockoutManagement", + "config_file": "admin/admin.properties", + "idp_vers": 4.1, + "module": "", + "module_vers": "", + "description": "Whether authentication should be performed prior to access control evaluation", + "note": "" + }, + { + "property_name": "idp.lockout.nonBrowserSupported", + "property_type": "bool", + "property_default_value": false, + "config_category": "AccountLockoutManagement", + "config_file": "admin/admin.properties", + "idp_vers": 4.1, + "module": "", + "module_vers": "", + "description": "Whether the flow should allow for non-browser clients during authentication", + "note": "" + }, + { + "property_name": "idp.lockout.defaultAuthenticationMethods", + "property_type": "string", + "property_default_value": "none", + "config_category": "AccountLockoutManagement", + "config_file": "admin/admin.properties", + "idp_vers": 4.1, + "module": "", + "module_vers": "", + "description": "?", + "note": "" + }, + { + "property_name": "idp.lockout.resolveAttributes", + "property_type": "bool", + "property_default_value": false, + "config_category": "AccountLockoutManagement", + "config_file": "admin/admin.properties", + "idp_vers": 4.1, + "module": "", + "module_vers": "", + "description": "Whether attributes should be resolved prior to access control evaluation", + "note": "" + }, + { + "property_name": "idp.lockout.postAuthenticationFlows", + "property_type": "string", + "property_default_value": "none", + "config_category": "AccountLockoutManagement", + "config_file": "admin/admin.properties", + "idp_vers": 4.1, + "module": "", + "module_vers": "", + "description": "?", + "note": "" + }, + { + "property_name": "idp.storage.logging", + "property_type": "string", + 
"property_default_value": "Storage",
+ "config_category": "?",
+ "config_file": "admin/admin.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "Audit log identifier for flow",
+ "note": ""
+ },
+ {
+ "property_name": "idp.storage.accessPolicy",
+ "property_type": "string",
+ "property_default_value": "AccessDenied",
+ "config_category": "?",
+ "config_file": "admin/admin.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "Name of access control policy for request authorization",
+ "note": ""
+ },
+ {
+ "property_name": "idp.storage.authenticated",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "?",
+ "config_file": "admin/admin.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "Whether authentication should be performed prior to access control evaluation",
+ "note": ""
+ },
+ {
+ "property_name": "idp.storage.nonBrowserSupported",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "?",
+ "config_file": "admin/admin.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "Whether the flow should allow for non-browser clients during authentication",
+ "note": ""
+ },
+ {
+ "property_name": "idp.storage.defaultAuthenticationMethods",
+ "property_type": "string",
+ "property_default_value": "none",
+ "config_category": "?",
+ "config_file": "admin/admin.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "?",
+ "note": ""
+ },
+ {
+ "property_name": "idp.storage.resolveAttributes",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "AttendedRestartConfiguration",
+ "config_file": "admin/admin.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "Whether attributes should be resolved prior to access control evaluation",
+ "note": ""
+ },
+ {
+ "property_name":
"idp.unlock-keys.logging",
+ "property_type": "string",
+ "property_default_value": "UnlockKeys",
+ "config_category": "AttendedRestartConfiguration",
+ "config_file": "admin/admin.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "Audit log identifier for flow",
+ "note": ""
+ },
+ {
+ "property_name": "idp.unlock-keys.accessPolicy",
+ "property_type": "string",
+ "property_default_value": "AccessDenied",
+ "config_category": "AttendedRestartConfiguration",
+ "config_file": "admin/admin.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "Name of access control policy for request authorization",
+ "note": ""
+ },
+ {
+ "property_name": "idp.unlock-keys.authenticated",
+ "property_type": "bool",
+ "property_default_value": true,
+ "config_category": "AttendedRestartConfiguration",
+ "config_file": "admin/admin.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "Whether authentication should be performed prior to access control evaluation",
+ "note": ""
+ },
+ {
+ "property_name": "idp.unlock-keys.nonBrowserSupported",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "AttendedRestartConfiguration",
+ "config_file": "admin/admin.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "Whether the flow should allow for non-browser clients during authentication",
+ "note": ""
+ },
+ {
+ "property_name": "idp.unlock-keys.resolveAttributes",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "AttendedRestartConfiguration",
+ "config_file": "admin/admin.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "Whether attributes should be resolved prior to access control evaluation",
+ "note": ""
+ },
+ {
+ "property_name": "idp.unlock-keys.postAuthenticationFlows",
+ "property_type": "string",
+ "property_default_value": "none",
+
"config_category": "AttendedRestartConfiguration",
+ "config_file": "admin/admin.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "?",
+ "note": ""
+ },
+ {
+ "property_name": "idp.c14n.simple.lowercase",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "SimplePostLoginC14NConfiguration",
+ "config_file": "c14n/subject-c14n.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "Whether to lowercase the username",
+ "note": ""
+ },
+ {
+ "property_name": "idp.c14n.simple.uppercase",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "SimplePostLoginC14NConfiguration",
+ "config_file": "c14n/subject-c14n.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "Whether to uppercase the username",
+ "note": ""
+ },
+ {
+ "property_name": "idp.c14n.simple.trim",
+ "property_type": "bool",
+ "property_default_value": true,
+ "config_category": "SimplePostLoginC14NConfiguration",
+ "config_file": "c14n/subject-c14n.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "Whether to trim leading and trailing whitespace from the username",
+ "note": ""
+ },
+ {
+ "property_name": "idp.c14n.attribute.lowercase",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "AttributePostLoginC14NConfiguration",
+ "config_file": "c14n/subject-c14n.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "Whether to lowercase the username",
+ "note": ""
+ },
+ {
+ "property_name": "idp.c14n.attribute.uppercase",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "AttributePostLoginC14NConfiguration",
+ "config_file": "c14n/subject-c14n.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "Whether to uppercase the username",
+ "note": ""
+ },
+ {
+ "property_name":
"idp.c14n.attribute.trim",
+ "property_type": "bool",
+ "property_default_value": true,
+ "config_category": "AttributePostLoginC14NConfiguration",
+ "config_file": "c14n/subject-c14n.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "Whether to trim leading and trailing whitespace from the username",
+ "note": ""
+ },
+ {
+ "property_name": "idp.c14n.attribute.attributesToResolve",
+ "property_type": "string",
+ "property_default_value": "none",
+ "config_category": "AttributePostLoginC14NConfiguration",
+ "config_file": "c14n/subject-c14n.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "Comma-delimited list of attributes to resolve (an empty list directs the resolver to resolve everything it can)",
+ "note": ""
+ },
+ {
+ "property_name": "idp.c14n.attribute.attributeSourceIds",
+ "property_type": "string",
+ "property_default_value": "none",
+ "config_category": "AttributePostLoginC14NConfiguration",
+ "config_file": "c14n/subject-c14n.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "Comma-delimited list of attributes to search for in the results looking for a StringAttributeValue or ScopedStringAttributeValue",
+ "note": ""
+ },
+ {
+ "property_name": "idp.c14n.attribute.resolveFromSubject",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "AttributePostLoginC14NConfiguration",
+ "config_file": "c14n/subject-c14n.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "Whether to examine the input Subject for IdPAttributePrincipal objects to pull from directly instead of from the output of the Attribute Resolver service",
+ "note": ""
+ },
+ {
+ "property_name": "idp.c14n.attribute.resolutionCondition",
+ "property_type": "Bean ID",
+ "property_default_value": "shibboleth.Conditions.TRUE",
+ "config_category": "AttributePostLoginC14NConfiguration",
+ "config_file":
"c14n/subject-c14n.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "Bean ID of a Predicate to evaluate to determine whether to run the Attribute Resolver or go directly to the Subject alone",
+ "note": ""
+ },
+ {
+ "property_name": "idp.c14n.x500.lowercase",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "X500PostLoginC14NConfiguration",
+ "config_file": "c14n/subject-c14n.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "Whether to lowercase the username",
+ "note": ""
+ },
+ {
+ "property_name": "idp.c14n.x500.uppercase",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "X500PostLoginC14NConfiguration",
+ "config_file": "c14n/subject-c14n.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "Whether to uppercase the username",
+ "note": ""
+ },
+ {
+ "property_name": "idp.c14n.x500.trim",
+ "property_type": "bool",
+ "property_default_value": true,
+ "config_category": "X500PostLoginC14NConfiguration",
+ "config_file": "c14n/subject-c14n.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "Whether to trim leading and trailing whitespace from the username",
+ "note": ""
+ },
+ {
+ "property_name": "idp.c14n.x500.subjectAltNameTypes",
+ "property_type": "List",
+ "property_default_value": "none",
+ "config_category": "X500PostLoginC14NConfiguration",
+ "config_file": "c14n/subject-c14n.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "Comma-delimited list of subjectAltName extension types to look for",
+ "note": ""
+ },
+ {
+ "property_name": "idp.c14n.x500.objectIDs",
+ "property_type": "List",
+ "property_default_value": "2.5.4.3",
+ "config_category": "X500PostLoginC14NConfiguration",
+ "config_file": "c14n/subject-c14n.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description":
"Comma-delimited list of attribute OIDs to search for in the subject DN",
+ "note": ""
+ },
+ {
+ "property_name": "idp.c14n.saml.proxy.lowercase",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "SAML2ProxyTransformPostLoginC14NConfiguration",
+ "config_file": "c14n/subject-c14n.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "Whether to lowercase the username",
+ "note": ""
+ },
+ {
+ "property_name": "idp.c14n.saml.proxy.uppercase",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "SAML2ProxyTransformPostLoginC14NConfiguration",
+ "config_file": "c14n/subject-c14n.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "Whether to uppercase the username",
+ "note": ""
+ },
+ {
+ "property_name": "idp.c14n.saml.lowercase",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "NameIDConsumptionConfiguration",
+ "config_file": "c14n/subject-c14n.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "Whether to lowercase the username",
+ "note": ""
+ },
+ {
+ "property_name": "idp.c14n.saml.uppercase",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "NameIDConsumptionConfiguration",
+ "config_file": "c14n/subject-c14n.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "Whether to uppercase the username",
+ "note": ""
+ },
+ {
+ "property_name": "idp.service.logging.saml1sso",
+ "property_type": "string",
+ "property_default_value": "SSO",
+ "config_category": "AuditLoggingConfiguration",
+ "config_file": "services.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Suffix added to audit logging category when various profiles/flows are audited",
+ "note": "you can use this to route different kinds of audit records to different destinations based on general function"
+ },
+ {
+ "property_name": "idp.service.logging.saml1attrquery",
+ "property_type": "string",
+ "property_default_value": "AttributeQuery",
+ "config_category": "AuditLoggingConfiguration",
+ "config_file": "services.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Suffix added to audit logging category when various profiles/flows are audited",
+ "note": "you can use this to route different kinds of audit records to different destinations based on general function"
+ },
+ {
+ "property_name": "idp.service.logging.saml1artifact",
+ "property_type": "string",
+ "property_default_value": "ArtifactResolution",
+ "config_category": "AuditLoggingConfiguration",
+ "config_file": "services.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Suffix added to audit logging category when various profiles/flows are audited",
+ "note": "you can use this to route different kinds of audit records to different destinations based on general function"
+ },
+ {
+ "property_name": "idp.service.logging.saml2sso",
+ "property_type": "string",
+ "property_default_value": "SSO",
+ "config_category": "AuditLoggingConfiguration",
+ "config_file": "services.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Suffix added to audit logging category when various profiles/flows are audited",
+ "note": "you can use this to route different kinds of audit records to different destinations based on general function"
+ },
+ {
+ "property_name": "idp.service.logging.saml2attrquery",
+ "property_type": "string",
+ "property_default_value": "AttributeQuery",
+ "config_category": "AuditLoggingConfiguration",
+ "config_file": "services.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Suffix added to audit logging category when various profiles/flows are audited",
+ "note": "you can use this to route different kinds of audit records to different
destinations based on general function"
+ },
+ {
+ "property_name": "idp.service.logging.saml2artifact",
+ "property_type": "string",
+ "property_default_value": "ArtifactResolution",
+ "config_category": "AuditLoggingConfiguration",
+ "config_file": "services.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Suffix added to audit logging category when various profiles/flows are audited",
+ "note": "you can use this to route different kinds of audit records to different destinations based on general function"
+ },
+ {
+ "property_name": "idp.service.logging.saml2slo",
+ "property_type": "string",
+ "property_default_value": "Logout",
+ "config_category": "AuditLoggingConfiguration",
+ "config_file": "services.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Suffix added to audit logging category when various profiles/flows are audited",
+ "note": "you can use this to route different kinds of audit records to different destinations based on general function"
+ },
+ {
+ "property_name": "idp.service.logging.logout",
+ "property_type": "string",
+ "property_default_value": "Logout",
+ "config_category": "AuditLoggingConfiguration",
+ "config_file": "services.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Suffix added to audit logging category when various profiles/flows are audited",
+ "note": "you can use this to route different kinds of audit records to different destinations based on general function"
+ },
+ {
+ "property_name": "idp.service.logging.cas",
+ "property_type": "string",
+ "property_default_value": "SSO",
+ "config_category": "AuditLoggingConfiguration",
+ "config_file": "services.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Suffix added to audit logging category when various profiles/flows are audited",
+ "note": "you can use this to route different kinds of audit records to different
destinations based on general function"
+ },
+ {
+ "property_name": "idp.service.logging.status",
+ "property_type": "string",
+ "property_default_value": "Status",
+ "config_category": "AuditLoggingConfiguration",
+ "config_file": "services.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Suffix added to audit logging category when various profiles/flows are audited",
+ "note": "you can use this to route different kinds of audit records to different destinations based on general function"
+ },
+ {
+ "property_name": "idp.service.logging.resolvertest",
+ "property_type": "string",
+ "property_default_value": "ResolverTest",
+ "config_category": "AuditLoggingConfiguration",
+ "config_file": "services.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Suffix added to audit logging category when various profiles/flows are audited",
+ "note": "you can use this to route different kinds of audit records to different destinations based on general function"
+ },
+ {
+ "property_name": "idp.service.logging.serviceReload",
+ "property_type": "string",
+ "property_default_value": "Reload",
+ "config_category": "AuditLoggingConfiguration",
+ "config_file": "services.properties",
+ "idp_vers": "all",
+ "module": "",
+ "module_vers": "",
+ "description": "Suffix added to audit logging category when various profiles/flows are audited",
+ "note": "you can use this to route different kinds of audit records to different destinations based on general function"
+ },
+ {
+ "property_name": "idp.audit.hashAlgorithm",
+ "property_type": "string",
+ "property_default_value": "SHA-256",
+ "config_category": "AuditLoggingConfiguration",
+ "config_file": "services.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "Hash algorithm to apply to various hashed fields",
+ "note": ""
+ },
+ {
+ "property_name": "idp.audit.salt",
+ "property_type": "string",
+ "property_default_value":
"none",
+ "config_category": "AuditLoggingConfiguration",
+ "config_file": "services.properties",
+ "idp_vers": 4.1,
+ "module": "",
+ "module_vers": "",
+ "description": "Salt to apply to hashed fields must be set to use those fields",
+ "note": ""
+ },
+ {
+ "property_name": "idp.oidc.issuer",
+ "property_type": "URL",
+ "property_default_value": "none",
+ "config_category": "OIDC OP",
+ "config_file": "oidc.properties",
+ "idp_vers": 4.1,
+ "module": "idp.oidc.OP",
+ "module_vers": 3,
+ "description": "Set the Open ID Connect Issuer value",
+ "note": ""
+ },
+ {
+ "property_name": "idp.oidc.idToken.defaultLifetime",
+ "property_type": "duration",
+ "property_default_value": "PT1H",
+ "config_category": "OPToken",
+ "config_file": "oidc.properties",
+ "idp_vers": 4.1,
+ "module": "idp.oidc.OP",
+ "module_vers": 3,
+ "description": "Lifetime of ID token",
+ "note": ""
+ },
+ {
+ "property_name": "idp.oidc.accessToken.defaultLifetime",
+ "property_type": "duration",
+ "property_default_value": "PT10M",
+ "config_category": "OPToken",
+ "config_file": "oidc.properties",
+ "idp_vers": 4.1,
+ "module": "idp.oidc.OP",
+ "module_vers": 3,
+ "description": "Lifetime of access token",
+ "note": ""
+ },
+ {
+ "property_name": "idp.oidc.authorizeCode.defaultLifetime",
+ "property_type": "duration",
+ "property_default_value": "PT5M",
+ "config_category": "OPAuthorization",
+ "config_file": "oidc.properties",
+ "idp_vers": 4.1,
+ "module": "idp.oidc.OP",
+ "module_vers": 3,
+ "description": "Lifetime of authorization code",
+ "note": ""
+ },
+ {
+ "property_name": "idp.oidc.refreshToken.defaultLifetime",
+ "property_type": "duration",
+ "property_default_value": "PT2H",
+ "config_category": "OPToken",
+ "config_file": "oidc.properties",
+ "idp_vers": 4.1,
+ "module": "idp.oidc.OP",
+ "module_vers": 3,
+ "description": "Lifetime of refresh token",
+ "note": ""
+ },
+ {
+ "property_name": "idp.oidc.forcePKCE",
+ "property_type": "bool",
+ "property_default_value": false,
+
"config_category": "OPToken",
+ "config_file": "oidc.properties",
+ "idp_vers": 4.1,
+ "module": "idp.oidc.OP",
+ "module_vers": 3,
+ "description": "Whether client is required to use PKCE",
+ "note": ""
+ },
+ {
+ "property_name": "idp.oidc.allowPKCEPlain",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "OPToken",
+ "config_file": "oidc.properties",
+ "idp_vers": 4.1,
+ "module": "idp.oidc.OP",
+ "module_vers": 3,
+ "description": "Whether client is allowed to use PKCE code challenge method plain",
+ "note": ""
+ },
+ {
+ "property_name": "idp.oidc.encodedAttributes",
+ "property_type": "Set",
+ "property_default_value": "none",
+ "config_category": "OPAuthorization",
+ "config_file": "oidc.properties",
+ "idp_vers": 4.1,
+ "module": "idp.oidc.OP",
+ "module_vers": 3,
+ "description": "Specifies IdPAttributes to encode into tokens for recovery on back-channel token requests",
+ "note": ""
+ },
+ {
+ "property_name": "idp.oidc.encodeConsentInTokens",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "OPAuthorization",
+ "config_file": "oidc.properties",
+ "idp_vers": 4.1,
+ "module": "idp.oidc.OP",
+ "module_vers": 3,
+ "description": "Whether to embed consent decisions in access/refresh tokens and authorization code to allow for client-side consent storage",
+ "note": ""
+ },
+ {
+ "property_name": "idp.oidc.alwaysIncludedAttributes",
+ "property_type": "Set",
+ "property_default_value": "none",
+ "config_category": "OPAuthorization",
+ "config_file": "oidc.properties",
+ "idp_vers": 4.1,
+ "module": "idp.oidc.OP",
+ "module_vers": 3,
+ "description": "Specifies IdPAttributes to always include in ID token regardless of response_type",
+ "note": ""
+ },
+ {
+ "property_name": "idp.oidc.deniedUserInfoAttributes",
+ "property_type": "Set",
+ "property_default_value": "none",
+ "config_category": "OPAuthorization",
+ "config_file": "oidc.properties",
+ "idp_vers": 4.1,
+ "module": "idp.oidc.OP",
+
"module_vers": 3,
+ "description": "Specifies IdPAttributes to omit from UserInfo token",
+ "note": ""
+ },
+ {
+ "property_name": "idp.oidc.revocationCache.authorizeCode.lifetime",
+ "property_type": "duration",
+ "property_default_value": "PT6H",
+ "config_category": "OPRevocation",
+ "config_file": "oidc.properties",
+ "idp_vers": 4.1,
+ "module": "idp.oidc.OP",
+ "module_vers": 3,
+ "description": "Lifetime of entries in revocation cache for authorize code",
+ "note": ""
+ },
+ {
+ "property_name": "idp.oidc.revocationCache.StorageService",
+ "property_type": "Bean ID",
+ "property_default_value": "shibboleth.StorageService",
+ "config_category": "OPAuthorization",
+ "config_file": "oidc.properties",
+ "idp_vers": 4.1,
+ "module": "idp.oidc.OP",
+ "module_vers": 3,
+ "description": "Bean ID of StorageService for revocation cache requires server-side storage",
+ "note": ""
+ },
+ {
+ "property_name": "idp.oidc.tokenEndpointAuthMethods",
+ "property_type": "Collection",
+ "property_default_value": "client_secret_basic,client_secret_post,client_secret_jwt,private_key_jwt",
+ "config_category": "OPToken",
+ "config_file": "oidc.properties",
+ "idp_vers": 4.1,
+ "module": "idp.oidc.OP",
+ "module_vers": 3,
+ "description": "The acceptable client authentication methods",
+ "note": ""
+ },
+ {
+ "property_name": "idp.oauth2.grantTypes",
+ "property_type": "Collection",
+ "property_default_value": "authorization_code,refresh_token",
+ "config_category": "OPToken",
+ "config_file": "oidc.properties",
+ "idp_vers": 4.1,
+ "module": "idp.oidc.OP",
+ "module_vers": 3,
+ "description": "OAuth grant types to allow",
+ "note": ""
+ },
+ {
+ "property_name": "idp.oauth2.enforceRefreshTokenRotation",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "OPToken",
+ "config_file": "oidc.properties",
+ "idp_vers": 4.1,
+ "module": "idp.oidc.OP",
+ "module_vers": 3.2,
+ "description": "Whether to enforce refresh token rotation. 
If enabled the refresh token is revoked whenever it is used for issuing a new refresh token.",
+ "note": ""
+ },
+ {
+ "property_name": "idp.oauth2.accessToken.type",
+ "property_type": "string",
+ "property_default_value": "none",
+ "config_category": "OPToken",
+ "config_file": "oidc.properties",
+ "idp_vers": 4.1,
+ "module": "idp.oidc.OP",
+ "module_vers": 3.2,
+ "description": "Format of access token. Supported values are JWT or nothing.",
+ "note": ""
+ },
+ {
+ "property_name": "idp.oauth2.encryptionOptional",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "OPToken",
+ "config_file": "oidc.properties",
+ "idp_vers": 4.1,
+ "module": "idp.oidc.OP",
+ "module_vers": 3,
+ "description": "Whether the absence of encryption details in a resource server’s metadata should fail when issuing an access token",
+ "note": ""
+ },
+ {
+ "property_name": "idp.oauth2.accessToken.defaultLifetime",
+ "property_type": "duration",
+ "property_default_value": "PT10M",
+ "config_category": "OPToken",
+ "config_file": "oidc.properties",
+ "idp_vers": 4.1,
+ "module": "idp.oidc.OP",
+ "module_vers": 3,
+ "description": "Lifetime of access token issued to client for resource server",
+ "note": ""
+ },
+ {
+ "property_name": "idp.oauth2.revocationMethod",
+ "property_type": "string",
+ "property_default_value": "CHAIN",
+ "config_category": "OPRevocation",
+ "config_file": "oidc.properties",
+ "idp_vers": 4.1,
+ "module": "idp.oidc.OP",
+ "module_vers": 3,
+ "description": "The revocation method: CHAIN refers to revoking whole chain of tokens (from authorization code to all access/refresh tokens). 
TOKEN refers to revoking single token",
+ "note": ""
+ },
+ {
+ "property_name": "idp.oidc.dynreg.defaultRegistrationValidity",
+ "property_type": "duration",
+ "property_default_value": "PT24H",
+ "config_category": "OPDynamicClientRegistration",
+ "config_file": "oidc.properties",
+ "idp_vers": 4.1,
+ "module": "idp.oidc.OP",
+ "module_vers": 3,
+ "description": "Registration lifetime",
+ "note": ""
+ },
+ {
+ "property_name": "idp.oidc.dynreg.defaultScope",
+ "property_type": "string",
+ "property_default_value": "openid profile email address phone offline_access",
+ "config_category": "OPDynamicClientRegistration",
+ "config_file": "oidc.properties",
+ "idp_vers": 4.1,
+ "module": "idp.oidc.OP",
+ "module_vers": 3,
+ "description": "The default scopes accepted in dynamic registration",
+ "note": ""
+ },
+ {
+ "property_name": "idp.oidc.dynreg.defaultSubjectType",
+ "property_type": "string",
+ "property_default_value": "public",
+ "config_category": "OPDynamicClientRegistration",
+ "config_file": "oidc.properties",
+ "idp_vers": 4.1,
+ "module": "idp.oidc.OP",
+ "module_vers": 3,
+ "description": "The default subject type if not set by client in request. 
Maybe set to pairwise or public.",
+ "note": ""
+ },
+ {
+ "property_name": "idp.oidc.dynreg.defaultMetadataPolicyFile",
+ "property_type": "resource path",
+ "property_default_value": "none",
+ "config_category": "OPMetadataPolicies",
+ "config_file": "oidc.properties",
+ "idp_vers": 4.1,
+ "module": "idp.oidc.OP",
+ "module_vers": 3,
+ "description": "Full path to the file containing default metadata policy used for dynamic client registration",
+ "note": ""
+ },
+ {
+ "property_name": "idp.oidc.dynreg.tokenEndpointAuthMethods",
+ "property_type": "Collection",
+ "property_default_value": "client_secret_basic,client_secret_post,client_secret_jwt,private_key_jwt",
+ "config_category": "OPDynamicClientRegistration",
+ "config_file": "oidc.properties",
+ "idp_vers": 4.1,
+ "module": "idp.oidc.OP",
+ "module_vers": 3,
+ "description": "The acceptable client authentication methods when using dynamic registration",
+ "note": ""
+ },
+ {
+ "property_name": "idp.signing.oidc.rs.key",
+ "property_type": "JWK file pathname",
+ "property_default_value": "%{idp.home}/credentials/idp-signing-rs.jwk",
+ "config_category": "OPSecurity",
+ "config_file": "oidc.properties",
+ "idp_vers": 4.1,
+ "module": "idp.oidc.OP",
+ "module_vers": 3,
+ "description": "JWK RSA signing keypair",
+ "note": ""
+ },
+ {
+ "property_name": "idp.signing.oidc.es.key",
+ "property_type": "JWK file pathname",
+ "property_default_value": "%{idp.home}/credentials/idp-signing-es.jwk",
+ "config_category": "OPSecurity",
+ "config_file": "oidc.properties",
+ "idp_vers": 4.1,
+ "module": "idp.oidc.OP",
+ "module_vers": 3,
+ "description": "JWK EC signing keypair",
+ "note": ""
+ },
+ {
+ "property_name": "idp.signing.oidc.rsa.enc.key",
+ "property_type": "JWK file pathname",
+ "property_default_value": "%{idp.home}/credentials/idp-encryption-rsa.jwk",
+ "config_category": "OPSecurity",
+ "config_file": "oidc.properties",
+ "idp_vers": 4.1,
+ "module": "idp.oidc.OP",
+ "module_vers": 3,
+ "description": "JWK 
RSA decryption keypair",
+ "note": ""
+ },
+ {
+ "property_name": "idp.oidc.signing.config",
+ "property_type": "Bean ID",
+ "property_default_value": "shibboleth.oidc.SigningConfiguration",
+ "config_category": "OPSecurity",
+ "config_file": "oidc.properties",
+ "idp_vers": 4.1,
+ "module": "idp.oidc.OP",
+ "module_vers": 3,
+ "description": "Allows override of default signing configuration",
+ "note": ""
+ },
+ {
+ "property_name": "idp.oidc.encryption.config",
+ "property_type": "Bean ID",
+ "property_default_value": "shibboleth.oidc.EncryptionConfiguration",
+ "config_category": "OPSecurity",
+ "config_file": "oidc.properties",
+ "idp_vers": 4.1,
+ "module": "idp.oidc.OP",
+ "module_vers": 3,
+ "description": "Allows override of default encryption configuration",
+ "note": ""
+ },
+ {
+ "property_name": "idp.oidc.rodecrypt.config",
+ "property_type": "Bean ID",
+ "property_default_value": "shibboleth.oidc.requestObjectDecryptionConfiguration",
+ "config_category": "OPSecurity",
+ "config_file": "oidc.properties",
+ "idp_vers": 4.1,
+ "module": "idp.oidc.OP",
+ "module_vers": 3,
+ "description": "Allows override of default request decryption configuration",
+ "note": ""
+ },
+ {
+ "property_name": "idp.oidc.rovalid.config",
+ "property_type": "Bean ID",
+ "property_default_value": "shibboleth.oidc.requestObjectSignatureValidationConfiguration",
+ "config_category": "OPSecurity",
+ "config_file": "oidc.properties",
+ "idp_vers": 4.1,
+ "module": "idp.oidc.OP",
+ "module_vers": 3,
+ "description": "Allows override of default request signature validation configuration",
+ "note": "one of these has the wrong name"
+ },
+ {
+ "property_name": "idp.oidc.rovalid.config",
+ "property_type": "Bean ID",
+ "property_default_value": "shibboleth.oidc.tokenEndpointJwtSignatureValidationConfiguration",
+ "config_category": "OPSecurity",
+ "config_file": "oidc.properties",
+ "idp_vers": 4.1,
+ "module": "idp.oidc.OP",
+ "module_vers": 3,
+ "description": "Allows override of 
default JWT token validation configuration",
+ "note": "one of these has the wrong name"
+ },
+ {
+ "property_name": "idp.authn.OAuth2Client.requireAll",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "OAuth2ClientAuthnConfiguration",
+ "config_file": "oidc.properties",
+ "idp_vers": 4.1,
+ "module": "idp.oidc.OP",
+ "module_vers": 3,
+ "description": "Whether all validators must succeed or just one",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.OAuth2Client.removeAfterValidation",
+ "property_type": "bool",
+ "property_default_value": true,
+ "config_category": "OAuth2ClientAuthnConfiguration",
+ "config_file": "oidc.properties",
+ "idp_vers": 4.1,
+ "module": "idp.oidc.OP",
+ "module_vers": 3,
+ "description": "Whether to remove the object holding the password from the request's active state after validating it (to avoid it being preserved in the session any longer than needed)",
+ "note": ""
+ },
+ {
+ "property_name": "idp.authn.OAuth2Client.retainAsPrivateCredential",
+ "property_type": "bool",
+ "property_default_value": false,
+ "config_category": "OAuth2ClientAuthnConfiguration",
+ "config_file": "oidc.properties",
+ "idp_vers": 4.1,
+ "module": "idp.oidc.OP",
+ "module_vers": 3,
+ "description": "Whether to keep the password around as a private credential in the Java Subject for use in later stages such as attribute resolution",
+ "note": "use with caution as it retains the password and makes it available in plaintext from within server memory at various stages."
+ }, + { + "property_name": "idp.authn.OAuth2Client.order", + "property_type": "int", + "property_default_value": 1000, + "config_category": "OAuth2ClientAuthnConfiguration", + "config_file": "oidc.properties", + "idp_vers": 4.1, + "module": "idp.oidc.OP", + "module_vers": 3, + "description": "Flow priority relative to other enabled login flows (lower is \"higher\" in priority)", + "note": "" + }, + { + "property_name": "idp.authn.OAuth2Client.activationCondition", + "property_type": "Bean ID", + "property_default_value": "shibboleth.Conditions.TRUE", + "config_category": "OAuth2ClientAuthnConfiguration", + "config_file": "oidc.properties", + "idp_vers": 4.1, + "module": "idp.oidc.OP", + "module_vers": 3, + "description": "Bean ID of Predicate determining whether flow is usable for request", + "note": "" + }, + { + "property_name": "idp.authn.OAuth2Client.subjectDecorator", + "property_type": "Bean ID", + "property_default_value": "none", + "config_category": "OAuth2ClientAuthnConfiguration", + "config_file": "oidc.properties", + "idp_vers": 4.1, + "module": "idp.oidc.OP", + "module_vers": 3, + "description": "Bean ID of BiConsumer for subject customization" + }, + { + "property_name": "idp.authn.OAuth2Client.supportedPrincipals", + "property_type": "string", + "property_default_value": "none", + "config_category": "OAuth2ClientAuthnConfiguration", + "config_file": "oidc.properties", + "idp_vers": 4.1, + "module": "idp.oidc.OP", + "module_vers": 3, + "description": "Comma-delimited list of protocol-specific Principal strings associated with flow", + "note": "" + }, + { + "property_name": "idp.authn.OAuth2Client.addDefaultPrincipals", + "property_type": "bool", + "property_default_value": true, + "config_category": "OAuth2ClientAuthnConfiguration", + "config_file": "oidc.properties", + "idp_vers": 4.1, + "module": "idp.oidc.OP", + "module_vers": 3, + "description": "Whether to auto-attach the preceding set of Principal objects to each Subject produced by this flow", 
+ "note": "" + }, + { + "property_name": "idp.oidc.ResponseHeaderFilter", + "property_type": "Bean ID", + "property_default_value": "shibboleth.ResponseHeaderFilter", + "config_category": "OPCustomFilterRegistration", + "config_file": "oidc.properties", + "idp_vers": 4.1, + "module": "idp.oidc.OP", + "module_vers": 3, + "description": "By default this configures the values defined by the idp.hsts, idp.frameoptions and idp.csp properties into the corresponding HTTP headers and applies them to the OP plugin as well as the original IdP endpoints", + "note": "" + }, + { + "property_name": "idp.oidc.discovery.template", + "property_type": "resource path", + "property_default_value": "%{idp.home}/static/openid-configuration.json", + "config_category": "OPDiscovery", + "config_file": "oidc.properties", + "idp_vers": 4.1, + "module": "idp.oidc.OP", + "module_vers": 3, + "description": "Location of discovery template to use", + "note": "" + }, + { + "property_name": "idp.oidc.discovery.resolver", + "property_type": "Bean ID", + "property_default_value": "shibboleth.oidc.DefaultOpenIdConfigurationResolver", + "config_category": "OPDiscovery", + "config_file": "oidc.properties", + "idp_vers": 4.1, + "module": "idp.oidc.OP", + "module_vers": 3, + "description": "Implementation bean for discovery shouldn't require alteration", + "note": "" + }, + { + "property_name": "idp.oidc.admin.registration.logging", + "property_type": "string", + "property_default_value": "IssueRegistrationAccessToken", + "config_category": "OPDynamicClientRegistration", + "config_file": "oidc.properties", + "idp_vers": 4.1, + "module": "idp.oidc.OP", + "module_vers": 3, + "description": "Audit logging label for this profile", + "note": "" + }, + { + "property_name": "idp.oidc.admin.registration.nonBrowserSupported", + "property_type": "bool", + "property_default_value": true, + "config_category": "OPDynamicClientRegistration", + "config_file": "oidc.properties", + "idp_vers": 4.1, + "module": 
"idp.oidc.OP", + "module_vers": 3, + "description": "Enables support for non-browser-based authentication", + "note": "" + }, + { + "property_name": "idp.oidc.admin.registration.authenticated", + "property_type": "bool", + "property_default_value": false, + "config_category": "OPDynamicClientRegistration", + "config_file": "oidc.properties", + "idp_vers": 4.1, + "module": "idp.oidc.OP", + "module_vers": 3, + "description": "Whether to enable user authentication for requests", + "note": "" + }, + { + "property_name": "idp.oidc.admin.registration.resolveAttributes", + "property_type": "bool", + "property_default_value": false, + "config_category": "OPDynamicClientRegistration", + "config_file": "oidc.properties", + "idp_vers": 4.1, + "module": "idp.oidc.OP", + "module_vers": 3, + "description": "Whether to resolve attributes if authentication is enabled", + "note": "" + }, + { + "property_name": "idp.oidc.admin.registration.defaultTokenLifetime", + "property_type": "duration", + "property_default_value": "P1D", + "config_category": "OPDynamicClientRegistration", + "config_file": "oidc.properties", + "idp_vers": 4.1, + "module": "idp.oidc.OP", + "module_vers": 3, + "description": "Default access token lifetime if not specified", + "note": "" + }, + { + "property_name": "idp.oidc.admin.registration.accessPolicy", + "property_type": "string", + "property_default_value": "AccessByIPAddress", + "config_category": "OPDynamicClientRegistration", + "config_file": "oidc.properties", + "idp_vers": 4.1, + "module": "idp.oidc.OP", + "module_vers": 3, + "description": "Name of access control policy to apply to all requests", + "note": "" + }, + { + "property_name": "idp.oidc.admin.registration.policyLocationPolicy", + "property_type": "string", + "property_default_value": "AccessByAdmin", + "config_category": "OPDynamicClientRegistration", + "config_file": "oidc.properties", + "idp_vers": 4.1, + "module": "idp.oidc.OP", + "module_vers": 3, + "description": "Name of access control 
policy to apply to requests specifying a policyLocation", + "note": "" + }, + { + "property_name": "idp.oidc.admin.registration.policyIdPolicy", + "property_type": "string", + "property_default_value": "AccessByAdmin", + "config_category": "OPDynamicClientRegistration", + "config_file": "oidc.properties", + "idp_vers": 4.1, + "module": "idp.oidc.OP", + "module_vers": 3, + "description": "Name of access control policy to apply to requests specifying a policyId", + "note": "" + }, + { + "property_name": "idp.oidc.admin.registration.clientIdPolicy", + "property_type": "string", + "property_default_value": "AccessByAdmin", + "config_category": "OPDynamicClientRegistration", + "config_file": "oidc.properties", + "idp_vers": 4.1, + "module": "idp.oidc.OP", + "module_vers": 3, + "description": "Name of access control policy to apply to requests specifying a clientId", + "note": "" + }, + { + "property_name": "idp.oidc.admin.registration.lookup.policy", + "property_type": "Bean ID", + "property_default_value": "shibboleth.oidc.admin.DefaultMetadataPolicyLookupStrategy", + "config_category": "OPDynamicClientRegistration", + "config_file": "oidc.properties", + "idp_vers": 4.1, + "module": "idp.oidc.OP", + "module_vers": 3, + "description": "Bean ID of type Function>, used to locate metadata policy based on the policyLocation parameter. 
Defaults to a caching resolver locating server resources to load based on policyLocation parameter.", + "note": "" + }, + { + "property_name": "idp.service.clientinfo.failFast", + "property_type": "bool", + "property_default_value": false, + "config_category": "OPClientResolution", + "config_file": "oidc.properties", + "idp_vers": 4.1, + "module": "idp.oidc.OP", + "module_vers": 3, + "description": "If true any failures during initialization of any resolvers result in IdP startup failure", + "note": "" + }, + { + "property_name": "idp.service.clientinfo.checkInterval", + "property_type": "duration", + "property_default_value": "PT0S", + "config_category": "OPClientResolution", + "config_file": "oidc.properties", + "idp_vers": 4.1, + "module": "idp.oidc.OP", + "module_vers": 3, + "description": "When non-zero enables monitoring of resources for service reload", + "note": "" + }, + { + "property_name": "idp.service.clientinfo.resources", + "property_type": "Bean ID", + "property_default_value": "shibboleth.ClientInformationResolverResources", + "config_category": "OPClientResolution", + "config_file": "oidc.properties", + "idp_vers": 4.1, + "module": "idp.oidc.OP", + "module_vers": 3, + "description": "Name of bean used to define the resources to use in configuring this service", + "note": "" + }, + { + "property_name": "idp.oauth2.defaultAllowedScope", + "property_type": "Bean ID", + "property_default_value": "none", + "config_category": "OPClientCredentialsGrant", + "config_file": "oidc.properties", + "idp_vers": 4.1, + "module": "idp.oidc.OP", + "module_vers": 3, + "description": "bean of type Function called shibboleth.oidc.AllowedScopeStrategy", + "note": "" + }, + { + "property_name": "idp.oauth2.defaultAllowedAudience", + "property_type": "Bean ID", + "property_default_value": "none", + "config_category": "OPClientCredentialsGrant", + "config_file": "oidc.properties", + "idp_vers": 4.1, + "module": "idp.oidc.OP", + "module_vers": 3, + "description": "bean of 
type Function> called shibboleth.oidc.AllowedAudienceStrategy", + "note": "" + }, + { + "property_name": "idp.oauth2.authn.flows", + "property_type": "regex", + "property_default_value": "OAuth2Client", + "config_category": "OPClientAuthentication", + "config_file": "oidc.properties", + "idp_vers": 4.1, + "module": "idp.oidc.OP", + "module_vers": 3, + "description": "Regular expression matching OAuth login flows to enable.", + "note": "" + }, + { + "property_name": "idp.oidc.subject.sourceAttribute", + "property_type": "string", + "property_default_value": "none", + "config_category": "OPSubClaim", + "config_file": "oidc.properties", + "idp_vers": 4.1, + "module": "idp.oidc.OP", + "module_vers": 3, + "description": "The source attribute used in generating the sub claim", + "note": "" + }, + { + "property_name": "idp.oidc.subject.algorithm", + "property_type": "string", + "property_default_value": "SHA", + "config_category": "OPSubClaim", + "config_file": "oidc.properties", + "idp_vers": 4.1, + "module": "idp.oidc.OP", + "module_vers": 3, + "description": "The digest algorithm used in generating the sub claim", + "note": "" + }, + { + "property_name": "idp.oidc.subject.salt", + "property_type": "string", + "property_default_value": "none", + "config_category": "OPSubClaim", + "config_file": "oidc.properties", + "idp_vers": 4.1, + "module": "idp.oidc.OP", + "module_vers": 3, + "description": "Salt to inject for randomness should generally be moved into credentials/secrets.properties to avoid committing to configuration repository", + "note": "" + }, + { + "property_name": "idp.authn.DuoOIDC.order", + "property_type": "int", + "property_default_value": 1000, + "config_category": "DuoOIDCAuthnConfiguration", + "config_file": "authn/duo-oidc.properties", + "idp_vers": 4.1, + "module": "idp.authn.DuoOIDC", + "module_vers": 1, + "description": "Flow priority relative to other enabled login flows (lower is \"higher\" in priority)", + "note": "" + }, + { + "property_name": 
"idp.authn.DuoOIDC.nonBrowserSupported", + "property_type": "bool", + "property_default_value": false, + "config_category": "DuoOIDCAuthnConfiguration", + "config_file": "authn/duo-oidc.properties", + "idp_vers": 4.1, + "module": "idp.authn.DuoOIDC", + "module_vers": 1, + "description": "Whether the flow should handle non-browser request profiles (e.g., ECP)", + "note": "" + }, + { + "property_name": "idp.authn.DuoOIDC.passiveAuthenticationSupported", + "property_type": "bool", + "property_default_value": false, + "config_category": "DuoOIDCAuthnConfiguration", + "config_file": "authn/duo-oidc.properties", + "idp_vers": 4.1, + "module": "idp.authn.DuoOIDC", + "module_vers": 1, + "description": "Whether the flow allows for passive authentication", + "note": "" + }, + { + "property_name": "idp.authn.DuoOIDC.forcedAuthenticationSupported", + "property_type": "bool", + "property_default_value": true, + "config_category": "DuoOIDCAuthnConfiguration", + "config_file": "authn/duo-oidc.properties", + "idp_vers": 4.1, + "module": "idp.authn.DuoOIDC", + "module_vers": 1, + "description": "Whether the flow supports forced authentication", + "note": "" + }, + { + "property_name": "idp.authn.DuoOIDC.proxyRestrictionsEnforced", + "property_type": "bool", + "property_default_value": "%{idp.authn.enforceProxyRestrictions:true}", + "config_category": "DuoOIDCAuthnConfiguration", + "config_file": "authn/duo-oidc.properties", + "idp_vers": 4.1, + "module": "idp.authn.DuoOIDC", + "module_vers": 1, + "description": "Whether the flow enforces upstream IdP-imposed restrictions on proxying", + "note": "" + }, + { + "property_name": "idp.authn.DuoOIDC.proxyScopingEnforced", + "property_type": "bool", + "property_default_value": false, + "config_category": "DuoOIDCAuthnConfiguration", + "config_file": "authn/duo-oidc.properties", + "idp_vers": 4.1, + "module": "idp.authn.DuoOIDC", + "module_vers": 1, + "description": "Whether the flow considers itself to be proxying", + "note": "and 
therefore enforces SP-signaled restrictions on proxying" + }, + { + "property_name": "idp.authn.DuoOIDC.discoveryRequired", + "property_type": "bool", + "property_default_value": false, + "config_category": "DuoOIDCAuthnConfiguration", + "config_file": "authn/duo-oidc.properties", + "idp_vers": 4.1, + "module": "idp.authn.DuoOIDC", + "module_vers": 1, + "description": "Whether to invoke IdP-discovery prior to running flow", + "note": "" + }, + { + "property_name": "idp.authn.DuoOIDC.lifetime", + "property_type": "duration", + "property_default_value": "%{idp.authn.defaultLifetime:PT1H}", + "config_category": "DuoOIDCAuthnConfiguration", + "config_file": "authn/duo-oidc.properties", + "idp_vers": 4.1, + "module": "idp.authn.DuoOIDC", + "module_vers": 1, + "description": "Lifetime of results produced by this flow", + "note": "" + }, + { + "property_name": "idp.authn.DuoOIDC.inactivityTimeout", + "property_type": "duration", + "property_default_value": "%{idp.authn.defaultTimeout:PT30M}", + "config_category": "DuoOIDCAuthnConfiguration", + "config_file": "authn/duo-oidc.properties", + "idp_vers": 4.1, + "module": "idp.authn.DuoOIDC", + "module_vers": 1, + "description": "Inactivity timeout of results produced by this flow", + "note": "" + }, + { + "property_name": "idp.authn.DuoOIDC.reuseCondition", + "property_type": "Bean ID", + "property_default_value": "shibboleth.Conditions.TRUE", + "config_category": "DuoOIDCAuthnConfiguration", + "config_file": "authn/duo-oidc.properties", + "idp_vers": 4.1, + "module": "idp.authn.DuoOIDC", + "module_vers": 1, + "description": "Bean ID ofPredicate controlling result reuse for SSO", + "note": "" + }, + { + "property_name": "idp.authn.DuoOIDC.activationCondition", + "property_type": "Bean ID", + "property_default_value": "shibboleth.Conditions.TRUE", + "config_category": "DuoOIDCAuthnConfiguration", + "config_file": "authn/duo-oidc.properties", + "idp_vers": 4.1, + "module": "idp.authn.DuoOIDC", + "module_vers": 1, + 
"description": "Bean ID ofPredicate determining whether flow is usable for request", + "note": "" + }, + { + "property_name": "idp.authn.DuoOIDC.subjectDecorator", + "property_type": "Bean ID", + "property_default_value": "none", + "config_category": "DuoOIDCAuthnConfiguration", + "config_file": "authn/duo-oidc.properties", + "idp_vers": 4.1, + "module": "idp.authn.DuoOIDC", + "module_vers": 1, + "description": "Bean ID ofBiConsumer for subject customization", + "note": "" + }, + { + "property_name": "idp.authn.DuoOIDC.supportedPrincipals", + "property_type": "string", + "property_default_value": "saml2/http://example.org/ac/classes/mfa, saml1/http://example.org/ac/classes/mfa", + "config_category": "DuoOIDCAuthnConfiguration", + "config_file": "authn/duo-oidc.properties", + "idp_vers": 4.1, + "module": "idp.authn.DuoOIDC", + "module_vers": 1, + "description": "Comma-delimited list of protocol-specific Principalstrings associated with flow", + "note": "" + }, + { + "property_name": "idp.authn.DuoOIDC.addDefaultPrincipals", + "property_type": "bool", + "property_default_value": false, + "config_category": "DuoOIDCAuthnConfiguration", + "config_file": "authn/duo-oidc.properties", + "idp_vers": 4.1, + "module": "idp.authn.DuoOIDC", + "module_vers": 1, + "description": "Whether to auto-attach the preceding set ofPrincipalobjects to eachSubjectproduced by this flow", + "note": "" + }, + { + "property_name": "idp.duo.oidc.apiHost", + "property_type": "string", + "property_default_value": "none", + "config_category": "DuoOIDCAuthnConfiguration", + "config_file": "authn/duo-oidc.properties", + "idp_vers": 4.1, + "module": "idp.authn.DuoOIDC", + "module_vers": 1, + "description": "DuoOIDC API hostname assigned to the integration", + "note": "" + }, + { + "property_name": "idp.duo.oidc.clientId", + "property_type": "string", + "property_default_value": "none", + "config_category": "DuoOIDCAuthnConfiguration", + "config_file": "authn/duo-oidc.properties", + "idp_vers": 4.1, + 
"module": "idp.authn.DuoOIDC", + "module_vers": 1, + "description": "The OAuth 2.0 Client Identifier valid at the Authorization Server", + "note": "" + }, + { + "property_name": "idp.duo.oidc.redirectURL", + "property_type": "string", + "property_default_value": "none", + "config_category": "DuoOIDCAuthnConfiguration", + "config_file": "authn/duo-oidc.properties", + "idp_vers": 4.1, + "module": "idp.authn.DuoOIDC", + "module_vers": 1, + "description": "Redirection URI to which the 2FA response will be sent", + "note": "ex. https://:/idp/profile/Authn/Duo/2FA/duo-callback" + }, + { + "property_name": "idp.duo.oidc.redirecturl.allowedOrigins", + "property_type": "string", + "property_default_value": "none", + "config_category": "DuoOIDCAuthnConfiguration", + "config_file": "authn/duo-oidc.properties", + "idp_vers": 4.1, + "module": "idp.authn.DuoOIDC", + "module_vers": 1, + "description": "If the idp.duo.oidc.redirectURL is not set one will be computed dynamically and checked against this list of allowed origins - to prevent Http Host Header injection.", + "note": "" + }, + { + "property_name": "idp.duo.oidc.secretKey", + "property_type": "string", + "property_default_value": "none", + "config_category": "DuoOIDCAuthnConfiguration", + "config_file": "authn/duo-oidc.properties", + "idp_vers": 4.1, + "module": "idp.authn.DuoOIDC", + "module_vers": 1, + "description": "The client secret used to verify the client in exchanging the authorization code for a Duo 2FA result token (id_token).", + "note": "" + }, + { + "property_name": "idp.duo.oidc.endpoint.health", + "property_type": "string", + "property_default_value": "/oauth/v1/health_check", + "config_category": "DuoOIDCAuthnConfiguration", + "config_file": "authn/duo-oidc.properties", + "idp_vers": 4.1, + "module": "idp.authn.DuoOIDC", + "module_vers": 1, + "description": "Duo's OAuth 2.0 health check endpoint", + "note": "" + }, + { + "property_name": "idp.duo.oidc.endpoint.token", + "property_type": "string", + 
"property_default_value": "/oauth/v1/token", + "config_category": "DuoOIDCAuthnConfiguration", + "config_file": "authn/duo-oidc.properties", + "idp_vers": 4.1, + "module": "idp.authn.DuoOIDC", + "module_vers": 1, + "description": "Duo's OAuth 2.0 token endpoint", + "note": "" + }, + { + "property_name": "idp.duo.oidc.endpoint.authorize", + "property_type": "string", + "property_default_value": "/oauth/v1/authorize", + "config_category": "DuoOIDCAuthnConfiguration", + "config_file": "authn/duo-oidc.properties", + "idp_vers": 4.1, + "module": "idp.authn.DuoOIDC", + "module_vers": 1, + "description": "Duo's OAuth 2.0 authorization endpoint", + "note": "" + }, + { + "property_name": "idp.duo.oidc.jwt.verifier.clockSkew", + "property_type": "duration", + "property_default_value": "PT60S", + "config_category": "DuoOIDCAuthnConfiguration", + "config_file": "authn/duo-oidc.properties", + "idp_vers": 4.1, + "module": "idp.authn.DuoOIDC", + "module_vers": 1, + "description": "Leeway allowed in token expiry calculations", + "note": "" + }, + { + "property_name": "idp.duo.oidc.jwt.verifier.iatWindow", + "property_type": "duration", + "property_default_value": "PT60S", + "config_category": "DuoOIDCAuthnConfiguration", + "config_file": "authn/duo-oidc.properties", + "idp_vers": 4.1, + "module": "idp.authn.DuoOIDC", + "module_vers": 1, + "description": "Maximum amount (in either direction from now) of duration for which a token is valid after it is issued", + "note": "" + }, + { + "property_name": "idp.duo.oidc.jwt.verifier.issuerPath", + "property_type": "string", + "property_default_value": "/oauth/v1/token", + "config_category": "DuoOIDCAuthnConfiguration", + "config_file": "authn/duo-oidc.properties", + "idp_vers": 4.1, + "module": "idp.authn.DuoOIDC", + "module_vers": 1, + "description": "The path component of the Duo token issuer. 
The full issuer string takes the format: HTTPS://+", + "note": "" + }, + { + "property_name": "idp.duo.oidc.jwt.verifier.preferredUsername", + "property_type": "string", + "property_default_value": "preferred_username", + "config_category": "DuoOIDCAuthnConfiguration", + "config_file": "authn/duo-oidc.properties", + "idp_vers": 4.1, + "module": "idp.authn.DuoOIDC", + "module_vers": 1, + "description": "The result token JWT claim name that represents the username sent in the duo_uname field in the authorization request.", + "note": "" + }, + { + "property_name": "idp.duo.oidc.jwt.verifier.authLifetime", + "property_type": "duration", + "property_default_value": "PT60S", + "config_category": "DuoOIDCAuthnConfiguration", + "config_file": "authn/duo-oidc.properties", + "idp_vers": 4.1, + "module": "idp.authn.DuoOIDC", + "module_vers": 1, + "description": "How long the authentication is valid. Only applies to forced authentication requests.", + "note": "" + }, + { + "property_name": "idp.duo.oidc.nonbrowser.apiHost", + "property_type": "string", + "property_default_value": "%{idp.duo.oidc.apiHost}", + "config_category": "DuoOIDCAuthnConfiguration", + "config_file": "authn/duo-oidc.properties", + "idp_vers": 4.1, + "module": "idp.authn.DuoOIDC", + "module_vers": 1, + "description": "Duo AuthAPI hostname assigned to the integration", + "note": "" + }, + { + "property_name": "idp.duo.oidc.nonbrowser.integrationKey", + "property_type": "string", + "property_default_value": "none", + "config_category": "DuoOIDCAuthnConfiguration", + "config_file": "authn/duo-oidc.properties", + "idp_vers": 4.1, + "module": "idp.authn.DuoOIDC", + "module_vers": 1, + "description": "Duo AuthAPI integration key supplied by Duo", + "note": "" + }, + { + "property_name": "idp.duo.oidc.nonbrowser.secretKey", + "property_type": "string", + "property_default_value": "none", + "config_category": "DuoOIDCAuthnConfiguration", + "config_file": "authn/duo-oidc.properties", + "idp_vers": 4.1, + "module": 
"idp.authn.DuoOIDC", + "module_vers": 1, + "description": "Duo AuthAPI secret key supplied by Duo", + "note": "" + }, + { + "property_name": "idp.duo.oidc.nonbrowser.header.factor", + "property_type": "strinig", + "property_default_value": "X-Shibboleth-Duo-Factor", + "config_category": "DuoOIDCAuthnConfiguration", + "config_file": "authn/duo-oidc.properties", + "idp_vers": 4.1, + "module": "idp.authn.DuoOIDC", + "module_vers": 1, + "description": "Name of HTTP request header for Duo AuthAPI factor", + "note": "" + }, + { + "property_name": "idp.duo.oidc.nonbrowser.header.device", + "property_type": "string", + "property_default_value": "X-Shibboleth-Duo-Device", + "config_category": "DuoOIDCAuthnConfiguration", + "config_file": "authn/duo-oidc.properties", + "idp_vers": 4.1, + "module": "idp.authn.DuoOIDC", + "module_vers": 1, + "description": "Name of HTTP request header for Duo AuthAPI device ID or name", + "note": "" + }, + { + "property_name": "idp.duo.oidc.nonbrowser.header.passcode", + "property_type": "string", + "property_default_value": "X-Shibboleth-Duo-Passcode", + "config_category": "DuoOIDCAuthnConfiguration", + "config_file": "authn/duo-oidc.properties", + "idp_vers": 4.1, + "module": "idp.authn.DuoOIDC", + "module_vers": 1, + "description": "Name of HTTP request header for Duo AuthAPI passcode", + "note": "" + }, + { + "property_name": "idp.duo.oidc.nonbrowser.auto", + "property_type": "bool", + "property_default_value": true, + "config_category": "DuoOIDCAuthnConfiguration", + "config_file": "authn/duo-oidc.properties", + "idp_vers": 4.1, + "module": "idp.authn.DuoOIDC", + "module_vers": 1, + "description": "Allow the factor to be defaulted in as \"auto\" if no headers are received", + "note": "" + }, + { + "property_name": "idp.duo.oidc.nonbrowser.clientAddressTrusted", + "property_type": "bool", + "property_default_value": true, + "config_category": "DuoOIDCAuthnConfiguration", + "config_file": "authn/duo-oidc.properties", + "idp_vers": 4.1, + 
"module": "idp.authn.DuoOIDC", + "module_vers": 1, + "description": "Pass client address to Duo in API calls to support logging", + "note": "push display" + }, + { + "property_name": "idp.duo.oidc.connectionTimeout", + "property_type": "duration", + "property_default_value": "PT1M", + "config_category": "DuoOIDCAuthnConfiguration", + "config_file": "authn/duo-oidc.properties", + "idp_vers": 4.1, + "module": "idp.authn.DuoOIDC", + "module_vers": "1 (nimbus)", + "description": "Maximum length of time to wait for the connection to be established", + "note": "" + }, + { + "property_name": "idp.duo.oidc.connectionRequestTimeout", + "property_type": "duration", + "property_default_value": "PT1M", + "config_category": "DuoOIDCAuthnConfiguration", + "config_file": "authn/duo-oidc.properties", + "idp_vers": 4.1, + "module": "idp.authn.DuoOIDC", + "module_vers": "1 (nimbus)", + "description": "Maximum length of time to wait for a connection to be returned from the connection manager", + "note": "" + }, + { + "property_name": "idp.duo.oidc.socketTimeout", + "property_type": "duration", + "property_default_value": "PT1M", + "config_category": "DuoOIDCAuthnConfiguration", + "config_file": "authn/duo-oidc.properties", + "idp_vers": 4.1, + "module": "idp.authn.DuoOIDC", + "module_vers": "1 (nimbus)", + "description": "Maximum period inactivity between two consecutive data packets", + "note": "" + }, + { + "property_name": "idp.duo.oidc.maxConnectionsTotal", + "property_type": "int", + "property_default_value": 100, + "config_category": "DuoOIDCAuthnConfiguration", + "config_file": "authn/duo-oidc.properties", + "idp_vers": 4.1, + "module": "idp.authn.DuoOIDC", + "module_vers": "1 (nimbus)", + "description": "Max total simultaneous connections allowed by the pooling connection manager", + "note": "" + }, + { + "property_name": "idp.duo.oidc.maxConnectionsPerRoute", + "property_type": "int", + "property_default_value": 100, + "config_category": "DuoOIDCAuthnConfiguration", + 
"config_file": "authn/duo-oidc.properties", + "idp_vers": 4.1, + "module": "idp.authn.DuoOIDC", + "module_vers": "1 (nimbus)", + "description": "Max simultaneous connections per route allowed by the pooling connection manager", + "note": "" + }, + { + "property_name": "idp.duo.oidc.nimbus.checkRevocation", + "property_type": "bool", + "property_default_value": false, + "config_category": "DuoOIDCAuthnConfiguration", + "config_file": "authn/duo-oidc.properties", + "idp_vers": 4.1, + "module": "idp.authn.DuoOIDC", + "module_vers": "1 (nimbus)", + "description": "To enable certificate revocation checking", + "note": "" + }, + { + "property_name": "idp.authn.TOTP.headerName", + "property_type": "string", + "property_default_value": "X-Shibboleth-TOTP", + "config_category": "TOTP", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "idp.authn.TOTP", + "module_vers": 1, + "description": "Name of request header to use for extracting non-browser submitted token codes", + "note": "" + }, + { + "property_name": "idp.authn.TOTP.fieldName", + "property_type": "string", + "property_default_value": "tokencode", + "config_category": "TOTP", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "idp.authn.TOTP", + "module_vers": 1, + "description": "Name of HTML form field to use for locating browser-submitted token codes", + "note": "" + }, + { + "property_name": "idp.authn.TOTP.tokenSeedAttribute", + "property_type": "string", + "property_default_value": "tokenSeeds", + "config_category": "TOTP", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "idp.authn.TOTP", + "module_vers": 1, + "description": "Name of IdPAttribute to resolve to obtain token seeds for users", + "note": "" + }, + { + "property_name": "idp.authn.TOTP.order", + "property_type": "int", + "property_default_value": 1000, + "config_category": "TOTP", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "idp.authn.TOTP", + 
"module_vers": 1, + "description": "Flow priority relative to other enabled login flows (lower is \"higher\" in priority)", + "note": "" + }, + { + "property_name": "idp.authn.TOTP.nonBrowserSupported", + "property_type": "bool", + "property_default_value": false, + "config_category": "TOTP", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "idp.authn.TOTP", + "module_vers": 1, + "description": "Whether the flow should handle non-browser request profiles (e.g., ECP)", + "note": "" + }, + { + "property_name": "idp.authn.TOTP.passiveAuthenticationSupported", + "property_type": "bool", + "property_default_value": false, + "config_category": "TOTP", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "idp.authn.TOTP", + "module_vers": 1, + "description": "Whether the flow allows for passive authentication", + "note": "" + }, + { + "property_name": "idp.authn.TOTP.forcedAuthenticationSupported", + "property_type": "bool", + "property_default_value": true, + "config_category": "TOTP", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "idp.authn.TOTP", + "module_vers": 1, + "description": "Whether the flow supports forced authentication", + "note": "" + }, + { + "property_name": "idp.authn.TOTP.proxyRestrictionsEnforced", + "property_type": "bool", + "property_default_value": "%{idp.authn.enforceProxyRestrictions:true}", + "config_category": "TOTP", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "idp.authn.TOTP", + "module_vers": 1, + "description": "Whether the flow enforces upstream IdP-imposed restrictions on proxying", + "note": "" + }, + { + "property_name": "idp.authn.TOTP.proxyScopingEnforced", + "property_type": "bool", + "property_default_value": false, + "config_category": "TOTP", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "idp.authn.TOTP", + "module_vers": 1, + "description": "Whether the flow considers itself to be proxying", + 
"note": "and therefore enforces SP-signaled restrictions on proxying" + }, + { + "property_name": "idp.authn.TOTP.discoveryRequired", + "property_type": "bool", + "property_default_value": false, + "config_category": "TOTP", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "idp.authn.TOTP", + "module_vers": 1, + "description": "Whether to invoke IdP-discovery prior to running flow", + "note": "" + }, + { + "property_name": "idp.authn.TOTP.lifetime", + "property_type": "duration", + "property_default_value": "%{idp.authn.defaultLifetime:PT1H}", + "config_category": "TOTP", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "idp.authn.TOTP", + "module_vers": 1, + "description": "Lifetime of results produced by this flow", + "note": "" + }, + { + "property_name": "idp.authn.TOTP.inactivityTimeout", + "property_type": "duration", + "property_default_value": "%{idp.authn.defaultTimeout:PT30M}", + "config_category": "TOTP", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "idp.authn.TOTP", + "module_vers": 1, + "description": "Inactivity timeout of results produced by this flow", + "note": "" + }, + { + "property_name": "idp.authn.TOTP.reuseCondition", + "property_type": "Bean ID", + "property_default_value": "shibboleth.Conditions.TRUE", + "config_category": "TOTP", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "idp.authn.TOTP", + "module_vers": 1, + "description": "Bean ID ofPredicate controlling result reuse for SSO", + "note": "" + }, + { + "property_name": "idp.authn.TOTP.activationCondition", + "property_type": "Bean ID", + "property_default_value": "shibboleth.Conditions.TRUE", + "config_category": "TOTP", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "idp.authn.TOTP", + "module_vers": 1, + "description": "Bean ID ofPredicate determining whether flow is usable for request", + "note": "" + }, + { + "property_name": 
"idp.authn.TOTP.subjectDecorator", + "property_type": "Bean ID", + "property_default_value": "none", + "config_category": "TOTP", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "idp.authn.TOTP", + "module_vers": 1, + "description": "Bean ID ofBiConsumer for subject customization", + "note": "" + }, + { + "property_name": "idp.authn.TOTP.supportedPrincipals", + "property_type": "string", + "property_default_value": "saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken, saml1/urn:oasis:names:tc:SAML:1.0:am:HardwareToken", + "config_category": "TOTP", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "idp.authn.TOTP", + "module_vers": 1, + "description": "Comma-delimited list of protocol-specific Principalstrings associated with flow", + "note": "" + }, + { + "property_name": "idp.authn.TOTP.addDefaultPrincipals", + "property_type": "bool", + "property_default_value": false, + "config_category": "TOTP", + "config_file": "authn/authn.properties", + "idp_vers": 4.1, + "module": "idp.authn.TOTP", + "module_vers": 1, + "description": "Whether to auto-attach the preceding set ofPrincipalobjects to eachSubjectproduced by this flow", + "note": "" + }, + { + "property_name": "idp.metadata.dnsname", + "property_type": "string", + "property_default_value": "none", + "config_category": "Metadatagen", + "config_file": "--propertyFiles mdgen.properties", + "idp_vers": 4.1, + "module": "idp.metadatagen", + "module_vers": 1, + "description": "Supplies the DNS name used within the URLs specifying the end points. 
This should not be used in conjunction with the --DNSName qualifier", + "note": "" + }, + { + "property_name": "idp.metadata.backchannel.cert", + "property_type": "resource path", + "property_default_value": "none", + "config_category": "Metadatagen", + "config_file": "--propertyFiles mdgen.properties", + "idp_vers": 4.1, + "module": "idp.metadatagen", + "module_vers": 1, + "description": "Specifies the path to the certificate protecting the back channel. This should not be used in conjunction with the --backChannel qualifier.", + "note": "" + }, + { + "property_name": "idp.metadata.idpsso.mdui.logo.path", + "property_type": "URL", + "property_default_value": "none", + "config_category": "Metadatagen", + "config_file": "--propertyFiles mdgen.properties", + "idp_vers": 4.1, + "module": "idp.metadatagen", + "module_vers": 1, + "description": "Specifies the path part of the URL which describes a logo for the IdP. The protocol is hard wired to be https:// and the DNS name is used for the host. The is always emitted. 
If this is absent then then a fixed path ('/path/to/logo') is used.", + "note": "" + }, + { + "property_name": "idp.metadata.idpsso.mdui.logo.height", + "property_type": "int", + "property_default_value": 80, + "config_category": "Metadatagen", + "config_file": "--propertyFiles mdgen.properties", + "idp_vers": 4.1, + "module": "idp.metadatagen", + "module_vers": 1, + "description": "The height of the logo in pixels.", + "note": "" + }, + { + "property_name": "idp.metadata.idpsso.mdui.logo.width", + "property_type": "init", + "property_default_value": 80, + "config_category": "Metadatagen", + "config_file": "--propertyFiles mdgen.properties", + "idp_vers": 4.1, + "module": "idp.metadatagen", + "module_vers": 1, + "description": "The width of the logo in pixels", + "note": "" + }, + { + "property_name": "idp.metadata.idpsso.mdui.langs", + "property_type": "string", + "property_default_value": "none", + "config_category": "Metadatagen", + "config_file": "--propertyFiles mdgen.properties", + "idp_vers": 4.1, + "module": "idp.metadatagen", + "module_vers": 1, + "description": "A space separated list of languages used to lookup values formed appending each one to the name and description properties idp.metadata.idpsso.mdui.displayname. and idp.metadata.idpsso.mdui.description.. If this is absent then an and for the \"en\" language is emitted which you need to edit.", + "note": "" + }, + { + "property_name": "idp.metadata.idpsso.mdui.displayname.", + "property_type": "string", + "property_default_value": "none", + "config_category": "Metadatagen", + "config_file": "--propertyFiles mdgen.properties", + "idp_vers": 4.1, + "module": "idp.metadatagen", + "module_vers": 1, + "description": "Display name for the IdP in the specified language. 
If this is absent for a language specified above then not is emitted for that language", + "note": "" + }, + { + "property_name": "idp.metadata.idpsso.mdui.description.", + "property_type": "string", + "property_default_value": "none", + "config_category": "Metadatagen", + "config_file": "--propertyFiles mdgen.properties", + "idp_vers": 4.1, + "module": "idp.metadatagen", + "module_vers": 1, + "description": "Description for the IdP in the specified language. If this is absent for a language specified above then not is emitted for that language", + "note": "" + }, + { + "property_name": "idp.oidc.encryptionOptional", + "property_type": "bool", + "property_default_value": false, + "config_category": "OIDC OP", + "config_file": "oidc.properties", + "idp_vers": 4.1, + "module": "idp.oidc.OP", + "module_vers": 3, + "description": "Set false to preclude issuing unencrypted ID/UserInfo tokens without specific overrides", + "note": "no doc" + }, + { + "property_name": "idp.oidc.dynreg.defaultSecretExpiration", + "property_type": "duration", + "property_default_value": "P12M", + "config_category": "OIDC OP", + "config_file": "oidc.properties", + "idp_vers": 4.1, + "module": "idp.oidc.OP", + "module_vers": 3, + "description": "The validity of client secret registered", + "note": "no doc" + }, + { + "property_name": "idp.oidc.dynreg.allowNoneForRequestSigning", + "property_type": "bool", + "property_default_value": true, + "config_category": "OIDC OP", + "config_file": "oidc.properties", + "idp_vers": 4.1, + "module": "idp.oidc.OP", + "module_vers": 3, + "description": "Regardless of what signing algorithms are configured allow none for request object signing", + "note": "no doc" + }, + { + "property_name": "idp.oidc.dynreg.validateRemoteJwks", + "property_type": "Bean ID", + "property_default_value": "shibboleth.Conditions.TRUE", + "config_category": "OIDC OP", + "config_file": "oidc.properties", + "idp_vers": 4.1, + "module": "idp.oidc.OP", + "module_vers": 3, + 
"description": "Bean to determine whether dynamic registration should validate the remote JWK set if it's defined in the request", + "note": "no doc" + }, + { + "property_name": "idp.oidc.jwk.StorageService", + "property_type": "Bean ID", + "property_default_value": "shibboleth.StorageService", + "config_category": "OIDC OP", + "config_file": "oidc.properties", + "idp_vers": 4.1, + "module": "idp.oidc.OP", + "module_vers": 3, + "description": "Storage for storing remote jwk sets.", + "note": "no doc" + }, + { + "property_name": "idp.oidc.metadata.saml", + "property_type": "Bean ID", + "property_default_value": "shibboleth.Conditions.TRUE", + "config_category": "OIDC OP", + "config_file": "oidc.properties", + "idp_vers": 4.1, + "module": "idp.oidc.OP", + "module_vers": 3, + "description": "Bean to determine whether SAML metadata should be exploited for trusted OIDC RP resolution", + "note": "no doc" + }, + { + "property_name": "idp.oidc.jwksuri.fetchInterval", + "property_type": "duration", + "property_default_value": "PT30M", + "config_category": "OIDC OP", + "config_file": "oidc.properties", + "idp_vers": 4.1, + "module": "idp.oidc.OP", + "module_vers": 3, + "description": "Upgrade interval to the remote JWKs", + "note": "no doc" + }, + { + "property_name": "idp.oidc.config.minRefreshDelay", + "property_type": "duration", + "property_default_value": "PT5M", + "config_category": "OIDC OP", + "config_file": "oidc.properties", + "idp_vers": 4.1, + "module": "idp.oidc.OP", + "module_vers": 3, + "description": "Bounds on the next file refresh of the OP configuration resource", + "note": "no doc" + }, + { + "property_name": "idp.oidc.config.maxRefreshDelay", + "property_type": "duration", + "property_default_value": "PT4H", + "config_category": "OIDC OP", + "config_file": "oidc.properties", + "idp_vers": 4.1, + "module": "idp.oidc.OP", + "module_vers": 3, + "description": "Bounds on the next file refresh of the OP configuration resource", + "note": "no doc" + }, + { + 
"property_name": "idp.oidc.LoginHintLookupStrategy", + "property_type": "Bean ID", + "property_default_value": "DefaultRequestLoginHintLookupFunction", + "config_category": "OIDC OP", + "config_file": "oidc.properties", + "idp_vers": 4.1, + "module": "idp.oidc.OP", + "module_vers": 3, + "description": "Bean used for extracting login_hint from the authentication request. The default function parses login_hint as is.", + "note": "no doc" + }, + { + "property_name": "idp.oidc.SPSessionCreationStrategy", + "property_type": "Bean ID", + "property_default_value": "DefaultSPSessionCreationStrategy", + "config_category": "OIDC OP", + "config_file": "oidc.properties", + "idp_vers": 4.1, + "module": "idp.oidc.OP", + "module_vers": 3, + "description": "Bean used for creating SPSessions needed for SLO. By default builds protocol-independent BasicSPSession as SLO is not yet supported.", + "note": "no doc" + } +] \ No newline at end of file diff --git a/ui/src/app/App.js b/ui/src/app/App.js index 546241f10..ca70ee51a 100644 --- a/ui/src/app/App.js +++ b/ui/src/app/App.js @@ -34,6 +34,7 @@ import { Roles } from './admin/Roles'; import { Groups } from './admin/Groups'; import { BASE_PATH } from './App.constant'; import { ProtectRoute } from './core/components/ProtectRoute'; +import { IdpConfiguration } from './admin/IdpConfiguration'; function App() { @@ -108,6 +109,11 @@ function App() { } /> + + + + + } /> diff --git a/ui/src/app/admin/IdpConfiguration.js b/ui/src/app/admin/IdpConfiguration.js new file mode 100644 index 000000000..6f774d9ea --- /dev/null +++ b/ui/src/app/admin/IdpConfiguration.js 
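Review bot: Whether the new `IdpConfiguration` route is wrapped in `ProtectRoute` the way the sibling admin routes are cannot be confirmed here, because the JSX of the `@@ -108,6 +109,11 @@` App.js hunk is stripped from this view. The configuration pages list, edit and delete Shibboleth property sets, so the route needs the same admin gate as the other `./admin/*` routes; if it is not wrapped, put `IdpConfiguration` inside a `ProtectRoute` with the same `redirectTo` the neighbouring admin routes pass. The enclosing `App` function starts and ends outside the hunk.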
@@ -0,0 +1,34 @@ +import React from 'react'; +import { Switch, Route, useRouteMatch, Redirect } from 'react-router-dom'; +import { ConfigurationsProvider } from './hoc/ConfigurationsProvider'; +import { NewConfiguration } from './container/NewConfiguration'; +import { EditConfiguration } from './container/EditConfiguration'; +import { ConfigurationList } from './container/ConfigurationList'; + +export function IdpConfiguration() { + + let { path, url } = useRouteMatch(); + + return ( + <> + + + + {(configurations, onDelete) => + + } + + } /> + + + } /> + + + } /> + + + } /> + + + ); +} \ No newline at end of file diff --git a/ui/src/app/admin/component/ConfigurationForm.js b/ui/src/app/admin/component/ConfigurationForm.js new file mode 100644 index 000000000..e48062f01 --- /dev/null +++ b/ui/src/app/admin/component/ConfigurationForm.js 
@@ -0,0 +1,139 @@ +import React from 'react'; +import Button from 'react-bootstrap/Button'; +import { useFieldArray, useForm } from 'react-hook-form'; +import { FontAwesomeIcon } from '@fortawesome/react-fontawesome'; +import { faSpinner, faSave, faTrash } from '@fortawesome/free-solid-svg-icons'; + +import Translate from '../../i18n/components/translate'; +import PropertySelector from './PropertySelector'; + +import { useProperties, usePropertiesLoading } from '../hoc/PropertiesProvider'; + +import Form from 'react-bootstrap/Form'; +import FloatingLabel from 'react-bootstrap/FloatingLabel'; + +export function ConfigurationForm({ configuration = {}, schema, onSave, onCancel }) { + + const { control, register, getValues, watch, formState: { errors } } = useForm({ + defaultValues: { + ...configuration + } + }); + + const { fields, prepend, remove } = useFieldArray({ + control, + name: "properties", + }); + + const properties = useProperties(); + const loading = usePropertiesLoading(); + + const addProperties = (props) => { + const parsed = props.reduce((coll, prop, idx) => { + if (prop.isCategory) { + return [...coll, ...properties.filter(p => p.category === prop.category)]; + } else { + return [...coll, prop]; + } + }, []); + + prepend(parsed); + }; + + const saveConfig = (formValues) => { + const parsed = formValues.properties.map(p => ({ + propertyName: p.propertyName, + propertyValue: p.propertyValue, + configFile: p.configFile, + })); + onSave({ + ...formValues, + properties: parsed + }); + }; + + return (<> +
+
+ + + + +
+
+
+
+
+ + Name + + +
+
+
+
+
+ +
+
+
+
+
+
+ + + + + + + + + + + + {fields.map((p, idx) => ( + + + + + + + + ))} + +
PropertyCategoryTypeValueAction
{ p.propertyName }{ p.category }{ p.displayType } + {p.displayType !== 'boolean' ? + + + + : + + } + + +
+
+
+
+
+ ) +} diff --git a/ui/src/app/admin/component/PropertySelector.js b/ui/src/app/admin/component/PropertySelector.js new file mode 100644 index 000000000..44cdfd085 --- /dev/null +++ b/ui/src/app/admin/component/PropertySelector.js @@ -0,0 +1,92 @@ +import React, { Fragment, useCallback } from 'react'; +import { groupBy } from 'lodash'; +import { Highlighter, Menu, MenuItem, Token, Typeahead } from 'react-bootstrap-typeahead'; +import Button from 'react-bootstrap/Button'; + +import { ToggleButton } from '../../form/component/ToggleButton'; + +export function PropertySelector ({ properties, options, onAddProperties }) { + + // React.useEffect(() => console.log(properties), [properties]); + + const menu = useCallback((results, menuProps, state) => { + let index = 0; + const mapped = results.map(p => !p.category || p.category === '?' ? { ...p, category: 'Misc' } : p); + const grouped = groupBy(mapped, 'category'); + const items = Object.keys(grouped).sort().map((item) => ( + + {index !== 0 && } + + + {item} - Add all + + + {grouped[item].map((i) => { + const item = + p.propertyName === i.propertyName) }> + + {`- ${i.propertyName}`} + + ; + index += 1; + return item; + })} + + )); + + return {items}; + }, [properties]); + + const token = (option, { onRemove }, index) => ( + + {`${option.propertyName}`} + + ); + + const select = (data) => { + setSelected(data); + }; + + const [selected, setSelected] = React.useState([]); + + const add = (s) => { + onAddProperties(s); + setSelected([]); + } + + return ( + +
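Review bot: `addProperties` prepends every property of a picked category (and any single pick) without checking what `fields` already holds, so using a category's "Add all" twice, or picking a property that is already listed, produces duplicate rows and duplicate `propertyName` entries in the payload `saveConfig` builds. The `reduce` that spreads the accumulator on every iteration is also quadratic in the number of properties and its `idx` parameter is unused; a `flatMap` plus a `Set` of names already present is shorter and dedupes at the same time. The rows carry `propertyName` (the table renders `p.propertyName` from `fields`), so that is the key to check on. The form's JSX is stripped from this view, so only the hook logic is reviewed here.

```javascript
const addProperties = (props) => {
    // Expand category picks into their member properties, then drop anything
    // already in the field array so a repeated "Add all" does not duplicate rows.
    const present = new Set(fields.map(f => f.propertyName));
    const expanded = props.flatMap(prop =>
        prop.isCategory ? properties.filter(p => p.category === prop.category) : [prop]);
    const fresh = expanded.filter(p => {
        if (present.has(p.propertyName)) return false;
        present.add(p.propertyName);
        return true;
    });
    if (fresh.length > 0) {
        prepend(fresh);
    }
};
// … unchanged: saveConfig and the rendered form …
```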
+ + select(selected)} + options={[...options]} + selected={selected} + labelKey={option => `${option.propertyName}`} + filterBy={['propertyName', 'category', 'displayType']} + renderMenu={ menu } + multiple={ true } + renderToken={ token } + > + {({ isMenuShown, toggleMenu }) => ( + toggleMenu()}> + Options + + )} + +
+ +
+ ) +} + +export default PropertySelector; \ No newline at end of file diff --git a/ui/src/app/admin/container/ConfigurationList.js b/ui/src/app/admin/container/ConfigurationList.js new file mode 100644 index 000000000..4acffc1c2 --- /dev/null +++ b/ui/src/app/admin/container/ConfigurationList.js @@ -0,0 +1,80 @@ +import React from 'react'; +import { faDownload, faPlusCircle, faTrash } from '@fortawesome/free-solid-svg-icons'; +import { FontAwesomeIcon } from '@fortawesome/react-fontawesome'; + +import Button from 'react-bootstrap/Button'; +import { Link } from 'react-router-dom'; + +import { Translate } from '../../i18n/components/translate'; + +import { DeleteConfirmation } from '../../core/components/DeleteConfirmation'; + +export function ConfigurationList({ configurations, onDelete }) { + + const remove = (id) => { + onDelete(id); + } + + return ( + + {(block) => +
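Review bot: Inside `menu`, the inner `const item = …` shadows the `item` that names the category group in the enclosing `map`, and the mutable `index` counter is bumped from within a render callback; renaming the inner binding (`const entry = …; index += 1; return entry;`) removes the shadowing without changing what is rendered. The commented-out `// React.useEffect(() => console.log(properties), [properties]);` debug line should be dropped before merge. `select` also closes over `setSelected`, which is declared a few lines below it; it works because the call happens later, but declaring the `useState` pair first reads more naturally.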
+
+
+
+ + Configuration Management + +
+
+
+ +   + Create new configuration + +
+
+ + + + + + + + + {(configurations?.length > 0) ? configurations.map((c, i) => + + + + + ) : + + } + +
+ Configuration Name (label) + Actions
+ + {c.name} + + + + + + +
No configurations.
+
+
+
+
+
+ } +
+ ); +} \ No newline at end of file diff --git a/ui/src/app/admin/container/EditConfiguration.js b/ui/src/app/admin/container/EditConfiguration.js new file mode 100644 index 000000000..7ff66b46d --- /dev/null +++ b/ui/src/app/admin/container/EditConfiguration.js 
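Review bot: `remove` is a one-line pass-through to `onDelete`, so the delete action can take `onDelete` directly and the wrapper can go. The `(c, i)` map parameters suggest the row key is the index; if each configuration has a stable identifier (the Edit view puts to `config.resourceId`), keying rows by it avoids remounting the remaining rows when one is deleted from the middle of the list. The table JSX is stripped from this view, so the key choice is inferred rather than seen.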
@@ -0,0 +1,91 @@ +import React from 'react'; + +import { Prompt, useHistory, useParams } from 'react-router-dom'; +import Translate from '../../i18n/components/translate'; +import { useConfiguration } from '../hooks'; +import { Schema } from '../../form/Schema'; +import { ConfigurationForm } from '../component/ConfigurationForm'; + +import { createNotificationAction, NotificationTypes, useNotificationDispatcher } from '../../notifications/hoc/Notifications'; +import { useTranslator } from '../../i18n/hooks'; +import { BASE_PATH } from '../../App.constant'; +import { PropertiesProvider } from '../hoc/PropertiesProvider'; + +export function EditConfiguration() { + const history = useHistory(); + const notifier = useNotificationDispatcher(); + const translator = useTranslator(); + const { id } = useParams(); + + const { put, get, response, loading } = useConfiguration({}); + + const [blocking, setBlocking] = React.useState(false); + + const [configuration, setConfiguration] = React.useState(); + + async function save(config) { + let toast; + const resp = await put(`${config.resourceId}`, config); + if (response.ok) { + gotoList({ refresh: true }); + toast = createNotificationAction(`Added property successfully.`, NotificationTypes.SUCCESS); + } else { + toast = createNotificationAction(`${resp.errorCode} - ${translator(resp.errorMessage)}`, NotificationTypes.ERROR); + } + if (toast) { + notifier(toast); + } + }; + + async function loadConfiguration(id) { + const config = await get(`/${id}`); + if (response.ok) { + setConfiguration(config); + } + } + + /*eslint-disable react-hooks/exhaustive-deps*/ + React.useEffect(() => { loadConfiguration(id) }, []); + + const cancel = () => { + gotoList(); + }; + + const gotoList = (state = null) => { + setBlocking(false); + history.push(`/configurations`, state); + }; + + return ( +
+ + `message.unsaved-editor` + } + /> +
+
+
+
+ Create new configuration set +
+
+
+
+ + + {(schema) => + save(data)} + onCancel={() => cancel()} />} + + +
+
+
+ ); +} \ No newline at end of file diff --git a/ui/src/app/admin/container/NewConfiguration.js b/ui/src/app/admin/container/NewConfiguration.js new file mode 100644 index 000000000..84477fe40 --- /dev/null +++ b/ui/src/app/admin/container/NewConfiguration.js @@ -0,0 +1,80 @@ +import React from 'react'; + +import { Prompt, useHistory } from 'react-router-dom'; +import Translate from '../../i18n/components/translate'; +import { useConfiguration } from '../hooks'; +import { Schema } from '../../form/Schema'; +import { ConfigurationForm } from '../component/ConfigurationForm'; + +import { createNotificationAction, NotificationTypes, useNotificationDispatcher } from '../../notifications/hoc/Notifications'; +import { useTranslator } from '../../i18n/hooks'; +import { BASE_PATH } from '../../App.constant'; +import { PropertiesProvider } from '../hoc/PropertiesProvider'; + +export function NewConfiguration() { + const history = useHistory(); + const notifier = useNotificationDispatcher(); + const translator = useTranslator(); + + const { post, response, loading } = useConfiguration({}); + + const [blocking, setBlocking] = React.useState(false); + + async function save(config) { + let toast; + const resp = await post(``, config); + if (response.ok) { + gotoList({ refresh: true }); + toast = createNotificationAction(`Added property successfully.`, NotificationTypes.SUCCESS); + } else { + toast = createNotificationAction(`${resp.errorCode} - ${translator(resp.errorMessage)}`, NotificationTypes.ERROR); + } + if (toast) { + notifier(toast); + } + }; + + const cancel = () => { + gotoList(); + }; + + const gotoList = (state = null) => { + setBlocking(false); + history.push(`/configurations`, state); + }; + + const [configuration] = React.useState({}); + + return ( +
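Review bot: `save` calls `put(`${config.resourceId}`, config)` with no leading slash while `loadConfiguration` calls `get(`/${id}`)`; against the `useConfiguration` base `${API_BASE_PATH}/shib/property/set` the two paths join differently unless the fetch hook normalises them, so the update should use the same form, `put(`/${config.resourceId}`, config)`. The success toast for an update reads `Added property successfully.`; `Saved configuration successfully.` describes what happened. `setBlocking` is only ever called with `false`, here and in NewConfiguration, so unless the stripped JSX arms it the `Prompt` never blocks navigation away from unsaved edits.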
+ + `message.unsaved-editor` + } + /> +
+
+
+
+ Create new configuration set +
+
+
+
+ + + {(schema) => + save(data)} + onCancel={() => cancel()} />} + + +
+
+
+ );
+}
\ No newline at end of file
diff --git a/ui/src/app/admin/hoc/ConfigurationsProvider.js b/ui/src/app/admin/hoc/ConfigurationsProvider.js
new file mode 100644
index 000000000..aa23ddd45
--- /dev/null
+++ b/ui/src/app/admin/hoc/ConfigurationsProvider.js
@@ -0,0 +1,42 @@
+import React from 'react';
+import { useConfigurations } from '../hooks';
+import { createNotificationAction, NotificationTypes, useNotificationDispatcher } from '../../notifications/hoc/Notifications';
+import { useTranslator } from '../../i18n/hooks';
+
+export function ConfigurationsProvider({ children, cache = 'no-cache' }) {
+
+ const [configurations, setConfigurations] = React.useState([]);
+
+ const notifier = useNotificationDispatcher();
+ const translator = useTranslator();
+
+ const { get, del, response, loading } = useConfigurations({
+ cachePolicy: cache
+ });
+
+ async function loadConfigurations() {
+ const list = await get(`shib/property/set`);
+ if (response.ok) {
+ setConfigurations(list);
+ }
+ }
+
+ async function removeConfiguration(id) {
+ let toast;
+ const resp = await del(`/${id}`);
+ if (response.ok) {
+ loadConfigurations();
+ toast = createNotificationAction(`Deleted property successfully.`, NotificationTypes.SUCCESS);
+ } else {
+ toast = createNotificationAction(`${resp.errorCode} - ${translator(resp.errorMessage)}`, NotificationTypes.ERROR);
+ }
+ if (toast) {
+ notifier(toast);
+ }
+ }
+
+ /*eslint-disable react-hooks/exhaustive-deps*/
+ React.useEffect(() => { loadConfigurations() }, []);
+
+ return (<>{children(configurations, removeConfiguration, loading)});
+}
\ No newline at end of file
diff --git a/ui/src/app/admin/hoc/PropertiesProvider.js b/ui/src/app/admin/hoc/PropertiesProvider.js
new file mode 100644
index 000000000..95bbc5d04
--- /dev/null
+++ b/ui/src/app/admin/hoc/PropertiesProvider.js
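Review bot: The failure branch of `save` assumes the response body is JSON carrying `errorCode` and `errorMessage`; for an empty or non-JSON error body (an auth redirect page or a proxy error, for instance) `resp` is not an object and the toast reads `undefined - undefined` or the template throws. Fall back to the HTTP status when those fields are absent, assuming use-http's `response` exposes `status`/`statusText` as a fetch Response does: `` `${resp?.errorCode ?? response.status} - ${resp?.errorMessage ? translator(resp.errorMessage) : response.statusText}` ``. The same pattern is in EditConfiguration and ConfigurationsProvider. `const [configuration] = React.useState({})` is never updated, so a plain `const configuration = {};` says the same without a state slot.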
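Review bot: `removeConfiguration` calls `del(`/${id}`)` on the `useConfigurations` hook, whose base in hooks.js is `${API_BASE_PATH}/`, so the request resolves to `${API_BASE_PATH}//${id}` rather than the `shib/property/set/${id}` resource that `loadConfigurations` reads from; the delete goes to a different route than the list it then refreshes. Use `del(`shib/property/set/${id}`)` here, or better give `useConfigurations` the same base as `useConfiguration` and call `get('')` for the list. The success toast `Deleted property successfully.` describes a configuration set, not a property.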
@@ -0,0 +1,47 @@
+import React from 'react';
+import useFetch from 'use-http';
+import API_BASE_PATH from '../../App.constant';
+
+const PropertiesContext = React.createContext();
+
+const { Provider, Consumer } = PropertiesContext;
+
+function PropertiesProvider({ children, cache = 'no-cache' }) {
+
+ const [properties, setProperties] = React.useState([]);
+
+
+ const { get, response, loading } = useFetch('', {
+ cachePolicy: cache
+ });
+
+ async function loadProperties() {
+ const list = await get(`${API_BASE_PATH}/shib/properties`);
+ if (response.ok) {
+ setProperties(list);
+ }
+ }
+
+ /*eslint-disable react-hooks/exhaustive-deps*/
+ React.useEffect(() => { loadProperties() }, []);
+
+ return ({children});
+}
+
+function useProperties() {
+ const { properties } = React.useContext(PropertiesContext);
+ return properties;
+}
+
+function usePropertiesLoading() {
+ const { loading } = React.useContext(PropertiesContext);
+ return loading;
+}
+
+export {
+ PropertiesProvider,
+ PropertiesContext,
+ Consumer as PropertiesConsumer,
+ useProperties,
+ usePropertiesLoading,
+};
diff --git a/ui/src/app/admin/hoc/PropertyProvider.js b/ui/src/app/admin/hoc/PropertyProvider.js
new file mode 100644
index 000000000..119f3d26d
--- /dev/null
+++ b/ui/src/app/admin/hoc/PropertyProvider.js
@@ -0,0 +1,20 @@
+import React from 'react';
+import { useProperty } from '../hooks';
+
+export function PropertyProvider({ id, children }) {
+
+ const [property, setProperty] = React.useState();
+ const { get, response } = useProperty(id);
+
+ async function loadProperty() {
+ const r = await get(``);
+ if (response.ok) {
+ setProperty(r);
+ }
+ }
+
+ /*eslint-disable react-hooks/exhaustive-deps*/
+ React.useEffect(() => { loadProperty() }, []);
+
+ return (<>{children(property)});
+}
\ No newline at end of file
diff --git a/ui/src/app/admin/hooks.js b/ui/src/app/admin/hooks.js
index b2c63a7c3..11184e55e 100644
--- a/ui/src/app/admin/hooks.js
+++ b/ui/src/app/admin/hooks.js
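Review bot: `import API_BASE_PATH from '../../App.constant'` is a default import, while the other files in this change use the named form (`import { BASE_PATH } from '../../App.constant'`); if App.constant only has named exports, `API_BASE_PATH` is `undefined` and `loadProperties` requests `undefined/shib/properties`. Import it the same way hooks.js does (that import line is outside this diff, so check it), and consider passing the base to `useFetch` instead of `''` so `get` takes a relative path like the other providers. The `Provider` element in the `return` is stripped from this view, so the context value shape (`properties`, `loading`) is inferred from the two hooks below it.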
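Review bot: `PropertyProvider` loads once with an empty dependency list, so if the `id` prop changes the stale `property` stays in state; `useProperty(id)` is re-created for the new id but nothing re-fetches. `React.useEffect(() => { loadProperty() }, [id]);` keeps the provider in step with its prop and removes the need for the eslint-disable on that line.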
@@ -46,3 +46,19 @@ export function useGroupUiValidator() {
 export function useRoleUiSchema() {
 return {};
 }
+
+export function useConfigurations (opts = { cachePolicy: 'no-cache' }) {
+ return useFetch(`${API_BASE_PATH}/`, opts);
+}
+
+export function useConfiguration(opts = { cachePolicy: 'no-cache' }) {
+ return useFetch(`${API_BASE_PATH}/shib/property/set`, opts);
+}
+
+export function useConfigurationUiSchema () {
+ return {
+ description: {
+ 'ui:widget': 'textarea'
+ }
+ };
+}
\ No newline at end of file
diff --git a/ui/src/app/core/components/Header.js b/ui/src/app/core/components/Header.js
index ff979056b..114b73a8c 100644
--- a/ui/src/app/core/components/Header.js
+++ b/ui/src/app/core/components/Header.js
@@ -7,7 +7,7 @@ import Dropdown from 'react-bootstrap/Dropdown';
 import { FontAwesomeIcon } from '@fortawesome/react-fontawesome';
-import { faTh, faSignOutAlt, faPlusCircle, faCube, faCubes, faUsersCog, faSpinner, faUserCircle, faCog, faBoxOpen, faTags, faIdBadge } from '@fortawesome/free-solid-svg-icons';
+import { faTh, faSignOutAlt, faPlusCircle, faCube, faCubes, faUsersCog, faSpinner, faUserCircle, faCog, faBoxOpen, faTags, faIdBadge, faFileLines } from '@fortawesome/free-solid-svg-icons';
 import Translate from '../../i18n/components/translate';
 import { useTranslator } from '../../i18n/hooks';
@@ -88,6 +88,10 @@ export function Header () { + + + + }
diff --git a/ui/src/app/core/components/ProtectRoute.js b/ui/src/app/core/components/ProtectRoute.js
index 77133d9e7..c8a7a299f 100644
--- a/ui/src/app/core/components/ProtectRoute.js
+++ b/ui/src/app/core/components/ProtectRoute.js
@@ -1,7 +1,6 @@
-import { isUndefined } from 'lodash';
 import React from 'react';
 import { Redirect } from 'react-router-dom';
-
+import { isUndefined } from 'lodash';
 import { useCurrentUser, useIsAdmin } from '../user/UserContext';
 export function ProtectRoute({ children, redirectTo, ...rest }) {
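Review bot: `useConfigurations` is built on `${API_BASE_PATH}/` while `useConfiguration` is built on `${API_BASE_PATH}/shib/property/set`, so the two hooks for the same resource expect different relative paths from their callers, and ConfigurationsProvider's `del(`/${id}`)` lands outside the property-set route. Giving both the same base, `return useFetch(`${API_BASE_PATH}/shib/property/set`, opts);`, lets the provider use `get('')` and `del(`/${id}`)` in the same way EditConfiguration already does. A one-line comment on each hook stating the path shape callers pass (leading slash or none) would stop this drifting again; `useConfigurations (` versus `useConfiguration(` also mixes the space-before-paren style.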
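Review bot: `faFileLines` exists in Font Awesome 6 (`@fortawesome/free-solid-svg-icons` 6.x); on a 5.x package the named import is `undefined` and the icon renders nothing or logs a missing-icon error. If the project is still on 5.x the equivalent name is `faFileAlt`; check the installed version. The JSX of the second Header hunk (`@@ -88,6 +88,10 @@`) is stripped from this view, so where the icon is placed could not be reviewed.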
diff --git a/ui/src/app/form/component/ToggleButton.js b/ui/src/app/form/component/ToggleButton.js new file mode 100644 index 000000000..d45c04cd4 --- /dev/null +++ b/ui/src/app/form/component/ToggleButton.js @@ -0,0 +1,23 @@ +import Button from 'react-bootstrap/Button'; +import { FontAwesomeIcon } from "@fortawesome/react-fontawesome"; +import { faCaretDown, faCaretUp } from "@fortawesome/free-solid-svg-icons"; + +export function ToggleButton ({ isOpen, onClick, disabled, children }) { + return ( + + ); +} + +export default ToggleButton; \ No newline at end of file diff --git a/ui/src/app/form/component/fields/FilterTargetField.js b/ui/src/app/form/component/fields/FilterTargetField.js index f78c522dd..d42738059 100644 --- a/ui/src/app/form/component/fields/FilterTargetField.js +++ b/ui/src/app/form/component/fields/FilterTargetField.js @@ -324,7 +324,4 @@ const FilterTargetField = ({ ); }; -/* -*/ - export default FilterTargetField; \ No newline at end of file diff --git a/ui/src/app/form/component/widgets/OptionWidget.js b/ui/src/app/form/component/widgets/OptionWidget.js index 92fc81b3d..b4ac812c6 100644 --- a/ui/src/app/form/component/widgets/OptionWidget.js +++ b/ui/src/app/form/component/widgets/OptionWidget.js 
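Review bot: ToggleButton.js has no `import React from 'react'` while every other JSX file in this change imports it; that only compiles under the automatic JSX runtime, so either add the import for consistency or confirm the build uses the new transform. The three import lines also mix `"`-quoted and `'`-quoted module specifiers where the rest of the change uses single quotes. The component body is stripped from this view, so whether it matches the `ToggleButton` removed from OptionWidget could not be compared.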
@@ -2,31 +2,17 @@ import React, { useRef } from "react"; import ListGroup from "react-bootstrap/ListGroup"; import Form from "react-bootstrap/Form"; -import Button from 'react-bootstrap/Button'; + import Translate from "../../../i18n/components/translate"; import { InfoIcon } from "../InfoIcon"; import { Typeahead } from 'react-bootstrap-typeahead'; import { FontAwesomeIcon } from "@fortawesome/react-fontawesome"; -import { faAsterisk, faCaretDown, faCaretUp } from "@fortawesome/free-solid-svg-icons"; +import { faAsterisk } from "@fortawesome/free-solid-svg-icons"; import { useTranslator } from "../../../i18n/hooks"; +import { ToggleButton } from '../ToggleButton'; -const ToggleButton = ({ isOpen, onClick, disabled, children }) => ( - -); const OptionWidget = ({ id, diff --git a/ui/src/theme/project/configuration.scss b/ui/src/theme/project/configuration.scss new file mode 100644 index 000000000..0da05f1ff --- /dev/null +++ b/ui/src/theme/project/configuration.scss @@ -0,0 +1,11 @@ +#property-selector { + .dropdown-header { + padding-right: 0rem; + padding-left: 0rem; + font-size: 1rem; + + .dropdown-item { + font-weight: bold; + } + } +} \ No newline at end of file diff --git a/ui/src/theme/project/index.scss b/ui/src/theme/project/index.scss index 4e36779c5..fd2b6a070 100644 --- a/ui/src/theme/project/index.scss +++ b/ui/src/theme/project/index.scss @@ -13,6 +13,8 @@ @import './utility'; @import './notifications'; @import './filters'; +@import './typeahead'; +@import './configuration'; html, body { height: 100%; diff --git a/ui/src/theme/project/typeahead.scss b/ui/src/theme/project/typeahead.scss new file mode 100644 index 000000000..0fca115fa --- /dev/null +++ b/ui/src/theme/project/typeahead.scss 
@@ -0,0 +1,43 @@ +@import '~react-bootstrap-typeahead/css/Typeahead'; + +.rbt-token-removeable { + cursor: pointer; + padding-right: 21px; +} + +.rbt-token { + background-color: #e7f4ff; + border: 0; + border-radius: .25rem; + color: #007bff; + display: inline-block; + line-height: 1em; + margin: 1px 3px 2px 0; + padding: 4px 7px; + padding-right: 1.8em; + position: relative; + + .rbt-token-remove-button { + bottom: 0; + color: inherit; + font-size: inherit; + font-weight: normal; + opacity: 1; + outline: none; + padding: 3px 7px; + position: absolute; + right: 0; + text-shadow: none; + top: 0px; + + box-sizing: content-box; + width: 1em; + height: 1em; + padding: .25em .25em; + color: inherit; + background: transparent url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 16 16' fill='#007bff' %3e%3cpath d='M.293.293a1 1 0 0 1 1.414 0L8 6.586 14.293.293a1 1 0 1 1 1.414 1.414L9.414 8l6.293 6.293a1 1 0 0 1-1.414 1.414L8 9.414l-6.293 6.293a1 1 0 0 1-1.414-1.414L6.586 8 .293 1.707a1 1 0 0 1 0-1.414z'/%3e%3c/svg%3e") center/1em auto no-repeat; + border: 0; + border-radius: .375rem; + } +} +