From 3daae4018e30cdf34b7cb9c828b5097add55e871 Mon Sep 17 00:00:00 2001 
From: chasegawa Date: Tue, 1 Aug 2023 16:01:21 -0700 Subject: [PATCH 1/7] SHIBUI-2510 First pass using the SNAPSHOIT Shibv5 and OpenSAMLv5 libs - able to get backend unit tests to pass --- backend/build.gradle | 20 ++++++-- .../JPAMetadataResolverServiceImpl.groovy | 1 + .../MetadataResolverConfiguration.java | 4 +- .../ui/controller/EntitiesController.java | 2 +- .../controller/MetadataFiltersController.java | 14 ++---- .../MetadataResolversController.java | 4 +- .../admin/ui/domain/AbstractXMLObject.java | 21 ++++++-- .../ui/domain/AttributeConsumingService.java | 4 +- .../ui/domain/RoleDescriptorResolver.java | 4 +- .../opensaml/OpenSamlNameIdFormatFilter.java | 5 +- .../OpenSamlChainingMetadataResolver.java | 14 +++--- ...penSamlFileBackedHTTPMetadataResolver.java | 33 ++++-------- .../OpenSamlFilesystemMetadataResolver.java | 16 +++--- ...tionDrivenDynamicHTTPMetadataResolver.java | 18 +++---- .../OpenSamlLocalDynamicMetadataResolver.java | 9 ++-- ...SamlMetadataResolverConstructorHelper.java | 3 +- .../OpenSamlMetadataResolverDelegate.java | 20 +++++--- ...penSamlResourceBackedMetadataResolver.java | 16 +++--- .../admin/ui/opensaml/OpenSamlObjects.java | 8 +-- .../security/controller/UsersController.java | 2 +- .../admin/ui/security/model/User.java | 2 +- .../IShibUiPermissionEvaluator.java | 4 +- .../ui/security/service/UserService.java | 4 +- .../ui/service/BeaconDataServiceImpl.java | 2 +- .../admin/ui/service/EmailServiceImpl.java | 2 +- .../MetadataResolverConverterService.java | 6 +-- .../MetadataResolverConverterServiceImpl.java | 11 ++-- .../shibboleth/admin/util/LuceneUtility.java | 4 +- .../util/ModelRepresentationConversions.java | 2 +- .../ui/configuration/TestConfiguration.groovy | 2 +- .../controller/EntitiesControllerTests.groovy | 5 +- ...ityDescriptorVersionControllerTests.groovy | 3 +- ...ResourceBackedMetadataResolverTests.groovy | 2 +- .../security/service/UserServiceTests.groovy | 4 +- ...JPAEntityDescriptorServiceImplTests.groovy | 2 +- 
...JPAMetadataResolverServiceImplTests.groovy | 4 +- ...ntityDescriptorConversionUtilsTests.groovy | 50 +++++++++---------- .../admin/ui/util/TestHelpers.groovy | 5 +- .../admin/ui/util/TestObjectGenerator.groovy | 2 +- gradle.properties | 6 ++- pac4j-module/build.gradle | 4 ++ 41 files changed, 170 insertions(+), 174 deletions(-) diff --git a/backend/build.gradle b/backend/build.gradle index ee84e1673..7f2d2e06c 100644 --- a/backend/build.gradle +++ b/backend/build.gradle @@ -24,6 +24,10 @@ repositories { url 'https://build.shibboleth.net/nexus/content/groups/public' artifactUrls = ['https://build.shibboleth.net/nexus/content/repositories/thirdparty-snapshots'] } + // TODO remove snapshots after the versions become final + maven { + url 'https://build.shibboleth.net/maven/snapshots' + } maven { // for the springboot plugin url "https://plugins.gradle.org/m2/" } @@ -143,10 +147,12 @@ dependencies { //Spring Configuration Annotation Processor - makes IntelliJ happy about @SpringBootConfigurationProperties compileOnly "org.springframework.boot:spring-boot-configuration-processor:${project.'springbootVersion'}" - runtimeOnly "org.bouncycastle:bcprov-jdk15on:1.70" - runtimeOnly "org.bouncycastle:bcprov-ext-jdk15on:1.70" - runtimeOnly "org.bouncycastle:bcutil-jdk15on:1.70" - runtimeOnly "org.bouncycastle:bcpkix-jdk15on:1.70" + // signature and encryption + runtimeOnly "org.bouncycastle:bcprov-jdk18on:1.72" + runtimeOnly "org.bouncycastle:bcprov-ext-jdk18on:1.72" + runtimeOnly "org.bouncycastle:bcutil-jdk18on:1.72" + runtimeOnly "org.bouncycastle:bcpkix-jdk18on:1.72" + // DB drivers runtimeOnly "org.postgresql:postgresql:${project.'postgresVersion'}" runtimeOnly "org.mariadb.jdbc:mariadb-java-client:${project.'mariadbVersion'}" 
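Review bot: The snapshot repository added at @@ -24 is unfiltered, so any dependency that resolves through Gradle's repository list can be served from a mutable snapshot location, not only the Shibboleth/OpenSAML artifacts this commit needs. Scoping it with a content filter, e.g. `maven { url 'https://build.shibboleth.net/maven/snapshots'; content { includeGroupByRegex 'net\\.shibboleth.*' } }` (adding the OpenSAML group if it is also pulled from there), stops the snapshot repository from answering for anything else. Snapshot artifacts are also not stable inputs, so the build is not reproducible until the TODO is resolved; a ticket reference on the `// TODO remove snapshots` comment would keep that visible.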
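Review bot: Renaming the runtime BouncyCastle coordinates from `bcprov-jdk15on` to `bcprov-jdk18on` at @@ -143 does not remove the old artifacts if any transitive dependency still pulls them, which would leave two JCE providers registered under the same `BC` provider name on the classpath. It is worth running `gradle dependencyInsight --dependency bcprov-jdk15on` after this change and adding an exclusion or a dependency constraint if the jdk15on line is still present. The `// signature and encryption` comment could also name the consumer of these jars (presumably OpenSAML's XML signature and encryption support), so the next upgrade knows what to re-test.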
@@ -170,7 +176,9 @@ dependencies { integrationTestImplementation "net.shibboleth.idp:${it}:${project.'shibbolethVersion'}" } + implementation "net.shibboleth.ext:spring-extensions:${project.'shibExtSpringExtensionsVersion'}" implementation "net.shibboleth.oidc:oidc-common-saml-api:${project.'shibOIDCVersion'}" + implementation "net.shibboleth.utilities:java-support:${project.'shibUtilitiesJavaSupportVersion'}" // hibernate deps ['hibernate-core'].each { @@ -277,12 +285,14 @@ dependencies { integrationTestImplementation sourceSets.main.output integrationTestImplementation configurations.compile + integrationTestImplementation "net.shibboleth.ext:spring-extensions:${project.'shibExtSpringExtensionsVersion'}" integrationTestImplementation "net.shibboleth.oidc:oidc-common-saml-api:${project.'shibOIDCVersion'}" + integrationTestImplementation "net.shibboleth.utilities:java-support:${project.'shibUtilitiesJavaSupportVersion'}" integrationTestImplementation "org.hibernate:hibernate-envers:${project.'hibernateVersion'}" integrationTestImplementation "com.opencsv:opencsv:${project.'opencsvVersion'}", { exclude group: 'commons-collections' } - integrationTestImplementation 'com.saucelabs:sebuilder-interpreter:1.0.6' + integrationTestImplementation "com.saucelabs:sebuilder-interpreter:1.0.6" integrationTestImplementation "jp.vmi:selenese-runner-java:${project.'seleneseRunnerVersion'}" integrationTestImplementation "org.seleniumhq.selenium:selenium-http-jdk-client:4.8.3" diff --git a/backend/src/main/groovy/edu/internet2/tier/shibboleth/admin/ui/service/JPAMetadataResolverServiceImpl.groovy b/backend/src/main/groovy/edu/internet2/tier/shibboleth/admin/ui/service/JPAMetadataResolverServiceImpl.groovy index 146fa38d6..c92544cbf 100644 --- a/backend/src/main/groovy/edu/internet2/tier/shibboleth/admin/ui/service/JPAMetadataResolverServiceImpl.groovy +++ b/backend/src/main/groovy/edu/internet2/tier/shibboleth/admin/ui/service/JPAMetadataResolverServiceImpl.groovy 
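Review bot: Adding `net.shibboleth.utilities:java-support` next to the v5 `net.shibboleth.shared` packages at @@ -170 (and again for `integrationTestImplementation` at @@ -277) keeps two generations of the same helper classes on the classpath, and the rest of this patch still imports from both (for example `QNameSupport`, `NonnullElements` and `EvaluableScript` stay on `net.shibboleth.utilities.java.support`). Same-named types such as `ParserPool` or `ComponentSupport` then differ by package only, which is easy to mix up, and dynamically typed Groovy callers will not get a compile-time error for passing the wrong one. A comment on the dependency line stating that it is transitional, e.g. `// transitional: covers the remaining net.shibboleth.utilities.* imports, remove once migrated`, would keep it from becoming permanent.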
@@ -700,6 +700,7 @@ class JPAMetadataResolverServiceImpl implements MetadataResolverService { break } target.setRules(rules) + target.initialize() metadataFilters.add(target) } if (metadataFilter instanceof NameIdFormatFilter) { diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/configuration/MetadataResolverConfiguration.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/configuration/MetadataResolverConfiguration.java index 345d622f5..95a31810d 100644 --- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/configuration/MetadataResolverConfiguration.java +++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/configuration/MetadataResolverConfiguration.java @@ -7,8 +7,8 @@ import edu.internet2.tier.shibboleth.admin.ui.service.IndexWriterService; import edu.internet2.tier.shibboleth.admin.ui.service.MetadataResolverConverterService; import edu.internet2.tier.shibboleth.admin.util.TokenPlaceholderResolvers; -import net.shibboleth.utilities.java.support.component.ComponentInitializationException; -import net.shibboleth.utilities.java.support.resolver.ResolverException; +import net.shibboleth.shared.component.ComponentInitializationException; +import net.shibboleth.shared.resolver.ResolverException; import org.opensaml.saml.metadata.resolver.ChainingMetadataResolver; import org.opensaml.saml.metadata.resolver.MetadataResolver; import org.slf4j.Logger; diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/controller/EntitiesController.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/controller/EntitiesController.java index de122e3f3..ecb0809ae 100644 --- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/controller/EntitiesController.java +++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/controller/EntitiesController.java 
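Review bot: The added `target.initialize()` at @@ -700 can throw `ComponentInitializationException`, which Groovy lets propagate unchecked out of what is presumably the filter loop, so one misconfigured filter now aborts assembly of the whole filter list instead of producing a resolver with the remaining filters. If that fail-closed behaviour is intended it should be stated, e.g. `// initialize() validates the filter; a ComponentInitializationException here is meant to fail the whole resolver`, and the enclosing method (which starts outside the hunk) should document that it can throw it. Whether the `NameIdFormatFilter` branch that follows also initializes its target is not visible here; it should be consistent with this one.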
@@ -9,7 +9,7 @@ import io.swagger.v3.oas.annotations.tags.Tags; import jakarta.servlet.http.HttpServletRequest; import lombok.extern.slf4j.Slf4j; -import net.shibboleth.utilities.java.support.resolver.ResolverException; +import net.shibboleth.shared.resolver.ResolverException; import org.apache.http.client.utils.DateUtils; import org.opensaml.core.xml.io.MarshallingException; import org.opensaml.saml.saml2.metadata.EntityDescriptor; diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/controller/MetadataFiltersController.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/controller/MetadataFiltersController.java index 530d0af97..bab89c307 100644 --- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/controller/MetadataFiltersController.java +++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/controller/MetadataFiltersController.java @@ -15,7 +15,7 @@ import edu.internet2.tier.shibboleth.admin.ui.service.MetadataResolverService; import io.swagger.v3.oas.annotations.tags.Tag; import io.swagger.v3.oas.annotations.tags.Tags; -import net.shibboleth.utilities.java.support.component.ComponentInitializationException; +import net.shibboleth.shared.component.ComponentInitializationException; import net.shibboleth.utilities.java.support.scripting.EvaluableScript; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.http.HttpStatus; 
@@ -261,16 +261,8 @@ private void validateScriptFilterOrThrowScriptException(MetadataFilter metadataF } if (EntityAttributesFilterTarget.EntityAttributesFilterTargetType.CONDITION_SCRIPT != ((EntityAttributesFilter) metadataFilter).getEntityAttributesFilterTarget().getEntityAttributesFilterTargetType()) { return; - } try { - EntityAttributesFilter entityAttributesFilter = (EntityAttributesFilter) metadataFilter; - EvaluableScript es = new EvaluableScript(); - es.setScript(entityAttributesFilter.getEntityAttributesFilterTarget().getValue().get(0)); - es.initialize(); - } - catch (Exception ex) { - if (ex instanceof ComponentInitializationException) { - throw new ScriptException(ex); - } } + EntityAttributesFilter entityAttributesFilter = (EntityAttributesFilter) metadataFilter; + new EvaluableScript(entityAttributesFilter.getEntityAttributesFilterTarget().getValue().get(0)); } } \ No newline at end of file diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/controller/MetadataResolversController.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/controller/MetadataResolversController.java index ca065e7b2..481bd8600 100644 --- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/controller/MetadataResolversController.java +++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/controller/MetadataResolversController.java @@ -19,8 +19,8 @@ import io.swagger.v3.oas.annotations.tags.Tag; import io.swagger.v3.oas.annotations.tags.Tags; import lombok.extern.slf4j.Slf4j; -import net.shibboleth.utilities.java.support.component.ComponentInitializationException; -import net.shibboleth.utilities.java.support.resolver.ResolverException; +import net.shibboleth.shared.component.ComponentInitializationException; +import net.shibboleth.shared.resolver.ResolverException; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.http.HttpStatus; import org.springframework.http.ResponseEntity; 
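Review bot: After the rewrite at @@ -261 the `EvaluableScript` built from the filter's script value is discarded and nothing in the hunk throws the `ScriptException` that `validateScriptFilterOrThrowScriptException` promises, so the check now depends entirely on the single-argument constructor compiling the script and raising on failure. That constructor is the one from `net.shibboleth.utilities.java.support.scripting` (still imported at @@ -15), which I believe is the deprecated pre-v5 form; if it only stores the source and defers compilation to `initialize()`, an invalid script is accepted silently and presumably surfaces only when the IdP loads the filter. Please confirm its behaviour against the pinned java-support version and, if it does compile eagerly, keep that contract visible with a comment such as `// EvaluableScript(String) compiles the script eagerly and throws ScriptException on failure`; otherwise restore the explicit `setScript(...)`/`initialize()` path that wraps `ComponentInitializationException` in `ScriptException`. With the catch block gone, the `ComponentInitializationException` import changed at @@ -15 also appears to be unused in this method.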
diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/AbstractXMLObject.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/AbstractXMLObject.java index 6285a7e84..b9dfa61d1 100644 --- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/AbstractXMLObject.java +++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/AbstractXMLObject.java @@ -5,13 +5,14 @@ import jakarta.persistence.InheritanceType; import jakarta.persistence.Transient; import lombok.EqualsAndHashCode; -import net.shibboleth.utilities.java.support.collection.LockableClassToInstanceMultiMap; +import net.shibboleth.shared.collection.LockableClassToInstanceMultiMap; import net.shibboleth.utilities.java.support.xml.QNameSupport; import org.hibernate.envers.AuditOverride; import org.hibernate.envers.Audited; import org.opensaml.core.xml.Namespace; import org.opensaml.core.xml.NamespaceManager; import org.opensaml.core.xml.XMLObject; +import org.opensaml.core.xml.XMLRuntimeException; import org.opensaml.core.xml.schema.XSBooleanValue; import org.opensaml.core.xml.util.IDIndex; import org.w3c.dom.Element; @@ -22,7 +23,6 @@ import java.util.List; import java.util.Set; - /** * This covers both SAMLObject and XMLObject */ @@ -41,15 +41,25 @@ public abstract class AbstractXMLObject extends AbstractAuditable implements XML private String schemaTypeElementLocalName; private String schemaTypeNamespacePrefix; - //TODO all this class - public void detach() { - } @Transient private transient Element dom; + /** + * copied from org.opensaml.core.xml.AbstractXMLObject + * @since OpenSAML 5.0.0 + */ + @Nonnull + @Override + public Element ensureDOM() { + if (dom != null) { + return dom; + } + throw new XMLRuntimeException("DOM was null"); + } + @Nullable public Element getDOM() { return this.dom; 
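Review bot: `ensureDOM()` added at @@ -41 throws `XMLRuntimeException("DOM was null")` for every instance whose `dom` has not been set, and since `dom` is declared `@Transient transient` just above it, any entity loaded from the database is in that state until something attaches a DOM. Callers that now use `ensureDOM()` instead of null-checking `getDOM()` will therefore get a runtime exception from persisted objects where they previously got `null`; worth confirming on the marshalling and signing paths. The Javadoc should say so rather than only noting its origin, e.g. add `@throws XMLRuntimeException if no DOM is cached; dom is transient, so JPA-loaded instances throw until a DOM is attached`. Removing the no-op `detach()` in the same hunk is fine only if the `XMLObject` contract is now satisfied elsewhere, which is outside this hunk.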
@@ -225,6 +235,7 @@ public void setNil(@Nullable XSBooleanValue xsBooleanValue) { private transient final LockableClassToInstanceMultiMap objectMetadata = new LockableClassToInstanceMultiMap<>(true); @Nonnull + @Override public LockableClassToInstanceMultiMap getObjectMetadata() { return objectMetadata; } diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/AttributeConsumingService.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/AttributeConsumingService.java index 605d1c588..c289f7ede 100644 --- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/AttributeConsumingService.java +++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/AttributeConsumingService.java @@ -38,12 +38,12 @@ public class AttributeConsumingService extends AbstractXMLObject implements org. private List requestedAttributes = new ArrayList<>(); @Override - public int getIndex() { + public Integer getIndex() { return acsIndex; } @Override - public void setIndex(int index) { + public void setIndex(Integer index) { this.acsIndex = index; } diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/RoleDescriptorResolver.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/RoleDescriptorResolver.java index e203d5acd..d5cd826df 100644 --- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/RoleDescriptorResolver.java +++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/RoleDescriptorResolver.java @@ -2,8 +2,8 @@ import jakarta.persistence.Entity; import lombok.EqualsAndHashCode; -import net.shibboleth.utilities.java.support.resolver.CriteriaSet; -import net.shibboleth.utilities.java.support.resolver.ResolverException; +import net.shibboleth.shared.resolver.CriteriaSet; +import net.shibboleth.shared.resolver.ResolverException; import org.opensaml.saml.saml2.metadata.RoleDescriptor; import javax.annotation.Nonnull; 
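Review bot: Changing `getIndex()`/`setIndex()` to `Integer` at @@ -38 makes `null` a legal argument, but the backing field `acsIndex` is not shown; if it is still a primitive `int`, `setIndex(null)` now throws `NullPointerException` on unboxing and `getIndex()` boxes on every call. Either make the field `Integer` to match the interface, or reject null explicitly with `this.acsIndex = Objects.requireNonNull(index, "index");` and say so in a `@throws NullPointerException` tag. Since this index is persisted, the chosen null semantics also matter for the mapped column.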
diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/filters/opensaml/OpenSamlNameIdFormatFilter.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/filters/opensaml/OpenSamlNameIdFormatFilter.java index d9c1fc636..d7e6d73b5 100644 --- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/filters/opensaml/OpenSamlNameIdFormatFilter.java +++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/filters/opensaml/OpenSamlNameIdFormatFilter.java @@ -1,7 +1,7 @@ package edu.internet2.tier.shibboleth.admin.ui.domain.filters.opensaml; +import net.shibboleth.shared.component.ComponentSupport; import net.shibboleth.utilities.java.support.annotation.constraint.NonnullElements; -import net.shibboleth.utilities.java.support.component.ComponentSupport; import org.opensaml.core.xml.XMLObject; import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport; import org.opensaml.saml.common.SAMLObjectBuilder; @@ -34,8 +34,7 @@ public class OpenSamlNameIdFormatFilter extends NameIDFormatFilter { public OpenSamlNameIdFormatFilter() { formatBuilder = (SAMLObjectBuilder) - XMLObjectProviderRegistrySupport.getBuilderFactory().getBuilderOrThrow( - NameIDFormat.DEFAULT_ELEMENT_NAME); + XMLObjectProviderRegistrySupport.getBuilderFactory().ensureBuilder(NameIDFormat.DEFAULT_ELEMENT_NAME); } @Override diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/resolvers/opensaml/OpenSamlChainingMetadataResolver.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/resolvers/opensaml/OpenSamlChainingMetadataResolver.java index 3213736a6..d0b188569 100644 --- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/resolvers/opensaml/OpenSamlChainingMetadataResolver.java +++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/resolvers/opensaml/OpenSamlChainingMetadataResolver.java 
@@ -2,11 +2,12 @@ import com.google.common.base.Predicates; import com.google.common.collect.Collections2; +import net.shibboleth.shared.component.ComponentInitializationException; +import net.shibboleth.shared.component.ComponentSupport; +import net.shibboleth.shared.component.InitializableComponent; +import net.shibboleth.shared.resolver.CriteriaSet; +import net.shibboleth.shared.resolver.ResolverException; import net.shibboleth.utilities.java.support.annotation.constraint.NonnullElements; -import net.shibboleth.utilities.java.support.component.ComponentInitializationException; -import net.shibboleth.utilities.java.support.component.ComponentSupport; -import net.shibboleth.utilities.java.support.resolver.CriteriaSet; -import net.shibboleth.utilities.java.support.resolver.ResolverException; import org.opensaml.saml.metadata.resolver.ChainingMetadataResolver; import org.opensaml.saml.metadata.resolver.MetadataResolver; import org.opensaml.saml.metadata.resolver.RefreshableMetadataResolver; @@ -23,7 +24,7 @@ /** * @author Bill Smith (wsmith@unicon.net) */ -public class OpenSamlChainingMetadataResolver extends ChainingMetadataResolver { +public class OpenSamlChainingMetadataResolver extends ChainingMetadataResolver implements InitializableComponent { @Nonnull private final Logger log = LoggerFactory.getLogger(OpenSamlChainingMetadataResolver.class); @Nonnull @NonnullElements private List mutableResolvers; @@ -55,6 +56,7 @@ public List getResolvers() { @Override @Nonnull public Iterable resolve(@Nullable final CriteriaSet criteria) throws ResolverException { + //noinspection removal ComponentSupport.ifNotInitializedThrowUninitializedComponentException(this); //Our overridden method uses a collection of mutable resolvers instead of regular resolvers for (final MetadataResolver resolver : mutableResolvers) { @@ -90,4 +92,4 @@ public void refresh() throws ResolverException { } } } -} +} \ No newline at end of file 
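Review bot: The `//noinspection removal` added at @@ -55 only hides the IDE warning; the suppression itself says `ComponentSupport.ifNotInitializedThrowUninitializedComponentException` is deprecated for removal in the v5 shared library, so `resolve()` will stop compiling at the next library bump. If the superclass exposes `checkComponentActive()` (as far as I know the shared `AbstractInitializableComponent` does), `checkComponentActive();` is the replacement and the suppression can go; otherwise a short `// TODO(v5): replace with checkComponentActive()` is more honest than a bare suppression. Adding `implements InitializableComponent` at @@ -23 looks redundant if `ChainingMetadataResolver` already extends an initializable base class; a one-line comment explaining why it is needed would help.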
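Review bot: The `-}` / `+} \ No newline at end of file` change at @@ -90 drops the trailing newline from the file without any code change, and the same regression appears in OpenSamlFunctionDrivenDynamicHTTPMetadataResolver, OpenSamlLocalDynamicMetadataResolver and OpenSamlMetadataResolverDelegate. This is editor noise that produces a spurious diff line on every later commit touching the end of the file; restoring the final newline (or adding an `.editorconfig` with `insert_final_newline = true`) keeps the history clean.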
diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/resolvers/opensaml/OpenSamlFileBackedHTTPMetadataResolver.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/resolvers/opensaml/OpenSamlFileBackedHTTPMetadataResolver.java index 49770c317..239d00edb 100644 --- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/resolvers/opensaml/OpenSamlFileBackedHTTPMetadataResolver.java +++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/resolvers/opensaml/OpenSamlFileBackedHTTPMetadataResolver.java @@ -1,11 +1,11 @@ package edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.opensaml; import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.FileBackedHttpMetadataResolver; -import net.shibboleth.utilities.java.support.component.ComponentInitializationException; -import net.shibboleth.utilities.java.support.resolver.ResolverException; -import net.shibboleth.utilities.java.support.xml.ParserPool; -import org.apache.http.HttpResponse; -import org.apache.http.impl.client.HttpClients; +import net.shibboleth.shared.component.ComponentInitializationException; +import net.shibboleth.shared.resolver.ResolverException; +import net.shibboleth.shared.xml.ParserPool; +import org.apache.hc.client5.http.impl.classic.HttpClients; +import org.apache.hc.core5.http.ClassicHttpResponse; import org.apache.lucene.index.IndexWriter; import org.opensaml.saml.metadata.resolver.filter.FilterException; import org.opensaml.saml.metadata.resolver.filter.MetadataFilterChain; 
@@ -22,21 +22,14 @@ import static edu.internet2.tier.shibboleth.admin.util.DurationUtility.toPositiveNonZeroDuration; import static edu.internet2.tier.shibboleth.admin.util.TokenPlaceholderResolvers.placeholderResolverService; -/** - * @author Bill Smith (wsmith@unicon.net) - */ public class OpenSamlFileBackedHTTPMetadataResolver extends FileBackedHTTPMetadataResolver implements Refilterable { - private static final Logger logger = LoggerFactory.getLogger(OpenSamlFileBackedHTTPMetadataResolver.class); + private OpenSamlMetadataResolverDelegate delegate; private IndexWriter indexWriter; private FileBackedHttpMetadataResolver sourceResolver; - private OpenSamlMetadataResolverDelegate delegate; - - public OpenSamlFileBackedHTTPMetadataResolver(ParserPool parserPool, - IndexWriter indexWriter, - FileBackedHttpMetadataResolver sourceResolver) throws ResolverException { + public OpenSamlFileBackedHTTPMetadataResolver(ParserPool parserPool, IndexWriter indexWriter, FileBackedHttpMetadataResolver sourceResolver) throws ResolverException { super(HttpClients.createMinimal(), sourceResolver.getMetadataURL(), sourceResolver.getBackingFile()); this.indexWriter = indexWriter; this.sourceResolver = sourceResolver; 
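Review bot: Removing `private static final Logger logger` at @@ -22 while `refilter()` (at @@ -100 below) still calls `logger.error(...)` means the name now binds to a `logger` declared outside this class, presumably inherited or imported, and whichever class owns it is the logger name under which the filter failure is reported. Log routing and alerting keyed on `OpenSamlFileBackedHTTPMetadataResolver` would then silently stop matching these events; the same removal is made in OpenSamlFilesystemMetadataResolver and OpenSamlResourceBackedMetadataResolver. If sharing a base logger is intended, a comment where the field used to be, such as `// logging goes through the inherited logger; events are attributed to its declaring class`, would document it; otherwise keep a per-class logger.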
@@ -72,23 +65,19 @@ public Instant getLastRefresh() { // TODO: this is still probably not the best way to do this? @Override - protected void processConditionalRetrievalHeaders(HttpResponse response) { + protected void processConditionalRetrievalHeaders(ClassicHttpResponse response) { // let's do nothing 'cause we want to allow a refresh } @Override protected void initMetadataResolver() throws ComponentInitializationException { super.initMetadataResolver(); - - - delegate.addIndexedDescriptorsFromBackingStore(this.getBackingStore(), - this.sourceResolver.getResourceId(), - indexWriter); + delegate.addIndexedDescriptorsFromBackingStore(this.getBackingStore(), this.sourceResolver.getResourceId(), indexWriter); } @Nonnull @Override - protected BatchEntityBackingStore getBackingStore() { + protected EntityBackingStore getBackingStore() { if (super.getBackingStore() == null) { super.setBackingStore(super.createNewBackingStore()); } @@ -100,7 +89,7 @@ protected BatchEntityBackingStore getBackingStore() { */ public void refilter() { try { - this.getBackingStore().setCachedFilteredMetadata(filterMetadata(getCachedOriginalMetadata())); + ((BatchEntityBackingStore)this.getBackingStore()).setCachedFilteredMetadata(filterMetadata(getCachedOriginalMetadata())); } catch (FilterException e) { logger.error("An error occurred while attempting to filter metadata!", e); } diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/resolvers/opensaml/OpenSamlFilesystemMetadataResolver.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/resolvers/opensaml/OpenSamlFilesystemMetadataResolver.java index 3137d2f60..7521e5ba7 100644 --- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/resolvers/opensaml/OpenSamlFilesystemMetadataResolver.java +++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/resolvers/opensaml/OpenSamlFilesystemMetadataResolver.java 
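Review bot: Widening `getBackingStore()` to `EntityBackingStore` at @@ -72 is what forces the unchecked `(BatchEntityBackingStore)` cast in `refilter()` at @@ -100 (and the same cast in OpenSamlFilesystemMetadataResolver); since `super.createNewBackingStore()` is the only source of the store in this class, a typed private accessor such as `private BatchEntityBackingStore batchStore() { return (BatchEntityBackingStore) getBackingStore(); }` with a comment that the batch resolver always creates a `BatchEntityBackingStore` keeps the cast in one documented place. The re-typed `processConditionalRetrievalHeaders(ClassicHttpResponse)` override stays a no-op, and its comment should state the effect, e.g. `// Intentionally ignores ETag/Last-Modified so every refresh re-fetches instead of short-circuiting on a conditional GET`, since this also disables the base class's change detection for the remote metadata.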
@@ -1,8 +1,8 @@ package edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.opensaml; -import net.shibboleth.utilities.java.support.component.ComponentInitializationException; -import net.shibboleth.utilities.java.support.resolver.ResolverException; -import net.shibboleth.utilities.java.support.xml.ParserPool; +import net.shibboleth.shared.component.ComponentInitializationException; +import net.shibboleth.shared.resolver.ResolverException; +import net.shibboleth.shared.xml.ParserPool; import org.apache.lucene.index.IndexWriter; import org.opensaml.saml.metadata.resolver.filter.FilterException; import org.opensaml.saml.metadata.resolver.filter.MetadataFilterChain; @@ -15,16 +15,12 @@ import java.io.File; import java.time.Instant; -/** - * @author Bill Smith (wsmith@unicon.net) - */ public class OpenSamlFilesystemMetadataResolver extends FilesystemMetadataResolver implements Refilterable { - private static final Logger logger = LoggerFactory.getLogger(OpenSamlFilesystemMetadataResolver.class); + private OpenSamlMetadataResolverDelegate delegate; private IndexWriter indexWriter; private edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.FilesystemMetadataResolver sourceResolver; - private OpenSamlMetadataResolverDelegate delegate; public OpenSamlFilesystemMetadataResolver(ParserPool parserPool, IndexWriter indexWriter, @@ -70,7 +66,7 @@ protected void initMetadataResolver() throws ComponentInitializationException { @Nonnull @Override - protected BatchEntityBackingStore getBackingStore() { + protected EntityBackingStore getBackingStore() { if (super.getBackingStore() == null) { super.setBackingStore(super.createNewBackingStore()); } 
@@ -82,7 +78,7 @@ protected BatchEntityBackingStore getBackingStore() { */ public void refilter() { try { - this.getBackingStore().setCachedFilteredMetadata(filterMetadata(getCachedOriginalMetadata())); + ((BatchEntityBackingStore)this.getBackingStore()).setCachedFilteredMetadata(filterMetadata(getCachedOriginalMetadata())); } catch (FilterException e) { logger.error("An error occurred while attempting to filter metadata!", e); } diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/resolvers/opensaml/OpenSamlFunctionDrivenDynamicHTTPMetadataResolver.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/resolvers/opensaml/OpenSamlFunctionDrivenDynamicHTTPMetadataResolver.java index cd952a777..c20e4c35f 100644 --- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/resolvers/opensaml/OpenSamlFunctionDrivenDynamicHTTPMetadataResolver.java +++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/resolvers/opensaml/OpenSamlFunctionDrivenDynamicHTTPMetadataResolver.java @@ -4,9 +4,10 @@ import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.MetadataRequestURLConstructionScheme; import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.RegexScheme; import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.TemplateScheme; -import net.shibboleth.utilities.java.support.component.ComponentInitializationException; -import net.shibboleth.utilities.java.support.xml.ParserPool; -import org.apache.http.impl.client.HttpClients; +import net.shibboleth.shared.component.ComponentInitializationException; + +import net.shibboleth.shared.xml.ParserPool; +import org.apache.hc.client5.http.impl.classic.HttpClients; import org.apache.lucene.index.IndexWriter; import org.apache.velocity.app.VelocityEngine; import org.opensaml.saml.metadata.resolver.filter.MetadataFilterChain; 
@@ -15,17 +16,12 @@ import org.opensaml.saml.metadata.resolver.impl.RegexRequestURLBuilder; import org.opensaml.saml.metadata.resolver.impl.TemplateRequestURLBuilder; -/** - * @author Bill Smith (wsmith@unicon.net) - */ public class OpenSamlFunctionDrivenDynamicHTTPMetadataResolver extends FunctionDrivenDynamicHTTPMetadataResolver { + private OpenSamlMetadataResolverDelegate delegate; private IndexWriter indexWriter; private DynamicHttpMetadataResolver sourceResolver; - private OpenSamlMetadataResolverDelegate delegate; - public OpenSamlFunctionDrivenDynamicHTTPMetadataResolver(ParserPool parserPool, - IndexWriter indexWriter, - DynamicHttpMetadataResolver sourceResolver) { + public OpenSamlFunctionDrivenDynamicHTTPMetadataResolver(ParserPool parserPool, IndexWriter indexWriter, DynamicHttpMetadataResolver sourceResolver) { super(HttpClients.createMinimal()); this.indexWriter = indexWriter; this.sourceResolver = sourceResolver; @@ -86,4 +82,4 @@ public void refresh() throws ComponentInitializationException { this.sourceResolver.getResourceId(), indexWriter); } -} +} \ No newline at end of file diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/resolvers/opensaml/OpenSamlLocalDynamicMetadataResolver.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/resolvers/opensaml/OpenSamlLocalDynamicMetadataResolver.java index bca96b876..649c14bd3 100644 --- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/resolvers/opensaml/OpenSamlLocalDynamicMetadataResolver.java +++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/resolvers/opensaml/OpenSamlLocalDynamicMetadataResolver.java 
@@ -1,7 +1,7 @@ package edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.opensaml; -import net.shibboleth.utilities.java.support.component.ComponentInitializationException; -import net.shibboleth.utilities.java.support.xml.ParserPool; +import net.shibboleth.shared.component.ComponentInitializationException; +import net.shibboleth.shared.xml.ParserPool; import org.apache.lucene.index.IndexWriter; import org.opensaml.core.xml.XMLObject; import org.opensaml.core.xml.persist.XMLObjectLoadSaveManager; @@ -9,9 +9,6 @@ import javax.annotation.Nonnull; -/** - * @author Bill Smith (wsmith@unicon.net) - */ public class OpenSamlLocalDynamicMetadataResolver extends LocalDynamicMetadataResolver { private IndexWriter indexWriter; private edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.LocalDynamicMetadataResolver sourceResolver; @@ -52,4 +49,4 @@ public void refresh() throws ComponentInitializationException { this.sourceResolver.getResourceId(), indexWriter); } -} +} \ No newline at end of file diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/resolvers/opensaml/OpenSamlMetadataResolverConstructorHelper.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/resolvers/opensaml/OpenSamlMetadataResolverConstructorHelper.java index 548c14eb6..bb53d658a 100644 --- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/resolvers/opensaml/OpenSamlMetadataResolverConstructorHelper.java +++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/resolvers/opensaml/OpenSamlMetadataResolverConstructorHelper.java 
@@ -3,7 +3,8 @@ import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.DynamicMetadataResolverAttributes; import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.HttpMetadataResolverAttributes; import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.ReloadableMetadataResolverAttributes; -import net.shibboleth.utilities.java.support.xml.ParserPool; + +import net.shibboleth.shared.xml.ParserPool; import org.opensaml.saml.metadata.resolver.MetadataResolver; import org.opensaml.saml.metadata.resolver.impl.AbstractDynamicMetadataResolver; import org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver; diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/resolvers/opensaml/OpenSamlMetadataResolverDelegate.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/resolvers/opensaml/OpenSamlMetadataResolverDelegate.java index a30610415..2fe693e1f 100644 --- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/resolvers/opensaml/OpenSamlMetadataResolverDelegate.java +++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/resolvers/opensaml/OpenSamlMetadataResolverDelegate.java @@ -1,7 +1,8 @@ package edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.opensaml; -import net.shibboleth.utilities.java.support.component.ComponentInitializationException; -import net.shibboleth.utilities.java.support.resolver.CriteriaSet; +import net.shibboleth.shared.component.ComponentInitializationException; +import net.shibboleth.shared.resolver.CriteriaSet; +import net.shibboleth.shared.resolver.ResolverException; import org.apache.lucene.document.Document; import org.apache.lucene.document.Field; import org.apache.lucene.document.StringField; 
@@ -16,9 +17,6 @@
 import javax.annotation.Nullable;
 import java.io.IOException;
-/**
- * @author Bill Smith (wsmith@unicon.net)
- */
 public class OpenSamlMetadataResolverDelegate extends AbstractMetadataResolver {
     private static final Logger logger = LoggerFactory.getLogger(OpenSamlMetadataResolverDelegate.class);
@@ -28,6 +26,16 @@ public Iterable resolve(@Nullable CriteriaSet criteria) {
         throw new UnsupportedOperationException("This method should not be called.");
     }
+    /**
+     * TODO - NOT ENTIRELY SURE WHY OPEN SAML ADDED THIS OR WHAT IS SUPPOSED TO BE HAPPENING, NOR WHY WE HAD THE ORIGINAL RESOLVE METHOD
+     * IMPLEMENTED AS WE DID. WE MAY NEED TO CIRCLE BACK HERE
+     */
+    @Nonnull
+    @Override
+    protected Iterable doResolve(@Nullable CriteriaSet criteria) throws ResolverException {
+        throw new UnsupportedOperationException("This method should not be called.");
+    }
+
     void addIndexedDescriptorsFromBackingStore(AbstractMetadataResolver.EntityBackingStore backingStore, String resourceId, IndexWriter indexWriter) throws ComponentInitializationException {
         try {
             indexWriter.deleteAll();
@@ -44,4 +52,4 @@ void addIndexedDescriptorsFromBackingStore(AbstractMetadataResolver.EntityBackin
             throw new ComponentInitializationException(e);
         }
     }
-}
+}
\ No newline at end of file
diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/resolvers/opensaml/OpenSamlResourceBackedMetadataResolver.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/resolvers/opensaml/OpenSamlResourceBackedMetadataResolver.java
index f8fabc96c..e59f0850d 100644
--- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/resolvers/opensaml/OpenSamlResourceBackedMetadataResolver.java
+++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/resolvers/opensaml/OpenSamlResourceBackedMetadataResolver.java
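Review bot: The Javadoc on the new doResolve override is a shouting TODO rather than a description of the method's contract, and it ships with the class; replace it with the intent, e.g. `/** Not supported: this delegate only indexes an existing EntityBackingStore into Lucene (see addIndexedDescriptorsFromBackingStore); resolve and doResolve both throw UnsupportedOperationException. */`, and move the open question about why OpenSAML 5 added the hook into a tracked issue. doResolve also declares `throws ResolverException` yet throws an unchecked UnsupportedOperationException, so a caller that guards resolve() with `catch (ResolverException e)` will not catch it; if the OpenSAML 5 base class now routes resolve() through doResolve (the comment itself says this is unverified), `throw new ResolverException("resolution is not supported by this indexing delegate");` keeps the declared contract honest. addIndexedDescriptorsFromBackingStore continues beyond the hunk.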
@@ -1,8 +1,8 @@
 package edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.opensaml;
-import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
-import net.shibboleth.utilities.java.support.resource.Resource;
-import net.shibboleth.utilities.java.support.xml.ParserPool;
+import net.shibboleth.shared.component.ComponentInitializationException;
+import net.shibboleth.shared.resource.Resource;
+import net.shibboleth.shared.xml.ParserPool;
 import org.apache.lucene.index.IndexWriter;
 import org.opensaml.saml.metadata.resolver.filter.FilterException;
 import org.opensaml.saml.metadata.resolver.filter.MetadataFilterChain;
@@ -15,16 +15,12 @@
 import java.io.IOException;
 import java.time.Instant;
-/**
- * @author Bill Smith (wsmith@unicon.net)
- */
 public class OpenSamlResourceBackedMetadataResolver extends ResourceBackedMetadataResolver implements Refilterable {
-    private static final Logger logger = LoggerFactory.getLogger(OpenSamlResourceBackedMetadataResolver.class);
+    private OpenSamlMetadataResolverDelegate delegate;
     private IndexWriter indexWriter;
     private edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.ResourceBackedMetadataResolver sourceResolver;
-    private OpenSamlMetadataResolverDelegate delegate;
     public OpenSamlResourceBackedMetadataResolver(ParserPool parserPool, IndexWriter indexWriter,
@@ -62,7 +58,7 @@ protected void initMetadataResolver() throws ComponentInitializationException {
     @Nonnull
     @Override
-    protected BatchEntityBackingStore getBackingStore() {
+    protected EntityBackingStore getBackingStore() {
         if (super.getBackingStore() == null) {
             super.setBackingStore(super.createNewBackingStore());
         }
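Review bot: The class-local `logger` field is removed in the second hunk, but refilter() in the following hunk still calls `logger.error(...)`, so that call now binds to a `logger` declared somewhere not visible here (a superclass field or a Lombok-generated one); the commit message says the backend compiles, so it resolves to something. If it is a superclass field, the filter failure is logged under the parent class's logger name and can no longer be filtered or routed per class, so keep `private static final Logger logger = LoggerFactory.getLogger(OpenSamlResourceBackedMetadataResolver.class);` unless the shadowing was deliberate, in which case a short comment saying so would help. The third hunk widens `getBackingStore()` to return `EntityBackingStore` while the store is still created by `super.createNewBackingStore()`; a one-line comment on why the narrower `BatchEntityBackingStore` return type had to go would save the next reader the same archaeology.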
@@ -74,7 +70,7 @@ protected BatchEntityBackingStore getBackingStore() {
      */
     public void refilter() {
         try {
-            this.getBackingStore().setCachedFilteredMetadata(filterMetadata(getCachedOriginalMetadata()));
+            ((BatchEntityBackingStore)this.getBackingStore()).setCachedFilteredMetadata(filterMetadata(getCachedOriginalMetadata()));
         } catch (FilterException e) {
             logger.error("An error occurred while attempting to filter metadata!", e);
         }
diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/opensaml/OpenSamlObjects.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/opensaml/OpenSamlObjects.java
index 6975575df..40cd0314b 100644
--- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/opensaml/OpenSamlObjects.java
+++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/opensaml/OpenSamlObjects.java
@@ -3,10 +3,10 @@
 import com.google.common.io.ByteSource;
 import edu.internet2.tier.shibboleth.admin.ui.opensaml.config.InitializationService;
 import jakarta.annotation.PostConstruct;
-import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
-import net.shibboleth.utilities.java.support.xml.BasicParserPool;
-import net.shibboleth.utilities.java.support.xml.ParserPool;
-import net.shibboleth.utilities.java.support.xml.XMLParserException;
+import net.shibboleth.shared.component.ComponentInitializationException;
+import net.shibboleth.shared.xml.ParserPool;
+import net.shibboleth.shared.xml.XMLParserException;
+import net.shibboleth.shared.xml.impl.BasicParserPool;
 import org.opensaml.core.config.ConfigurationService;
 import org.opensaml.core.config.InitializationException;
 import org.opensaml.core.xml.XMLObject;
diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/controller/UsersController.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/controller/UsersController.java
index f20ce7889..596376812 100644
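Review bot: refilter() now casts `this.getBackingStore()` to `BatchEntityBackingStore` unchecked, while the override in the previous hunk only promises an `EntityBackingStore` built by `super.createNewBackingStore()`; if OpenSAML 5 ever returns a different implementation the cast fails with a ClassCastException that escapes the `catch (FilterException e)` and aborts the caller instead of being logged. A guard makes the assumption explicit and keeps the failure on the existing error path: `if (!(this.getBackingStore() instanceof BatchEntityBackingStore batchStore)) { logger.error("Backing store is not a BatchEntityBackingStore; cannot refilter"); return; }` followed by `batchStore.setCachedFilteredMetadata(filterMetadata(getCachedOriginalMetadata()));`. Pattern-matching instanceof needs Java 16+, which the Spring Boot 3 line in gradle.properties already implies. refilter's Javadoc starts before the hunk.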
--- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/controller/UsersController.java +++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/controller/UsersController.java @@ -9,7 +9,7 @@ import io.swagger.v3.oas.annotations.tags.Tag; import io.swagger.v3.oas.annotations.tags.Tags; import lombok.extern.slf4j.Slf4j; -import org.apache.commons.lang.StringUtils; +import org.apache.commons.lang3.StringUtils; import org.springframework.http.HttpStatus; import org.springframework.http.ResponseEntity; import org.springframework.security.access.prepost.PreAuthorize; diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/model/User.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/model/User.java index 667191315..cf93fc9ba 100644 --- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/model/User.java +++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/model/User.java @@ -19,7 +19,7 @@ import lombok.NoArgsConstructor; import lombok.Setter; import lombok.ToString; -import org.apache.commons.lang.StringUtils; +import org.apache.commons.lang3.StringUtils; import java.util.HashSet; import java.util.Set; diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/permission/IShibUiPermissionEvaluator.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/permission/IShibUiPermissionEvaluator.java index 53eddc63e..b0fe375a0 100644 --- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/permission/IShibUiPermissionEvaluator.java +++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/permission/IShibUiPermissionEvaluator.java 
@@ -2,7 +2,7 @@
 import edu.internet2.tier.shibboleth.admin.ui.domain.Auditable;
 import edu.internet2.tier.shibboleth.admin.ui.exception.ForbiddenException;
-import org.apache.commons.lang.NotImplementedException;
+import org.apache.commons.lang3.NotImplementedException;
 import org.springframework.security.access.PermissionEvaluator;
 import org.springframework.security.core.Authentication;
@@ -24,5 +24,5 @@ public interface IShibUiPermissionEvaluator extends PermissionEvaluator {
     default Collection getAuditableEntities(Authentication authentication, Class auditableType,
-                                            PermissionType permissionType) throws ForbiddenException {throw new NotImplementedException();}
+                                            PermissionType permissionType) {throw new NotImplementedException();}
 }
\ No newline at end of file
diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/service/UserService.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/service/UserService.java
index 735ce0614..8768d3386 100644
--- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/service/UserService.java
+++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/service/UserService.java
@@ -16,8 +16,8 @@
 import edu.internet2.tier.shibboleth.admin.ui.security.repository.UserLoginRecordRepository;
 import edu.internet2.tier.shibboleth.admin.ui.security.repository.UserRepository;
 import lombok.NoArgsConstructor;
-import org.apache.commons.lang.StringUtils;
-import org.apache.commons.lang.time.DateUtils;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.commons.lang3.time.DateUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
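Review bot: Dropping `throws ForbiddenException` from the default `getAuditableEntities` changes the interface contract, not just this stub: if ForbiddenException is a checked exception (its base type is not visible in this hunk), every implementation that overrides the method and throws it to deny access stops compiling, and callers that catch it around this call lose that denial path. The commons-lang3 `NotImplementedException` the stub now throws is unchecked, so the clause was not needed for the stub itself, which suggests the removal was a compile fix rather than a design decision. If ForbiddenException is unchecked after this migration, keep the denial path documented on the interface with `@throws ForbiddenException if the caller may not read auditable entities of the requested type`; otherwise restore the clause so implementations keep a typed way to refuse.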
diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/service/BeaconDataServiceImpl.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/service/BeaconDataServiceImpl.java index 13657aae6..538ee932a 100644 --- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/service/BeaconDataServiceImpl.java +++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/service/BeaconDataServiceImpl.java @@ -16,7 +16,7 @@ import edu.internet2.tier.shibboleth.admin.ui.service.beacon.BeaconDetail; import edu.internet2.tier.shibboleth.admin.ui.service.beacon.ShibuiDetail; import lombok.SneakyThrows; -import org.apache.commons.lang.time.DateUtils; +import org.apache.commons.lang3.time.DateUtils; import org.apache.commons.lang3.StringUtils; import org.springframework.boot.actuate.health.HealthEndpoint; import org.springframework.boot.actuate.info.InfoEndpoint; diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/service/EmailServiceImpl.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/service/EmailServiceImpl.java index 541e9cd61..d9f648e61 100644 --- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/service/EmailServiceImpl.java +++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/service/EmailServiceImpl.java @@ -4,7 +4,7 @@ import edu.internet2.tier.shibboleth.admin.ui.security.repository.UserRepository; import jakarta.mail.MessagingException; import jakarta.mail.internet.MimeMessage; -import org.apache.commons.lang.StringUtils; +import org.apache.commons.lang3.StringUtils; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.context.support.ResourceBundleMessageSource; diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/service/MetadataResolverConverterService.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/service/MetadataResolverConverterService.java index 4bd037879..4881b7a12 100644 
--- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/service/MetadataResolverConverterService.java +++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/service/MetadataResolverConverterService.java @@ -1,7 +1,7 @@ package edu.internet2.tier.shibboleth.admin.ui.service; -import net.shibboleth.utilities.java.support.component.ComponentInitializationException; -import net.shibboleth.utilities.java.support.resolver.ResolverException; +import net.shibboleth.shared.component.ComponentInitializationException; +import net.shibboleth.shared.resolver.ResolverException; import org.opensaml.saml.metadata.resolver.MetadataResolver; import java.io.IOException; @@ -11,4 +11,4 @@ */ public interface MetadataResolverConverterService { MetadataResolver convertToOpenSamlRepresentation(edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.MetadataResolver resolver) throws IOException, ResolverException, ComponentInitializationException; -} +} \ No newline at end of file diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/service/MetadataResolverConverterServiceImpl.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/service/MetadataResolverConverterServiceImpl.java index d0d20bd61..ec507bada 100644 --- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/service/MetadataResolverConverterServiceImpl.java +++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/service/MetadataResolverConverterServiceImpl.java 
@@ -11,11 +11,11 @@
 import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.opensaml.OpenSamlLocalDynamicMetadataResolver;
 import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.opensaml.OpenSamlResourceBackedMetadataResolver;
 import edu.internet2.tier.shibboleth.admin.ui.opensaml.OpenSamlObjects;
-import net.shibboleth.ext.spring.resource.ResourceHelper;
-import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
+import net.shibboleth.shared.component.ComponentInitializationException;
+import net.shibboleth.shared.resolver.ResolverException;
+import net.shibboleth.shared.resource.Resource;
+import net.shibboleth.shared.spring.resource.ResourceHelper;
 import net.shibboleth.utilities.java.support.logic.ConstraintViolationException;
-import net.shibboleth.utilities.java.support.resolver.ResolverException;
-import net.shibboleth.utilities.java.support.resource.Resource;
 import org.apache.lucene.index.IndexWriter;
 import org.opensaml.core.xml.persist.FilesystemLoadSaveManager;
 import org.opensaml.core.xml.persist.XMLObjectLoadSaveManager;
@@ -30,9 +30,6 @@
 import static edu.internet2.tier.shibboleth.admin.util.TokenPlaceholderResolvers.placeholderResolverService;
-/**
- * @author Bill Smith (wsmith@unicon.net)
- */
 @Service
 public class MetadataResolverConverterServiceImpl implements MetadataResolverConverterService {
diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/util/LuceneUtility.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/util/LuceneUtility.java
index 57a96051e..a840c2a04 100644
--- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/util/LuceneUtility.java
+++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/util/LuceneUtility.java
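Review bot: The import block now mixes `net.shibboleth.shared.*` with the pre-v5 `net.shibboleth.utilities.java.support.logic.ConstraintViolationException`, which is presumably why gradle.properties keeps a `shibUtilitiesJavaSupportVersion` line next to the v5 `shibbolethVersion`. If the OpenSAML 5 resolvers this service constructs raise the `net.shibboleth.shared` flavour of that exception, a `catch` of the legacy class in the body (outside this hunk) silently stops matching and the error surfaces as an unhandled runtime exception instead of the intended handling, so the exception type should be checked against the v5 API and the legacy import dropped rather than carried. The same half-migration appears in TestConfiguration.groovy, which still imports `net.shibboleth.utilities.java.support.component.ComponentInitializationException` while the main code now throws the `net.shibboleth.shared.component` type.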
@@ -1,7 +1,7 @@ package edu.internet2.tier.shibboleth.admin.util; import edu.internet2.tier.shibboleth.admin.ui.service.DirectoryService; -import org.apache.commons.lang.StringUtils; +import org.apache.commons.lang3.StringUtils; import org.apache.lucene.index.DirectoryReader; import org.apache.lucene.index.IndexReader; import org.apache.lucene.index.MultiReader; @@ -44,4 +44,4 @@ public IndexReader getIndexReader(String resourceId) throws IOException { } return indexReader; } -} +} \ No newline at end of file diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/util/ModelRepresentationConversions.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/util/ModelRepresentationConversions.java index fb205e903..ac232a8a6 100644 --- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/util/ModelRepresentationConversions.java +++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/util/ModelRepresentationConversions.java @@ -8,7 +8,7 @@ import edu.internet2.tier.shibboleth.admin.ui.domain.XSInteger; import edu.internet2.tier.shibboleth.admin.ui.domain.XSString; import edu.internet2.tier.shibboleth.admin.ui.opensaml.OpenSamlObjects; -import net.shibboleth.utilities.java.support.component.ComponentInitializationException; +import net.shibboleth.shared.component.ComponentInitializationException; import org.opensaml.core.xml.XMLObject; import org.springframework.beans.factory.annotation.Autowired; diff --git a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/configuration/TestConfiguration.groovy b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/configuration/TestConfiguration.groovy index dfe0851cc..1ea0670ce 100644 --- a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/configuration/TestConfiguration.groovy +++ b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/configuration/TestConfiguration.groovy 
@@ -11,7 +11,7 @@ import edu.internet2.tier.shibboleth.admin.ui.security.service.GroupServiceImpl import edu.internet2.tier.shibboleth.admin.ui.service.CustomEntityAttributesDefinitionServiceImpl import edu.internet2.tier.shibboleth.admin.ui.service.IndexWriterService import jakarta.persistence.EntityManager -import net.shibboleth.ext.spring.resource.ResourceHelper +import net.shibboleth.shared.spring.resource.ResourceHelper import net.shibboleth.utilities.java.support.component.ComponentInitializationException import org.apache.lucene.document.Document import org.apache.lucene.document.Field diff --git a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/controller/EntitiesControllerTests.groovy b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/controller/EntitiesControllerTests.groovy index 0261fceb5..825dcb480 100644 --- a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/controller/EntitiesControllerTests.groovy +++ b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/controller/EntitiesControllerTests.groovy @@ -4,8 +4,9 @@ import edu.internet2.tier.shibboleth.admin.ui.AbstractBaseDataJpaTest import edu.internet2.tier.shibboleth.admin.ui.opensaml.OpenSamlObjects import edu.internet2.tier.shibboleth.admin.ui.repository.EntityDescriptorRepository import edu.internet2.tier.shibboleth.admin.ui.service.JPAEntityDescriptorServiceImpl -import net.shibboleth.ext.spring.resource.ResourceHelper -import net.shibboleth.utilities.java.support.resolver.CriteriaSet +import net.shibboleth.shared.resolver.CriteriaSet +import net.shibboleth.shared.spring.resource.ResourceHelper + import org.opensaml.core.criterion.EntityIdCriterion import org.opensaml.saml.metadata.resolver.impl.ResourceBackedMetadataResolver import org.spockframework.spring.SpringBean 
diff --git a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/controller/EntityDescriptorVersionControllerTests.groovy b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/controller/EntityDescriptorVersionControllerTests.groovy index ab5e7d944..e4059f160 100644 --- a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/controller/EntityDescriptorVersionControllerTests.groovy +++ b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/controller/EntityDescriptorVersionControllerTests.groovy @@ -22,7 +22,6 @@ import edu.internet2.tier.shibboleth.admin.ui.service.EnversEntityDescriptorVers import edu.internet2.tier.shibboleth.admin.ui.service.EnversMetadataResolverVersionService import edu.internet2.tier.shibboleth.admin.ui.service.JPAEntityDescriptorServiceImpl import edu.internet2.tier.shibboleth.admin.ui.service.MetadataResolverVersionService -import edu.internet2.tier.shibboleth.admin.ui.util.WithMockAdmin import edu.internet2.tier.shibboleth.admin.util.EntityDescriptorConversionUtils import groovy.json.JsonOutput import groovy.json.JsonSlurper @@ -119,7 +118,7 @@ class EntityDescriptorVersionControllerTests extends AbstractBaseDataJpaTest { ed.setOrganization(new Organization().with { it.organizationNames = [new OrganizationName(value: 'testme', XMLLang: 'en')] it.organizationDisplayNames = [new OrganizationDisplayName(value: 'testme', XMLLang: 'en')] - it.organizationURLs = [new OrganizationURL(value: 'http://testme.org', XMLLang: 'en')] + it.organizationURLs = [new OrganizationURL(uri: 'http://testme.org', XMLLang: 'en')] it }) entityDescriptorRepository.saveAndFlush(ed) diff --git a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/domain/resolvers/OpenSamlResourceBackedMetadataResolverTests.groovy b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/domain/resolvers/OpenSamlResourceBackedMetadataResolverTests.groovy index 52ae52374..1240a92e8 100644 
--- a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/domain/resolvers/OpenSamlResourceBackedMetadataResolverTests.groovy +++ b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/domain/resolvers/OpenSamlResourceBackedMetadataResolverTests.groovy @@ -2,7 +2,7 @@ package edu.internet2.tier.shibboleth.admin.ui.domain.resolvers import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.opensaml.OpenSamlResourceBackedMetadataResolver import edu.internet2.tier.shibboleth.admin.ui.opensaml.OpenSamlObjects -import net.shibboleth.ext.spring.resource.ResourceHelper +import net.shibboleth.shared.spring.resource.ResourceHelper import org.springframework.core.io.ClassPathResource import spock.lang.Specification diff --git a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/security/service/UserServiceTests.groovy b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/security/service/UserServiceTests.groovy index df02e801c..8bb4734b9 100644 --- a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/security/service/UserServiceTests.groovy +++ b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/security/service/UserServiceTests.groovy @@ -6,9 +6,7 @@ import edu.internet2.tier.shibboleth.admin.ui.security.model.Ownership import edu.internet2.tier.shibboleth.admin.ui.security.model.Role import edu.internet2.tier.shibboleth.admin.ui.security.model.User import edu.internet2.tier.shibboleth.admin.ui.security.model.UserLoginRecord -import org.apache.commons.lang.time.DateUtils - -import java.text.SimpleDateFormat +import org.apache.commons.lang3.time.DateUtils class UserServiceTests extends AbstractBaseDataJpaTest { Role userRole diff --git a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/service/JPAEntityDescriptorServiceImplTests.groovy b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/service/JPAEntityDescriptorServiceImplTests.groovy index e1a8f4f59..9e73e3b89 100644 
--- a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/service/JPAEntityDescriptorServiceImplTests.groovy +++ b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/service/JPAEntityDescriptorServiceImplTests.groovy @@ -640,7 +640,7 @@ class JPAEntityDescriptorServiceImplTests extends AbstractBaseDataJpaTest { def representation = service.createRepresentationFromDescriptor(input) then: - !input.getContactPersons().empty && input.getContactPersons()[0].givenName.name == 'New Contact_EDIT' + !input.getContactPersons().empty && input.getContactPersons()[0].givenName.value == 'New Contact_EDIT' !representation.contacts.empty && representation.contacts[0].name == 'New Contact_EDIT' } diff --git a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/service/JPAMetadataResolverServiceImplTests.groovy b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/service/JPAMetadataResolverServiceImplTests.groovy index a270c9519..c19bdb4a5 100644 --- a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/service/JPAMetadataResolverServiceImplTests.groovy +++ b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/service/JPAMetadataResolverServiceImplTests.groovy @@ -28,8 +28,8 @@ import edu.internet2.tier.shibboleth.admin.ui.util.TestObjectGenerator import edu.internet2.tier.shibboleth.admin.util.AttributeUtility import groovy.xml.DOMBuilder import groovy.xml.MarkupBuilder -import net.shibboleth.ext.spring.resource.ResourceHelper -import net.shibboleth.utilities.java.support.resolver.CriteriaSet +import net.shibboleth.shared.resolver.CriteriaSet +import net.shibboleth.shared.spring.resource.ResourceHelper import org.opensaml.core.criterion.EntityIdCriterion import org.opensaml.saml.common.xml.SAMLConstants import org.opensaml.saml.metadata.resolver.MetadataResolver 
diff --git a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/util/EntityDescriptorConversionUtilsTests.groovy b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/util/EntityDescriptorConversionUtilsTests.groovy index e1038f2e0..72ef4e771 100644 --- a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/util/EntityDescriptorConversionUtilsTests.groovy +++ b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/util/EntityDescriptorConversionUtilsTests.groovy @@ -219,11 +219,11 @@ class EntityDescriptorConversionUtilsTests extends Specification { it.contactPersons = [openSAMLObjects.buildDefaultInstanceOfType(ContactPerson.class).with { it.type = ContactPersonTypeEnumeration.ADMINISTRATIVE it.givenName = openSAMLObjects.buildDefaultInstanceOfType(GivenName.class).with { - it.name = 'name' + it.value = 'name' it } it.emailAddresses.add(openSAMLObjects.buildDefaultInstanceOfType(EmailAddress.class).with { - it.address = 'test@test' + it.uri = 'test@test' it }) it @@ -245,11 +245,11 @@ class EntityDescriptorConversionUtilsTests extends Specification { it.contactPersons = [openSAMLObjects.buildDefaultInstanceOfType(ContactPerson.class).with { it.type = ContactPersonTypeEnumeration.ADMINISTRATIVE it.givenName = openSAMLObjects.buildDefaultInstanceOfType(GivenName.class).with { - it.name = 'name' + it.value = 'name' it } it.emailAddresses.add(openSAMLObjects.buildDefaultInstanceOfType(EmailAddress.class).with { - it.address = 'test@test' + it.uri = 'test@test' it }) it 
@@ -261,11 +261,11 @@ class EntityDescriptorConversionUtilsTests extends Specification { openSAMLObjects.buildDefaultInstanceOfType(ContactPerson.class).with { it.type = ContactPersonTypeEnumeration.ADMINISTRATIVE it.givenName = openSAMLObjects.buildDefaultInstanceOfType(GivenName.class).with { - it.name = 'name' + it.value = 'name' it } it.emailAddresses.add(openSAMLObjects.buildDefaultInstanceOfType(EmailAddress.class).with { - it.address = 'test@test' + it.uri = 'test@test' it }) it @@ -273,11 +273,11 @@ class EntityDescriptorConversionUtilsTests extends Specification { openSAMLObjects.buildDefaultInstanceOfType(ContactPerson.class).with { it.type = ContactPersonTypeEnumeration.TECHNICAL it.givenName = openSAMLObjects.buildDefaultInstanceOfType(GivenName.class).with { - it.name = 'name2' + it.value = 'name2' it } it.emailAddresses.add(openSAMLObjects.buildDefaultInstanceOfType(EmailAddress.class).with { - it.address = 'test2@test' + it.uri = 'test2@test' it }) it @@ -296,11 +296,11 @@ class EntityDescriptorConversionUtilsTests extends Specification { it.contactPersons = [openSAMLObjects.buildDefaultInstanceOfType(ContactPerson.class).with { it.type = ContactPersonTypeEnumeration.ADMINISTRATIVE it.givenName = openSAMLObjects.buildDefaultInstanceOfType(GivenName.class).with { - it.name = 'name' + it.value = 'name' it } it.emailAddresses.add(openSAMLObjects.buildDefaultInstanceOfType(EmailAddress.class).with { - it.address = 'test@test' + it.uri = 'test@test' it }) it 
@@ -311,11 +311,11 @@ class EntityDescriptorConversionUtilsTests extends Specification { it.contactPersons = [openSAMLObjects.buildDefaultInstanceOfType(ContactPerson.class).with { it.type = ContactPersonTypeEnumeration.TECHNICAL it.givenName = openSAMLObjects.buildDefaultInstanceOfType(GivenName.class).with { - it.name = 'name2' + it.value = 'name2' it } it.emailAddresses.add(openSAMLObjects.buildDefaultInstanceOfType(EmailAddress.class).with { - it.address = 'test2@test' + it.uri = 'test2@test' it }) it @@ -331,11 +331,11 @@ class EntityDescriptorConversionUtilsTests extends Specification { it.contactPersons = [openSAMLObjects.buildDefaultInstanceOfType(ContactPerson.class).with { it.type = ContactPersonTypeEnumeration.ADMINISTRATIVE it.givenName = openSAMLObjects.buildDefaultInstanceOfType(GivenName.class).with { - it.name = 'name' + it.value = 'name' it } it.emailAddresses.add(openSAMLObjects.buildDefaultInstanceOfType(EmailAddress.class).with { - it.address = 'test@test' + it.uri = 'test@test' it }) it @@ -424,7 +424,7 @@ class EntityDescriptorConversionUtilsTests extends Specification { it.getRoleDescriptors().add( openSAMLObjects.buildDefaultInstanceOfType(SPSSODescriptor.class).with { it.nameIDFormats.add(openSAMLObjects.buildDefaultInstanceOfType(NameIDFormat.class).with { - it.format = 'testformat' + it.uri = 'testformat' it }) it @@ -447,7 +447,7 @@ class EntityDescriptorConversionUtilsTests extends Specification { it.getRoleDescriptors().add( openSAMLObjects.buildDefaultInstanceOfType(SPSSODescriptor.class).with { it.nameIDFormats.add(openSAMLObjects.buildDefaultInstanceOfType(NameIDFormat.class).with { - it.format = 'testformat' + it.uri = 'testformat' it }) it 
@@ -459,11 +459,11 @@ class EntityDescriptorConversionUtilsTests extends Specification { it.getRoleDescriptors().add( openSAMLObjects.buildDefaultInstanceOfType(SPSSODescriptor.class).with { it.nameIDFormats.add(openSAMLObjects.buildDefaultInstanceOfType(NameIDFormat.class).with { - it.format = 'testformat' + it.uri = 'testformat' it }) it.nameIDFormats.add(openSAMLObjects.buildDefaultInstanceOfType(NameIDFormat.class).with { - it.format = 'anotherformat' + it.uri = 'anotherformat' it }) it @@ -486,11 +486,11 @@ class EntityDescriptorConversionUtilsTests extends Specification { it.getRoleDescriptors().add( openSAMLObjects.buildDefaultInstanceOfType(SPSSODescriptor.class).with { it.nameIDFormats.add(openSAMLObjects.buildDefaultInstanceOfType(NameIDFormat.class).with { - it.format = 'testformat' + it.uri = 'testformat' it }) it.nameIDFormats.add(openSAMLObjects.buildDefaultInstanceOfType(NameIDFormat.class).with { - it.format = 'anotherformat' + it.uri = 'anotherformat' it }) it @@ -502,7 +502,7 @@ class EntityDescriptorConversionUtilsTests extends Specification { it.getRoleDescriptors().add( openSAMLObjects.buildDefaultInstanceOfType(SPSSODescriptor.class).with { it.nameIDFormats.add(openSAMLObjects.buildDefaultInstanceOfType(NameIDFormat.class).with { - it.format = 'anotherformat' + it.uri = 'anotherformat' it }) it @@ -804,7 +804,7 @@ class EntityDescriptorConversionUtilsTests extends Specification { it.extensions = openSAMLObjects.buildDefaultInstanceOfType(Extensions).with { it.unknownXMLObjects.add(openSAMLObjects.buildDefaultInstanceOfType(UIInfo).with { it.XMLObjects.add(openSAMLObjects.buildDefaultInstanceOfType(InformationURL).with { - it.value = 'http://test' + it.URI = 'http://test' it.XMLLang = 'en' it }) 
@@ -831,7 +831,7 @@ class EntityDescriptorConversionUtilsTests extends Specification { it.extensions = openSAMLObjects.buildDefaultInstanceOfType(Extensions).with { it.unknownXMLObjects.add(openSAMLObjects.buildDefaultInstanceOfType(UIInfo).with { it.XMLObjects.add(openSAMLObjects.buildDefaultInstanceOfType(InformationURL).with { - it.value = 'http://test' + it.URI = 'http://test' it.XMLLang = 'en' it }) @@ -869,7 +869,7 @@ class EntityDescriptorConversionUtilsTests extends Specification { it.extensions = openSAMLObjects.buildDefaultInstanceOfType(Extensions).with { it.unknownXMLObjects.add(openSAMLObjects.buildDefaultInstanceOfType(UIInfo).with { it.XMLObjects.add(openSAMLObjects.buildDefaultInstanceOfType(PrivacyStatementURL).with { - it.value = 'http://test' + it.URI = 'http://test' it.XMLLang = 'en' it }) @@ -896,7 +896,7 @@ class EntityDescriptorConversionUtilsTests extends Specification { it.extensions = openSAMLObjects.buildDefaultInstanceOfType(Extensions).with { it.unknownXMLObjects.add(openSAMLObjects.buildDefaultInstanceOfType(UIInfo).with { it.XMLObjects.add(openSAMLObjects.buildDefaultInstanceOfType(PrivacyStatementURL).with { - it.value = 'http://test' + it.URI = 'http://test' it.XMLLang = 'en' it }) diff --git a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/util/TestHelpers.groovy b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/util/TestHelpers.groovy index ed8815127..4e7bb6af5 100644 --- a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/util/TestHelpers.groovy +++ b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/util/TestHelpers.groovy 
@@ -3,7 +3,7 @@ package edu.internet2.tier.shibboleth.admin.ui.util
 import edu.internet2.tier.shibboleth.admin.ui.security.model.User
 import groovy.xml.XmlUtil
 import junit.framework.Assert
-import org.apache.commons.lang.StringUtils
+import org.apache.commons.lang3.StringUtils
 import org.w3c.dom.Document
 import org.w3c.dom.Node
 import org.xmlunit.assertj.XmlAssert
@@ -20,9 +20,6 @@ import javax.xml.transform.TransformerFactory
 import javax.xml.transform.dom.DOMSource
 import javax.xml.transform.stream.StreamResult
 
-/**
- * @author Bill Smith (wsmith@unicon.net)
- */
 class TestHelpers {
 static int determineCountOfAttributesFromRelyingPartyOverrides(Map relyingPartyOverridesRepresentation) {
 int count = 0
diff --git a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/util/TestObjectGenerator.groovy b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/util/TestObjectGenerator.groovy
index bfdf5ee63..800556355 100644
--- a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/util/TestObjectGenerator.groovy
+++ b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/util/TestObjectGenerator.groovy
@@ -673,7 +673,7 @@ class TestObjectGenerator {
 if (newItemOfType instanceof LocalizedName) {
 newItemOfType.value = generator.randomString(10)
 } else if (newItemOfType instanceof OrganizationURL) {
- newItemOfType.value = generator.randomString(10)
+ newItemOfType.uri = generator.randomString(10)
 }
 list.add(newItemOfType)
 }
diff --git a/gradle.properties b/gradle.properties
index 93855b8b1..7d2bdf961 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -14,14 +14,16 @@ log4JVersion=2.20.0
 lombokVersion=6.6.2
 nashornVersion=15.4
 opencsvVersion=5.7.1
-opensamlVersion=4.2.0
+opensamlVersion=5.0.0-SNAPSHOT
 pac4JVersion=5.7.0
 pac4jSpringSecurityVersion=9.0.0
 seleneseRunnerVersion=4.3.0
 # update shedlock to 5.x when updating to java 17+Spring 6 etc
 shedlockVersion=5.2.0
-shibbolethVersion=4.2.1
+shibbolethVersion=5.0.0-SNAPSHOT
+shibExtSpringExtensionsVersion=6.3.1-SNAPSHOT
 shibOIDCVersion=2.1.0
+shibUtilitiesJavaSupportVersion=8.4.1-SNAPSHOT
 spockVersion=2.3-groovy-4.0
 springbootVersion=3.0.4
 ## Used for testing deps, match spring security version used
diff --git a/pac4j-module/build.gradle b/pac4j-module/build.gradle
index 9b82ddf7e..002b507c7 100644
--- a/pac4j-module/build.gradle
+++ b/pac4j-module/build.gradle
@@ -18,6 +18,10 @@ repositories {
 url 'https://build.shibboleth.net/nexus/content/groups/public'
 artifactUrls = ['https://build.shibboleth.net/nexus/content/repositories/thirdparty-snapshots']
 }
+ // TODO remove snapshots after the versions become final
+ maven {
+ url 'https://build.shibboleth.net/maven/snapshots'
+ }
 maven { // for the springboot plugin
 url "https://plugins.gradle.org/m2/"
 }
From bbabfe5db56db226443d583ab179788eff8e6b77 Mon Sep 17 00:00:00 2001
From: chasegawa
Date: Thu, 3 Aug 2023 11:19:16 -0700
Subject: [PATCH 2/7] SHIBUI-2510 All unit tests pass (envers, backend, pac4j)
---
 ...tityDescriptorEnversVersioningTests.groovy | 46 +++++++++----------
 1 file changed, 23 insertions(+), 23 deletions(-)
diff --git a/backend/src/enversTest/groovy/edu/internet2/tier/shibboleth/admin/ui/repository/envers/EntityDescriptorEnversVersioningTests.groovy b/backend/src/enversTest/groovy/edu/internet2/tier/shibboleth/admin/ui/repository/envers/EntityDescriptorEnversVersioningTests.groovy
index 8b444bdf8..f900f5599 100644
--- a/backend/src/enversTest/groovy/edu/internet2/tier/shibboleth/admin/ui/repository/envers/EntityDescriptorEnversVersioningTests.groovy
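Review bot: The `maven { url 'https://build.shibboleth.net/maven/snapshots' }` block added to pac4j-module/build.gradle is unscoped, so Gradle will consult that snapshot repository for every dependency of the module, not only the `net.shibboleth`/`org.opensaml` artifacts the `-SNAPSHOT` bumps in gradle.properties need; together with mutable snapshot coordinates this makes the build non-reproducible and widens the dependency-confusion surface while the repository is in place. Restrict it with a content filter, `content { includeGroupByRegex 'net\\.shibboleth.*'; includeGroupByRegex 'org\\.opensaml.*' }`, inside the new `maven { }` block, and keep the TODO so the entry is removed once release versions exist. The same scoping concern applies to the pre-existing `thirdparty-snapshots` artifactUrls line in the context, which this patch leaves as is.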
+++ b/backend/src/enversTest/groovy/edu/internet2/tier/shibboleth/admin/ui/repository/envers/EntityDescriptorEnversVersioningTests.groovy
@@ -104,9 +104,9 @@ class EntityDescriptorEnversVersioningTests extends Specification {
 
 then:
 entityDescriptorHistory.size() == 1
- getTargetEntityForRevisionIndex(entityDescriptorHistory, 0).contactPersons[0].givenName.name == 'name'
+ getTargetEntityForRevisionIndex(entityDescriptorHistory, 0).contactPersons[0].givenName.value == 'name'
 getTargetEntityForRevisionIndex(entityDescriptorHistory, 0).contactPersons[0].type == org.opensaml.saml.saml2.metadata.ContactPersonTypeEnumeration.ADMINISTRATIVE
- getTargetEntityForRevisionIndex(entityDescriptorHistory, 0).contactPersons[0].emailAddresses[0].address == 'test@test'
+ getTargetEntityForRevisionIndex(entityDescriptorHistory, 0).contactPersons[0].emailAddresses[0].uri == 'test@test'
 getRevisionEntityForRevisionIndex(entityDescriptorHistory, 0).principalUserName == 'anonymousUser'
 getRevisionEntityForRevisionIndex(entityDescriptorHistory, 0).timestamp > 0L
 getModifiedEntityNames(entityDescriptorHistory, 0).sort() == expectedModifiedPersistentEntities.sort()
@@ -122,9 +122,9 @@ class EntityDescriptorEnversVersioningTests extends Specification {
 entityManager)
 then:
 entityDescriptorHistory.size() == 2
- getTargetEntityForRevisionIndex(entityDescriptorHistory, 1).contactPersons[0].givenName.name == 'nameUPDATED'
+ getTargetEntityForRevisionIndex(entityDescriptorHistory, 1).contactPersons[0].givenName.value == 'nameUPDATED'
 getTargetEntityForRevisionIndex(entityDescriptorHistory, 1).contactPersons[0].type == org.opensaml.saml.saml2.metadata.ContactPersonTypeEnumeration.ADMINISTRATIVE
- getTargetEntityForRevisionIndex(entityDescriptorHistory, 1).contactPersons[0].emailAddresses[0].address == 'test@test'
+ getTargetEntityForRevisionIndex(entityDescriptorHistory, 1).contactPersons[0].emailAddresses[0].uri == 'test@test'
 getRevisionEntityForRevisionIndex(entityDescriptorHistory, 1).principalUserName == 'anonymousUser'
 getRevisionEntityForRevisionIndex(entityDescriptorHistory, 1).timestamp > 0L
 getModifiedEntityNames(entityDescriptorHistory, 1).sort() == expectedModifiedPersistentEntities.sort()
@@ -142,17 +142,17 @@ class EntityDescriptorEnversVersioningTests extends Specification {
 
 then:
 entityDescriptorHistory.size() == 3
- getTargetEntityForRevisionIndex(entityDescriptorHistory, 2).contactPersons[0].givenName.name == 'nameUPDATED2'
+ getTargetEntityForRevisionIndex(entityDescriptorHistory, 2).contactPersons[0].givenName.value == 'nameUPDATED2'
 getTargetEntityForRevisionIndex(entityDescriptorHistory, 2).contactPersons[0].type == org.opensaml.saml.saml2.metadata.ContactPersonTypeEnumeration.OTHER
- getTargetEntityForRevisionIndex(entityDescriptorHistory, 2).contactPersons[0].emailAddresses[0].address == 'test@test.com'
+ getTargetEntityForRevisionIndex(entityDescriptorHistory, 2).contactPersons[0].emailAddresses[0].uri == 'test@test.com'
 getRevisionEntityForRevisionIndex(entityDescriptorHistory, 2).principalUserName == 'anonymousUser'
 getRevisionEntityForRevisionIndex(entityDescriptorHistory, 2).timestamp > 0L
 getModifiedEntityNames(entityDescriptorHistory, 2).sort() == expectedModifiedPersistentEntities.sort()
 
 //Also make sure we have our original revision
- getTargetEntityForRevisionIndex(entityDescriptorHistory, 1).contactPersons[0].givenName.name == 'nameUPDATED'
+ getTargetEntityForRevisionIndex(entityDescriptorHistory, 1).contactPersons[0].givenName.value == 'nameUPDATED'
 getTargetEntityForRevisionIndex(entityDescriptorHistory, 1).contactPersons[0].type == org.opensaml.saml.saml2.metadata.ContactPersonTypeEnumeration.ADMINISTRATIVE
- getTargetEntityForRevisionIndex(entityDescriptorHistory, 1).contactPersons[0].emailAddresses[0].address == 'test@test'
+ getTargetEntityForRevisionIndex(entityDescriptorHistory, 1).contactPersons[0].emailAddresses[0].uri == 'test@test'
 getRevisionEntityForRevisionIndex(entityDescriptorHistory, 1).principalUserName == 'anonymousUser'
 getRevisionEntityForRevisionIndex(entityDescriptorHistory, 1).timestamp > 0L
 
@@ -180,7 +180,7 @@ class EntityDescriptorEnversVersioningTests extends Specification {
 entityDescriptorHistory.size() == 1
 getTargetEntityForRevisionIndex(entityDescriptorHistory, 0).organization.organizationNames[0].value == 'org'
 getTargetEntityForRevisionIndex(entityDescriptorHistory, 0).organization.displayNames[0].value == 'display org'
- getTargetEntityForRevisionIndex(entityDescriptorHistory, 0).organization.URLs[0].value == 'http://org.edu'
+ getTargetEntityForRevisionIndex(entityDescriptorHistory, 0).organization.URLs[0].uri == 'http://org.edu'
 getRevisionEntityForRevisionIndex(entityDescriptorHistory, 0).principalUserName == 'anonymousUser'
 getRevisionEntityForRevisionIndex(entityDescriptorHistory, 0).timestamp > 0L
 getModifiedEntityNames(entityDescriptorHistory, 0).sort() == expectedModifiedPersistentEntities.sort()
@@ -202,7 +202,7 @@ class EntityDescriptorEnversVersioningTests extends Specification {
 entityDescriptorHistory.size() == 2
 getTargetEntityForRevisionIndex(entityDescriptorHistory, 1).organization.organizationNames[0].value == 'orgUpdated'
 getTargetEntityForRevisionIndex(entityDescriptorHistory, 1).organization.displayNames[0].value == 'display org Updated'
- getTargetEntityForRevisionIndex(entityDescriptorHistory, 1).organization.URLs[0].value == 'http://org2.edu'
+ getTargetEntityForRevisionIndex(entityDescriptorHistory, 1).organization.URLs[0].uri == 'http://org2.edu'
 getRevisionEntityForRevisionIndex(entityDescriptorHistory, 0).principalUserName == 'anonymousUser'
 getRevisionEntityForRevisionIndex(entityDescriptorHistory, 0).timestamp > 0L
 getModifiedEntityNames(entityDescriptorHistory, 1).sort() == expectedModifiedPersistentEntities.sort()
@@ -210,7 +210,7 @@ class EntityDescriptorEnversVersioningTests extends Specification {
 //Check the original revision is intact
 getTargetEntityForRevisionIndex(entityDescriptorHistory, 0).organization.organizationNames[0].value == 'org'
 getTargetEntityForRevisionIndex(entityDescriptorHistory, 0).organization.displayNames[0].value == 'display org'
- getTargetEntityForRevisionIndex(entityDescriptorHistory, 0).organization.URLs[0].value == 'http://org.edu'
+ getTargetEntityForRevisionIndex(entityDescriptorHistory, 0).organization.URLs[0].uri == 'http://org.edu'
 getRevisionEntityForRevisionIndex(entityDescriptorHistory, 1).principalUserName == 'anonymousUser'
 getRevisionEntityForRevisionIndex(entityDescriptorHistory, 1).timestamp > 0L
 }
@@ -237,7 +237,7 @@ class EntityDescriptorEnversVersioningTests extends Specification {
 
 then:
 entityDescriptorHistory.size() == 1
- getTargetEntityForRevisionIndex(entityDescriptorHistory, 0).roleDescriptors[0].nameIDFormats[0].format == 'format'
+ getTargetEntityForRevisionIndex(entityDescriptorHistory, 0).roleDescriptors[0].nameIDFormats[0].uri == 'format'
 getTargetEntityForRevisionIndex(entityDescriptorHistory, 0).roleDescriptors[0].supportedProtocols[0] == 'urn:oasis:names:tc:SAML:1.1:protocol'
 getTargetEntityForRevisionIndex(entityDescriptorHistory, 0).roleDescriptors[0].supportedProtocols[1] == null
 getRevisionEntityForRevisionIndex(entityDescriptorHistory, 0).principalUserName == 'anonymousUser'
@@ -261,7 +261,7 @@ class EntityDescriptorEnversVersioningTests extends Specification {
 
 then:
 entityDescriptorHistory.size() == 2
- getTargetEntityForRevisionIndex(entityDescriptorHistory, 1).roleDescriptors[0].nameIDFormats[0].format == 'formatUPDATED'
+ getTargetEntityForRevisionIndex(entityDescriptorHistory, 1).roleDescriptors[0].nameIDFormats[0].uri == 'formatUPDATED'
 getTargetEntityForRevisionIndex(entityDescriptorHistory, 1).roleDescriptors[0].supportedProtocols[0] == 'urn:oasis:names:tc:SAML:1.1:protocol'
 getTargetEntityForRevisionIndex(entityDescriptorHistory, 1).roleDescriptors[0].supportedProtocols[1] == 'urn:oasis:names:tc:SAML:2.0:protocol'
 getRevisionEntityForRevisionIndex(entityDescriptorHistory, 1).principalUserName == 'anonymousUser'
@@ -269,7 +269,7 @@ class EntityDescriptorEnversVersioningTests extends Specification {
 getModifiedEntityNames(entityDescriptorHistory, 1).sort() == expectedModifiedPersistentEntities.sort()
 
 //Check the original revision is intact
- getTargetEntityForRevisionIndex(entityDescriptorHistory, 0).roleDescriptors[0].nameIDFormats[0].format == 'format'
+ getTargetEntityForRevisionIndex(entityDescriptorHistory, 0).roleDescriptors[0].nameIDFormats[0].uri == 'format'
 getTargetEntityForRevisionIndex(entityDescriptorHistory, 0).roleDescriptors[0].supportedProtocols[0] == 'urn:oasis:names:tc:SAML:1.1:protocol'
 getTargetEntityForRevisionIndex(entityDescriptorHistory, 0).roleDescriptors[0].supportedProtocols[1] == null
 getRevisionEntityForRevisionIndex(entityDescriptorHistory, 0).principalUserName == 'anonymousUser'
@@ -314,10 +314,10 @@ class EntityDescriptorEnversVersioningTests extends Specification {
 then:
 entityDescriptorHistory.size() == 1
 uiinfo.displayNames[0].value == 'Initial display name'
- uiinfo.informationURLs[0].value == 'http://info'
- uiinfo.privacyStatementURLs[0].value == 'http://privacy'
+ uiinfo.informationURLs[0].URI == 'http://info'
+ uiinfo.privacyStatementURLs[0].URI == 'http://privacy'
 uiinfo.descriptions[0].value == 'Initial desc'
- uiinfo.logos[0].URL == 'http://logo'
+ uiinfo.logos[0].URI == 'http://logo'
 uiinfo.logos[0].height == 20
 uiinfo.logos[0].width == 30
 getModifiedEntityNames(entityDescriptorHistory, 0).sort() == expectedModifiedPersistentEntities.sort()
@@ -349,20 +349,20 @@ class EntityDescriptorEnversVersioningTests extends Specification {
 then:
 entityDescriptorHistory.size() == 2
 uiinfo.displayNames[0].value == 'Display name UPDATED'
- uiinfo.informationURLs[0].value == 'http://info.updated'
- uiinfo.privacyStatementURLs[0].value == 'http://privacy.updated'
+ uiinfo.informationURLs[0].URI == 'http://info.updated'
+ uiinfo.privacyStatementURLs[0].URI == 'http://privacy.updated'
 uiinfo.descriptions[0].value == 'Desc UPDATED'
- uiinfo.logos[0].URL == 'http://logo.updated'
+ uiinfo.logos[0].URI == 'http://logo.updated'
 uiinfo.logos[0].height == 30
 uiinfo.logos[0].width == 40
 getModifiedEntityNames(entityDescriptorHistory, 1).sort() == expectedModifiedPersistentEntities.sort()
 
 //Check the initial revision is still intact
 uiinfoInitialRevision.displayNames[0].value == 'Initial display name'
- uiinfoInitialRevision.informationURLs[0].value == 'http://info'
- uiinfoInitialRevision.privacyStatementURLs[0].value == 'http://privacy'
+ uiinfoInitialRevision.informationURLs[0].URI == 'http://info'
+ uiinfoInitialRevision.privacyStatementURLs[0].URI == 'http://privacy'
 uiinfoInitialRevision.descriptions[0].value == 'Initial desc'
- uiinfoInitialRevision.logos[0].URL == 'http://logo'
+ uiinfoInitialRevision.logos[0].URI == 'http://logo'
 uiinfoInitialRevision.logos[0].height == 20
 uiinfoInitialRevision.logos[0].width == 30
 }
From c4a4b369d1d6e291d3900cb4f6cdf216fbec059e Mon Sep 17 00:00:00 2001
From: chasegawa
Date: Thu, 3 Aug 2023 12:39:42 -0700
Subject: [PATCH 3/7] SHIBUI-2510 Updated to a few newer dependencies
---
 backend/build.gradle | 6 +++---
 gradle.properties | 5 ++---
 2 files changed, 5 insertions(+), 6 deletions(-)
diff --git a/backend/build.gradle b/backend/build.gradle
index 7f2d2e06c..443bf9e8f 100644
--- a/backend/build.gradle
+++ b/backend/build.gradle
@@ -194,9 +194,9 @@ dependencies { implementation "net.shibboleth.ext:spring-extensions:6.2.0" // Spring Web classes requires Apache HttpComponents 5.1 or higher, as of Spring 6.0. - implementation "org.apache.httpcomponents.client5:httpclient5:5.1.4" - implementation "org.apache.httpcomponents.core5:httpcore5:5.1.5" - implementation "org.apache.httpcomponents.core5:httpcore5-h2:5.1.5" + implementation "org.apache.httpcomponents.client5:httpclient5:5.2.1" + implementation "org.apache.httpcomponents.core5:httpcore5:5.2.2" + implementation "org.apache.httpcomponents.core5:httpcore5-h2:5.2.2" // To override older version with security issue - https://www.lunasec.io/docs/blog/log4j-zero-day/ implementation "org.apache.logging.log4j:log4j-to-slf4j:${project.'log4JVersion'}" diff --git a/gradle.properties b/gradle.properties index 7d2bdf961..da7b6323d 100644 --- a/gradle.properties +++ b/gradle.properties @@ -8,7 +8,7 @@ commonsCollections4Version=4.4 comsunjaxbVersion=4.0.2 cryptacularVersion=1.2.5 groovyVersion=4.0.9 -hibernateVersion=6.1.6.Final +hibernateVersion=6.2.6.Final luceneVersion=9.5.0 log4JVersion=2.20.0 lombokVersion=6.6.2 @@ -18,14 +18,13 @@ opensamlVersion=5.0.0-SNAPSHOT pac4JVersion=5.7.0 pac4jSpringSecurityVersion=9.0.0 seleneseRunnerVersion=4.3.0 -# update shedlock to 5.x when updating to java 17+Spring 6 etc shedlockVersion=5.2.0 shibbolethVersion=5.0.0-SNAPSHOT shibExtSpringExtensionsVersion=6.3.1-SNAPSHOT shibOIDCVersion=2.1.0 shibUtilitiesJavaSupportVersion=8.4.1-SNAPSHOT spockVersion=2.3-groovy-4.0 -springbootVersion=3.0.4 +springbootVersion=3.1.2 ## Used for testing deps, match spring security version used springSecurityVersion=6.0.2 From 1d9324882ce435a5184df72e93c612f313229367 Mon Sep 17 00:00:00 2001 
From: chasegawa
Date: Tue, 8 Aug 2023 16:28:37 -0700
Subject: [PATCH 4/7] SHIBUI-2510 Updated spring security config to match more strict usage in newer spring version
---
 .../admin/ui/configuration/SpringSecurityConfig.java | 5 ++++-
 gradle.properties | 2 +-
 .../unicon/shibui/pac4j/Pac4jSpringSecurityConfig.java | 9 +++++++--
 3 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/configuration/SpringSecurityConfig.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/configuration/SpringSecurityConfig.java
index 5b2e5a98a..90194ede5 100644
--- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/configuration/SpringSecurityConfig.java
+++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/configuration/SpringSecurityConfig.java
@@ -110,7 +110,10 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 http.csrf((csrf) -> csrf.csrfTokenRequestHandler(requestHandler));
 http
 .authorizeHttpRequests()
- .requestMatchers("/unsecured/**/*","/entities/**/*","/actuator/**", "/api/beacon/send").permitAll()
+ .requestMatchers(new AntPathRequestMatcher("/unsecured/**/*"),
+ new AntPathRequestMatcher("/entities/**/*"),
+ new AntPathRequestMatcher("/actuator/**"),
+ new AntPathRequestMatcher("/api/beacon/send")).permitAll()
 .anyRequest().hasAnyRole(acceptedAuthenticationRoles)
 .and().exceptionHandling().accessDeniedHandler((request, response, accessDeniedException) -> response.sendRedirect("/unsecured/error.html"))
 .and().authenticationProvider(new SimpleAuthenticationProvider(adminUserService())).formLogin()
diff --git a/gradle.properties b/gradle.properties
index da7b6323d..6978848ee 100644
--- a/gradle.properties
+++ b/gradle.properties
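Review bot: The rewritten permitAll list still contains `new AntPathRequestMatcher("/actuator/**")`, so every actuator endpoint that is exposed over HTTP is reachable without authentication; the management exposure settings are not part of this patch, so either confirm that `management.endpoints.web.exposure.include` is limited to health/info or narrow the rule to `new AntPathRequestMatcher("/actuator/health/**"), new AntPathRequestMatcher("/actuator/info")`. Replacing the `requestMatchers(String...)` overload with explicit `AntPathRequestMatcher` instances also changes how paths are matched — the String form resolves to an MVC-aware matcher when Spring MVC is on the classpath, whereas Ant matching looks at the servlet path alone — so the reason for the switch (presumably the stricter check in the Spring Security 6.1 line that refuses to guess when more than one servlet is registered) deserves a comment on the first new line, e.g. `// Explicit Ant matchers: Spring Security 6.1 rejects the String overload when several servlets are mapped`. The existing controller tests should also cover a trailing-slash variant of each permitAll path to confirm nothing moved between the two rule sets. `filterChain` starts before this hunk and continues after it.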
@@ -26,7 +26,7 @@ shibUtilitiesJavaSupportVersion=8.4.1-SNAPSHOT
 spockVersion=2.3-groovy-4.0
 springbootVersion=3.1.2
 ## Used for testing deps, match spring security version used
-springSecurityVersion=6.0.2
+springSecurityVersion=6.1.2
 
 ### DB Driver Versions ###
 mariadbVersion=3.1.2
diff --git a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/Pac4jSpringSecurityConfig.java b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/Pac4jSpringSecurityConfig.java
index a1bc022ca..2d725a83a 100644
--- a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/Pac4jSpringSecurityConfig.java
+++ b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/Pac4jSpringSecurityConfig.java
@@ -26,6 +26,7 @@
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
 import org.springframework.security.web.firewall.StrictHttpFirewall;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 
 import java.util.Optional;
 
@@ -69,11 +70,15 @@ public AuditorAware pac4jAuditorAware() { @Bean public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { - http.authorizeHttpRequests().requestMatchers("/unsecured/**/*", "/entities/**/*", "/favicon.ico", "/assets/**/*.png", "/static/**/*", "/**/*.css").permitAll() + http.authorizeHttpRequests().requestMatchers(new AntPathRequestMatcher("/unsecured/**/*"), + new AntPathRequestMatcher("/entities/**/*"), + new AntPathRequestMatcher("/favicon.ico"), + new AntPathRequestMatcher("/assets/**/*.png"), + new AntPathRequestMatcher("/static/**/*"), + new AntPathRequestMatcher("/**/*.css")).permitAll() .anyRequest().hasAnyRole(acceptedAuthenticationRoles) .and().exceptionHandling().accessDeniedHandler((request, response, accessDeniedException) -> response.sendRedirect("/unsecured/error.html")); - // If the post logout URL is configured, setup the logout filter if (StringUtils.isNotEmpty(pac4jConfigurationProperties.getPostLogoutURL())) { final ShibuiLogoutFilter logoutFilter = new ShibuiLogoutFilter(config); From 2e5a6b1aca825a61ef49693f9da93c0b2ce34004 Mon Sep 17 00:00:00 2001 From: chasegawa Date: Thu, 14 Sep 2023 14:25:06 -0700 Subject: [PATCH 5/7] SHIBUI-2510 Update to use the release 5.0.0 versions of Shib and OpenSAML - removed all the SNAPSHOT versions of deps --- backend/build.gradle | 7 +------ gradle.properties | 12 ++++++------ pac4j-module/build.gradle | 5 ----- 3 files changed, 7 insertions(+), 17 deletions(-) diff --git a/backend/build.gradle b/backend/build.gradle index 443bf9e8f..71575911a 100644 --- a/backend/build.gradle +++ b/backend/build.gradle 
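Review bot: `new AntPathRequestMatcher("/**/*.css")` grants permitAll to any request whose path ends in `.css`, at any depth, not just the static asset tree; Ant matching decides on the path string alone, so a controller mapped at a path ending in `.css`, or a suffix-style probe such as `/api/x.css` should any handler still honour suffix patterns, would bypass the `hasAnyRole(acceptedAuthenticationRoles)` rule that follows. Prefer anchoring the carve-out to the directories that actually serve stylesheets, e.g. `new AntPathRequestMatcher("/static/**/*.css"), new AntPathRequestMatcher("/assets/**/*.css")`, or rely on the existing `/static/**/*` entry and drop the wildcard one. This chain's permitAll set also differs from the backend `SpringSecurityConfig` list (no `/actuator/**` or `/api/beacon/send` here); if that is intentional, a one-line comment saying so would prevent the two lists drifting further apart. `filterChain` continues past the end of this hunk.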
@@ -19,15 +19,10 @@ test {
 }
 
 repositories {
- jcenter()
 maven {
 url 'https://build.shibboleth.net/nexus/content/groups/public'
 artifactUrls = ['https://build.shibboleth.net/nexus/content/repositories/thirdparty-snapshots']
 }
- // TODO remove snapshots after the versions become final
- maven {
- url 'https://build.shibboleth.net/maven/snapshots'
- }
 maven { // for the springboot plugin
 url "https://plugins.gradle.org/m2/"
 }
@@ -171,7 +166,7 @@ dependencies {
 }
 
 // shibboleth idp deps
- ['idp-profile-spring', 'idp-profile-api'].each {
+ ['idp-profile-impl', 'idp-profile-api'].each {
 implementation "net.shibboleth.idp:${it}:${project.'shibbolethVersion'}"
 integrationTestImplementation "net.shibboleth.idp:${it}:${project.'shibbolethVersion'}"
 }
diff --git a/gradle.properties b/gradle.properties
index 6978848ee..beef423a4 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -14,15 +14,15 @@ log4JVersion=2.20.0
 lombokVersion=6.6.2
 nashornVersion=15.4
 opencsvVersion=5.7.1
-opensamlVersion=5.0.0-SNAPSHOT
+opensamlVersion=5.0.0
 pac4JVersion=5.7.0
 pac4jSpringSecurityVersion=9.0.0
 seleneseRunnerVersion=4.3.0
 shedlockVersion=5.2.0
-shibbolethVersion=5.0.0-SNAPSHOT
-shibExtSpringExtensionsVersion=6.3.1-SNAPSHOT
+shibbolethVersion=5.0.0
+shibExtSpringExtensionsVersion=6.2.0
 shibOIDCVersion=2.1.0
-shibUtilitiesJavaSupportVersion=8.4.1-SNAPSHOT
+shibUtilitiesJavaSupportVersion=8.1.0
 spockVersion=2.3-groovy-4.0
 springbootVersion=3.1.2
 ## Used for testing deps, match spring security version used
@@ -51,5 +51,5 @@ use.release.app.yml=false
 org.gradle.daemon=false
 
 ## NOTES
-# pac4j spring security 7.0.3 here uses the pac4j 5.4.3 core, thus differences in versions (they used use the same versions, now
-# keeping them in sync takes paying attention
\ No newline at end of file
+# pac4j spring security 7.0.3 here uses the pac4j 5.4.3 core, thus differences in versions (they used to use the same versions, now
+# keeping them in sync takes paying attention)
\ No newline at end of file
diff --git a/pac4j-module/build.gradle b/pac4j-module/build.gradle
index 002b507c7..70e420eb8 100644
--- a/pac4j-module/build.gradle
+++ b/pac4j-module/build.gradle
@@ -12,16 +12,11 @@ targetCompatibility = 17
 bootJar.enabled = false
 
 repositories {
- jcenter()
 mavenCentral()
 maven {
 url 'https://build.shibboleth.net/nexus/content/groups/public'
 artifactUrls = ['https://build.shibboleth.net/nexus/content/repositories/thirdparty-snapshots']
 }
- // TODO remove snapshots after the versions become final
- maven {
- url 'https://build.shibboleth.net/maven/snapshots'
- }
 maven { // for the springboot plugin
 url "https://plugins.gradle.org/m2/"
 }
From 0ec03d06b262f16093d91e26a700b9f81bd0921c Mon Sep 17 00:00:00 2001
From: chasegawa Date: Thu, 14 Sep 2023 14:28:35 -0700 Subject: [PATCH 6/7] SHIBUI-2510 Cleanup of all imports --- .../admin/ui/controller/BeaconController.java | 1 - .../controller/MetadataFiltersController.java | 1 - .../admin/ui/domain/Description.java | 1 - .../admin/ui/domain/EntityDescriptor.java | 1 - .../admin/ui/domain/X509Certificate.java | 1 - .../shibboleth/admin/ui/domain/XSAny.java | 1 - .../domain/oidc/DynamicRegistrationInfo.java | 1 - ...tionDrivenDynamicHTTPMetadataResolver.java | 1 - ...SamlMetadataResolverConstructorHelper.java | 1 - .../properties/ShibConfigurationProperty.java | 1 - .../admin/ui/domain/util/Shedlock.java | 1 + .../listener/GroupUpdatedEntityListener.java | 1 - .../listener/UserUpdatedEntityListener.java | 1 - .../ui/security/service/UserService.java | 1 - .../springsecurity/AdminUserService.java | 1 - .../ui/service/BeaconDataServiceImpl.java | 2 +- .../admin/ui/service/beacon/BeaconDetail.java | 2 - .../admin/ui/AbstractBaseDataJpaTest.groovy | 6 +- .../ui/configuration/TestConfiguration.groovy | 2 +- ...dataResolverValidationConfiguration.groovy | 1 - .../controller/ActivateControllerTests.groovy | 3 +- .../controller/ApproveControllerTests.groovy | 3 +- .../DynamicRegistrationControllerTests.groovy | 3 +- .../EntitiesControllerIntegrationTests.groovy | 3 +- .../controller/EntitiesControllerTests.groovy | 1 - .../EntityDescriptorControllerTests.groovy | 1 - ...lerSchemaValidationIntegrationTests.groovy | 8 -- ...lerSchemaValidationIntegrationTests.groovy | 3 - ...ResolversControllerIntegrationTests.groovy | 2 - .../domain/oidc/OAuthRPExtensionsTest.groovy | 3 +- ...yAttributeDefinitionRepositoryTests.groovy | 3 +- .../EntityDescriptorRepositoryTest.groovy | 2 +- .../MetadataResolverRepositoryTests.groovy | 3 +- .../ShibPropertySetRepositoryTests.groovy | 3 +- .../ui/service/EmailServiceImplTests.groovy | 2 +- ...DynamicRegistrationServiceImplTests.groovy | 95 ------------------- ...taResolverConverterServiceImplTests.groovy | 
1 - .../ShibConfigurationServiceTests.groovy | 3 +- 38 files changed, 15 insertions(+), 155 deletions(-) diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/controller/BeaconController.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/controller/BeaconController.java index 9b047142b..8e38e1daa 100644 --- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/controller/BeaconController.java +++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/controller/BeaconController.java @@ -7,7 +7,6 @@ import org.springframework.context.annotation.Profile; import org.springframework.http.ResponseEntity; import org.springframework.web.bind.annotation.GetMapping; -import org.springframework.web.bind.annotation.PostMapping; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RestController; diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/controller/MetadataFiltersController.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/controller/MetadataFiltersController.java index bab89c307..df35a86bc 100644 --- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/controller/MetadataFiltersController.java +++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/controller/MetadataFiltersController.java @@ -15,7 +15,6 @@ import edu.internet2.tier.shibboleth.admin.ui.service.MetadataResolverService; import io.swagger.v3.oas.annotations.tags.Tag; import io.swagger.v3.oas.annotations.tags.Tags; -import net.shibboleth.shared.component.ComponentInitializationException; import net.shibboleth.utilities.java.support.scripting.EvaluableScript; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.http.HttpStatus; 
diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/Description.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/Description.java index 3702576d4..42f22ce74 100644 --- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/Description.java +++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/Description.java @@ -2,7 +2,6 @@ import jakarta.persistence.Column; import jakarta.persistence.Entity; -import jakarta.persistence.Lob; import lombok.EqualsAndHashCode; import org.hibernate.Length; import org.hibernate.envers.Audited; diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/EntityDescriptor.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/EntityDescriptor.java index 4db90392a..ed3f96389 100644 --- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/EntityDescriptor.java +++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/EntityDescriptor.java @@ -7,7 +7,6 @@ import edu.internet2.tier.shibboleth.admin.ui.security.model.Ownable; import edu.internet2.tier.shibboleth.admin.ui.security.model.OwnableType; import jakarta.persistence.CascadeType; -import jakarta.persistence.Column; import jakarta.persistence.ElementCollection; import jakarta.persistence.Entity; import jakarta.persistence.FetchType; diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/X509Certificate.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/X509Certificate.java index 82e55d5f5..8d0dd62f8 100644 --- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/X509Certificate.java +++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/X509Certificate.java 
@@ -3,7 +3,6 @@ import edu.internet2.tier.shibboleth.admin.ui.domain.oidc.ValueXMLObject; import jakarta.persistence.Column; import jakarta.persistence.Entity; -import jakarta.persistence.Lob; import lombok.EqualsAndHashCode; import org.hibernate.Length; import org.hibernate.envers.Audited; diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/XSAny.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/XSAny.java index b566a7fa4..5d3b65369 100644 --- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/XSAny.java +++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/XSAny.java @@ -2,7 +2,6 @@ import jakarta.persistence.Column; import jakarta.persistence.Entity; -import jakarta.persistence.Lob; import jakarta.persistence.Transient; import lombok.EqualsAndHashCode; import org.hibernate.Length; diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/oidc/DynamicRegistrationInfo.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/oidc/DynamicRegistrationInfo.java index dcf81157e..bdc2093bb 100644 --- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/oidc/DynamicRegistrationInfo.java +++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/oidc/DynamicRegistrationInfo.java @@ -11,7 +11,6 @@ import jakarta.persistence.ElementCollection; import jakarta.persistence.Entity; import jakarta.persistence.FetchType; -import jakarta.persistence.Lob; import lombok.Data; import lombok.EqualsAndHashCode; import org.hibernate.Length; diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/resolvers/opensaml/OpenSamlFunctionDrivenDynamicHTTPMetadataResolver.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/resolvers/opensaml/OpenSamlFunctionDrivenDynamicHTTPMetadataResolver.java index c20e4c35f..281a3223e 100644 
--- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/resolvers/opensaml/OpenSamlFunctionDrivenDynamicHTTPMetadataResolver.java +++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/resolvers/opensaml/OpenSamlFunctionDrivenDynamicHTTPMetadataResolver.java @@ -5,7 +5,6 @@ import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.RegexScheme; import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.TemplateScheme; import net.shibboleth.shared.component.ComponentInitializationException; - import net.shibboleth.shared.xml.ParserPool; import org.apache.hc.client5.http.impl.classic.HttpClients; import org.apache.lucene.index.IndexWriter; diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/resolvers/opensaml/OpenSamlMetadataResolverConstructorHelper.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/resolvers/opensaml/OpenSamlMetadataResolverConstructorHelper.java index bb53d658a..7c5012072 100644 --- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/resolvers/opensaml/OpenSamlMetadataResolverConstructorHelper.java +++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/resolvers/opensaml/OpenSamlMetadataResolverConstructorHelper.java @@ -3,7 +3,6 @@ import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.DynamicMetadataResolverAttributes; import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.HttpMetadataResolverAttributes; import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.ReloadableMetadataResolverAttributes; - import net.shibboleth.shared.xml.ParserPool; import org.opensaml.saml.metadata.resolver.MetadataResolver; import org.opensaml.saml.metadata.resolver.impl.AbstractDynamicMetadataResolver; 
diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/shib/properties/ShibConfigurationProperty.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/shib/properties/ShibConfigurationProperty.java index 89f622877..dae41153c 100644 --- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/shib/properties/ShibConfigurationProperty.java +++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/shib/properties/ShibConfigurationProperty.java @@ -6,7 +6,6 @@ import jakarta.persistence.Convert; import jakarta.persistence.Entity; import jakarta.persistence.Id; -import jakarta.persistence.Lob; import lombok.Data; import org.hibernate.Length; import org.hibernate.envers.Audited; diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/util/Shedlock.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/util/Shedlock.java index b96dc79fc..bf38f6728 100644 --- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/util/Shedlock.java +++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/util/Shedlock.java @@ -2,6 +2,7 @@ import jakarta.persistence.Entity; import jakarta.persistence.Id; + import java.util.Date; /** diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/model/listener/GroupUpdatedEntityListener.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/model/listener/GroupUpdatedEntityListener.java index 450c6719a..ec3f177c9 100644 --- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/model/listener/GroupUpdatedEntityListener.java +++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/model/listener/GroupUpdatedEntityListener.java 
@@ -8,7 +8,6 @@ import jakarta.persistence.PostPersist;
 import jakarta.persistence.PostRemove;
 import jakarta.persistence.PostUpdate;
-import org.springframework.beans.factory.annotation.Autowired;
 import java.util.List;
 import java.util.Set;
diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/model/listener/UserUpdatedEntityListener.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/model/listener/UserUpdatedEntityListener.java
index a59e3468b..cbeb7cde9 100644
--- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/model/listener/UserUpdatedEntityListener.java
+++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/model/listener/UserUpdatedEntityListener.java
@@ -9,7 +9,6 @@ import jakarta.persistence.PostPersist;
 import jakarta.persistence.PostRemove;
 import jakarta.persistence.PostUpdate;
-import org.springframework.beans.factory.annotation.Autowired;
 import java.util.HashSet;
 import java.util.Set;
diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/service/UserService.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/service/UserService.java
index 8768d3386..adb1dd60b 100644
--- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/service/UserService.java
+++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/service/UserService.java
@@ -25,7 +25,6 @@ import org.springframework.transaction.annotation.Transactional;
 import java.text.SimpleDateFormat;
-import java.time.LocalDate;
 import java.util.ArrayList;
 import java.util.Date;
 import java.util.HashSet;
diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/springsecurity/AdminUserService.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/springsecurity/AdminUserService.java
index 02a468848..79d69edac 100644
--- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/springsecurity/AdminUserService.java
+++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/springsecurity/AdminUserService.java
@@ -10,7 +10,6 @@ import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
 import org.springframework.stereotype.Service;
-import org.springframework.transaction.annotation.Transactional;
 import java.util.Set;
diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/service/BeaconDataServiceImpl.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/service/BeaconDataServiceImpl.java
index 538ee932a..4ccd615c0 100644
--- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/service/BeaconDataServiceImpl.java
+++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/service/BeaconDataServiceImpl.java
@@ -16,8 +16,8 @@ import edu.internet2.tier.shibboleth.admin.ui.service.beacon.BeaconDetail;
 import edu.internet2.tier.shibboleth.admin.ui.service.beacon.ShibuiDetail;
 import lombok.SneakyThrows;
-import org.apache.commons.lang3.time.DateUtils;
 import org.apache.commons.lang3.StringUtils;
+import org.apache.commons.lang3.time.DateUtils;
 import org.springframework.boot.actuate.health.HealthEndpoint;
 import org.springframework.boot.actuate.info.InfoEndpoint;
diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/service/beacon/BeaconDetail.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/service/beacon/BeaconDetail.java
index 78503cf50..9cbd8190f 100644
--- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/service/beacon/BeaconDetail.java
+++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/service/beacon/BeaconDetail.java
@@ -1,10 +1,8 @@
 package edu.internet2.tier.shibboleth.admin.ui.service.beacon;
-import edu.internet2.tier.shibboleth.admin.ui.domain.beacon.BeaconEvent;
 import lombok.Data;
 import lombok.experimental.Accessors;
-import java.util.List;
 import java.util.Map;
 @Data
diff --git a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/AbstractBaseDataJpaTest.groovy b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/AbstractBaseDataJpaTest.groovy
index 8db64d5f8..df74f0a0e 100644
--- a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/AbstractBaseDataJpaTest.groovy
+++ b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/AbstractBaseDataJpaTest.groovy
@@ -1,6 +1,5 @@
 package edu.internet2.tier.shibboleth.admin.ui
-
 import edu.internet2.tier.shibboleth.admin.ui.repository.EntityDescriptorRepository
 import edu.internet2.tier.shibboleth.admin.ui.security.model.Role
 import edu.internet2.tier.shibboleth.admin.ui.security.model.User
@@ -12,21 +11,18 @@ import edu.internet2.tier.shibboleth.admin.ui.security.repository.OwnershipRepos
 import edu.internet2.tier.shibboleth.admin.ui.security.repository.RoleRepository
 import edu.internet2.tier.shibboleth.admin.ui.security.repository.UserLoginRecordRepository
 import edu.internet2.tier.shibboleth.admin.ui.security.repository.UserRepository
-import edu.internet2.tier.shibboleth.admin.ui.security.service.GroupServiceForTesting
 import edu.internet2.tier.shibboleth.admin.ui.security.service.IGroupService
 import edu.internet2.tier.shibboleth.admin.ui.security.service.UserService
 import edu.internet2.tier.shibboleth.admin.ui.service.DirectoryService
+import jakarta.persistence.EntityManager
 import org.springframework.beans.factory.annotation.Autowired
 import org.springframework.boot.autoconfigure.domain.EntityScan
 import org.springframework.boot.test.autoconfigure.orm.jpa.DataJpaTest
 import org.springframework.data.jpa.repository.config.EnableJpaRepositories
 import org.springframework.test.context.ContextConfiguration
-import org.springframework.test.web.servlet.MockMvc
 import org.springframework.transaction.annotation.Transactional
 import spock.lang.Specification
-import jakarta.persistence.EntityManager
-
 // The commented out lines show how to run the JPA tests using a file back h2 db - typically you'd switch if you want
 // to access the db during testing to see what is happening in the db. Additionally, you have to use the file version of h2
 // if you want to use the reset, as the in mem version won't allow multiple different access connections to be created.
diff --git a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/configuration/TestConfiguration.groovy b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/configuration/TestConfiguration.groovy
index 1ea0670ce..cf6ef66f6 100644
--- a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/configuration/TestConfiguration.groovy
+++ b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/configuration/TestConfiguration.groovy
@@ -24,6 +24,7 @@ import org.opensaml.saml.metadata.resolver.impl.ResourceBackedMetadataResolver
 import org.slf4j.Logger
 import org.slf4j.LoggerFactory
 import org.springframework.beans.factory.annotation.Autowired
+import org.springframework.boot.SpringBootConfiguration
 import org.springframework.boot.actuate.endpoint.annotation.Selector
 import org.springframework.boot.actuate.health.DefaultHealthContributorRegistry
 import org.springframework.boot.actuate.health.Health
@@ -34,7 +35,6 @@ import org.springframework.boot.actuate.health.HealthEndpointGroups
 import org.springframework.boot.actuate.health.Status
 import org.springframework.boot.actuate.info.InfoContributor
 import org.springframework.boot.actuate.info.InfoEndpoint
-import org.springframework.boot.SpringBootConfiguration
 import org.springframework.boot.web.client.RestTemplateBuilder
 import org.springframework.context.annotation.Bean
 import org.springframework.core.io.ClassPathResource
diff --git a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/configuration/TestMetadataResolverValidationConfiguration.groovy b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/configuration/TestMetadataResolverValidationConfiguration.groovy
index 4809dcffd..d163c36ed 100644
--- a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/configuration/TestMetadataResolverValidationConfiguration.groovy
+++ b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/configuration/TestMetadataResolverValidationConfiguration.groovy
@@ -5,7 +5,6 @@ import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.validator.Metadat
 import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.validator.ResourceBackedIMetadataResolverValidator
 import org.springframework.boot.SpringBootConfiguration
 import org.springframework.context.annotation.Bean
-import org.springframework.context.annotation.Configuration
 @SpringBootConfiguration
 class TestMetadataResolverValidationConfiguration {
diff --git a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/controller/ActivateControllerTests.groovy b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/controller/ActivateControllerTests.groovy
index a5fefdc2c..338a39a7c 100644
--- a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/controller/ActivateControllerTests.groovy
+++ b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/controller/ActivateControllerTests.groovy
@@ -20,13 +20,12 @@ import edu.internet2.tier.shibboleth.admin.ui.service.EntityService
 import edu.internet2.tier.shibboleth.admin.ui.service.IBeaconDataService
 import edu.internet2.tier.shibboleth.admin.ui.util.WithMockAdmin
 import edu.internet2.tier.shibboleth.admin.util.EntityDescriptorConversionUtils
+import jakarta.transaction.Transactional
 import org.springframework.beans.factory.annotation.Autowired
 import org.springframework.security.test.context.support.WithMockUser
 import org.springframework.test.web.servlet.setup.MockMvcBuilders
 import spock.lang.Subject
-import jakarta.transaction.Transactional
-
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.patch
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status
diff --git a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/controller/ApproveControllerTests.groovy b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/controller/ApproveControllerTests.groovy
index d0a839513..44ffed9ad 100644
--- a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/controller/ApproveControllerTests.groovy
+++ b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/controller/ApproveControllerTests.groovy
@@ -17,13 +17,12 @@ import edu.internet2.tier.shibboleth.admin.ui.service.DynamicRegistrationService
 import edu.internet2.tier.shibboleth.admin.ui.service.EntityDescriptorService
 import edu.internet2.tier.shibboleth.admin.ui.service.EntityService
 import edu.internet2.tier.shibboleth.admin.util.EntityDescriptorConversionUtils
+import jakarta.transaction.Transactional
 import org.springframework.beans.factory.annotation.Autowired
 import org.springframework.security.test.context.support.WithMockUser
 import org.springframework.test.web.servlet.setup.MockMvcBuilders
 import spock.lang.Subject
-import jakarta.transaction.Transactional
-
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.patch
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status
diff --git a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/controller/DynamicRegistrationControllerTests.groovy b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/controller/DynamicRegistrationControllerTests.groovy
index 5d08bf895..0051b3033 100644
--- a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/controller/DynamicRegistrationControllerTests.groovy
+++ b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/controller/DynamicRegistrationControllerTests.groovy
@@ -14,6 +14,7 @@ import edu.internet2.tier.shibboleth.admin.ui.security.repository.DynamicRegistr
 import edu.internet2.tier.shibboleth.admin.ui.service.DynamicRegistrationService
 import edu.internet2.tier.shibboleth.admin.ui.service.EntityService
 import edu.internet2.tier.shibboleth.admin.ui.util.WithMockAdmin
+import jakarta.persistence.EntityManager
 import org.hamcrest.Matchers
 import org.springframework.beans.factory.annotation.Autowired
 import org.springframework.security.test.context.support.WithMockUser
@@ -22,8 +23,6 @@ import org.springframework.test.web.servlet.setup.MockMvcBuilders
 import org.springframework.transaction.annotation.Transactional
 import spock.lang.Subject
-import jakarta.persistence.EntityManager
-
 import static org.springframework.http.MediaType.APPLICATION_JSON
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.delete
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get
diff --git a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/controller/EntitiesControllerIntegrationTests.groovy b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/controller/EntitiesControllerIntegrationTests.groovy
index c9bacb09a..881212234 100644
--- a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/controller/EntitiesControllerIntegrationTests.groovy
+++ b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/controller/EntitiesControllerIntegrationTests.groovy
@@ -17,6 +17,7 @@ import edu.internet2.tier.shibboleth.admin.ui.util.RandomGenerator
 import edu.internet2.tier.shibboleth.admin.ui.util.TestObjectGenerator
 import edu.internet2.tier.shibboleth.admin.ui.util.WithMockAdmin
 import edu.internet2.tier.shibboleth.admin.util.EntityDescriptorConversionUtils
+import jakarta.persistence.EntityManager
 import org.springframework.beans.factory.annotation.Autowired
 import org.springframework.security.test.context.support.WithMockUser
 import org.springframework.test.web.servlet.setup.MockMvcBuilders
@@ -24,8 +25,6 @@ import org.springframework.transaction.annotation.Transactional
 import org.springframework.web.client.RestTemplate
 import spock.lang.Subject
-import jakarta.persistence.EntityManager
-
 import static org.springframework.http.MediaType.APPLICATION_XML
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content
diff --git a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/controller/EntitiesControllerTests.groovy b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/controller/EntitiesControllerTests.groovy
index 825dcb480..7f0f16606 100644
--- a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/controller/EntitiesControllerTests.groovy
+++ b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/controller/EntitiesControllerTests.groovy
@@ -6,7 +6,6 @@ import edu.internet2.tier.shibboleth.admin.ui.repository.EntityDescriptorReposit
 import edu.internet2.tier.shibboleth.admin.ui.service.JPAEntityDescriptorServiceImpl
 import net.shibboleth.shared.resolver.CriteriaSet
 import net.shibboleth.shared.spring.resource.ResourceHelper
-
 import org.opensaml.core.criterion.EntityIdCriterion
 import org.opensaml.saml.metadata.resolver.impl.ResourceBackedMetadataResolver
 import org.spockframework.spring.SpringBean
diff --git a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/controller/EntityDescriptorControllerTests.groovy b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/controller/EntityDescriptorControllerTests.groovy
index 12e659538..9e7caaa84 100644
--- a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/controller/EntityDescriptorControllerTests.groovy
+++ b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/controller/EntityDescriptorControllerTests.groovy
@@ -42,7 +42,6 @@ import org.springframework.test.web.servlet.result.MockMvcResultHandlers
 import org.springframework.test.web.servlet.setup.MockMvcBuilders
 import org.springframework.transaction.annotation.Transactional
 import org.springframework.web.client.RestTemplate
-import org.springframework.web.util.NestedServletException
 import spock.lang.Subject
 import java.nio.charset.StandardCharsets
diff --git a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/controller/MetadataFiltersControllerSchemaValidationIntegrationTests.groovy b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/controller/MetadataFiltersControllerSchemaValidationIntegrationTests.groovy
index 7148a0c60..4b5750d18 100644
--- a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/controller/MetadataFiltersControllerSchemaValidationIntegrationTests.groovy
+++ b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/controller/MetadataFiltersControllerSchemaValidationIntegrationTests.groovy
@@ -17,27 +17,19 @@ import edu.internet2.tier.shibboleth.admin.ui.util.WithMockAdmin
 import groovy.json.JsonSlurper
 import org.opensaml.saml.metadata.resolver.MetadataResolver
 import org.springframework.beans.factory.annotation.Autowired
-import org.springframework.boot.test.context.SpringBootTest
 import org.springframework.boot.test.context.TestConfiguration
-import org.springframework.boot.test.web.client.TestRestTemplate
 import org.springframework.context.annotation.Bean
 import org.springframework.context.annotation.Import
 import org.springframework.context.annotation.Profile
-import org.springframework.http.HttpEntity
-import org.springframework.http.HttpHeaders
 import org.springframework.http.converter.HttpMessageNotReadableException
-import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter
 import org.springframework.test.context.ActiveProfiles
 import org.springframework.test.web.servlet.setup.MockMvcBuilders
 import org.springframework.transaction.annotation.EnableTransactionManagement
-import spock.lang.Specification
 import spock.lang.Subject
 import static org.springframework.http.MediaType.APPLICATION_JSON
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath
-import static org.hamcrest.CoreMatchers.*
 @Import([PlaceholderResolverComponentsConfiguration.class, EntitiesVersioningConfiguration.class, TestMetadataResolverControllerConfiguration.class, MetadataResolverValidationConfiguration.class, MFCILocalConfig.class])
diff --git a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/controller/MetadataResolverControllerSchemaValidationIntegrationTests.groovy b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/controller/MetadataResolverControllerSchemaValidationIntegrationTests.groovy
index 2b9a0aa84..f995068fe 100644
--- a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/controller/MetadataResolverControllerSchemaValidationIntegrationTests.groovy
+++ b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/controller/MetadataResolverControllerSchemaValidationIntegrationTests.groovy
@@ -19,7 +19,6 @@ import edu.internet2.tier.shibboleth.admin.ui.security.model.Group
 import edu.internet2.tier.shibboleth.admin.ui.security.model.Role
 import edu.internet2.tier.shibboleth.admin.ui.security.model.User
 import edu.internet2.tier.shibboleth.admin.ui.security.service.GroupServiceForTesting
-import edu.internet2.tier.shibboleth.admin.ui.security.service.IGroupService
 import edu.internet2.tier.shibboleth.admin.ui.security.service.UserService
 import edu.internet2.tier.shibboleth.admin.ui.service.DefaultMetadataResolversPositionOrderContainerService
 import edu.internet2.tier.shibboleth.admin.ui.service.IndexWriterService
@@ -28,14 +27,12 @@ import edu.internet2.tier.shibboleth.admin.ui.service.MetadataResolverService
 import edu.internet2.tier.shibboleth.admin.ui.service.MetadataResolverVersionService
 import edu.internet2.tier.shibboleth.admin.ui.service.MetadataResolversPositionOrderContainerService
 import edu.internet2.tier.shibboleth.admin.ui.util.TestObjectGenerator
-import edu.internet2.tier.shibboleth.admin.ui.util.WithMockAdmin
 import edu.internet2.tier.shibboleth.admin.util.AttributeUtility
 import jakarta.servlet.ServletException
 import org.opensaml.saml.metadata.resolver.MetadataResolver
 import org.springframework.beans.factory.annotation.Autowired
 import org.springframework.boot.test.context.TestConfiguration
 import org.springframework.context.annotation.Bean
-import org.springframework.http.converter.HttpMessageNotReadableException
 import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter
 import org.springframework.security.test.context.support.WithMockUser
 import org.springframework.test.context.ContextConfiguration
diff --git a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/controller/MetadataResolversControllerIntegrationTests.groovy b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/controller/MetadataResolversControllerIntegrationTests.groovy
index b3b5d29b3..74d7f8ae3 100644
--- a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/controller/MetadataResolversControllerIntegrationTests.groovy
+++ b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/controller/MetadataResolversControllerIntegrationTests.groovy
@@ -19,8 +19,6 @@ import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.validator.Metadat
 import edu.internet2.tier.shibboleth.admin.ui.repository.MetadataResolverRepository
 import edu.internet2.tier.shibboleth.admin.ui.repository.MetadataResolversPositionOrderContainerRepository
 import edu.internet2.tier.shibboleth.admin.ui.service.DefaultMetadataResolversPositionOrderContainerService
-import edu.internet2.tier.shibboleth.admin.ui.service.DirectoryService
-import edu.internet2.tier.shibboleth.admin.ui.service.DirectoryServiceImpl
 import edu.internet2.tier.shibboleth.admin.ui.service.IBeaconDataService
 import edu.internet2.tier.shibboleth.admin.ui.service.IndexWriterService
 import edu.internet2.tier.shibboleth.admin.ui.service.MetadataResolverConverterService
diff --git a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/domain/oidc/OAuthRPExtensionsTest.groovy b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/domain/oidc/OAuthRPExtensionsTest.groovy
index fe9e234f6..440977100 100644
--- a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/domain/oidc/OAuthRPExtensionsTest.groovy
+++ b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/domain/oidc/OAuthRPExtensionsTest.groovy
@@ -8,11 +8,10 @@ import edu.internet2.tier.shibboleth.admin.ui.service.EntityService
 import edu.internet2.tier.shibboleth.admin.ui.service.JPAEntityDescriptorServiceImpl
 import edu.internet2.tier.shibboleth.admin.ui.util.WithMockAdmin
 import edu.internet2.tier.shibboleth.admin.util.EntityDescriptorConversionUtils
+import jakarta.persistence.EntityManager
 import org.springframework.beans.factory.annotation.Autowired
 import org.springframework.context.annotation.PropertySource
-import jakarta.persistence.EntityManager
-
 @PropertySource("classpath:application.yml")
 class OAuthRPExtensionsTest extends AbstractBaseDataJpaTest {
     @Autowired
diff --git a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/repository/CustomEntityAttributeDefinitionRepositoryTests.groovy b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/repository/CustomEntityAttributeDefinitionRepositoryTests.groovy
index 0ba7c0e83..4a3f88e37 100644
--- a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/repository/CustomEntityAttributeDefinitionRepositoryTests.groovy
+++ b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/repository/CustomEntityAttributeDefinitionRepositoryTests.groovy
@@ -2,11 +2,10 @@ package edu.internet2.tier.shibboleth.admin.ui.repository
 import edu.internet2.tier.shibboleth.admin.ui.AbstractBaseDataJpaTest
 import edu.internet2.tier.shibboleth.admin.ui.domain.CustomEntityAttributeDefinition
+import jakarta.persistence.EntityManager
 import org.springframework.beans.factory.annotation.Autowired
 import org.springframework.dao.DataIntegrityViolationException
-import jakarta.persistence.EntityManager
-
 /**
  * Tests to validate the repo and model for custom entity attributes
  * @author chasegawa
diff --git a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/repository/EntityDescriptorRepositoryTest.groovy b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/repository/EntityDescriptorRepositoryTest.groovy
index 0ae014c63..ab135c84c 100644
--- a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/repository/EntityDescriptorRepositoryTest.groovy
+++ b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/repository/EntityDescriptorRepositoryTest.groovy
@@ -9,6 +9,7 @@ import edu.internet2.tier.shibboleth.admin.ui.security.model.Group
 import edu.internet2.tier.shibboleth.admin.ui.service.CustomEntityAttributesDefinitionServiceImpl
 import edu.internet2.tier.shibboleth.admin.ui.service.EntityDescriptorService
 import edu.internet2.tier.shibboleth.admin.ui.util.WithMockAdmin
+import jakarta.persistence.EntityManager
 import org.apache.lucene.analysis.Analyzer
 import org.apache.lucene.analysis.en.EnglishAnalyzer
 import org.opensaml.saml.metadata.resolver.MetadataResolver
@@ -17,7 +18,6 @@ import org.springframework.boot.test.context.TestConfiguration
 import org.springframework.context.annotation.Bean
 import org.springframework.test.context.ContextConfiguration
-import jakarta.persistence.EntityManager
 import java.util.stream.Stream
 @ContextConfiguration(classes = [EDRLocalConfig])
diff --git a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/repository/MetadataResolverRepositoryTests.groovy b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/repository/MetadataResolverRepositoryTests.groovy
index d71743095..bc5a06ace 100644
--- a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/repository/MetadataResolverRepositoryTests.groovy
+++ b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/repository/MetadataResolverRepositoryTests.groovy
@@ -8,11 +8,10 @@ import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.FileBackedHttpMet
 import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.LocalDynamicMetadataResolver
 import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.MetadataResolver
 import edu.internet2.tier.shibboleth.admin.ui.service.EntityDescriptorService
+import jakarta.persistence.EntityManager
 import org.springframework.beans.factory.annotation.Autowired
 import org.springframework.test.annotation.Rollback
-import jakarta.persistence.EntityManager
-
 import static edu.internet2.tier.shibboleth.admin.ui.domain.filters.EntityAttributesFilterTarget.EntityAttributesFilterTargetType.CONDITION_SCRIPT
 /**
diff --git a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/repository/ShibPropertySetRepositoryTests.groovy b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/repository/ShibPropertySetRepositoryTests.groovy
index 9c541641b..64683c990 100644
--- a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/repository/ShibPropertySetRepositoryTests.groovy
+++ b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/repository/ShibPropertySetRepositoryTests.groovy
@@ -2,9 +2,8 @@ package edu.internet2.tier.shibboleth.admin.ui.repository
 import edu.internet2.tier.shibboleth.admin.ui.AbstractBaseDataJpaTest
 import edu.internet2.tier.shibboleth.admin.ui.domain.shib.properties.ShibPropertySet
-import org.springframework.beans.factory.annotation.Autowired
-
 import jakarta.persistence.EntityManager
+import org.springframework.beans.factory.annotation.Autowired
 /**
  * Tests to validate the repo and model for ShibPropertySetRepository
diff --git a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/service/EmailServiceImplTests.groovy b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/service/EmailServiceImplTests.groovy
index 4384efa1d..3a7f416f0 100644
--- a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/service/EmailServiceImplTests.groovy
+++ b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/service/EmailServiceImplTests.groovy
@@ -2,10 +2,10 @@ package edu.internet2.tier.shibboleth.admin.ui.service
 import edu.internet2.tier.shibboleth.admin.ui.configuration.CoreShibUiConfiguration
 import edu.internet2.tier.shibboleth.admin.ui.configuration.DevConfig
+import edu.internet2.tier.shibboleth.admin.ui.configuration.EmailConfiguration
 import edu.internet2.tier.shibboleth.admin.ui.configuration.InternationalizationConfiguration
 import edu.internet2.tier.shibboleth.admin.ui.configuration.SearchConfiguration
 import edu.internet2.tier.shibboleth.admin.ui.configuration.TestConfiguration
-import edu.internet2.tier.shibboleth.admin.ui.configuration.EmailConfiguration
 import groovy.json.JsonOutput
 import groovy.json.JsonSlurper
 import org.springframework.beans.factory.annotation.Autowired
diff --git a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/service/JPADynamicRegistrationServiceImplTests.groovy b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/service/JPADynamicRegistrationServiceImplTests.groovy
index 1bad8fd02..ecbb5c133 100644
--- a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/service/JPADynamicRegistrationServiceImplTests.groovy
+++ b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/service/JPADynamicRegistrationServiceImplTests.groovy
@@ -2,111 +2,16 @@ package edu.internet2.tier.shibboleth.admin.ui.service import com.fasterxml.jackson.databind.ObjectMapper import edu.internet2.tier.shibboleth.admin.ui.AbstractBaseDataJpaTest -import edu.internet2.tier.shibboleth.admin.ui.configuration.JsonSchemaComponentsConfiguration -import edu.internet2.tier.shibboleth.admin.ui.controller.DynamicRegistrationController -import edu.internet2.tier.shibboleth.admin.ui.domain.EntityDescriptor -import edu.internet2.tier.shibboleth.admin.ui.domain.EntityDescriptorProtocol -import edu.internet2.tier.shibboleth.admin.ui.domain.frontend.AssertionConsumerServiceRepresentation -import edu.internet2.tier.shibboleth.admin.ui.domain.frontend.ContactRepresentation import edu.internet2.tier.shibboleth.admin.ui.domain.frontend.EntityDescriptorRepresentation -import edu.internet2.tier.shibboleth.admin.ui.domain.frontend.KeyDescriptorRepresentation -import edu.internet2.tier.shibboleth.admin.ui.domain.frontend.LogoutEndpointRepresentation -import edu.internet2.tier.shibboleth.admin.ui.domain.frontend.MduiRepresentation -import edu.internet2.tier.shibboleth.admin.ui.domain.frontend.OrganizationRepresentation -import edu.internet2.tier.shibboleth.admin.ui.domain.frontend.SecurityInfoRepresentation -import edu.internet2.tier.shibboleth.admin.ui.domain.frontend.ServiceProviderSsoDescriptorRepresentation import edu.internet2.tier.shibboleth.admin.ui.domain.oidc.DynamicRegistrationInfo import edu.internet2.tier.shibboleth.admin.ui.domain.oidc.GrantType -import edu.internet2.tier.shibboleth.admin.ui.domain.oidc.OAuthRPExtensions -import edu.internet2.tier.shibboleth.admin.ui.jsonschema.JsonSchemaResourceLocation -import edu.internet2.tier.shibboleth.admin.ui.jsonschema.LowLevelJsonSchemaValidator -import edu.internet2.tier.shibboleth.admin.ui.opensaml.OpenSamlObjects -import edu.internet2.tier.shibboleth.admin.ui.repository.EntityDescriptorRepository -import edu.internet2.tier.shibboleth.admin.ui.security.model.Approvers -import 
edu.internet2.tier.shibboleth.admin.ui.security.model.Group -import edu.internet2.tier.shibboleth.admin.ui.security.model.Role -import edu.internet2.tier.shibboleth.admin.ui.security.model.User import edu.internet2.tier.shibboleth.admin.ui.security.repository.DynamicRegistrationInfoRepository import edu.internet2.tier.shibboleth.admin.ui.util.RandomGenerator import edu.internet2.tier.shibboleth.admin.ui.util.TestObjectGenerator import edu.internet2.tier.shibboleth.admin.ui.util.WithMockAdmin -import edu.internet2.tier.shibboleth.admin.util.EntityDescriptorConversionUtils -import org.skyscreamer.jsonassert.JSONAssert import org.springframework.beans.factory.annotation.Autowired import org.springframework.boot.test.json.JacksonTester import org.springframework.context.annotation.PropertySource -import org.springframework.core.io.DefaultResourceLoader -import org.springframework.mock.http.MockHttpInputMessage -import org.springframework.security.test.context.support.WithMockUser -import org.springframework.test.web.servlet.result.MockMvcResultHandlers -import org.springframework.test.web.servlet.setup.MockMvcBuilders -import org.springframework.transaction.annotation.Transactional -import org.xmlunit.builder.DiffBuilder -import org.xmlunit.builder.Input -import org.xmlunit.diff.DefaultNodeMatcher -import org.xmlunit.diff.ElementSelectors -import spock.lang.Ignore - -import java.time.LocalDateTime - -import static edu.internet2.tier.shibboleth.admin.ui.jsonschema.JsonSchemaLocationLookup.metadataSourcesOIDCSchema -import static edu.internet2.tier.shibboleth.admin.ui.jsonschema.JsonSchemaLocationLookup.metadataSourcesSAMLSchema -import static org.springframework.http.MediaType.APPLICATION_JSON -import static org.springframework.http.MediaType.APPLICATION_JSON -import static org.springframework.http.MediaType.APPLICATION_JSON -import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get -import static 
org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get -import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content -import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content -import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content -import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath -import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath -import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath -import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath -import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath -import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath -import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath -import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath -import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath -import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath -import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath -import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath -import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath -import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath -import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath -import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath -import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath -import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath -import static 
org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath -import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath -import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath -import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath -import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath -import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath -import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath -import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath -import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath -import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath -import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath -import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath -import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath -import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath -import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath -import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath -import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath -import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath -import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath -import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath -import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath -import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath -import static 
org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath -import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath -import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath -import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath -import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath -import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status -import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status -import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status @PropertySource("classpath:application.yml") class JPADynamicRegistrationServiceImplTests extends AbstractBaseDataJpaTest { diff --git a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/service/MetadataResolverConverterServiceImplTests.groovy b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/service/MetadataResolverConverterServiceImplTests.groovy index b192651be..58ad2c21a 100644 --- a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/service/MetadataResolverConverterServiceImplTests.groovy +++ b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/service/MetadataResolverConverterServiceImplTests.groovy @@ -6,7 +6,6 @@ import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.DynamicMetadataRe import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.LocalDynamicMetadataResolver import edu.internet2.tier.shibboleth.admin.ui.opensaml.OpenSamlObjects import org.springframework.beans.factory.annotation.Autowired -import org.springframework.beans.factory.annotation.Value import org.springframework.boot.test.context.TestConfiguration import org.springframework.context.annotation.Bean import org.springframework.test.context.ContextConfiguration 
diff --git a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/service/ShibConfigurationServiceTests.groovy b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/service/ShibConfigurationServiceTests.groovy
index 2856a2338..f121d469d 100644
--- a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/service/ShibConfigurationServiceTests.groovy
+++ b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/service/ShibConfigurationServiceTests.groovy
@@ -6,10 +6,9 @@ import edu.internet2.tier.shibboleth.admin.ui.domain.shib.properties.ShibPropert
 import edu.internet2.tier.shibboleth.admin.ui.domain.shib.properties.ShibPropertySetting
 import edu.internet2.tier.shibboleth.admin.ui.repository.ShibPropertySetRepository
 import edu.internet2.tier.shibboleth.admin.ui.repository.ShibPropertySettingRepository
-import org.springframework.beans.factory.annotation.Autowired
-
 import jakarta.persistence.EntityManager
 import jakarta.transaction.Transactional
+import org.springframework.beans.factory.annotation.Autowired
 class ShibConfigurationServiceTests extends AbstractBaseDataJpaTest {
     @Autowired
From cdfd5c1672790670f6e56859e72e7d23f4c44e45 Mon Sep 17 00:00:00 2001
From: chasegawa
Date: Fri, 15 Sep 2023 12:03:26 -0700
Subject: [PATCH 7/7] SHIBUI-2510 Updated the SHIB properties list

---
 .../ui/service/ShibPropertiesBootstrap.groovy | 4 +-
 .../resources/shib_configuration_prop.csv | 1322 +++++++++--------
 2 files changed, 668 insertions(+), 658 deletions(-)

diff --git a/backend/src/main/groovy/edu/internet2/tier/shibboleth/admin/ui/service/ShibPropertiesBootstrap.groovy b/backend/src/main/groovy/edu/internet2/tier/shibboleth/admin/ui/service/ShibPropertiesBootstrap.groovy
index 4227b09e7..608790af1 100644
--- a/backend/src/main/groovy/edu/internet2/tier/shibboleth/admin/ui/service/ShibPropertiesBootstrap.groovy
+++ b/backend/src/main/groovy/edu/internet2/tier/shibboleth/admin/ui/service/ShibPropertiesBootstrap.groovy
@@ -23,7 +23,7 @@ class ShibPropertiesBootstrap {
     @Transactional
     @EventListener
-    void bootstrapUsersAndRoles(ApplicationStartedEvent e) {
+    void bootstrapShibPropertiesList(ApplicationStartedEvent e) {
         log.info("Ensuring base Shibboleth properties configuration has loaded")
         Resource resource = new ClassPathResource('shib_configuration_prop.csv')
@@ -31,7 +31,7 @@ class ShibPropertiesBootstrap {
         // Read in the defaults in the configuration file
         new CSVReader(new InputStreamReader(resource.inputStream)).each { fields ->
-            def (resource_id,category,config_file,description,idp_version,module,module_version,note,default_value,property_name,property_type,selection_items,property_value) = fields
+            def (resource_id,category,config_file,description,idp_version,module,module_version,note,default_value,property_name,property_type,selection_items) = fields
             ShibConfigurationProperty prop = new ShibConfigurationProperty().with {
                 it.resourceId = resource_id
                 it.category = category
diff --git a/backend/src/main/resources/shib_configuration_prop.csv b/backend/src/main/resources/shib_configuration_prop.csv
index fd6b84a33..aa6fb1d02 100644
--- a/backend/src/main/resources/shib_configuration_prop.csv
+++ b/backend/src/main/resources/shib_configuration_prop.csv
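Review bot: The context line `new CSVReader(new InputStreamReader(resource.inputStream)).each { fields ->` decodes the bundled CSV with the JVM's platform default charset and never closes the reader; the rows removed in the accompanying CSV hunk already carry non-ASCII text (the curly apostrophe in `an SP’s request`), so on a host whose default is not UTF-8 the description column presumably ends up mis-decoded in the stored ShibConfigurationProperty rows. I would pin the charset and scope the stream in one go, `resource.inputStream.withReader('UTF-8') { reader -> new CSVReader(reader).each { fields -> ... } }`, or equivalently `new InputStreamReader(resource.inputStream, StandardCharsets.UTF_8)` inside a try-with-resources. The new twelve-name destructuring also gives no signal when a row has the wrong width: as far as I recall Groovy's multiple assignment fills missing positions with null and drops extras, so a stale thirteen-column row would load silently; a guard such as `if (fields.size() != 12) { log.warn("Skipping malformed row ${fields[0]}"); return }` before the `def (...)` would make the CSV contract explicit. The enclosing closure and method continue past the hunk.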
@@ -1,656 +1,666 @@ -474,?,admin/admin.properties,Whether authentication should be performed prior to access control evaluation,4.1,,,,false,idp.storage.authenticated,BOOLEAN,, -472,?,admin/admin.properties,Audit log identifier for flow,4.1,,,,Storage,idp.storage.logging,STRING,, -476,?,admin/admin.properties,?,4.1,,,,,idp.storage.defaultAuthenticationMethods,STRING,, -473,?,admin/admin.properties,Name of access control policy for request authorization,4.1,,,,AccessDenied,idp.storage.accessPolicy,STRING,, -475,?,admin/admin.properties,Whether the flow should allow for non-browser clients during authentication,4.1,,,,false,idp.storage.nonBrowserSupported,BOOLEAN,, -442,AACLI,admin/admin.properties,?,4.1,,,,,idp.resolvertest.defaultAuthenticationMethods,STRING,, -443,AACLI,admin/admin.properties,Whether attributes should be resolved prior to access control evaluation,4.1,,,,false,idp.resolvertest.resolveAttributes,BOOLEAN,, -439,AACLI,admin/admin.properties,Name of access control policy for request authorization,4.1,,,,AccessByIPAddress,idp.resolvertest.accessPolicy,STRING,, -438,AACLI,admin/admin.properties,Audit log identifier for flow,4.1,,,,ResolverTest,idp.resolvertest.logging,STRING,, -441,AACLI,admin/admin.properties,Whether the flow should allow for non-browser clients during authentication,4.1,,,,false,idp.resolvertest.nonBrowserSupported,BOOLEAN,, -444,AACLI,admin/admin.properties,?,4.1,,,,,idp.resolvertest.postAuthenticationFlows,STRING,, -440,AACLI,admin/admin.properties,Whether authentication should be performed prior to access control evaluation,4.1,,,,false,idp.resolvertest.authenticated,BOOLEAN,, -466,AccountLockoutManagement,admin/admin.properties,Name of access control policy for request authorization,4.1,,,,AccessDenied,idp.lockout.accessPolicy,STRING,, -467,AccountLockoutManagement,admin/admin.properties,Whether authentication should be performed prior to access control evaluation,4.1,,,,false,idp.lockout.authenticated,BOOLEAN,, 
-470,AccountLockoutManagement,admin/admin.properties,Whether attributes should be resolved prior to access control evaluation,4.1,,,,false,idp.lockout.resolveAttributes,BOOLEAN,, -468,AccountLockoutManagement,admin/admin.properties,Whether the flow should allow for non-browser clients during authentication,4.1,,,,false,idp.lockout.nonBrowserSupported,BOOLEAN,, -469,AccountLockoutManagement,admin/admin.properties,?,4.1,,,,,idp.lockout.defaultAuthenticationMethods,STRING,, -471,AccountLockoutManagement,admin/admin.properties,?,4.1,,,,,idp.lockout.postAuthenticationFlows,STRING,, -465,AccountLockoutManagement,admin/admin.properties,Audit log identifier for flow,4.1,,,,Lockout,idp.lockout.logging,STRING,, -479,AttendedRestartConfiguration,admin/admin.properties,Name of access control policy for request authorization,4.1,,,,AccessDenied,idp.unlock-keys.accessPolicy,STRING,, -480,AttendedRestartConfiguration,admin/admin.properties,Whether authentication should be performed prior to access control evaluation,4.1,,,,true,idp.unlock-keys.authenticated,BOOLEAN,, -478,AttendedRestartConfiguration,admin/admin.properties,Audit log identifier for flow,4.1,,,,UnlockKeys,idp.unlock-keys.logging,STRING,, -477,AttendedRestartConfiguration,admin/admin.properties,Whether attributes should be resolved prior to access control evaluation,4.1,,,,false,idp.storage.resolveAttributes,BOOLEAN,, -483,AttendedRestartConfiguration,admin/admin.properties,?,4.1,,,,,idp.unlock-keys.postAuthenticationFlows,STRING,, -481,AttendedRestartConfiguration,admin/admin.properties,Whether the flow should allow for non-browser clients during authentication,4.1,,,,false,idp.unlock-keys.nonBrowserSupported,BOOLEAN,, -482,AttendedRestartConfiguration,admin/admin.properties,Whether attributes should be resolved prior to access control evaluation,4.1,,,,false,idp.unlock-keys.resolveAttributes,BOOLEAN,, -491,AttributePostLoginC14NConfiguration,c14n/subject-c14n.properties,Comma-delimited list of attributes to search 
for in the results looking for a StringAttributeValue or ScopedStringAttributeValue,4.1,,,,,idp.c14n.attribute.attributeSourceIds,STRING,, -492,AttributePostLoginC14NConfiguration,c14n/subject-c14n.properties,Whether to examine the input Subject for IdPAttributePrincipal objects to pull from directly instead of from the output of the Attribute Resolver service,4.1,,,,false,idp.c14n.attribute.resolveFromSubject,BOOLEAN,, -487,AttributePostLoginC14NConfiguration,c14n/subject-c14n.properties,Whether to lowercase the username,4.1,,,,false,idp.c14n.attribute.lowercase,BOOLEAN,, -493,AttributePostLoginC14NConfiguration,c14n/subject-c14n.properties,Bean ID of a Predicate to evaluate to determine whether to run the Attribute Resolver or go directly to the Subject alone,4.1,,,,shibboleth.Conditions.TRUE,idp.c14n.attribute.resolutionCondition,SPRING_BEAN_ID,, -488,AttributePostLoginC14NConfiguration,c14n/subject-c14n.properties,Whether to uppercase the username,4.1,,,,false,idp.c14n.attribute.uppercase,BOOLEAN,, -489,AttributePostLoginC14NConfiguration,c14n/subject-c14n.properties,Whether to trim leading and trailing whitespace from the username,4.1,,,,true,idp.c14n.attribute.trim,BOOLEAN,, -490,AttributePostLoginC14NConfiguration,c14n/subject-c14n.properties,Comma-delimited list of attributes to resolve (an empty list directs the resolver to resolve everything it can),4.1,,,,,idp.c14n.attribute.attributesToResolve,STRING,, -512,AuditLoggingConfiguration,services.properties,Suffix added to audit logging category when various profiles/flows are audited,all,,,you can use this to route different kinds of audit records to different destinations based on general function,Status,idp.service.logging.status,STRING,, -511,AuditLoggingConfiguration,services.properties,Suffix added to audit logging category when various profiles/flows are audited,all,,,you can use this to route different kinds of audit records to different destinations based on general 
function,SSO,idp.service.logging.cas,STRING,, -514,AuditLoggingConfiguration,services.properties,Suffix added to audit logging category when various profiles/flows are audited,all,,,you can use this to route different kinds of audit records to different destinations based on general function,Reload,idp.service.logging.serviceReload,STRING,, -515,AuditLoggingConfiguration,services.properties,Hash algorithm to apply to various hashed fields,4.1,,,,SHA-256,idp.audit.hashAlgorithm,STRING,, -510,AuditLoggingConfiguration,services.properties,Suffix added to audit logging category when various profiles/flows are audited,all,,,you can use this to route different kinds of audit records to different destinations based on general function,Logout,idp.service.logging.logout,STRING,, -516,AuditLoggingConfiguration,services.properties,Salt to apply to hashed fields must be set to use those fields,4.1,,,,,idp.audit.salt,STRING,, -509,AuditLoggingConfiguration,services.properties,Suffix added to audit logging category when various profiles/flows are audited,all,,,you can use this to route different kinds of audit records to different destinations based on general function,Logout,idp.service.logging.saml2slo,STRING,, -504,AuditLoggingConfiguration,services.properties,Suffix added to audit logging category when various profiles/flows are audited,all,,,you can use this to route different kinds of audit records to different destinations based on general function,AttributeQuery,idp.service.logging.saml1attrquery,STRING,, -508,AuditLoggingConfiguration,services.properties,Suffix added to audit logging category when various profiles/flows are audited,all,,,you can use this to route different kinds of audit records to different destinations based on general function,ArtifactResolution,idp.service.logging.saml2artifact,STRING,, -507,AuditLoggingConfiguration,services.properties,Suffix added to audit logging category when various profiles/flows are audited,all,,,you can use this to route 
different kinds of audit records to different destinations based on general function,AttributeQuery,idp.service.logging.saml2attrquery,STRING,, -506,AuditLoggingConfiguration,services.properties,Suffix added to audit logging category when various profiles/flows are audited,all,,,you can use this to route different kinds of audit records to different destinations based on general function,SSO,idp.service.logging.saml2sso,STRING,, -118,AuditLoggingConfiguration,services.properties,"Set false if you want SAML bindings ""spelled out"" in audit log",all,,,,true,idp.audit.shortenBindings,BOOLEAN,, -503,AuditLoggingConfiguration,services.properties,Suffix added to audit logging category when various profiles/flows are audited,all,,,you can use this to route different kinds of audit records to different destinations based on general function,SSO,idp.service.logging.saml1sso,STRING,, -513,AuditLoggingConfiguration,services.properties,Suffix added to audit logging category when various profiles/flows are audited,all,,,you can use this to route different kinds of audit records to different destinations based on general function,ResolverTest,idp.service.logging.resolvertest,STRING,, -505,AuditLoggingConfiguration,services.properties,Suffix added to audit logging category when various profiles/flows are audited,all,,,you can use this to route different kinds of audit records to different destinations based on general function,ArtifactResolution,idp.service.logging.saml1artifact,STRING,, -78,AuthenticationConfiguration,authn/authn.properties,Whether to enforce restrictions placed on further proxying of assertions from upstream IdPs when relying on proxied authentication,4.1,,,,true,idp.authn.proxyRestrictionsEnforced,BOOLEAN,, -79,AuthenticationConfiguration,authn/authn.properties,Whether to prioritize prior authentication results when an SP requests more than one possible matching method,all,,,,false,idp.authn.favorSSO,BOOLEAN,, 
-82,AuthenticationConfiguration,authn/authn.properties,Provides a static discovery URL to use for external discovery this property replaces the need for the XML-defined bean used in V4.0 for this purpose,4.1,,,,,idp.authn.discoveryURL,STRING,, -80,AuthenticationConfiguration,authn/authn.properties,Whether to populate information about the relying party into the tree for user interfaces during login and interceptors,all,,,,true,idp.authn.rpui,BOOLEAN,, -81,AuthenticationConfiguration,authn/authn.properties,Whether to fail requests if a user identity after authentication doesn't match the identity in a pre-existing session.,all,,,,false,idp.authn.identitySwitchIsError,BOOLEAN,, -76,AuthenticationConfiguration,authn/authn.properties,Default amount of time to allow reuse prior authentication flows,all,,,measured since first usage,PT60M,idp.authn.defaultLifetime,DURATION,, -77,AuthenticationConfiguration,authn/authn.properties,Default inactivity timeout to prevent reuse of prior authentication flows,all,,,measured since last usage,PT30M,idp.authn.defaultTimeout,DURATION,, -75,AuthenticationConfiguration,authn/authn.properties,Required expression that identifies the login flows to globally enable,all,,,"ex. Password, MA, DUO",,idp.authn.flows,STRING,, -83,AuthenticationConfiguration,authn/authn.properties,Whether to override an explicit element in an SP’s request with a configuration-imposed rule via the defaultAuthenticationMethods profile configuration setting. Note this is a violation of the SAML standard and is also a global set,4,,,,false,idp.authn.overrideRequestedAuthnContext,BOOLEAN,, -110,CasProtocolConfiguration,idp.properties,CAS service registry implementation class,all,,,,net.shibboleth.idp.cas.service.PatternServiceRegistry,idp.cas.serviceRegistryClass,STRING,, -109,CasProtocolConfiguration,idp.properties,"Storage service used by CAS protocol for chained proxy-granting tickets and when using server-managed ""simple"" TicketService. 
MUST be server-side storage (e.g. in-memory, memcached, database)",all,,,,shibboleth.StorageService,idp.cas.StorageService,SPRING_BEAN_ID,, -111,CasProtocolConfiguration,idp.properties,If true CAS services provisioned with SAML metadata are identified via entityID,all,,,,false,idp.cas.relyingPartyIdFromMetadata,BOOLEAN,, -89,ConsentConfiguration,idp.properties,Name of function used to return the String storage key representing a user defaults to the principal name,all,,,,shibboleth.consent.PrincipalConsentStorageKey,idp.consent.terms-of-use.userStorageKey,SPRING_BEAN_ID,, -96,ConsentConfiguration,idp.properties,Whether per-attribute consent is allowed,all,,,,false,idp.consent.allowPerAttribute,BOOLEAN,, -97,ConsentConfiguration,idp.properties,Whether attribute values and terms of use text are stored and compared for equality,all,,,,false,idp.consent.compareValues,BOOLEAN,, -94,ConsentConfiguration,idp.properties,Whether not remembering/storing consent is allowed,all,,,,true,idp.consent.allowDoNotRemember,BOOLEAN,, -95,ConsentConfiguration,idp.properties,Whether consent to any attribute and to any relying party is allowed,all,,,,true,idp.consent.allowGlobal,BOOLEAN,, -86,ConsentConfiguration,idp.properties,Attribute whose value is the storage key representing a user,all,,,,uid,idp.consent.attribute-release.userStorageKeyAttribute,STRING,, -98,ConsentConfiguration,idp.properties,"Maximum number of records stored when using space-limited storage (e.g. 
cookies), 0 = no limit",all,,,,10,idp.consent.maxStoredRecords,INTEGER,, -100,ConsentConfiguration,idp.properties,Time in milliseconds to expire consent storage records,4.x,,,"(v4.0=P1Y,v4.1=infinite)",,idp.consent.storageRecordLifetime,DURATION,, -90,ConsentConfiguration,idp.properties,Attribute whose value is the storage key representing a user,all,,,,uid,idp.consent.terms-of-use.userStorageKeyAttribute,STRING,, -91,ConsentConfiguration,idp.properties,Suffix of message property used as value of consent storage records when idp.consent.compareValues is true,all,,,,.text,idp.consent.terms-of-use.consentValueMessageCodeSuffix,STRING,, -84,ConsentConfiguration,idp.properties,Name of storage service used to store users' consent choices,all,,,,shibboleth.ClientPersistentStorageService,idp.consent.StorageService,SPRING_BEAN_ID,, -85,ConsentConfiguration,idp.properties,Name of function used to return the String storage key representing a user defaults to the principal name,all,,,,shibboleth.consent.PrincipalConsentStorageKey,idp.consent.attribute-release.userStorageKey,SPRING_BEAN_ID,, -99,ConsentConfiguration,idp.properties,"Maximum number of records stored when using larger/server-side storage, 0 = no limit",all,,,,0,idp.consent.expandedMaxStoredRecords,INTEGER,, -88,ConsentConfiguration,idp.properties,Default consent auditing formats,all,,,Logback logging pattern,%T|%SP|%e|%u|%CCI|%CCV|%CCA,idp.consent.attribute-release.auditFormat,STRING,, -93,ConsentConfiguration,idp.properties,Default consent auditing formats,all,,,Logback logging pattern,%T|%SP|%e|%u|%CCI|%CCV|%CCA,idp.consent.terms-of-use.auditFormat,STRING,, -92,ConsentConfiguration,idp.properties,Optional condition to apply to control activation of terms-of-use flow,4.1,,,,shibboleth.Conditions.TRUE,idp.consent.terms-of-use.activationCondition,SPRING_BEAN_ID,, -87,ConsentConfiguration,idp.properties,Optional condition to apply to control activation of attribute-release flow along with system default 
behavior,4.1,,,,shibboleth.Conditions.TRUE,idp.consent.attribute-release.activationCondition,SPRING_BEAN_ID,, -11,Core,idp.properties,applies a (fixed) scope typically a domain-valued suffix to an input attribute's values,all,,,,,idp.scope,STRING,, -2,Core,idp.properties,Used to point to additional property files to load. All properties must be unique and are ultimately pooled into a single unordered set.,all,,,"Comma seperated list of values ex. /conf/ldap.properties, /conf/services.properties",,idp.additionalProperties,STRING,, -4,Core,idp.properties,Identifies the file to serve for requests to the IdP's well-known metadata location,all,,,,%{idp.home}/metadata/idp-metadata.xml,idp.entityID.metadataFile,STRING,, -47,Core,idp.properties,Auto-configures an HSTS response header,all,,,,max-age=0,idp.hsts,STRING,, -51,Core,idp.properties,"Location from which to load user-modifiable Velocity view templates. This can be set to include ""classpath*:/META-INF/net/shibboleth/idp/views"" (or equivalent) to load templates from the classpath, such as from extension jars, but doing so disables suppor",all,,,Comma seperated list of values,%{idp.home}/views,idp.views,STRING,, -107,Core,idp.properties,Allows the HttpClient used for SOAP communication to be overriden (applies to SAML logout via SOAP),all,,,Bean ID of HttpClient to use for SOAP-based logout,SOAPClient.HttpClient,idp.soap.httpClient,SPRING_BEAN_ID,, -119,Core,idp.properties,Set to true to fail on velocity syntax errors,all,,,,false,idp.velocity.runtime.strictmode,BOOLEAN,, -122,Core,idp.properties,Policies to use with Impersonate interceptor flow,all,,,Policy ID,SpecificImpersonationPolicy,idp.impersonate.specificPolicy,STRING,, -50,Core,idp.properties,Location from which to load user-supplied webflows from,all,,,resource path,%{idp.home}/flows,idp.webflows,STRING,, -121,Core,idp.properties,Policies to use with Impersonate interceptor flow,all,,,Policy 
ID,GeneralImpersonationPolicy,idp.impersonate.generalPolicy,STRING,, -1,Core,idp.properties,Auto-load all files matching conf/**/*.properties,4,,,,true,idp.searchForProperties,BOOLEAN,, -10,Core,idp.properties,Identifies the file to serve for requests to the IdP's well-known metadata location,all,,,file pathname,%{idp.home}/metadata/idp-metadata.xml,idp.entityID.metadataFile,STRING,, -120,Core,idp.properties,Path to use with External interceptor flow,all,,,,contextRelative:intercept.jsp,idp.intercept.External.externalPath,STRING,, -108,Core,idp.properties,languages to use if no match can be found with the browser-supported languages,all,,,"Comma seperated list of values ex. en, fr, de",,idp.ui.fallbackLanguages,STRING,, -48,Core,idp.properties,Auto-configures an X-Frame-Options response header,all,,,,DENY,idp.frameoptions,SELECTION_LIST,"DENY,SAMEORIGIN", -49,Core,idp.properties,Auto-configures a Content Security Policy response header,all,,,,frame-ancestors 'none',idp.csp,STRING,, -45,CSRF,idp.properties,Enables CSRF protection,4,,,,true,idp.csrf.enabled,BOOLEAN,, -46,CSRF,idp.properties,Name of the HTTP parameter that stores the CSRF token,4,,,,csrf_token,idp.csrf.token.parameter,STRING,, -317,DuoAuthnConfiguration,authn/authn.properties,Lifetime of results produced by this flow,4.1,idp.authn.Duo,,,%{idp.authn.defaultLifetime:PT1H},idp.authn.Duo.lifetime,DURATION,, -305,DuoAuthnConfiguration,authn/duo.properties,Name of HTTP request header for Duo AuthAPI factor,4.1,idp.authn.Duo,,this sould be set in conf/authn/duo.properties due to the sensitivity of the secret key,X-Shibboleth-Duo-Factor,idp.duo.nonbrowser.header.factor,STRING,, -311,DuoAuthnConfiguration,authn/authn.properties,"Whether the flow should handle non-browser request profiles (e.g., ECP)",4.1,idp.authn.Duo,,,false,idp.authn.Duo.nonBrowserSupported,BOOLEAN,, -314,DuoAuthnConfiguration,authn/authn.properties,Whether the flow enforces upstream IdP imposed restrictions on 
proxying,4.1,idp.authn.Duo,,,%{idp.authn.enforceProxyRestrictions:true},idp.authn.Duo.proxyRestrictionsEnforced,BOOLEAN,, -320,DuoAuthnConfiguration,authn/authn.properties,Bean ID of Predicate determining whether flow is usable for request,4.1,idp.authn.Duo,,,shibboleth.Conditions.TRUE,idp.authn.Duo.activationCondition,SPRING_BEAN_ID,, -319,DuoAuthnConfiguration,authn/authn.properties,Bean ID of Predicate controlling result reuse for SSO,4.1,idp.authn.Duo,,,shibboleth.Conditions.TRUE,idp.authn.Duo.reuseCondition,SPRING_BEAN_ID,, -310,DuoAuthnConfiguration,authn/authn.properties,"Flow priority relative to other enabled login flows (lower is ""higher"" in priority)",4.1,idp.authn.Duo,,,1000,idp.authn.Duo.order,INTEGER,, -302,DuoAuthnConfiguration,authn/duo.properties,Duo AuthAPI hostname assigned to the integration,4.1,idp.authn.Duo,,this sould be set in conf/authn/duo.properties due to the sensitivity of the secret key,${idp.duo.apiHost},idp.duo.nonbrowser.apiHost,STRING,, -298,DuoAuthnConfiguration,authn/duo.properties,DuoWeb API hostname assigned to the integration,4.1,idp.authn.Duo,,this sould be set in conf/authn/duo.properties due to the sensitivity of the secret key,,idp.duo.apiHost,STRING,, -318,DuoAuthnConfiguration,authn/authn.properties,Inactivity timeout of results produced by this flow,4.1,idp.authn.Duo,,,%{idp.authn.defaultTimeout:PT30M},idp.authn.Duo.inactivityTimeout,DURATION,, -313,DuoAuthnConfiguration,authn/authn.properties,Whether the flow supports forced authentication,4.1,idp.authn.Duo,,,false,idp.authn.Duo.forcedAuthenticationSupported,BOOLEAN,, -321,DuoAuthnConfiguration,authn/authn.properties,Bean ID of BiConsumer:/idp/profile/Authn/Duo/2FA/duo-callback,,idp.duo.oidc.redirectURL,STRING,, -608,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Duo AuthAPI integration key supplied by Duo,4.1,idp.authn.DuoOIDC,1,,,idp.duo.oidc.nonbrowser.integrationKey,STRING,, -598,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,The client secret used to 
verify the client in exchanging the authorization code for a Duo 2FA result token (id_token).,4.1,idp.authn.DuoOIDC,1,,,idp.duo.oidc.secretKey,STRING,, -617,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Maximum period inactivity between two consecutive data packets,4.1,idp.authn.DuoOIDC,1 (nimbus),,PT1M,idp.duo.oidc.socketTimeout,DURATION,, -616,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Maximum length of time to wait for a connection to be returned from the connection manager,4.1,idp.authn.DuoOIDC,1 (nimbus),,PT1M,idp.duo.oidc.connectionRequestTimeout,DURATION,, -612,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Name of HTTP request header for Duo AuthAPI passcode,4.1,idp.authn.DuoOIDC,1,,X-Shibboleth-Duo-Passcode,idp.duo.oidc.nonbrowser.header.passcode,STRING,, -615,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Maximum length of time to wait for the connection to be established,4.1,idp.authn.DuoOIDC,1 (nimbus),,PT1M,idp.duo.oidc.connectionTimeout,DURATION,, -581,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,"Whether the flow should handle non-browser request profiles (e.g., ECP)",4.1,idp.authn.DuoOIDC,1,,false,idp.authn.DuoOIDC.nonBrowserSupported,BOOLEAN,, -602,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Leeway allowed in token expiry calculations,4.1,idp.authn.DuoOIDC,1,,PT60S,idp.duo.oidc.jwt.verifier.clockSkew,DURATION,, -618,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Max total simultaneous connections allowed by the pooling connection manager,4.1,idp.authn.DuoOIDC,1 (nimbus),,100,idp.duo.oidc.maxConnectionsTotal,INTEGER,, -590,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Bean ID ofPredicate determining whether flow is usable for request,4.1,idp.authn.DuoOIDC,1,,shibboleth.Conditions.TRUE,idp.authn.DuoOIDC.activationCondition,SPRING_BEAN_ID,, -589,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Bean ID ofPredicate controlling result reuse for 
SSO,4.1,idp.authn.DuoOIDC,1,,shibboleth.Conditions.TRUE,idp.authn.DuoOIDC.reuseCondition,SPRING_BEAN_ID,, -591,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,"Bean ID ofBiConsumer for subject customization",4.1,idp.authn.DuoOIDC,1,,,idp.authn.DuoOIDC.subjectDecorator,SPRING_BEAN_ID,, -619,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Max simultaneous connections per route allowed by the pooling connection manager,4.1,idp.authn.DuoOIDC,1 (nimbus),,100,idp.duo.oidc.maxConnectionsPerRoute,INTEGER,, -588,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Inactivity timeout of results produced by this flow,4.1,idp.authn.DuoOIDC,1,,%{idp.authn.defaultTimeout:PT30M},idp.authn.DuoOIDC.inactivityTimeout,DURATION,, -587,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Lifetime of results produced by this flow,4.1,idp.authn.DuoOIDC,1,,%{idp.authn.defaultLifetime:PT1H},idp.authn.DuoOIDC.lifetime,DURATION,, -580,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,"Flow priority relative to other enabled login flows (lower is ""higher"" in priority)",4.1,idp.authn.DuoOIDC,1,,1000,idp.authn.DuoOIDC.order,INTEGER,, -610,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Name of HTTP request header for Duo AuthAPI factor,4.1,idp.authn.DuoOIDC,1,,X-Shibboleth-Duo-Factor,idp.duo.oidc.nonbrowser.header.factor,STRING,, -584,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Whether the flow enforces upstream IdP-imposed restrictions on proxying,4.1,idp.authn.DuoOIDC,1,,%{idp.authn.enforceProxyRestrictions:true},idp.authn.DuoOIDC.proxyRestrictionsEnforced,BOOLEAN,, -593,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Whether to auto-attach the preceding set ofPrincipalobjects to eachSubjectproduced by this flow,4.1,idp.authn.DuoOIDC,1,,false,idp.authn.DuoOIDC.addDefaultPrincipals,BOOLEAN,, -594,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,DuoOIDC API hostname assigned to the integration,4.1,idp.authn.DuoOIDC,1,,,idp.duo.oidc.apiHost,STRING,, 
-582,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Whether the flow allows for passive authentication,4.1,idp.authn.DuoOIDC,1,,false,idp.authn.DuoOIDC.passiveAuthenticationSupported,BOOLEAN,, -585,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Whether the flow considers itself to be proxying,4.1,idp.authn.DuoOIDC,1,and therefore enforces SP-signaled restrictions on proxying,false,idp.authn.DuoOIDC.proxyScopingEnforced,BOOLEAN,, -595,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,The OAuth 2.0 Client Identifier valid at the Authorization Server,4.1,idp.authn.DuoOIDC,1,,,idp.duo.oidc.clientId,STRING,, -614,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Pass client address to Duo in API calls to support logging,4.1,idp.authn.DuoOIDC,1,push display,true,idp.duo.oidc.nonbrowser.clientAddressTrusted,BOOLEAN,, -592,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Comma-delimited list of protocol-specific Principalstrings associated with flow,4.1,idp.authn.DuoOIDC,1,,"saml2/http://example.org/ac/classes/mfa, saml1/http://example.org/ac/classes/mfa",idp.authn.DuoOIDC.supportedPrincipals,STRING,, -597,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,If the idp.duo.oidc.redirectURL is not set one will be computed dynamically and checked against this list of allowed origins - to prevent Http Host Header injection.,4.1,idp.authn.DuoOIDC,1,,,idp.duo.oidc.redirecturl.allowedOrigins,STRING,, -599,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Duo's OAuth 2.0 health check endpoint,4.1,idp.authn.DuoOIDC,1,,/oauth/v1/health_check,idp.duo.oidc.endpoint.health,STRING,, -600,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Duo's OAuth 2.0 token endpoint,4.1,idp.authn.DuoOIDC,1,,/oauth/v1/token,idp.duo.oidc.endpoint.token,STRING,, -601,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Duo's OAuth 2.0 authorization endpoint,4.1,idp.authn.DuoOIDC,1,,/oauth/v1/authorize,idp.duo.oidc.endpoint.authorize,STRING,, 
-604,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,The path component of the Duo token issuer. The full issuer string takes the format: HTTPS://+,4.1,idp.authn.DuoOIDC,1,,/oauth/v1/token,idp.duo.oidc.jwt.verifier.issuerPath,STRING,, -605,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,The result token JWT claim name that represents the username sent in the duo_uname field in the authorization request.,4.1,idp.authn.DuoOIDC,1,,preferred_username,idp.duo.oidc.jwt.verifier.preferredUsername,STRING,, -583,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Whether the flow supports forced authentication,4.1,idp.authn.DuoOIDC,1,,true,idp.authn.DuoOIDC.forcedAuthenticationSupported,BOOLEAN,, -613,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,"Allow the factor to be defaulted in as ""auto"" if no headers are received",4.1,idp.authn.DuoOIDC,1,,true,idp.duo.oidc.nonbrowser.auto,BOOLEAN,, -607,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Duo AuthAPI hostname assigned to the integration,4.1,idp.authn.DuoOIDC,1,,%{idp.duo.oidc.apiHost},idp.duo.oidc.nonbrowser.apiHost,STRING,, -609,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Duo AuthAPI secret key supplied by Duo,4.1,idp.authn.DuoOIDC,1,,,idp.duo.oidc.nonbrowser.secretKey,STRING,, -611,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Name of HTTP request header for Duo AuthAPI device ID or name,4.1,idp.authn.DuoOIDC,1,,X-Shibboleth-Duo-Device,idp.duo.oidc.nonbrowser.header.device,STRING,, -606,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,How long the authentication is valid. 
Only applies to forced authentication requests.,4.1,idp.authn.DuoOIDC,1,,PT60S,idp.duo.oidc.jwt.verifier.authLifetime,DURATION,, -620,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,To enable certificate revocation checking,4.1,idp.authn.DuoOIDC,1 (nimbus),,false,idp.duo.oidc.nimbus.checkRevocation,BOOLEAN,, -603,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Maximum amount (in either direction from now) of duration for which a token is valid after it is issued,4.1,idp.authn.DuoOIDC,1,,PT60S,idp.duo.oidc.jwt.verifier.iatWindow,DURATION,, -586,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Whether to invoke IdP-discovery prior to running flow,4.1,idp.authn.DuoOIDC,1,,false,idp.authn.DuoOIDC.discoveryRequired,BOOLEAN,, -55,ErrorHandlingConfiguration,idp.properties,"Bean defing Properties mapping exception class names to error views. The matching by class name does not support wildcards, but does do substring matches (so it's not necessary to fully qualify the class).",all,,,Bean ID of Properties (java.util.Properties),,idp.errors.excludedExceptions,SPRING_BEAN_ID,, -52,ErrorHandlingConfiguration,idp.properties,Whether to expose detailed error causes in status information provided to outside parties,all,,,,false,idp.errors.detailed,BOOLEAN,, -54,ErrorHandlingConfiguration,idp.properties,The default view name to render for exceptions and events,all,,,,error,idp.errors.defaultView,STRING,, -56,ErrorHandlingConfiguration,idp.properties,"Bean defining Collection identifying exception classes to ignore (causing them to bubble outward, so use with caution)",all,,,Bean ID of Collection (java.util),,idp.errors.exceptionMappings,SPRING_BEAN_ID,, -53,ErrorHandlingConfiguration,idp.properties,"Whether to digitally sign error responses in SAML or similar protocols, if signing is otherwise warranted (this can prevent a simple denial of service vector, since errors are simple to trigger)",all,,,,true,idp.errors.signed,BOOLEAN,, 
-168,ExternalAuthnConfiguration,authn/authn.properties,Whether the flow allows for passive authentication,4.1,idp.authn.External,,,false,idp.authn.External.passiveAuthenticationSupported,BOOLEAN,, -170,ExternalAuthnConfiguration,authn/authn.properties,Whether the flow enforces upstream IdP imposed restrictions on proxying,4.1,idp.authn.External,,,%{idp.authn.enforceProxyRestrictions:true},idp.authn.External.proxyRestrictionsEnforced,BOOLEAN,, -176,ExternalAuthnConfiguration,authn/authn.properties,Bean ID of Predicate determining whether flow is usable for request,4.1,idp.authn.External,,,shibboleth.Conditions.TRUE,idp.authn.External.activationCondition,SPRING_BEAN_ID,, -169,ExternalAuthnConfiguration,authn/authn.properties,Whether the flow supports forced authentication,4.1,idp.authn.External,,,false,idp.authn.External.forcedAuthenticationSupported,BOOLEAN,, -173,ExternalAuthnConfiguration,authn/authn.properties,Lifetime of results produced by this flow,4.1,idp.authn.External,,,%{idp.authn.defaultLifetime:PT1H},idp.authn.External.lifetime,DURATION,, -166,ExternalAuthnConfiguration,authn/authn.properties,"Flow priority relative to other enabled login flows (lower is ""higher"" in priority)",4.1,idp.authn.External,,,1000,idp.authn.External.order,INTEGER,, -175,ExternalAuthnConfiguration,authn/authn.properties,Bean ID of Predicate controlling result reuse for SSO,4.1,idp.authn.External,,,shibboleth.Conditions.TRUE,idp.authn.External.reuseCondition,SPRING_BEAN_ID,, -167,ExternalAuthnConfiguration,authn/authn.properties,"Whether the flow should handle non-browser request profiles (e.g., ECP)",4.1,idp.authn.External,,,false,idp.authn.External.nonBrowserSupported,BOOLEAN,, -178,ExternalAuthnConfiguration,authn/authn.properties,Comma-delimited list of protocol-specific Principal strings associated with 
flow,4.1,idp.authn.External,,,"saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport,saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password,saml1/urn:oasis:names:tc:SAML:1.0:am:password",idp.authn.External.supportedPrincipals,STRING,, -164,ExternalAuthnConfiguration,authn/authn.properties,Spring Web Flow redirection expression for the protected resource,4.1,idp.authn.External,,,contextRelative:external.jsp,idp.authn.External.externalAuthnPath,STRING,, -179,ExternalAuthnConfiguration,authn/authn.properties,Whether to auto-attach the preceding set of Principal objects to each Subject produced by this flow,4.1,idp.authn.External,,,true,idp.authn.External.addDefaultPrincipals,BOOLEAN,, -165,ExternalAuthnConfiguration,authn/authn.properties,Regular expression to match username against,4.1,idp.authn.External,,regex expected,,idp.authn.External.matchExpression,STRING,, -172,ExternalAuthnConfiguration,authn/authn.properties,Whether to invoke IdP discovery prior to running flow,4.1,idp.authn.External,,,false,idp.authn.External.discoveryRequired,BOOLEAN,, -174,ExternalAuthnConfiguration,authn/authn.properties,Inactivity timeout of results produced by this flow,4.1,idp.authn.External,,,%{idp.authn.defaultTimeout:PT30M},idp.authn.External.inactivityTimeout,DURATION,, -171,ExternalAuthnConfiguration,authn/authn.properties,Whether the flow considers itself to be proxying and therefore enforces SP signaled restrictions on proxying,4.1,idp.authn.External,,,false,idp.authn.External.proxyScopingEnforced,BOOLEAN,, -177,ExternalAuthnConfiguration,authn/authn.properties,Bean ID of BiConsumer to use to decide whether to run,4.1,,,,,idp.fticks.condition,SPRING_BEAN_ID,, -114,FTICKSLoggingConfiguration,idp.properties,Digest algorithm used to obscure usernames,all,,,,SHA-2,idp.fticks.algorithm,STRING,, -115,FTICKSLoggingConfiguration,idp.properties,"A salt to apply when digesting usernames (if not specified, the username will not be 
included)",all,,,,,idp.fticks.salt,STRING,, -297,FunctionAuthnConfiguration,authn/authn.properties,Whether to auto-attach the preceding set of Principal objects to each Subject produced by this flow,4.1,idp.authn.Function,,,true,idp.authn.Function.addDefaultPrincipals,BOOLEAN,, -289,FunctionAuthnConfiguration,authn/authn.properties,Whether the flow considers itself to be proxying and therefore enforces SP signaled restrictions on proxying,4.1,idp.authn.Function,,,false,idp.authn.Function.proxyScopingEnforced,BOOLEAN,, -294,FunctionAuthnConfiguration,authn/authn.properties,Bean ID of Predicate determining whether flow is usable for request,4.1,idp.authn.Function,,,shibboleth.Conditions.TRUE,idp.authn.Function.activationCondition,SPRING_BEAN_ID,, -286,FunctionAuthnConfiguration,authn/authn.properties,Whether the flow allows for passive authentication,4.1,idp.authn.Function,,,false,idp.authn.Function.passiveAuthenticationSupported,BOOLEAN,, -285,FunctionAuthnConfiguration,authn/authn.properties,"Whether the flow should handle non-browser request profiles (e.g., ECP)",4.1,idp.authn.Function,,,false,idp.authn.Function.nonBrowserSupported,BOOLEAN,, -295,FunctionAuthnConfiguration,authn/authn.properties,Bean ID of BiConsumer controlling result reuse for SSO,4.1,idp.authn.Function,,,shibboleth.Conditions.TRUE,idp.authn.Function.reuseCondition,SPRING_BEAN_ID,, -459,HelloWorldConfiguration,admin/admin.properties,Name of access control policy for request authorization,4.1,,,,AccessByAdminUser,idp.hello.accessPolicy,STRING,, -461,HelloWorldConfiguration,admin/admin.properties,Whether the flow should allow for non-browser clients during authentication,4.1,,,,false,idp.hello.nonBrowserSupported,BOOLEAN,, -458,HelloWorldConfiguration,admin/admin.properties,Audit log identifier for flow,4.1,,,,Hello,idp.hello.logging,STRING,, -462,HelloWorldConfiguration,admin/admin.properties,?,4.1,,,,,idp.hello.defaultAuthenticationMethods,STRING,, 
-463,HelloWorldConfiguration,admin/admin.properties,Whether attributes should be resolved prior to access control evaluation,4.1,,,,true,idp.hello.resolveAttributes,BOOLEAN,, -460,HelloWorldConfiguration,admin/admin.properties,Whether authentication should be performed prior to access control evaluation,4.1,,,,true,idp.hello.authenticated,BOOLEAN,, -464,HelloWorldConfiguration,admin/admin.properties,?,4.1,,,,,idp.hello.postAuthenticationFlows,STRING,, -280,IPAddressAuthnConfiguration,authn/authn.properties,Bean ID of Predicate determining whether flow is usable for request,4.1,idp.authn.IPAddress,,,shibboleth.Conditions.TRUE,idp.authn.IPAddress.activationCondition,SPRING_BEAN_ID,, -278,IPAddressAuthnConfiguration,authn/authn.properties,Inactivity timeout of results produced by this flow,4.1,idp.authn.IPAddress,,,%{idp.authn.defaultTimeout:PT30M},idp.authn.IPAddress.inactivityTimeout,DURATION,, -283,IPAddressAuthnConfiguration,authn/authn.properties,Whether to auto-attach the preceding set of Principal objects to each Subject produced by this flow,4.1,idp.authn.IPAddress,,,true,idp.authn.IPAddress.addDefaultPrincipals,BOOLEAN,, -273,IPAddressAuthnConfiguration,authn/authn.properties,Whether the flow supports forced authentication,4.1,idp.authn.IPAddress,,,false,idp.authn.IPAddress.forcedAuthenticationSupported,BOOLEAN,, -275,IPAddressAuthnConfiguration,authn/authn.properties,Whether the flow considers itself to be proxying and therefore enforces SP signaled restrictions on proxying,4.1,idp.authn.IPAddress,,,false,idp.authn.IPAddress.proxyScopingEnforced,BOOLEAN,, -276,IPAddressAuthnConfiguration,authn/authn.properties,Whether to invoke IdP discovery prior to running flow,4.1,idp.authn.IPAddress,,,false,idp.authn.IPAddress.discoveryRequired,BOOLEAN,, -272,IPAddressAuthnConfiguration,authn/authn.properties,Whether the flow allows for passive authentication,4.1,idp.authn.IPAddress,,,false,idp.authn.IPAddress.passiveAuthenticationSupported,BOOLEAN,, 
-270,IPAddressAuthnConfiguration,authn/authn.properties,"Flow priority relative to other enabled login flows (lower is ""higher"" in priority)",4.1,idp.authn.IPAddress,,,1000,idp.authn.IPAddress.order,INTEGER,, -281,IPAddressAuthnConfiguration,authn/authn.properties,Bean ID of BiConsumer controlling result reuse for SSO,4.1,idp.authn.IPAddress,,,shibboleth.Conditions.TRUE,idp.authn.IPAddress.reuseCondition,SPRING_BEAN_ID,, -277,IPAddressAuthnConfiguration,authn/authn.properties,Lifetime of results produced by this flow,4.1,idp.authn.IPAddress,,,%{idp.authn.defaultLifetime:PT1H},idp.authn.IPAddress.lifetime,DURATION,, -274,IPAddressAuthnConfiguration,authn/authn.properties,Whether the flow enforces upstream IdP imposed restrictions on proxying,4.1,idp.authn.IPAddress,,,%{idp.authn.enforceProxyRestrictions:true},idp.authn.IPAddress.proxyRestrictionsEnforced,BOOLEAN,, -271,IPAddressAuthnConfiguration,authn/authn.properties,"Whether the flow should handle non-browser request profiles (e.g., ECP)",4.1,idp.authn.IPAddress,,,false,idp.authn.IPAddress.nonBrowserSupported,BOOLEAN,, -158,JAASAuthnConfiguration,authn/authn.properties,Comma-delimited set of JAAS application configuration names to use,4.1,,,,ShibUserPassAuth,idp.authn.JAAS.loginConfigNames,STRING,, -159,JAASAuthnConfiguration,authn/authn.properties,Location of JAAS configuration file,4.1,,,resource path,%{idp.home}/conf/authn/jaas.config,idp.authn.JAAS.loginConfig,STRING,, -161,KerberosAuthnConfiguration,authn/authn.properties,Whether to preserve the resulting Kerberos TGT in the Java Subject's private credential set,4.1,,,,false,idp.authn.Krb5.preserveTicket,BOOLEAN,, -163,KerberosAuthnConfiguration,authn/authn.properties,Path to a keytab file containing keys belonging to the service principal defined in idp.authn.Krb5.servicePrincipal,4.1,,,,,idp.authn.Krb5.keytab,STRING,, -160,KerberosAuthnConfiguration,authn/authn.properties,Whether to reload the underlying Kerberos configuration (generally in 
/etc/krb5.conf) on every login attempt,4.1,,,,false,idp.authn.Krb5.refreshConfig,BOOLEAN,, -162,KerberosAuthnConfiguration,authn/authn.properties,Name of a service principal to use to verify the KDC supplying the TGT by requesting and verifying a service ticket issued for it,4.1,,,,,idp.authn.Krb5.servicePrincipal,STRING,, -144,LDAPAuthnConfiguration,authn/authn.properties,If you are using the FreeIPA LDAP this switch will attempt to use the account states defined by that product.,all,,,"The target file for the value depends on the version of Shibboleth being used:\n for v4: ldap.properties , for V4.1: authn/authn.properties",false,idp.authn.LDAP.freeIPADirectory,BOOLEAN,, -134,LDAPAuthnConfiguration,authn/authn.properties,Whether to search recursively when using an LDAP.authenticator of anonSearchAuthenticator or bindSearchAuthenticator,all,,,"The target file for the value depends on the version of Shibboleth being used:\n for v4: ldap.properties , for V4.1: authn/authn.properties",false,idp.authn.LDAP.subtreeSearch,BOOLEAN,, -135,LDAPAuthnConfiguration,authn/authn.properties,LDAP search filter when using an LDAP.authenticator of anonSearchAuthenticator or bindSearchAuthenticator,all,,,"The target file for the value depends on the version of Shibboleth being used:\n for v4: ldap.properties , for V4.1: authn/authn.properties",,idp.authn.LDAP.userFilter,STRING,, -132,LDAPAuthnConfiguration,authn/authn.properties,List of attributes to request during authentication,all,,,"Comma seperated list of values. 
The target file for the value depends on the version of Shibboleth being used:\n for v4: ldap.properties , for V4.1: authn/authn.properties",,idp.authn.LDAP.returnAttributes,STRING,, -133,LDAPAuthnConfiguration,authn/authn.properties,Base DN to search against when using an LDAP.authenticator of anonSearchAuthenticator or bindSearchAuthenticator,all,,,"The target file for the value depends on the version of Shibboleth being used:\n for v4: ldap.properties , for V4.1: authn/authn.properties",,idp.authn.LDAP.baseDN,STRING,, -139,LDAPAuthnConfiguration,authn/authn.properties,Whether the user's LDAP entry should be returned in the authentication response even when the user bind fails.,all,,,"The target file for the value depends on the version of Shibboleth being used:\n for v4: ldap.properties , for V4.1: authn/authn.properties",false,idp.authn.LDAP.resolveEntryOnFailure,BOOLEAN,, -136,LDAPAuthnConfiguration,authn/authn.properties,DN to bind with during search when using an LDAP.authenticator = bindSearchAuthenticator,all,,,"The target file for the value depends on the version of Shibboleth being used:\n for v4: ldap.properties , for V4.1: authn/authn.properties",,idp.authn.LDAP.bindDN,STRING,, -123,LDAPAuthnConfiguration,authn/authn.properties,"Controls the workflow for how authentication occurs against LDAP: one of anonSearchAuthenticator, bindSearchAuthenticator, directAuthenticator, adAuthenticator",all,,,"The target file for the value depends on the version of Shibboleth being used:\n for v4: ldap.properties , for V4.1: authn/authn.properties",anonSearchAuthenticator,idp.authn.LDAP.authenticator,STRING,, -127,LDAPAuthnConfiguration,authn/authn.properties,Time to wait for an LDAP response message,all,,,"The target file for the value depends on the version of Shibboleth being used:\n for v4: ldap.properties , for V4.1: authn/authn.properties",PT3S,idp.authn.LDAP.responseTimeout,DURATION,, -128,LDAPAuthnConfiguration,authn/authn.properties,"Connection strategy to use 
when multiple URLs are supplied: one of ACTIVE_PASSIVE, ROUND_ROBIN, RANDOM",all,,,"The target file for the value depends on the version of Shibboleth being used:\n for v4: ldap.properties , for V4.1: authn/authn.properties",ACTIVE_PASSIVE,idp.authn.LDAP.connectionStrategy,STRING,, -157,LDAPAuthnConfiguration,authn/authn.properties,Controls how connections in the bind pool are passivated. Connections in the bind pool may be in an authenticated state that will not allow validation searches to succeed. This property controls how bind connections are placed back into the pool. If your ,4.0.1,,,"The target file for the value depends on the version of Shibboleth being used:\n for v4: ldap.properties , for V4.1: authn/authn.properties",,idp.authn.LDAP.bindPoolPassivator,STRING,, -126,LDAPAuthnConfiguration,authn/authn.properties,Time to wait for the TCP connection to occur.,all,,,"The target file for the value depends on the version of Shibboleth being used:\n for v4: ldap.properties , for V4.1: authn/authn.properties",PT3S,idp.authn.LDAP.connectTimeout,DURATION,, -145,LDAPAuthnConfiguration,authn/authn.properties,If you are using the EDirectory LDAP this switch will attempt to use the account states defined by that product.,all,,,"The target file for the value depends on the version of Shibboleth being used:\n for v4: ldap.properties , for V4.1: authn/authn.properties",false,idp.authn.LDAP.eDirectory,BOOLEAN,, -146,LDAPAuthnConfiguration,authn/authn.properties,Whether connection pools should be used for LDAP authentication and DN resolution,all,,,"The target file for the value depends on the version of Shibboleth being used:\n for v4: ldap.properties , for V4.1: authn/authn.properties",false,idp.authn.LDAP.disablePooling,BOOLEAN,, -143,LDAPAuthnConfiguration,authn/authn.properties,If you are using Active Directory this switch will attempt to use the account states defined by AD. Note that this flag is unnecessary if you are using the 'adAuthenticator'. 
It is meant to be specified with one of the other authenticator types.,all,,,"The target file for the value depends on the version of Shibboleth being used:\n for v4: ldap.properties , for V4.1: authn/authn.properties",false,idp.authn.LDAP.activeDirectory,BOOLEAN,, -149,LDAPAuthnConfiguration,authn/authn.properties,Whether to validate connections when checking them out of the pool,all,,,"The target file for the value depends on the version of Shibboleth being used:\n for v4: ldap.properties , for V4.1: authn/authn.properties",false,idp.pool.LDAP.validateOnCheckout,BOOLEAN,, -125,LDAPAuthnConfiguration,authn/authn.properties,Whether StartTLS should be used after connecting with LDAP alone.,all,,,"The target file for the value depends on the version of Shibboleth being used:\n for v4: ldap.properties , for V4.1: authn/authn.properties",true,idp.authn.LDAP.useStartTLS,BOOLEAN,, -129,LDAPAuthnConfiguration,authn/authn.properties,"How to establish trust in the server's TLS certificate: one of jvmTrust, certificateTrust, or keyStoreTrust",all,,,"The target file for the value depends on the version of Shibboleth being used:\n for v4: ldap.properties , for V4.1: authn/authn.properties",certificateTrust,idp.authn.LDAP.sslConfig,STRING,, -140,LDAPAuthnConfiguration,authn/authn.properties,Whether the user's LDAP entry should be resolved with the bindDN credentials rather than as the authenticated user.,all,,,"The target file for the value depends on the version of Shibboleth being used:\n for v4: ldap.properties , for V4.1: authn/authn.properties",false,idp.authn.LDAP.resolveEntryWithBindDN,BOOLEAN,, -142,LDAPAuthnConfiguration,authn/authn.properties,Whether to use the Password Expired Control.,all,,,"The target file for the value depends on the version of Shibboleth being used:\n for v4: ldap.properties , for V4.1: authn/authn.properties",false,idp.authn.LDAP.usePasswordExpiration,BOOLEAN,, -150,LDAPAuthnConfiguration,authn/authn.properties,Whether to validate connections in 
the background,all,,,"The target file for the value depends on the version of Shibboleth being used:\n for v4: ldap.properties , for V4.1: authn/authn.properties",true,idp.pool.LDAP.validatePeriodically,BOOLEAN,, -130,LDAPAuthnConfiguration,authn/authn.properties,A resource to load trust anchors from when using sslConfig = certificateTrust,all,,,"resource path ex. %{idp.home}/credentials/ldap-server.crt - The target file for the value depends on the version of Shibboleth being used:\n for v4: ldap.properties , for V4.1: authn/authn.properties",,idp.authn.LDAP.trustCertificates,STRING,, -131,LDAPAuthnConfiguration,authn/authn.properties,A resource to load a Java keystore containing trust anchors when using sslConfig = keyStoreTrust,all,,,"resource path ex. %{idp.home}/credentials/ldap-server.truststore - The target file for the value depends on the version of Shibboleth being used:\n for v4: ldap.properties , for V4.1: authn/authn.properties",,idp.authn.LDAP.trustStore,STRING,, -152,LDAPAuthnConfiguration,authn/authn.properties,DN to search with the validateFilter: defaults to the rootDSE,4.0.1,,,"The target file for the value depends on the version of Shibboleth being used:\n for v4: ldap.properties , for V4.1: authn/authn.properties",,idp.pool.LDAP.validateDN,STRING,, -124,LDAPAuthnConfiguration,authn/authn.properties,Connection URI for LDAP directory,all,,,"LDAP URI ex. 
ldap://localhost or ldaps://localhost - The target file for the value depends on the version of Shibboleth being used:\n for v4: ldap.properties , for V4.1: authn/authn.properties",,idp.authn.LDAP.ldapURL,STRING,, -137,LDAPAuthnConfiguration,authn/authn.properties,Password to bind with during search when using an LDAP.authenticator = bindSearchAuthenticator usually set via %{idp.home}/credentials/secrets.properties,all,,,"The target file for the value depends on the version of Shibboleth being used:\n for v4: ldap.properties , for V4.1: authn/authn.properties",,idp.authn.LDAP.bindDNCredential,STRING,, -138,LDAPAuthnConfiguration,authn/authn.properties,A formatting string to generate the user DNs to authenticate when using an LDAP.authenticator of directAuthenticator or adAuthenticator,all,,,"ex. uid=%s,ou=people,dc=example,dc=org or for AD %s@domain.com - The target file for the value depends on the version of Shibboleth being used:\n for v4: ldap.properties , for V4.1: authn/authn.properties",,idp.authn.LDAP.dnFormat,STRING,, -154,LDAPAuthnConfiguration,authn/authn.properties,Duration between looking for idle connections to reduce the pool back to its minimum size,all,,,"The target file for the value depends on the version of Shibboleth being used:\n for v4: ldap.properties , for V4.1: authn/authn.properties",PT5M,idp.pool.LDAP.prunePeriod,DURATION,, -151,LDAPAuthnConfiguration,authn/authn.properties,Duration between validation if idp.pool.LDAP.validatePeriodically is true,all,,,"The target file for the value depends on the version of Shibboleth being used:\n for v4: ldap.properties , for V4.1: authn/authn.properties",PT5M,idp.pool.LDAP.validatePeriod,DURATION,, -141,LDAPAuthnConfiguration,authn/authn.properties,Whether to use the Password Policy Control.,all,,,"The target file for the value depends on the version of Shibboleth being used:\n for v4: ldap.properties , for V4.1: authn/authn.properties",false,idp.authn.LDAP.usePasswordPolicy,BOOLEAN,, 
-155,LDAPAuthnConfiguration,authn/authn.properties,Duration connections must be idle to be eligible for pruning,all,,,"The target file for the value depends on the version of Shibboleth being used:\n for v4: ldap.properties , for V4.1: authn/authn.properties",PT10M,idp.pool.LDAP.idleTime,DURATION,, -148,LDAPAuthnConfiguration,authn/authn.properties,Maximum LDAP connection pool size,all,,,"The target file for the value depends on the version of Shibboleth being used:\n for v4: ldap.properties , for V4.1: authn/authn.properties",10,idp.pool.LDAP.maxSize,INTEGER,, -147,LDAPAuthnConfiguration,authn/authn.properties,Minimum LDAP connection pool size,all,,,"The target file for the value depends on the version of Shibboleth being used:\n for v4: ldap.properties , for V4.1: authn/authn.properties",3,idp.pool.LDAP.minSize,INTEGER,, -156,LDAPAuthnConfiguration,authn/authn.properties,Duration to wait for a free connection in the pool,all,,,"The target file for the value depends on the version of Shibboleth being used:\n for v4: ldap.properties , for V4.1: authn/authn.properties",PT3S,idp.pool.LDAP.blockWaitTime,DURATION,, -153,LDAPAuthnConfiguration,authn/authn.properties,Search filter to execute in order to validate a pooled connection,4.0.1,,,"The target file for the value depends on the version of Shibboleth being used:\n for v4: ldap.properties , for V4.1: authn/authn.properties",(objectClass=*),idp.pool.LDAP.validateFilter,STRING,, -104,LogoutConfiguration,idp.properties,Processes arbitrary query parameters to the Simple Logout endpoint and stashes them in a ScratchContext for use by subsequent view logic,4.1,,,,false,idp.logout.preserveQuery,BOOLEAN,, -101,LogoutConfiguration,idp.properties,Whether to search metadata for user interface information associated with every service involved in logout propagation,all,,,,false,idp.logout.elaboration,BOOLEAN,, -105,LogoutConfiguration,idp.properties,When true allows inbound SAML LogoutRequests to be processed even if the SP 
lacks metadata containing response endpoints,4.2,,,,false,idp.logout.assumeAsync,BOOLEAN,, -106,LogoutConfiguration,idp.properties,"Applies the ""display:none"" style to the list of SPs and logout status reporting images so that logout status is not visibly reported to the user",4.2,,,,false,idp.logout.propagationHidden,BOOLEAN,, -102,LogoutConfiguration,idp.properties,Whether to require signed logout messages in accordance with the SAML 2.0 standard,all,,,,true,idp.logout.authenticated,BOOLEAN,, -103,LogoutConfiguration,idp.properties,If the bean returns true the user is given the option to actually cancel the IdP logout outright and prevent removal of the session,all,,,Bean ID of Predicate,false,idp.logout.promptUser,SPRING_BEAN_ID,, -642,Metadatagen,mdgen.properties,The width of the logo in pixels,4.1,idp.metadatagen,1,,80,idp.metadata.idpsso.mdui.logo.width,INTEGER,, -638,Metadatagen,mdgen.properties,Supplies the DNS name used within the URLs specifying the end points. This should not be used in conjunction with the --DNSName qualifier,4.1,idp.metadatagen,1,,,idp.metadata.dnsname,STRING,, -639,Metadatagen,mdgen.properties,Specifies the path to the certificate protecting the back channel. This should not be used in conjunction with the --backChannel qualifier.,4.1,idp.metadatagen,1,,,idp.metadata.backchannel.cert,STRING,, -640,Metadatagen,mdgen.properties,Specifies the path part of the URL which describes a logo for the IdP. The protocol is hard wired to be https:// and the DNS name is used for the host. The is always emitted. If this is absent then then a fixed path ('/path/to/logo') is use,4.1,idp.metadatagen,1,,,idp.metadata.idpsso.mdui.logo.path,STRING,, -643,Metadatagen,mdgen.properties,A space separated list of languages used to lookup values formed appending each one to the name and description properties idp.metadata.idpsso.mdui.displayname. and idp.metadata.idpsso.mdui.description.. 
If this is absent then an is emitted for that language,4.1,idp.metadatagen,1,,,idp.metadata.idpsso.mdui.displayname.,STRING,, -641,Metadatagen,mdgen.properties,The height of the logo in pixels.,4.1,idp.metadatagen,1,,80,idp.metadata.idpsso.mdui.logo.height,INTEGER,, -645,Metadatagen,mdgen.properties,Description for the IdP in the specified language. If this is absent for a language specified above then not is emitted for that language,4.1,idp.metadatagen,1,,,idp.metadata.idpsso.mdui.description.,STRING,, -450,MetadataQuery,admin/admin.properties,Whether attributes should be resolved prior to access control evaluation,4.1,,,,false,idp.mdquery.resolveAttributes,BOOLEAN,, -451,MetadataQuery,admin/admin.properties,?,4.1,,,,,idp.mdquery.postAuthenticationFlows,STRING,, -445,MetadataQuery,admin/admin.properties,Audit log identifier for flow,4.1,,,,MetadataQuery,idp.mdquery.logging,STRING,, -446,MetadataQuery,admin/admin.properties,Name of access control policy for request authorization,4.1,,,,AccessByIPAddress,idp.mdquery.accessPolicy,STRING,, -449,MetadataQuery,admin/admin.properties,?,4.1,,,,,idp.mdquery.defaultAuthenticationMethods,STRING,, -448,MetadataQuery,admin/admin.properties,Whether the flow should allow for non-browser clients during authentication,4.1,,,,false,idp.mdquery.nonBrowserSupported,BOOLEAN,, -447,MetadataQuery,admin/admin.properties,Whether authentication should be performed prior to access control evaluation,4.1,,,,false,idp.mdquery.authenticated,BOOLEAN,, -437,MetadataReload,admin/admin.properties,?,4.1,,,,,idp.reload.postAuthenticationFlows,STRING,, -436,MetadataReload,admin/admin.properties,Whether attributes should be resolved prior to access control evaluation,4.1,,,,false,idp.reload.resolveAttributes,BOOLEAN,, -432,MetadataReload,admin/admin.properties,Name of access control policy for request authorization,4.1,,,,AccessByIPAddress,idp.reload.accessPolicy,STRING,, -433,MetadataReload,admin/admin.properties,Whether authentication should be 
performed prior to access control evaluation,4.1,,,,false,idp.reload.authenticated,BOOLEAN,, -434,MetadataReload,admin/admin.properties,Whether the flow should allow for non-browser clients during authentication,4.1,,,,false,idp.reload.nonBrowserSupported,BOOLEAN,, -431,MetadataReload,admin/admin.properties,Audit log identifier for flow,4.1,,,,Reload,idp.reload.logging,STRING,, -435,MetadataReload,admin/admin.properties,?,4.1,,,,,idp.reload.defaultAuthenticationMethods,STRING,, -454,MetricsConfiguration,admin/admin.properties,Whether the flow should allow for non-browser clients during authentication,4.1,,,,false,idp.metrics.nonBrowserSupported,BOOLEAN,, -456,MetricsConfiguration,admin/admin.properties,Whether attributes should be resolved prior to access control evaluation,4.1,,,,false,idp.metrics.resolveAttributes,BOOLEAN,, -455,MetricsConfiguration,admin/admin.properties,?,4.1,,,,,idp.metrics.defaultAuthenticationMethods,STRING,, -452,MetricsConfiguration,admin/admin.properties,Audit log identifier for flow,4.1,,,,Metrics,idp.metrics.logging,STRING,, -457,MetricsConfiguration,admin/admin.properties,?,4.1,,,,,idp.metrics.postAuthenticationFlows,STRING,, -453,MetricsConfiguration,admin/admin.properties,Whether authentication should be performed prior to access control evaluation,4.1,,,,false,idp.metrics.authenticated,BOOLEAN,, -344,MultiFactorAuthnConfiguration,authn/authn.properties,"Flow priority relative to other enabled login flows (lower is ""higher"" in priority)",4.1,idp.authn.MFA,,,1000,idp.authn.MFA.order,INTEGER,, -343,MultiFactorAuthnConfiguration,authn/authn.properties,Whether login flows should only be run with regard for forceAuthn/isPassive/nonBrowser (and similar) conditions,4.1,,,,true,idp.authn.MFA.validateLoginTransitions,BOOLEAN,, -355,MultiFactorAuthnConfiguration,authn/authn.properties,Bean ID of BiConsumer determining whether flow is usable for 
request,4.1,idp.authn.MFA,,,shibboleth.Conditions.TRUE,idp.authn.MFA.activationCondition,SPRING_BEAN_ID,, -345,MultiFactorAuthnConfiguration,authn/authn.properties,"Whether the flow should handle non-browser request profiles (e.g., ECP)",4.1,idp.authn.MFA,,,false,idp.authn.MFA.nonBrowserSupported,BOOLEAN,, -351,MultiFactorAuthnConfiguration,authn/authn.properties,Lifetime of results produced by this flow,4.1,idp.authn.MFA,,,%{idp.authn.defaultLifetime:PT1H},idp.authn.MFA.lifetime,DURATION,, -353,MultiFactorAuthnConfiguration,authn/authn.properties,Bean ID of Predicate controlling result reuse for SSO,4.1,idp.authn.MFA,,,shibboleth.Conditions.TRUE,idp.authn.MFA.reuseCondition,SPRING_BEAN_ID,, -352,MultiFactorAuthnConfiguration,authn/authn.properties,Inactivity timeout of results produced by this flow,4.1,idp.authn.MFA,,,%{idp.authn.defaultTimeout:PT30M},idp.authn.MFA.inactivityTimeout,DURATION,, -347,MultiFactorAuthnConfiguration,authn/authn.properties,Whether the flow supports forced authentication,4.1,idp.authn.MFA,,,false,idp.authn.MFA.forcedAuthenticationSupported,BOOLEAN,, -357,MultiFactorAuthnConfiguration,authn/authn.properties,Whether to auto-attach the preceding set of Principal objects to each Subject produced by this flow,4.1,idp.authn.MFA,,,true,idp.authn.MFA.addDefaultPrincipals,BOOLEAN,, -346,MultiFactorAuthnConfiguration,authn/authn.properties,Whether the flow allows for passive authentication,4.1,idp.authn.MFA,,,false,idp.authn.MFA.passiveAuthenticationSupported,BOOLEAN,, -356,MultiFactorAuthnConfiguration,authn/authn.properties,Comma-delimited list of protocol-specific Principal strings associated with flow,4.1,idp.authn.MFA,,,"saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport,saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password,saml1/urn:oasis:names:tc:SAML:1.0:am:password",idp.authn.MFA.supportedPrincipals,STRING,, -350,MultiFactorAuthnConfiguration,authn/authn.properties,Whether to invoke IdP discovery prior to running 
flow,4.1,idp.authn.MFA,,,false,idp.authn.MFA.discoveryRequired,BOOLEAN,, -349,MultiFactorAuthnConfiguration,authn/authn.properties,Whether the flow considers itself to be proxying and therefore enforces SP signaled restrictions on proxying,4.1,idp.authn.MFA,,,false,idp.authn.MFA.proxyScopingEnforced,BOOLEAN,, -501,NameIDConsumptionConfiguration,c14n/subject-c14n.properties,Whether to lowercase the username,4.1,,,,false,idp.c14n.saml.lowercase,BOOLEAN,, -502,NameIDConsumptionConfiguration,c14n/subject-c14n.properties,Whether to uppercase the username,4.1,,,,false,idp.c14n.saml.uppercase,BOOLEAN,, -358,NameIDGenerationConfiguration,saml-nameid.properties,Identifies the strategy plugin for generating transient IDs,all,,,Bean ID of a TransientIdGenerationStrategy,shibboleth.CryptoTransientIdGenerator,idp.transientId.generator,SPRING_BEAN_ID,, -359,NameIDGenerationConfiguration,saml-nameid.properties,Default Format to generate if nothing else is indicated,all,,,,urn:oasis:names:tc:SAML:2.0:nameid-format:transient,idp.nameid.saml2.default,STRING,, -360,NameIDGenerationConfiguration,saml-nameid.properties,Default Format to generate if nothing else is indicated,all,,,,urn:mace:shibboleth:1.0:nameIdentifier,idp.nameid.saml1.default,STRING,, -553,OAuth2ClientAuthnConfiguration,oidc.properties,"Flow priority relative to other enabled login flows (lower is ""higher"" in priority)",4.1,idp.oidc.OP,3,,1000,idp.authn.OAuth2Client.order,INTEGER,, -557,OAuth2ClientAuthnConfiguration,oidc.properties,Whether to auto-attach the preceding set of Principal objects to each Subject produced by this flow,4.1,idp.oidc.OP,3,,true,idp.authn.OAuth2Client.addDefaultPrincipals,BOOLEAN,, -551,OAuth2ClientAuthnConfiguration,oidc.properties,Whether to remove the object holding the password from the request's active state after validating it (to avoid it being preserved in the session any longer than needed),4.1,idp.oidc.OP,3,,true,idp.authn.OAuth2Client.removeAfterValidation,BOOLEAN,, 
-552,OAuth2ClientAuthnConfiguration,oidc.properties,Whether to keep the password around as a private credential in the Java Subject for use in later stages such as attribute resolution,4.1,idp.oidc.OP,3,use with caution as it retains the password and makes it available in plaintext from within server memory at various stages.,false,idp.authn.OAuth2Client.retainAsPrivateCredential,BOOLEAN,, -550,OAuth2ClientAuthnConfiguration,oidc.properties,Whether all validators must succeed or just one,4.1,idp.oidc.OP,3,,false,idp.authn.OAuth2Client.requireAll,BOOLEAN,, -554,OAuth2ClientAuthnConfiguration,oidc.properties,Bean ID of Predicate determining whether flow is usable for request,4.1,idp.oidc.OP,3,,shibboleth.Conditions.TRUE,idp.authn.OAuth2Client.activationCondition,SPRING_BEAN_ID,, -556,OAuth2ClientAuthnConfiguration,oidc.properties,Comma-delimited list of protocol-specific Principal strings associated with flow,4.1,idp.oidc.OP,3,,,idp.authn.OAuth2Client.supportedPrincipals,STRING,, -555,OAuth2ClientAuthnConfiguration,oidc.properties,Bean ID of BiConsumer> called shibboleth.oidc.AllowedAudienceStrategy",4.1,idp.oidc.OP,3,,,idp.oauth2.defaultAllowedAudience,SPRING_BEAN_ID,, -574,OPClientCredentialsGrant,oidc.properties,"bean of type Function called shibboleth.oidc.AllowedScopeStrategy",4.1,idp.oidc.OP,3,,,idp.oauth2.defaultAllowedScope,SPRING_BEAN_ID,, -572,OPClientResolution,oidc.properties,When non-zero enables monitoring of resources for service reload,4.1,idp.oidc.OP,3,,PT0S,idp.service.clientinfo.checkInterval,DURATION,, -571,OPClientResolution,oidc.properties,If true any failures during initialization of any resolvers result in IdP startup failure,4.1,idp.oidc.OP,3,,false,idp.service.clientinfo.failFast,BOOLEAN,, -573,OPClientResolution,oidc.properties,Name of bean used to define the resources to use in configuring this service,4.1,idp.oidc.OP,3,,shibboleth.ClientInformationResolverResources,idp.service.clientinfo.resources,SPRING_BEAN_ID,, 
-558,OPCustomFilterRegistration,oidc.properties,"By default this configures the values defined by the idp.hsts, idp.frameoptions and idp.csp properties into the corresponding HTTP headers and applies them to the OP plugin as well as the original IdP endpoints",4.1,idp.oidc.OP,3,,shibboleth.ResponseHeaderFilter,idp.oidc.ResponseHeaderFilter,SPRING_BEAN_ID,, -559,OPDiscovery,oidc.properties,Location of discovery template to use,4.1,idp.oidc.OP,3,,%{idp.home}/static/openid-configuration.json,idp.oidc.discovery.template,STRING,, -560,OPDiscovery,oidc.properties,Implementation bean for discovery shouldn't require alteration,4.1,idp.oidc.OP,3,,shibboleth.oidc.DefaultOpenIdConfigurationResolver,idp.oidc.discovery.resolver,SPRING_BEAN_ID,, -564,OPDynamicClientRegistration,oidc.properties,Whether to resolve attributes if authentication is enabled,4.1,idp.oidc.OP,3,,false,idp.oidc.admin.registration.resolveAttributes,BOOLEAN,, -566,OPDynamicClientRegistration,oidc.properties,Name of access control policy to apply to all requests,4.1,idp.oidc.OP,3,,AccessByIPAddress,idp.oidc.admin.registration.accessPolicy,STRING,, -570,OPDynamicClientRegistration,oidc.properties,"Bean ID of type Function>, used to locate metadata policy based on the policyLocation parameter. 
Defaults to a caching resolver locating server resources to load based on policyLocation parameter.",4.1,idp.oidc.OP,3,,shibboleth.oidc.admin.DefaultMetadataPolicyLookupStrategy,idp.oidc.admin.registration.lookup.policy,SPRING_BEAN_ID,, -562,OPDynamicClientRegistration,oidc.properties,Enables support for non-browser-based authentication,4.1,idp.oidc.OP,3,,true,idp.oidc.admin.registration.nonBrowserSupported,BOOLEAN,, -537,OPDynamicClientRegistration,oidc.properties,Registration lifetime,4.1,idp.oidc.OP,3,,PT24H,idp.oidc.dynreg.defaultRegistrationValidity,DURATION,, -569,OPDynamicClientRegistration,oidc.properties,Name of access control policy to apply to requests specifying a clientId,4.1,idp.oidc.OP,3,,AccessByAdmin,idp.oidc.admin.registration.clientIdPolicy,STRING,, -568,OPDynamicClientRegistration,oidc.properties,Name of access control policy to apply to requests specifying a policyId,4.1,idp.oidc.OP,3,,AccessByAdmin,idp.oidc.admin.registration.policyIdPolicy,STRING,, -567,OPDynamicClientRegistration,oidc.properties,Name of access control policy to apply to requests specifying a policyLocation,4.1,idp.oidc.OP,3,,AccessByAdmin,idp.oidc.admin.registration.policyLocationPolicy,STRING,, -563,OPDynamicClientRegistration,oidc.properties,Whether to enable user authentication for requests,4.1,idp.oidc.OP,3,,false,idp.oidc.admin.registration.authenticated,BOOLEAN,, -541,OPDynamicClientRegistration,oidc.properties,The acceptable client authentication methods when using dynamic registration,4.1,idp.oidc.OP,3,Comma seperated list of values,"client_secret_basic,client_secret_post,client_secret_jwt,private_key_jwt",idp.oidc.dynreg.tokenEndpointAuthMethods,STRING,, -539,OPDynamicClientRegistration,oidc.properties,The default subject type if not set by client in request. 
Maybe set to pairwise or public.,4.1,idp.oidc.OP,3,,public,idp.oidc.dynreg.defaultSubjectType,STRING,, -565,OPDynamicClientRegistration,oidc.properties,Default access token lifetime if not specified,4.1,idp.oidc.OP,3,,P1D,idp.oidc.admin.registration.defaultTokenLifetime,DURATION,, -538,OPDynamicClientRegistration,oidc.properties,The default scopes accepted in dynamic registration,4.1,idp.oidc.OP,3,,openid profile email address phone offline_access,idp.oidc.dynreg.defaultScope,STRING,, -561,OPDynamicClientRegistration,oidc.properties,Audit logging label for this profile,4.1,idp.oidc.OP,3,,IssueRegistrationAccessToken,idp.oidc.admin.registration.logging,STRING,, -540,OPMetadataPolicies,oidc.properties,Full path to the file containing default metadata policy used for dynamic client registration,4.1,idp.oidc.OP,3,,,idp.oidc.dynreg.defaultMetadataPolicyFile,STRING,, -536,OPRevocation,oidc.properties,The revocation method: CHAIN refers to revoking whole chain of tokens (from authorization code to all access/refresh tokens). 
TOKEN refers to revoking single token,4.1,idp.oidc.OP,3,,CHAIN,idp.oauth2.revocationMethod,STRING,, -528,OPRevocation,oidc.properties,Lifetime of entries in revocation cache for authorize code,4.1,idp.oidc.OP,3,,PT6H,idp.oidc.revocationCache.authorizeCode.lifetime,DURATION,, -543,OPSecurity,oidc.properties,JWK EC signing keypair,4.1,idp.oidc.OP,3,JWK file pathname,%{idp.home}/credentials/idp-signing-es.jwk,idp.signing.oidc.es.key,STRING,, -547,OPSecurity,oidc.properties,Allows override of default request decryption configuration,4.1,idp.oidc.OP,3,,shibboleth.oidc.requestObjectDecryptionConfiguration,idp.oidc.rodecrypt.config,SPRING_BEAN_ID,, -544,OPSecurity,oidc.properties,JWK RSA decryption keypair,4.1,idp.oidc.OP,3,JWK file pathname,%{idp.home}/credentials/idp-encryption-rsa.jwk,idp.signing.oidc.rsa.enc.key,STRING,, -546,OPSecurity,oidc.properties,Allows override of default encryption configuration,4.1,idp.oidc.OP,3,,shibboleth.oidc.EncryptionConfiguration,idp.oidc.encryption.config,SPRING_BEAN_ID,, -545,OPSecurity,oidc.properties,Allows override of default signing configuration,4.1,idp.oidc.OP,3,,shibboleth.oidc.SigningConfiguration,idp.oidc.signing.config,SPRING_BEAN_ID,, -542,OPSecurity,oidc.properties,JWK RSA signing keypair,4.1,idp.oidc.OP,3,JWK file pathname,%{idp.home}/credentials/idp-signing-rs.jwk,idp.signing.oidc.rs.key,STRING,, -548,OPSecurity,oidc.properties,Allows override of default request signature validation configuration,4.1,idp.oidc.OP,3,one of these has the wrong name,shibboleth.oidc.requestObjectSignatureValidationConfiguration,idp.oidc.rovalid.config,SPRING_BEAN_ID,, -549,OPSecurity,oidc.properties,Allows override of default JWT token validation configuration,4.1,idp.oidc.OP,3,one of these has the wrong name,shibboleth.oidc.tokenEndpointJwtSignatureValidationConfiguration,idp.oidc.rovalid.config,SPRING_BEAN_ID,, -577,OPSubClaim,oidc.properties,The source attribute used in generating the sub 
claim,4.1,idp.oidc.OP,3,,,idp.oidc.subject.sourceAttribute,STRING,, -578,OPSubClaim,oidc.properties,The digest algorithm used in generating the sub claim,4.1,idp.oidc.OP,3,,SHA,idp.oidc.subject.algorithm,STRING,, -579,OPSubClaim,oidc.properties,Salt to inject for randomness should generally be moved into credentials/secrets.properties to avoid committing to configuration repository,4.1,idp.oidc.OP,3,,,idp.oidc.subject.salt,STRING,, -535,OPToken,oidc.properties,Lifetime of access token issued to client for resource server,4.1,idp.oidc.OP,3,,PT10M,idp.oauth2.accessToken.defaultLifetime,DURATION,, -521,OPToken,oidc.properties,Lifetime of refresh token,4.1,idp.oidc.OP,3,,PT2H,idp.oidc.refreshToken.defaultLifetime,DURATION,, -530,OPToken,oidc.properties,The acceptable client authentication methods,4.1,idp.oidc.OP,3,Comma seperated list of values,"client_secret_basic,client_secret_post,client_secret_jwt,private_key_jwt",idp.oidc.tokenEndpointAuthMethods,STRING,, -531,OPToken,oidc.properties,OAuth grant types to allow,4.1,idp.oidc.OP,3,Comma seperated list of values,"authorization_code,refresh_token",idp.oauth2.grantTypes,STRING,, -519,OPToken,oidc.properties,Lifetime of access token,4.1,idp.oidc.OP,3,,PT10M,idp.oidc.accessToken.defaultLifetime,DURATION,, -523,OPToken,oidc.properties,Whether client is allowed to use PKCE code challenge method plain,4.1,idp.oidc.OP,3,,false,idp.oidc.allowPKCEPlain,BOOLEAN,, -522,OPToken,oidc.properties,Whether client is required to use PKCE,4.1,idp.oidc.OP,3,,false,idp.oidc.forcePKCE,BOOLEAN,, -518,OPToken,oidc.properties,Lifetime of ID token,4.1,idp.oidc.OP,3,,PT1H,idp.oidc.idToken.defaultLifetime,DURATION,, -533,OPToken,oidc.properties,Format of access token. 
Supported values are JWT or nothing.,4.1,idp.oidc.OP,3.2,,,idp.oauth2.accessToken.type,STRING,, -534,OPToken,oidc.properties,Whether the absence of encryption details in a resource server’s metadata should fail when issuing an access token,4.1,idp.oidc.OP,3,,false,idp.oauth2.encryptionOptional,BOOLEAN,, -532,OPToken,oidc.properties,Whether to enforce refresh token rotation. If enabled the refresh token is revoked whenever it is used for issuing a new refresh token.,4.1,idp.oidc.OP,3.2,,false,idp.oauth2.enforceRefreshTokenRotation,BOOLEAN,, -371,PersistentNameIDGenerationConfiguration,saml-nameid.properties,Query timeout for database access,4.1,,,,PT5S,idp.persistentId.queryTimeout,DURATION,, -373,PersistentNameIDGenerationConfiguration,saml-nameid.properties,List of error strings to identify as retryable failures,4.1,,,,"23000,23505",idp.persistentId.retryableErrors,STRING,, -369,PersistentNameIDGenerationConfiguration,saml-nameid.properties,The final encoding applied to the hash generated when using computed persistent IDs: one of BASE32 or BASE64,all,,,,BASE64,idp.persistentId.encoding,STRING,, -370,PersistentNameIDGenerationConfiguration,saml-nameid.properties,Advanced feature allowing revocation or regeneration of computed persistent IDs for specific subjects or services,all,,,,shibboleth.ComputedIdExceptionMap,idp.persistentId.exceptionMap,SPRING_BEAN_ID,, -367,PersistentNameIDGenerationConfiguration,saml-nameid.properties,An encoded form of the persistentId.salt,all,,,,,idp.persistentId.encodedSalt,STRING,, -362,PersistentNameIDGenerationConfiguration,saml-nameid.properties,Identifies a data source for storage-based management of persistent IDs,all,,,Bean ID of a JDBC DataSource,,idp.persistentId.dataSource,SPRING_BEAN_ID,, -361,PersistentNameIDGenerationConfiguration,saml-nameid.properties,Identifies the strategy plugin for sourcing persistent IDs,all,,,Bean ID of a 
PairwiseIdStore,shibboleth.ComputedPersistentIdGenerator,idp.persistentId.generator,SPRING_BEAN_ID,, -368,PersistentNameIDGenerationConfiguration,saml-nameid.properties,The hash algorithm used when using computed persistent IDs,all,,,,SHA,idp.persistentId.algorithm,STRING,, -366,PersistentNameIDGenerationConfiguration,saml-nameid.properties,A secret salt for the hash when using computed persistent IDs,all,,,,,idp.persistentId.salt,STRING,, -383,PersistentNameIDGenerationConfiguration,saml-nameid.properties,Overrides database column names,4.1,,,,deactivationDate,idp.persistentId.deactivationTimeColumn,STRING,, -382,PersistentNameIDGenerationConfiguration,saml-nameid.properties,Overrides database column names,4.1,,,,creationDate,idp.persistentId.createTimeColumn,STRING,, -374,PersistentNameIDGenerationConfiguration,saml-nameid.properties,When true the connection and layout of the database is verified at bean initialization time and any failures are fatal.,4.1,,,,true,idp.persistentId.verifyDatabase,BOOLEAN,, -365,PersistentNameIDGenerationConfiguration,saml-nameid.properties,Whether or not the previous property has access to unreleased attributes,all,,,,true,idp.persistentId.useUnfilteredAttributes,BOOLEAN,, -381,PersistentNameIDGenerationConfiguration,saml-nameid.properties,Overrides database column names,4.1,,,,peerProvidedId,idp.persistentId.peerProvidedIdColumn,STRING,, -380,PersistentNameIDGenerationConfiguration,saml-nameid.properties,Overrides database column names,4.1,,,,persistentId,idp.persistentId.persistentIdColumn,STRING,, -379,PersistentNameIDGenerationConfiguration,saml-nameid.properties,Overrides database column names,4.1,,,,localId,idp.persistentId.sourceIdColumn,STRING,, -378,PersistentNameIDGenerationConfiguration,saml-nameid.properties,Overrides database column names,4.1,,,,principalName,idp.persistentId.principalNameColumn,STRING,, -377,PersistentNameIDGenerationConfiguration,saml-nameid.properties,Overrides database column 
names,4.1,,,,peerEntity,idp.persistentId.peerEntityColumn,STRING,, -376,PersistentNameIDGenerationConfiguration,saml-nameid.properties,Overrides database column names,4.1,,,,localEntity,idp.persistentId.localEntityColumn,STRING,, -375,PersistentNameIDGenerationConfiguration,saml-nameid.properties,Overrides the name of the table in the database,4.1,,,,shibpid,idp.persistentId.tableName,STRING,, -364,PersistentNameIDGenerationConfiguration,saml-nameid.properties,List of attributes to search for a value to uniquely identify the subject of a persistent identifier that MUST be stable long-lived and non-reassignable,all,,,,,idp.persistentId.sourceAttribute,STRING,, -363,PersistentNameIDGenerationConfiguration,saml-nameid.properties,Identifies a strategy plugin to use to generate the first persistent identifier for each subject,all,,,used to migrate from the computed to stored strategies: can be null,shibboleth.ComputedPersistentIdGenerator,idp.persistentId.computed,SPRING_BEAN_ID,, -372,PersistentNameIDGenerationConfiguration,saml-nameid.properties,Number of retries in the event database locking bugs cause retryable failures,4.1,,,,3,idp.persistentId.transactionRetries,INTEGER,, -412,ReloadableServices,services.properties,Time to notice changes to NameIDGenerationConfiguration and reload service,all,,,,0,idp.service.nameidGeneration.checkInterval,DURATION,, -422,ReloadableServices,services.properties,Name of Spring bean identifying Spring message property resources,all,,,,shibboleth.MessageSourceResources,idp.message.resources,SPRING_BEAN_ID,, -419,ReloadableServices,services.properties,Name of Spring bean identifying resources to use for ManagedBeanConfiguration,all,,,,shibboleth.ManagedBeanResources,idp.service.managedBean.resources,SPRING_BEAN_ID,, -417,ReloadableServices,services.properties,Fail at startup if CASServiceRegistry configuration is invalid,all,,,,false,idp.service.cas.registry.failFast,BOOLEAN,, -411,ReloadableServices,services.properties,Fail at startup 
if NameIDGenerationConfiguration is invalid,all,,,,false,idp.service.nameidGeneration.failFast,BOOLEAN,, -407,ReloadableServices,services.properties,Fail at startup if AttributeFilterConfiguration is invalid,all,,,,false,idp.service.attribute.filter.failFast,BOOLEAN,, -404,ReloadableServices,services.properties,"Whether null values should be stripped from the results of the attribute resolution. This filtering happens prior to filtering and encoding, but after attribute resolution is complete. To strip nulls during attribute resolution (so that they will be invis",all,,,,false,idp.service.attribute.resolver.stripNulls,BOOLEAN,, -401,ReloadableServices,services.properties,Fail at startup if AttributeResolverConfiguration is invalid,all,,,,false,idp.service.attribute.resolver.failFast,BOOLEAN,, -397,ReloadableServices,services.properties,Fail at startup if AttributeRegistryConfiguration is invalid,all,,,,false,idp.service.attribute.registry.failFast,BOOLEAN,, -421,ReloadableServices,services.properties,Time to notice ManagedBeanConfiguration changes and reload service,all,,,,0,idp.service.managedBean.checkInterval,DURATION,, -418,ReloadableServices,services.properties,Time to notice CASServiceRegistry configuration changes and reload service,all,,,,0,idp.service.cas.registry.checkInterval,DURATION,, -415,ReloadableServices,services.properties,Time to notice changes to AccessControlConfiguration and reload service,all,,,,0,idp.service.access.checkInterval,DURATION,, -408,ReloadableServices,services.properties,Time to notice changes to AttributeFilterConfiguration and reload service A value of 0 indicates that the attribute filter configuration never reloads,all,,,,0,idp.service.attribute.filter.checkInterval,DURATION,, -416,ReloadableServices,services.properties,Name of Spring bean identifying resources to use for CASServiceRegistry configuration,all,,,,shibboleth.CASServiceRegistryResources,idp.service.cas.registry.resources,SPRING_BEAN_ID,, 
-413,ReloadableServices,services.properties,Name of Spring bean identifying resources to use for AccessControlConfiguration,all,,,,shibboleth.AccessControlResource,idp.service.access.resources,SPRING_BEAN_ID,, -410,ReloadableServices,services.properties,Name of Spring bean identifying resources to use for NameIDGenerationConfiguration,all,,,,shibboleth.NameIdentifierGenerationResources,idp.service.nameidGeneration.resources,SPRING_BEAN_ID,, -402,ReloadableServices,services.properties,Time to notice changes to AttributeResolverConfiguration and reload service. A value of 0 indicates that the service configuration never reloads,all,,,,0,idp.service.attribute.resolver.checkInterval,DURATION,, -406,ReloadableServices,services.properties,Name of Spring bean identifying resources to use for AttributeFilterConfiguration,all,,,,shibboleth.AttributeFilterResources,idp.service.attribute.filter.resources,SPRING_BEAN_ID,, -398,ReloadableServices,services.properties,Time to notice changes to AttributeRegistryConfiguration and reload service. 
A value of 0 indicates that the service configuration never reloads,all,,,,0,idp.service.attribute.registry.checkInterval,DURATION,, -400,ReloadableServices,services.properties,Name of Spring bean identifying resources to use for AttributeResolverConfiguration,all,,,,shibboleth.AttributeResolverResources,idp.service.attribute.resolver.resources,SPRING_BEAN_ID,, -396,ReloadableServices,services.properties,Name of Spring bean identifying resources to use for AttributeRegistryConfiguration,all,,,,shibboleth.AttributeRegistryResources,idp.service.attribute.registry.resources,SPRING_BEAN_ID,, -392,ReloadableServices,services.properties,Name of Spring bean identifying resources to use for MetadataConfiguration,all,,,,shibboleth.MetadataResolverResources,idp.service.metadata.resources,SPRING_BEAN_ID,, -423,ReloadableServices,services.properties,Seconds between reloads of message property resources,all,,,,300,idp.message.cacheSeconds,INTEGER,, -393,ReloadableServices,services.properties,Fail at startup if MetadataConfiguration is invalid,all,,,,false,idp.service.metadata.failFast,BOOLEAN,, -391,ReloadableServices,services.properties,See MetadataDrivenConfiguration SAML Attribute Name Format Usage,all,,,,false,idp.service.relyingparty.ignoreUnmappedEntityAttributes,BOOLEAN,, -389,ReloadableServices,services.properties,Fail at startup if RelyingPartyConfiguration is invalid,all,,,,false,idp.service.relyingparty.failFast,BOOLEAN,, -388,ReloadableServices,services.properties,Name of Spring bean identifying resources to use for RelyingPartyConfiguration,all,,,,shibboleth.RelyingPartyResolverResources,idp.service.relyingparty.resources,SPRING_BEAN_ID,, -385,ReloadableServices,services.properties,Logging configuration resource to use (the reloadable service ID is shibboleth.LoggingService),all,,,resource path,%{idp.home}/conf/logback.xml,idp.service.logging.resource,STRING,, -390,ReloadableServices,services.properties,Time to notice changes to RelyingPartyConfiguration and reload 
service. A value of 0 indicates that the relying party configuration never reloads,all,,,,0,idp.service.relyingparty.checkInterval,DURATION,, -387,ReloadableServices,services.properties,Time to notice changes to logging configuration and reload service. A value of 0 indicates that the logging configuration never reloads,all,,,,0,idp.service.logging.checkInterval,DURATION,, -394,ReloadableServices,services.properties,Time to notice changes to MetadataConfiguration and reload service. A value of 0 indicates that the metadata configuration never reloads,all,,,,0,idp.service.metadata.checkInterval,DURATION,, -384,ReloadableServices,services.properties,Set default fail-fast behavior of all services unless overridden by service,all,,,,false,idp.service.failFast,BOOLEAN,, -414,ReloadableServices,services.properties,Fail at startup if AccessControlConfiguration is invalid,all,,,,true,idp.service.access.failFast,BOOLEAN,, -409,ReloadableServices,services.properties,Whether attribute filtering failure should silently produce no attributes or causes an overall profile request failure event,all,,,,true,idp.service.attribute.filter.maskFailures,BOOLEAN,, -395,ReloadableServices,services.properties,Disabling this turns off internal support for the ByReferenceFilter feature which provides a very small performance boost,all,,,,true,idp.service.metadata.enableByReferenceFilters,BOOLEAN,, -386,ReloadableServices,services.properties,Fail at startup if logging configuration is invalid,all,,,,true,idp.service.logging.failFast,BOOLEAN,, -420,ReloadableServices,services.properties,Fail at startup if ManagedBeanConfiguration is invalid,all,,,,false,idp.service.managedBean.failFast,BOOLEAN,, -405,ReloadableServices,services.properties,Setting this to false re-enables the legacy behavior of looking up the display information for the resolved attributes during resolution. 
As from 4.2 this the display information is looked up at point of use (during the attribute consent flow) and so ther,4.2,,,,true,idp.service.attribute.resolver.suppressDisplayInfo,BOOLEAN,, -403,ReloadableServices,services.properties,Whether attribute resolution failure should silently produce no attributes or cause an overall profile request failure event,all,,,,true,idp.service.attribute.resolver.maskFailures,BOOLEAN,, -399,ReloadableServices,services.properties,Shortcut for controlling the encoding of xsi:type information for all SAML transcoding rules in the registry,all,,,,true,idp.service.attribute.registry.encodeType,BOOLEAN,, -6,RelyingPartyConfiguration,idp.properties,Whether preparation of messages to be communicated via SAML artifact should assume use of a secure channel (allowing signing and encryption to be skipped),all,,,,true,idp.artifact.secureChannel,BOOLEAN,, -9,RelyingPartyConfiguration,idp.properties,"Controls whether the outbound binding selection is ordered by the SP's metadata or the IdP's preferred bindings (the inbuilt default order is Redirect -> POST -> Artifact -> SOAP). Set to false to leave artifact support on, but favor use of POST. Set also",4.1,,,,true,idp.bindings.inMetadataOrder,BOOLEAN,, -3,RelyingPartyConfiguration,idp.properties,The unique name of the IdP used as the iisuer in all SAML profiles,all,,,ex. 
https://unicon.net/idp/shibboleth,,idp.entityID,STRING,, -7,RelyingPartyConfiguration,idp.properties,Identifies the endpoint in SAML metadata associated with artifacts issued by a server node,all,,,,2,idp.artifact.endpointIndex,INTEGER,, -5,RelyingPartyConfiguration,idp.properties,Whether to allow use of the SAML artifact bindings when sending messages,all,,,,true,idp.artifact.enabled,BOOLEAN,, -186,RemoteUserAuthnConfiguration,authn/authn.properties,Whether the flow enforces upstream IdP imposed restrictions on proxying,4.1,idp.authn.RemoteUser,,,%{idp.authn.enforceProxyRestrictions:true},idp.authn.RemoteUser.proxyRestrictionsEnforced,BOOLEAN,, -191,RemoteUserAuthnConfiguration,authn/authn.properties,Bean ID of Predicate controlling result reuse for SSO,4.1,idp.authn.RemoteUser,,,shibboleth.Conditions.TRUE,idp.authn.RemoteUser.reuseCondition,SPRING_BEAN_ID,, -188,RemoteUserAuthnConfiguration,authn/authn.properties,Whether to invoke IdP discovery prior to running flow,4.1,idp.authn.RemoteUser,,,false,idp.authn.RemoteUser.discoveryRequired,BOOLEAN,, -183,RemoteUserAuthnConfiguration,authn/authn.properties,"Whether the flow should handle non-browser request profiles (e.g., ECP)",4.1,idp.authn.RemoteUser,,,false,idp.authn.RemoteUser.nonBrowserSupported,BOOLEAN,, -184,RemoteUserAuthnConfiguration,authn/authn.properties,Whether the flow allows for passive authentication,4.1,idp.authn.RemoteUser,,,false,idp.authn.RemoteUser.passiveAuthenticationSupported,BOOLEAN,, -193,RemoteUserAuthnConfiguration,authn/authn.properties,Bean ID of BiConsumer determining whether flow is usable for request,4.1,idp.authn.RemoteUser,,,shibboleth.Conditions.TRUE,idp.authn.RemoteUser.activationCondition,SPRING_BEAN_ID,, -195,RemoteUserAuthnConfiguration,authn/authn.properties,Whether to auto-attach the preceding set of Principal objects to each Subject produced by this flow,4.1,idp.authn.RemoteUser,,,true,idp.authn.RemoteUser.addDefaultPrincipals,BOOLEAN,, 
-189,RemoteUserAuthnConfiguration,authn/authn.properties,Lifetime of results produced by this flow,4.1,idp.authn.RemoteUser,,,%{idp.authn.defaultLifetime:PT1H},idp.authn.RemoteUser.lifetime,DURATION,, -208,RemoteUserInternalAuthnConfiguration,authn/authn.properties,"Whether the flow should handle non-browser request profiles (e.g., ECP)",4.1,idp.authn.RemoteUserInternal,,,false,idp.authn.RemoteUserInternal.nonBrowserSupported,BOOLEAN,, -219,RemoteUserInternalAuthnConfiguration,authn/authn.properties,Comma-delimited list of protocol-specific Principal strings associated with flow,4.1,idp.authn.RemoteUserInternal,,,"saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport,saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password,saml1/urn:oasis:names:tc:SAML:1.0:am:password",idp.authn.RemoteUserInternal.supportedPrincipals,STRING,, -210,RemoteUserInternalAuthnConfiguration,authn/authn.properties,Whether the flow supports forced authentication,4.1,idp.authn.RemoteUserInternal,,,false,idp.authn.RemoteUserInternal.forcedAuthenticationSupported,BOOLEAN,, -204,RemoteUserInternalAuthnConfiguration,authn/authn.properties,Comma-delimited list of usernames to deny while accepting all others,4.1,idp.authn.RemoteUserInternal,,,,idp.authn.RemoteUserInternal.deniedUsernames,STRING,, -209,RemoteUserInternalAuthnConfiguration,authn/authn.properties,Whether the flow allows for passive authentication,4.1,idp.authn.RemoteUserInternal,,,false,idp.authn.RemoteUserInternal.passiveAuthenticationSupported,BOOLEAN,, -203,RemoteUserInternalAuthnConfiguration,authn/authn.properties,Comma-delimited list of usernames to accept while blocking all others,4.1,idp.authn.RemoteUserInternal,,,,idp.authn.RemoteUserInternal.allowedUsernames,STRING,, -202,RemoteUserInternalAuthnConfiguration,authn/authn.properties,A regular expression that must match the username,4.1,idp.authn.RemoteUserInternal,,regex expected,,idp.authn.RemoteUserInternal.matchExpression,STRING,, 
-198,RemoteUserInternalAuthnConfiguration,authn/authn.properties,Comma-delimited list of request headers to check for a username,4.1,idp.authn.RemoteUserInternal,,,,idp.authn.RemoteUserInternal.checkHeaders,STRING,, -207,RemoteUserInternalAuthnConfiguration,authn/authn.properties,"Flow priority relative to other enabled login flows (lower is ""higher"" in priority)",4.1,idp.authn.RemoteUserInternal,,,1000,idp.authn.RemoteUserInternal.order,INTEGER,, -211,RemoteUserInternalAuthnConfiguration,authn/authn.properties,Whether the flow enforces upstream IdP imposed restrictions on proxying,4.1,idp.authn.RemoteUserInternal,,,%{idp.authn.enforceProxyRestrictions:true},idp.authn.RemoteUserInternal.proxyRestrictionsEnforced,BOOLEAN,, -220,RemoteUserInternalAuthnConfiguration,authn/authn.properties,Whether to auto-attach the preceding set of Principal objects to each Subject produced by this flow,4.1,idp.authn.RemoteUserInternal,,,true,idp.authn.RemoteUserInternal.addDefaultPrincipals,BOOLEAN,, -199,RemoteUserInternalAuthnConfiguration,authn/authn.properties,Whether to trim leading and trailing whitespace from the username before validating it,4.1,idp.authn.RemoteUserInternal,,,true,idp.authn.RemoteUserInternal.trim,BOOLEAN,, -201,RemoteUserInternalAuthnConfiguration,authn/authn.properties,Whether to uppercase the username before validating it,4.1,idp.authn.RemoteUserInternal,,,false,idp.authn.RemoteUserInternal.uppercase,BOOLEAN,, -196,RemoteUserInternalAuthnConfiguration,authn/authn.properties,Whether to check REMOTE_USER for a username,4.1,idp.authn.RemoteUserInternal,,,true,idp.authn.RemoteUserInternal.checkRemoteUser,BOOLEAN,, -206,RemoteUserInternalAuthnConfiguration,authn/authn.properties,Regular expression to match username against,4.1,idp.authn.RemoteUserInternal,,regex expected,,idp.authn.RemoteUserInternal.matchExpression,STRING,, -214,RemoteUserInternalAuthnConfiguration,authn/authn.properties,Lifetime of results produced by this 
flow,4.1,idp.authn.RemoteUserInternal,,,%{idp.authn.defaultLifetime:PT1H},idp.authn.RemoteUserInternal.lifetime,DURATION,, -216,RemoteUserInternalAuthnConfiguration,authn/authn.properties,Bean ID of Predicate controlling result reuse for SSO,4.1,idp.authn.RemoteUserInternal,,,shibboleth.Conditions.TRUE,idp.authn.RemoteUserInternal.reuseCondition,SPRING_BEAN_ID,, -217,RemoteUserInternalAuthnConfiguration,authn/authn.properties,Bean ID of Predicate determining whether flow is usable for request,4.1,idp.authn.RemoteUserInternal,,,shibboleth.Conditions.TRUE,idp.authn.RemoteUserInternal.activationCondition,SPRING_BEAN_ID,, -215,RemoteUserInternalAuthnConfiguration,authn/authn.properties,Inactivity timeout of results produced by this flow,4.1,idp.authn.RemoteUserInternal,,,%{idp.authn.defaultTimeout:PT30M},idp.authn.RemoteUserInternal.inactivityTimeout,DURATION,, -205,RemoteUserInternalAuthnConfiguration,authn/authn.properties,Spring Web Flow redirection expression for the protected resource,4.1,idp.authn.RemoteUserInternal,,,contextRelative:external.jsp,idp.authn.RemoteUserInternal.externalAuthnPath,STRING,, -213,RemoteUserInternalAuthnConfiguration,authn/authn.properties,Whether to invoke IdP discovery prior to running flow,4.1,idp.authn.RemoteUserInternal,,,false,idp.authn.RemoteUserInternal.discoveryRequired,BOOLEAN,, -197,RemoteUserInternalAuthnConfiguration,authn/authn.properties,Comma-delimited lists of request attributes to check for a username,4.1,idp.authn.RemoteUserInternal,,,,idp.authn.RemoteUserInternal.checkAttributes,STRING,, -212,RemoteUserInternalAuthnConfiguration,authn/authn.properties,Whether the flow considers itself to be proxying and therefore enforces SP signaled restrictions on proxying,4.1,idp.authn.RemoteUserInternal,,,false,idp.authn.RemoteUserInternal.proxyScopingEnforced,BOOLEAN,, -218,RemoteUserInternalAuthnConfiguration,authn/authn.properties,Bean ID of BiConsumer determining whether flow is usable for 
request,4.1,,,,shibboleth.Conditions.TRUE,idp.authn.SAML.activationCondition,SPRING_BEAN_ID,, -338,SAMLAuthnConfiguration,authn/authn.properties,Bean ID of Predicate controlling result reuse for SSO,4.1,,,,shibboleth.Conditions.TRUE,idp.authn.SAML.reuseCondition,SPRING_BEAN_ID,, -328,SAMLAuthnConfiguration,authn/authn.properties,Optional bean ID of AssertionValidator to run,4.1,,,,,idp.authn.SAML.assertionValidator,SPRING_BEAN_ID,, -327,SAMLAuthnConfiguration,authn/authn.properties,"Optional bean ID of Function to run at the late stages of Response decoding/processing",4.1,,,,,idp.authn.SAML.inboundMessageHandlerFunction,SPRING_BEAN_ID,, -329,SAMLAuthnConfiguration,authn/authn.properties,"Flow priority relative to other enabled login flows (lower is ""higher"" in priority)",4.1,,,,1000,idp.authn.SAML.order,INTEGER,, -333,SAMLAuthnConfiguration,authn/authn.properties,Whether the flow enforces upstream IdP imposed restrictions on proxying,4.1,,,,%{idp.authn.enforceProxyRestrictions:true},idp.authn.SAML.proxyRestrictionsEnforced,BOOLEAN,, -336,SAMLAuthnConfiguration,authn/authn.properties,Lifetime of results produced by this flow,4.1,,,,%{idp.authn.defaultLifetime:PT1H},idp.authn.SAML.lifetime,DURATION,, -340,SAMLAuthnConfiguration,authn/authn.properties,Bean ID of BiConsumer to run just prior to AuthnRequest signing/encoding step",4.1,,,,,idp.authn.SAML.outboundMessageHandlerFunction,SPRING_BEAN_ID,, -325,SAMLAuthnConfiguration,authn/authn.properties,Statically-defined entityID of IdP to use for authentication,4.1,,,,,idp.authn.SAML.proxyEntityID,STRING,, -334,SAMLAuthnConfiguration,authn/authn.properties,Whether the flow considers itself to be proxying and therefore enforces SP signaled restrictions on proxying,4.1,,,,false,idp.authn.SAML.proxyScopingEnforced,BOOLEAN,, -17,SecurityConfiguration,idp.properties,Default SameSite value to apply to cookies via servlet filter if no explicit rule for the named cookie is 
specified,all,,,,,idp.cookie.sameSite,SELECTION_LIST,"None,Lax,Strict", -16,SecurityConfiguration,idp.properties,Lifetime in seconds of cookies issued by the IdP that are meant to span sessions (365 days),all,,,,31536000,idp.cookie.maxAge,INTEGER,, -21,SecurityConfiguration,idp.properties,Time between checks for a new AES key version,all,,,,PT15M,idp.sealer.updateInterval,DURATION,, -23,SecurityConfiguration,idp.properties,Keystore resource containing AES encryption key usually a file path,all,,,resource path,,idp.sealer.storeResource,STRING,, -12,SecurityConfiguration,idp.properties,If true all cookies issued by the IdP (not including the container) will be limited to TLS,all,,,,false,idp.cookie.secure,BOOLEAN,, -14,SecurityConfiguration,idp.properties,Overrides the domain of any cookies issued by the IdP (not including the container),all,,,,,idp.cookie.domain,STRING,, -33,SecurityConfiguration,idp.properties,Name of Spring bean supplying the default SecurityConfiguration,all,,,Bean ID of SecurityConfiguration (net.shibboleth.idp.profile.config.SecurityConfiguration),shibboleth.DefaultSecurityConfiguration,idp.security.config,SPRING_BEAN_ID,, -34,SecurityConfiguration,idp.properties,Name of Spring bean supplying the default SignatureSigningConfiguration,all,,,Bean ID of SignatureSigningConfiguration (org.opensaml.xmlsec),shibboleth.SigningConfiguration.SHA256,idp.signing.config,SPRING_BEAN_ID,, -18,SecurityConfiguration,idp.properties,Predicate condition bean controlling whether SameSite filter runs,all,,,Bean ID of Predicate,shibboleth.Conditions.FALSE,idp.cookie.sameSiteCondition,SPRING_BEAN_ID,, -15,SecurityConfiguration,idp.properties,Overrides the path of any cookies issued by the IdP (not including the container),all,,,,,idp.cookie.path,STRING,, -20,SecurityConfiguration,idp.properties,Type of Java keystore used for IdP's internal AES encryption key,all,,,,JCEKS,idp.sealer.storeType,STRING,, -40,SecurityConfiguration,idp.properties,Default freshness window 
for accepting timestamped messages,all,,,,PT3M,idp.policy.messageLifetime,DURATION,, -41,SecurityConfiguration,idp.properties,Default freshness window for accepting timestamped assertions,all,,,,PT3M,idp.policy.assertionLifetime,DURATION,, -42,SecurityConfiguration,idp.properties,Default allowance for clock differences between systems,all,,,,PT3M,idp.policy.clockSkew,DURATION,, -24,SecurityConfiguration,idp.properties,Resource that tracks the active AES encryption key version usually a file path,all,,,,,idp.sealer.versionResource,STRING,, -27,SecurityConfiguration,idp.properties,Resource containing private key for signing typically a file in the credentials directory,all,,,,,idp.signing.key,STRING,, -22,SecurityConfiguration,idp.properties,Case insensitive name of keystore alias prefix used in AES keystore (the entries will be suffixed by the key version number),all,,,,secret,idp.sealer.aliasBase,STRING,, -37,SecurityConfiguration,idp.properties,Sets the default strategy for key agreement key wrap usage for credentials from metadata if not otherwise configured on the security configuration,all,,,,Default,idp.encryption.keyagreement.metadata.defaultUseKeyWrap,STRING,, -38,SecurityConfiguration,idp.properties,Name of Spring bean for the trust engine used to verify signatures,all,,,Bean ID of SignatureTrustEngine (org.opensaml.xmlsec.signature.support),shibboleth.ChainingSignatureTrustEngine,idp.trust.signatures,SPRING_BEAN_ID,, -36,SecurityConfiguration,idp.properties,If true failure to locate an encryption key to use won't result in request failure,all,,,,false,idp.encryption.optional,BOOLEAN,, -25,SecurityConfiguration,idp.properties,Keystore password unlocking AES encryption keystore typically set during installation,all,,,,,idp.sealer.storePassword,STRING,, -28,SecurityConfiguration,idp.properties,Resource containing the public key certificate inserted into signed messages typically a file in the credentials directory,all,,,,,idp.signing.cert,STRING,, 
-31,SecurityConfiguration,idp.properties,Resource containing an alternate private key for decryption generally unused except while changing decryption keys,all,,,,,idp.encryption.key.2,STRING,, -32,SecurityConfiguration,idp.properties,Resource containing an alternate public key certificate generally unused except while changing decryption keys,all,,,,,idp.encryption.cert.2,STRING,, -30,SecurityConfiguration,idp.properties,Resource containing a public key certificate given to others needing to encrypt data for the IdP typically a file in the credentials directory,all,,,resource path,,idp.encryption.cert,STRING,, -29,SecurityConfiguration,idp.properties,Resource containing a private key for decryption typically a file in the credentials directory,all,,,resource path,,idp.encryption.key,STRING,, -26,SecurityConfiguration,idp.properties,Key password unlocking AES encryption key typically set to the same as the previous property and set during installation,all,,,,,idp.sealer.keyPassword,STRING,, -19,SecurityConfiguration,idp.properties,Bean ID supporting the DataSealerKeyStrategy interface to use in place of the built-in option.,all,,,Bean ID of DataSealerKeyStrategy,shibboleth.DataSealerKeyStrategy,idp.sealer.keyStrategy,SPRING_BEAN_ID,, -44,SecurityConfiguration,idp.properties,Overrides the X509KeyInfoGeneratorFactory used by default,4.1,,,Bean ID of KeyInfoGeneratorManager (org.opensaml.xmlsec.keyinfo.KeyInfoGeneratorManager),shibboleth.X509KeyInfoGeneratorFactory,idp.security.x509KeyInfoFactory,SPRING_BEAN_ID,, -35,SecurityConfiguration,idp.properties,Name of Spring bean supplying the default EncryptionConfiguration,all,,,Bean ID of EncryptionConfiguration (org.opensaml.xmlsec),shibboleth.EncryptionConfiguration.CBC,idp.encryption.config,SPRING_BEAN_ID,, -43,SecurityConfiguration,idp.properties,Overrides the BasicKeyInfoGeneratorFactory used by default,4.1,,,Bean ID of KeyInfoGeneratorManager 
(org.opensaml.xmlsec.keyinfo.KeyInfoGeneratorManager),shibboleth.BasicKeyInfoGeneratorFactory,idp.security.basicKeyInfoFactory,SPRING_BEAN_ID,, -39,SecurityConfiguration,idp.properties,Name of Spring bean for the trust engine used to verify TLS certificates,all,,,Bean ID of TrustEngine (org.opensaml.security.trust),shibboleth.ChainingX509TrustEngine,idp.trust.certificates,SPRING_BEAN_ID,, -13,SecurityConfiguration,idp.properties,If true all cookies issued by the IdP (not including the container) will contain the HttpOnly property,all,,,,true,idp.cookie.httpOnly,BOOLEAN,, -65,SessionConfiguration,idp.properties,Name of cookie containing IdP session ID (note this is not the same as the cookie the Java container uses to track its own sessions),4.2,,,,shib_idp_session,idp.session.cookieName,STRING,, -67,SessionConfiguration,idp.properties,Whether to bind IdP sessions to IP addresses,all,,,,true,idp.session.consistentAddress,BOOLEAN,, -63,SessionConfiguration,idp.properties,Whether to enable the IdP's session tracking feature,all,,,,true,idp.session.enabled,BOOLEAN,, -74,SessionConfiguration,idp.properties,"Default length of time to maintain record of an SP session (must be non-zero), overridable by relying-party-specific setting",all,,,,PT2H,idp.session.defaultSPlifetime,DURATION,, -71,SessionConfiguration,idp.properties,Whether to hide storage failures from users during session cache reads/writes,all,,,,false,idp.session.maskStorageFailure,BOOLEAN,, -66,SessionConfiguration,idp.properties,Number of characters in IdP session identifiers,all,,,,32,idp.session.idSize,INTEGER,, -69,SessionConfiguration,idp.properties,Inactivity timeout policy for IdP sessions (must be non-zero),all,,,,PT60M,idp.session.timeout,DURATION,, -70,SessionConfiguration,idp.properties,Extra time after expiration before removing SP sessions in case a logout is invoked,all,,,,0,idp.session.slop,DURATION,, -64,SessionConfiguration,idp.properties,Bean name of a storage implementation/configuration to 
use for IdP sessions,all,,,Bean ID of StorageService (org.opensaml.storage),shibboleth.ClientSessionStorageService,idp.session.StorageService,SPRING_BEAN_ID,, -73,SessionConfiguration,idp.properties,"Whether to track SPs on the basis of the SAML subject ID used, for logout purposes (requires SP session tracking be on)",all,,,,false,idp.session.secondaryServiceIndex,BOOLEAN,, -72,SessionConfiguration,idp.properties,Whether to save a record of every SP accessed during an IdP session (requires a server-side session store or HTML LocalStorage),all,,,,false,idp.session.trackSPSessions,BOOLEAN,, -68,SessionConfiguration,idp.properties,A 2-argument predicate that compares a bound session's address to a client address,all,,,"BiPredicate",Direct string comparison,idp.session.consistentAddressCondition,STRING,, -485,SimplePostLoginC14NConfiguration,c14n/subject-c14n.properties,Whether to uppercase the username,4.1,,,,false,idp.c14n.simple.uppercase,BOOLEAN,, -486,SimplePostLoginC14NConfiguration,c14n/subject-c14n.properties,Whether to trim leading and trailing whitespace from the username,4.1,,,,true,idp.c14n.simple.trim,BOOLEAN,, -484,SimplePostLoginC14NConfiguration,c14n/subject-c14n.properties,Whether to lowercase the username,4.1,,,,false,idp.c14n.simple.lowercase,BOOLEAN,, -222,SPNEGOAuthnConfiguration,authn/authn.properties,Whether to always try to run SPNEGO independent of the user's auto-login setting,4.1,idp.authn.SPNEGO,,,false,idp.authn.SPNEGO.enforceRun,BOOLEAN,, -221,SPNEGOAuthnConfiguration,authn/authn.properties,Servlet-relative path to the SPNEGO external authentication implementation,4.1,idp.authn.SPNEGO,,URL path,/Authn/SPNEGO,idp.authn.SPNEGO.externalAuthnPath,STRING,, -224,SPNEGOAuthnConfiguration,authn/authn.properties,Regular expression to match username against,4.1,idp.authn.SPNEGO,,regex expected,,idp.authn.SPNEGO.matchExpression,STRING,, -238,SPNEGOAuthnConfiguration,authn/authn.properties,Comma-delimited list of protocol-specific Principal strings 
associated with flow,4.1,idp.authn.SPNEGO,,,"saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos, saml1/urn:ietf:rfc:1510",idp.authn.SPNEGO.supportedPrincipals,STRING,, -230,SPNEGOAuthnConfiguration,authn/authn.properties,Whether the flow enforces upstream IdP imposed restrictions on proxying,4.1,idp.authn.SPNEGO,,,%{idp.authn.enforceProxyRestrictions:true},idp.authn.SPNEGO.proxyRestrictionsEnforced,BOOLEAN,, -225,SPNEGOAuthnConfiguration,authn/authn.properties,Name of cookie used to track auto-login state of client,4.2,idp.authn.SPNEGO,,,_idp_spnego_autologin,idp.authn.SPNEGO.cookieName,STRING,, -226,SPNEGOAuthnConfiguration,authn/authn.properties,"Flow priority relative to other enabled login flows (lower is ""higher"" in priority)",4.1,idp.authn.SPNEGO,,,1000,idp.authn.SPNEGO.order,INTEGER,, -237,SPNEGOAuthnConfiguration,authn/authn.properties,Bean ID of BiConsumer controlling result reuse for SSO,4.1,idp.authn.SPNEGO,,,shibboleth.Conditions.TRUE,idp.authn.SPNEGO.reuseCondition,SPRING_BEAN_ID,, -236,SPNEGOAuthnConfiguration,authn/authn.properties,Bean ID of Predicate determining whether flow is usable for request,4.1,idp.authn.SPNEGO,,,shibboleth.Conditions.TRUE,idp.authn.SPNEGO.activationCondition,SPRING_BEAN_ID,, -234,SPNEGOAuthnConfiguration,authn/authn.properties,Inactivity timeout of results produced by this flow,4.1,idp.authn.SPNEGO,,,%{idp.authn.defaultTimeout:PT30M},idp.authn.SPNEGO.inactivityTimeout,DURATION,, -239,SPNEGOAuthnConfiguration,authn/authn.properties,Whether to auto-attach the preceding set of Principal objects to each Subject produced by this flow,4.1,idp.authn.SPNEGO,,,true,idp.authn.SPNEGO.addDefaultPrincipals,BOOLEAN,, -233,SPNEGOAuthnConfiguration,authn/authn.properties,Lifetime of results produced by this flow,4.1,idp.authn.SPNEGO,,,%{idp.authn.defaultLifetime:PT1H},idp.authn.SPNEGO.lifetime,DURATION,, -223,SPNEGOAuthnConfiguration,authn/authn.properties,Whether to reload the underlying Kerberos configuration (generally in 
/etc/krb5.conf) on every login attempt,4.1,idp.authn.SPNEGO,,,false,idp.authn.SPNEGO.refreshKrbConfig,BOOLEAN,, -227,SPNEGOAuthnConfiguration,authn/authn.properties,"Whether the flow should handle non-browser request profiles (e.g., ECP)",4.1,idp.authn.SPNEGO,,,false,idp.authn.SPNEGO.nonBrowserSupported,BOOLEAN,, -228,SPNEGOAuthnConfiguration,authn/authn.properties,Whether the flow allows for passive authentication,4.1,idp.authn.SPNEGO,,,false,idp.authn.SPNEGO.passiveAuthenticationSupported,BOOLEAN,, -229,SPNEGOAuthnConfiguration,authn/authn.properties,Whether the flow supports forced authentication,4.1,idp.authn.SPNEGO,,,false,idp.authn.SPNEGO.forcedAuthenticationSupported,BOOLEAN,, -231,SPNEGOAuthnConfiguration,authn/authn.properties,Whether the flow considers itself to be proxying and therefore enforces SP signaled restrictions on proxying,4.1,idp.authn.SPNEGO,,,false,idp.authn.SPNEGO.proxyScopingEnforced,BOOLEAN,, -232,SPNEGOAuthnConfiguration,authn/authn.properties,Whether to invoke IdP discovery prior to running flow,4.1,idp.authn.SPNEGO,,,false,idp.authn.SPNEGO.discoveryRequired,BOOLEAN,, -430,Status,admin/admin.properties,?,4.1,,,,,idp.status.postAuthenticationFlows,STRING,, -428,Status,admin/admin.properties,?,4.1,,,,,idp.status.defaultAuthenticationMethods,STRING,, -426,Status,admin/admin.properties,Whether authentication should be performed prior to access control evaluation,4.1,,,,false,idp.status.authenticated,BOOLEAN,, -425,Status,admin/admin.properties,Name of access control policy for request authorization,4.1,,,,AccessByIPAddress,idp.status.accessPolicy,STRING,, -429,Status,admin/admin.properties,Whether attributes should be resolved prior to access control evaluation,4.1,,,,false,idp.status.resolveAttributes,BOOLEAN,, -427,Status,admin/admin.properties,Whether the flow should allow for non-browser clients during authentication,4.1,,,,false,idp.status.nonBrowserSupported,BOOLEAN,, -424,Status,admin/admin.properties,Audit log identifier for 
flow,4.1,,,,Status,idp.status.logging,STRING,, -57,StorageConfiguration,idp.properties,Interval of background thread sweeping server-side storage for expired records,all,,,,PT10M,idp.storage.cleanupInterval,DURATION,, -8,StorageConfiguration,idp.properties,Storage back-end to use for short-lived SAML Artifact mappings (must be server-side),all,,,Bean ID of a StorageService (org.opensaml.storage),shibboleth.StorageService,idp.artifact.StorageService,SPRING_BEAN_ID,, -60,StorageConfiguration,idp.properties,Name of cookie or HTML storage key used by the default persistent instance of the client storage service,all,,,,shib_idp_persistent_ss,idp.storage.clientPersistentStorageName,STRING,, -61,StorageConfiguration,idp.properties,Storage back-end to use for message replay checking (must be server-side),all,,,Bean ID of a StorageService (org.opensaml.storage),shibboleth.StorageService,idp.replayCache.StorageService,SPRING_BEAN_ID,, -58,StorageConfiguration,idp.properties,Whether to use HTML Local Storage (if available) instead of cookies,all,,,,false,idp.storage.htmlLocalStorage,BOOLEAN,, -59,StorageConfiguration,idp.properties,Name of cookie or HTML storage key used by the default per-session instance of the client storage service,all,,,,shib_idp_session_ss,idp.storage.clientSessionStorageName,STRING,, -62,StorageConfiguration,idp.properties,Whether storage errors during replay checks should be treated as a replay,all,,,,true,idp.replayCache.strict,BOOLEAN,, -622,TOTP,authn/authn.properties,Name of HTML form field to use for locating browser-submitted token codes,4.1,idp.authn.TOTP,1,,tokencode,idp.authn.TOTP.fieldName,STRING,, -627,TOTP,authn/authn.properties,Whether the flow supports forced authentication,4.1,idp.authn.TOTP,1,,true,idp.authn.TOTP.forcedAuthenticationSupported,BOOLEAN,, -636,TOTP,authn/authn.properties,Comma-delimited list of protocol-specific Principalstrings associated with 
flow,4.1,idp.authn.TOTP,1,,"saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken, saml1/urn:oasis:names:tc:SAML:1.0:am:HardwareToken",idp.authn.TOTP.supportedPrincipals,STRING,, -623,TOTP,authn/authn.properties,Name of IdPAttribute to resolve to obtain token seeds for users,4.1,idp.authn.TOTP,1,,tokenSeeds,idp.authn.TOTP.tokenSeedAttribute,STRING,, -621,TOTP,authn/authn.properties,Name of request header to use for extracting non-browser submitted token codes,4.1,idp.authn.TOTP,1,,X-Shibboleth-TOTP,idp.authn.TOTP.headerName,STRING,, -624,TOTP,authn/authn.properties,"Flow priority relative to other enabled login flows (lower is ""higher"" in priority)",4.1,idp.authn.TOTP,1,,1000,idp.authn.TOTP.order,INTEGER,, -626,TOTP,authn/authn.properties,Whether the flow allows for passive authentication,4.1,idp.authn.TOTP,1,,false,idp.authn.TOTP.passiveAuthenticationSupported,BOOLEAN,, -625,TOTP,authn/authn.properties,"Whether the flow should handle non-browser request profiles (e.g., ECP)",4.1,idp.authn.TOTP,1,,false,idp.authn.TOTP.nonBrowserSupported,BOOLEAN,, -628,TOTP,authn/authn.properties,Whether the flow enforces upstream IdP-imposed restrictions on proxying,4.1,idp.authn.TOTP,1,,%{idp.authn.enforceProxyRestrictions:true},idp.authn.TOTP.proxyRestrictionsEnforced,BOOLEAN,, -634,TOTP,authn/authn.properties,Bean ID ofPredicate determining whether flow is usable for request,4.1,idp.authn.TOTP,1,,shibboleth.Conditions.TRUE,idp.authn.TOTP.activationCondition,SPRING_BEAN_ID,, -632,TOTP,authn/authn.properties,Inactivity timeout of results produced by this flow,4.1,idp.authn.TOTP,1,,%{idp.authn.defaultTimeout:PT30M},idp.authn.TOTP.inactivityTimeout,DURATION,, -631,TOTP,authn/authn.properties,Lifetime of results produced by this flow,4.1,idp.authn.TOTP,1,,%{idp.authn.defaultLifetime:PT1H},idp.authn.TOTP.lifetime,DURATION,, -633,TOTP,authn/authn.properties,Bean ID ofPredicate controlling result reuse for 
SSO,4.1,idp.authn.TOTP,1,,shibboleth.Conditions.TRUE,idp.authn.TOTP.reuseCondition,SPRING_BEAN_ID,, -635,TOTP,authn/authn.properties,"Bean ID ofBiConsumer for subject customization",4.1,idp.authn.TOTP,1,,,idp.authn.TOTP.subjectDecorator,SPRING_BEAN_ID,, -629,TOTP,authn/authn.properties,Whether the flow considers itself to be proxying,4.1,idp.authn.TOTP,1,and therefore enforces SP-signaled restrictions on proxying,false,idp.authn.TOTP.proxyScopingEnforced,BOOLEAN,, -630,TOTP,authn/authn.properties,Whether to invoke IdP-discovery prior to running flow,4.1,idp.authn.TOTP,1,,false,idp.authn.TOTP.discoveryRequired,BOOLEAN,, -637,TOTP,authn/authn.properties,Whether to auto-attach the preceding set ofPrincipalobjects to eachSubjectproduced by this flow,4.1,idp.authn.TOTP,1,,false,idp.authn.TOTP.addDefaultPrincipals,BOOLEAN,, -496,X500PostLoginC14NConfiguration,c14n/subject-c14n.properties,Whether to trim leading and trailing whitespace from the username,4.1,,,,true,idp.c14n.x500.trim,BOOLEAN,, -498,X500PostLoginC14NConfiguration,c14n/subject-c14n.properties,Comma-delimited list of attribute OIDs to search for in the subject DN,4.1,,,Comma seperated list of integer values,"2,5,4,3",idp.c14n.x500.objectIDs,STRING,, -495,X500PostLoginC14NConfiguration,c14n/subject-c14n.properties,Whether to uppercase the username,4.1,,,,false,idp.c14n.x500.uppercase,BOOLEAN,, -494,X500PostLoginC14NConfiguration,c14n/subject-c14n.properties,Whether to lowercase the username,4.1,,,,false,idp.c14n.x500.lowercase,BOOLEAN,, -497,X500PostLoginC14NConfiguration,c14n/subject-c14n.properties,Comma-delimited list of subjectAltName extension types to look for,4.1,,,Comma seperated list of integer values,,idp.c14n.x500.subjectAltNameTypes,STRING,, -241,X509AuthnConfiguration,authn/authn.properties,"Flow priority relative to other enabled login flows (lower is ""higher"" in priority)",4.1,idp.authn.X509,,,1000,idp.authn.X509.order,INTEGER,, -245,X509AuthnConfiguration,authn/authn.properties,Whether the 
flow enforces upstream IdP imposed restrictions on proxying,4.1,idp.authn.X509,,,%{idp.authn.enforceProxyRestrictions:true},idp.authn.X509.proxyRestrictionsEnforced,BOOLEAN,, -252,X509AuthnConfiguration,authn/authn.properties,Bean ID of BiConsumer determining whether flow is usable for request,4.1,idp.authn.X509,,,shibboleth.Conditions.TRUE,idp.authn.X509.activationCondition,SPRING_BEAN_ID,, -250,X509AuthnConfiguration,authn/authn.properties,Bean ID of Predicate controlling result reuse for SSO,4.1,idp.authn.X509,,,shibboleth.Conditions.TRUE,idp.authn.X509.reuseCondition,SPRING_BEAN_ID,, -253,X509AuthnConfiguration,authn/authn.properties,Comma-delimited list of protocol-specific Principal strings associated with flow,4.1,idp.authn.X509,,,"saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:X509, saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient, saml1/urn:ietf:rfc:2246",idp.authn.X509.supportedPrincipals,STRING,, -247,X509AuthnConfiguration,authn/authn.properties,Whether to invoke IdP discovery prior to running flow,4.1,idp.authn.X509,,,false,idp.authn.X509.discoveryRequired,BOOLEAN,, -246,X509AuthnConfiguration,authn/authn.properties,Whether the flow considers itself to be proxying and therefore enforces SP signaled restrictions on proxying,4.1,idp.authn.X509,,,false,idp.authn.X509.proxyScopingEnforced,BOOLEAN,, -254,X509AuthnConfiguration,authn/authn.properties,Whether to auto-attach the preceding set of Principal objects to each Subject produced by this flow,4.1,idp.authn.X509,,,true,idp.authn.X509.addDefaultPrincipals,BOOLEAN,, -244,X509AuthnConfiguration,authn/authn.properties,Whether the flow supports forced authentication,4.1,idp.authn.X509,,,false,idp.authn.X509.forcedAuthenticationSupported,BOOLEAN,, -243,X509AuthnConfiguration,authn/authn.properties,Whether the flow allows for passive authentication,4.1,idp.authn.X509,,,false,idp.authn.X509.passiveAuthenticationSupported,BOOLEAN,, -261,X509InternalAuthnConfiguration,authn/authn.properties,Whether the flow 
considers itself to be proxying and therefore enforces SP signaled restrictions on proxying,4.1,,,,false,idp.authn.X509Internal.proxyScopingEnforced,BOOLEAN,, -259,X509InternalAuthnConfiguration,authn/authn.properties,Whether the flow supports forced authentication,4.1,,,,false,idp.authn.X509Internal.forcedAuthenticationSupported,BOOLEAN,, -258,X509InternalAuthnConfiguration,authn/authn.properties,Whether the flow allows for passive authentication,4.1,,,,false,idp.authn.X509Internal.passiveAuthenticationSupported,BOOLEAN,, -257,X509InternalAuthnConfiguration,authn/authn.properties,"Whether the flow should handle non-browser request profiles (e.g., ECP)",4.1,,,,false,idp.authn.X509Internal.nonBrowserSupported,BOOLEAN,, -255,X509InternalAuthnConfiguration,authn/authn.properties,Whether to save the certificate into the Subject's public credential set. Disable to reduce the size if not relying on the certificate for subject c14n.,4.1,,,,true,idp.authn.X509Internal.saveCertificateToCredentialSet,BOOLEAN,, -269,X509InternalAuthnConfiguration,authn/authn.properties,Whether to auto-attach the preceding set of Principal objects to each Subject produced by this flow,4.1,,,,true,idp.authn.X509Internal.addDefaultPrincipals,BOOLEAN,, -260,X509InternalAuthnConfiguration,authn/authn.properties,Whether the flow enforces upstream IdP imposed restrictions on proxying,4.1,,,,%{idp.authn.enforceProxyRestrictions:true},idp.authn.X509Internal.proxyRestrictionsEnforced,BOOLEAN,, -256,X509InternalAuthnConfiguration,authn/authn.properties,"Flow priority relative to other enabled login flows (lower is ""higher"" in priority)",4.1,,,,1000,idp.authn.X509Internal.order,INTEGER,, -264,X509InternalAuthnConfiguration,authn/authn.properties,Inactivity timeout of results produced by this flow,4.1,,,,%{idp.authn.defaultTimeout:PT30M},idp.authn.X509Internal.inactivityTimeout,DURATION,, -267,X509InternalAuthnConfiguration,authn/authn.properties,Bean ID of BiConsumer determining whether flow is usable 
for request,4.1,,,,shibboleth.Conditions.TRUE,idp.authn.X509Internal.activationCondition,SPRING_BEAN_ID,, -265,X509InternalAuthnConfiguration,authn/authn.properties,Bean ID of Predicate controlling result reuse for SSO,4.1,,,,shibboleth.Conditions.TRUE,idp.authn.X509Internal.reuseCondition,SPRING_BEAN_ID,, -262,X509InternalAuthnConfiguration,authn/authn.properties,Whether to invoke IdP discovery prior to running flow,4.1,,,,false,idp.authn.X509Internal.discoveryRequired,BOOLEAN,, \ No newline at end of file +473,?,admin/admin.properties,Name of access control policy for request authorization,4.1,,,,AccessDenied,idp.storage.accessPolicy,STRING, +474,?,admin/admin.properties,Whether authentication should be performed prior to access control evaluation,4.1,,,,false,idp.storage.authenticated,BOOLEAN, +476,?,admin/admin.properties,?,4.1,,,,,idp.storage.defaultAuthenticationMethods,STRING, +472,?,admin/admin.properties,Audit log identifier for flow,4.1,,,,Storage,idp.storage.logging,STRING, +475,?,admin/admin.properties,Whether the flow should allow for non-browser clients during authentication,4.1,,,,false,idp.storage.nonBrowserSupported,BOOLEAN, +439,AACLI,admin/admin.properties,Name of access control policy for request authorization,4.1,,,,AccessByIPAddress,idp.resolvertest.accessPolicy,STRING, +440,AACLI,admin/admin.properties,Whether authentication should be performed prior to access control evaluation,4.1,,,,false,idp.resolvertest.authenticated,BOOLEAN, +442,AACLI,admin/admin.properties,?,4.1,,,,,idp.resolvertest.defaultAuthenticationMethods,STRING, +438,AACLI,admin/admin.properties,Audit log identifier for flow,4.1,,,,ResolverTest,idp.resolvertest.logging,STRING, +441,AACLI,admin/admin.properties,Whether the flow should allow for non-browser clients during authentication,4.1,,,,false,idp.resolvertest.nonBrowserSupported,BOOLEAN, +444,AACLI,admin/admin.properties,?,4.1,,,,,idp.resolvertest.postAuthenticationFlows,STRING, +443,AACLI,admin/admin.properties,Whether 
attributes should be resolved prior to access control evaluation,4.1,,,,false,idp.resolvertest.resolveAttributes,BOOLEAN, +466,AccountLockoutManagement,admin/admin.properties,Name of access control policy for request authorization,4.1,,,,AccessDenied,idp.lockout.accessPolicy,STRING, +467,AccountLockoutManagement,admin/admin.properties,Whether authentication should be performed prior to access control evaluation,4.1,,,,false,idp.lockout.authenticated,BOOLEAN, +469,AccountLockoutManagement,admin/admin.properties,?,4.1,,,,,idp.lockout.defaultAuthenticationMethods,STRING, +465,AccountLockoutManagement,admin/admin.properties,Audit log identifier for flow,4.1,,,,Lockout,idp.lockout.logging,STRING, +468,AccountLockoutManagement,admin/admin.properties,Whether the flow should allow for non-browser clients during authentication,4.1,,,,false,idp.lockout.nonBrowserSupported,BOOLEAN, +471,AccountLockoutManagement,admin/admin.properties,?,4.1,,,,,idp.lockout.postAuthenticationFlows,STRING, +470,AccountLockoutManagement,admin/admin.properties,Whether attributes should be resolved prior to access control evaluation,4.1,,,,false,idp.lockout.resolveAttributes,BOOLEAN, +477,AttendedRestartConfiguration,admin/admin.properties,Whether attributes should be resolved prior to access control evaluation,4.1,,,,false,idp.storage.resolveAttributes,BOOLEAN, +479,AttendedRestartConfiguration,admin/admin.properties,Name of access control policy for request authorization,4.1,,,,AccessDenied,idp.unlock-keys.accessPolicy,STRING, +480,AttendedRestartConfiguration,admin/admin.properties,Whether authentication should be performed prior to access control evaluation,4.1,,,,true,idp.unlock-keys.authenticated,BOOLEAN, +478,AttendedRestartConfiguration,admin/admin.properties,Audit log identifier for flow,4.1,,,,UnlockKeys,idp.unlock-keys.logging,STRING, +481,AttendedRestartConfiguration,admin/admin.properties,Whether the flow should allow for non-browser clients during 
authentication,4.1,,,,false,idp.unlock-keys.nonBrowserSupported,BOOLEAN, +483,AttendedRestartConfiguration,admin/admin.properties,?,4.1,,,,,idp.unlock-keys.postAuthenticationFlows,STRING, +482,AttendedRestartConfiguration,admin/admin.properties,Whether attributes should be resolved prior to access control evaluation,4.1,,,,false,idp.unlock-keys.resolveAttributes,BOOLEAN, +491,AttributePostLoginC14NConfiguration,c14n/subject-c14n.properties,Comma-delimited list of attributes to search for in the results looking for a StringAttributeValue or ScopedStringAttributeValue,4.1,,,,,idp.c14n.attribute.attributeSourceIds,STRING, +490,AttributePostLoginC14NConfiguration,c14n/subject-c14n.properties,Comma-delimited list of attributes to resolve (an empty list directs the resolver to resolve everything it can),4.1,,,,,idp.c14n.attribute.attributesToResolve,STRING, +487,AttributePostLoginC14NConfiguration,c14n/subject-c14n.properties,Whether to lowercase the username,4.1,,,,false,idp.c14n.attribute.lowercase,BOOLEAN, +493,AttributePostLoginC14NConfiguration,c14n/subject-c14n.properties,Bean ID of a Predicate to evaluate to determine whether to run the Attribute Resolver or go directly to the Subject alone,4.1,,,,shibboleth.Conditions.TRUE,idp.c14n.attribute.resolutionCondition,SPRING_BEAN_ID, +492,AttributePostLoginC14NConfiguration,c14n/subject-c14n.properties,Whether to examine the input Subject for IdPAttributePrincipal objects to pull from directly instead of from the output of the Attribute Resolver service,4.1,,,,false,idp.c14n.attribute.resolveFromSubject,BOOLEAN, +489,AttributePostLoginC14NConfiguration,c14n/subject-c14n.properties,Whether to trim leading and trailing whitespace from the username,4.1,,,,true,idp.c14n.attribute.trim,BOOLEAN, +488,AttributePostLoginC14NConfiguration,c14n/subject-c14n.properties,Whether to uppercase the username,4.1,,,,false,idp.c14n.attribute.uppercase,BOOLEAN, +515,AuditLoggingConfiguration,services.properties,Hash algorithm to apply to 
various hashed fields,4.1,,,,SHA-256,idp.audit.hashAlgorithm,STRING, +516,AuditLoggingConfiguration,services.properties,Salt to apply to hashed fields must be set to use those fields,4.1,,,,,idp.audit.salt,STRING, +118,AuditLoggingConfiguration,services.properties,"Set false if you want SAML bindings ""spelled out"" in audit log",all,,,,true,idp.audit.shortenBindings,BOOLEAN, +511,AuditLoggingConfiguration,services.properties,Suffix added to audit logging category when various profiles/flows are audited,all,,,you can use this to route different kinds of audit records to different destinations based on general function,SSO,idp.service.logging.cas,STRING, +510,AuditLoggingConfiguration,services.properties,Suffix added to audit logging category when various profiles/flows are audited,all,,,you can use this to route different kinds of audit records to different destinations based on general function,Logout,idp.service.logging.logout,STRING, +513,AuditLoggingConfiguration,services.properties,Suffix added to audit logging category when various profiles/flows are audited,all,,,you can use this to route different kinds of audit records to different destinations based on general function,ResolverTest,idp.service.logging.resolvertest,STRING, +505,AuditLoggingConfiguration,services.properties,Suffix added to audit logging category when various profiles/flows are audited,all,,,you can use this to route different kinds of audit records to different destinations based on general function,ArtifactResolution,idp.service.logging.saml1artifact,STRING, +504,AuditLoggingConfiguration,services.properties,Suffix added to audit logging category when various profiles/flows are audited,all,,,you can use this to route different kinds of audit records to different destinations based on general function,AttributeQuery,idp.service.logging.saml1attrquery,STRING, +503,AuditLoggingConfiguration,services.properties,Suffix added to audit logging category when various profiles/flows are 
audited,all,,,you can use this to route different kinds of audit records to different destinations based on general function,SSO,idp.service.logging.saml1sso,STRING, +508,AuditLoggingConfiguration,services.properties,Suffix added to audit logging category when various profiles/flows are audited,all,,,you can use this to route different kinds of audit records to different destinations based on general function,ArtifactResolution,idp.service.logging.saml2artifact,STRING, +507,AuditLoggingConfiguration,services.properties,Suffix added to audit logging category when various profiles/flows are audited,all,,,you can use this to route different kinds of audit records to different destinations based on general function,AttributeQuery,idp.service.logging.saml2attrquery,STRING, +509,AuditLoggingConfiguration,services.properties,Suffix added to audit logging category when various profiles/flows are audited,all,,,you can use this to route different kinds of audit records to different destinations based on general function,Logout,idp.service.logging.saml2slo,STRING, +506,AuditLoggingConfiguration,services.properties,Suffix added to audit logging category when various profiles/flows are audited,all,,,you can use this to route different kinds of audit records to different destinations based on general function,SSO,idp.service.logging.saml2sso,STRING, +514,AuditLoggingConfiguration,services.properties,Suffix added to audit logging category when various profiles/flows are audited,all,,,you can use this to route different kinds of audit records to different destinations based on general function,Reload,idp.service.logging.serviceReload,STRING, +512,AuditLoggingConfiguration,services.properties,Suffix added to audit logging category when various profiles/flows are audited,all,,,you can use this to route different kinds of audit records to different destinations based on general function,Status,idp.service.logging.status,STRING, 
+76,AuthenticationConfiguration,authn/authn.properties,Default amount of time to allow reuse prior authentication flows,all,,,measured since first usage,PT60M,idp.authn.defaultLifetime,DURATION, +77,AuthenticationConfiguration,authn/authn.properties,Default inactivity timeout to prevent reuse of prior authentication flows,all,,,measured since last usage,PT30M,idp.authn.defaultTimeout,DURATION, +82,AuthenticationConfiguration,authn/authn.properties,Provides a static discovery URL to use for external discovery this property replaces the need for the XML-defined bean used in V4.0 for this purpose,4.1,,,,,idp.authn.discoveryURL,STRING, +79,AuthenticationConfiguration,authn/authn.properties,Whether to prioritize prior authentication results when an SP requests more than one possible matching method,all,,,,false,idp.authn.favorSSO,BOOLEAN, +75,AuthenticationConfiguration,authn/authn.properties,Required expression that identifies the login flows to globally enable,all,,,"ex. Password, MA, DUO",,idp.authn.flows,STRING, +81,AuthenticationConfiguration,authn/authn.properties,Whether to fail requests if a user identity after authentication doesn't match the identity in a pre-existing session.,all,,,,false,idp.authn.identitySwitchIsError,BOOLEAN, +83,AuthenticationConfiguration,authn/authn.properties,Whether to override an explicit element in an SP’s request with a configuration-imposed rule via the defaultAuthenticationMethods profile configuration setting. 
Note this is a violation of the SAML standard and is also a global set,4,,,,false,idp.authn.overrideRequestedAuthnContext,BOOLEAN, +78,AuthenticationConfiguration,authn/authn.properties,Whether to enforce restrictions placed on further proxying of assertions from upstream IdPs when relying on proxied authentication,4.1,,,,true,idp.authn.proxyRestrictionsEnforced,BOOLEAN, +80,AuthenticationConfiguration,authn/authn.properties,Whether to populate information about the relying party into the tree for user interfaces during login and interceptors,all,,,,true,idp.authn.rpui,BOOLEAN, +111,CasProtocolConfiguration,idp.properties,If true CAS services provisioned with SAML metadata are identified via entityID,all,,,,false,idp.cas.relyingPartyIdFromMetadata,BOOLEAN, +110,CasProtocolConfiguration,idp.properties,CAS service registry implementation class,all,,,,net.shibboleth.idp.cas.service.PatternServiceRegistry,idp.cas.serviceRegistryClass,STRING, +109,CasProtocolConfiguration,idp.properties,"Storage service used by CAS protocol for chained proxy-granting tickets and when using server-managed ""simple"" TicketService. MUST be server-side storage (e.g. 
in-memory, memcached, database)",all,,,,shibboleth.StorageService,idp.cas.StorageService,SPRING_BEAN_ID, +94,ConsentConfiguration,idp.properties,Whether not remembering/storing consent is allowed,all,,,,true,idp.consent.allowDoNotRemember,BOOLEAN, +95,ConsentConfiguration,idp.properties,Whether consent to any attribute and to any relying party is allowed,all,,,,true,idp.consent.allowGlobal,BOOLEAN, +96,ConsentConfiguration,idp.properties,Whether per-attribute consent is allowed,all,,,,false,idp.consent.allowPerAttribute,BOOLEAN, +87,ConsentConfiguration,idp.properties,Optional condition to apply to control activation of attribute-release flow along with system default behavior,4.1,,,,shibboleth.Conditions.TRUE,idp.consent.attribute-release.activationCondition,SPRING_BEAN_ID, +88,ConsentConfiguration,idp.properties,Default consent auditing formats,all,,,Logback logging pattern,%T|%SP|%e|%u|%CCI|%CCV|%CCA,idp.consent.attribute-release.auditFormat,STRING, +85,ConsentConfiguration,idp.properties,Name of function used to return the String storage key representing a user defaults to the principal name,all,,,,shibboleth.consent.PrincipalConsentStorageKey,idp.consent.attribute-release.userStorageKey,SPRING_BEAN_ID, +86,ConsentConfiguration,idp.properties,Attribute whose value is the storage key representing a user,all,,,,uid,idp.consent.attribute-release.userStorageKeyAttribute,STRING, +97,ConsentConfiguration,idp.properties,Whether attribute values and terms of use text are stored and compared for equality,all,,,,false,idp.consent.compareValues,BOOLEAN, +99,ConsentConfiguration,idp.properties,"Maximum number of records stored when using larger/server-side storage, 0 = no limit",all,,,,0,idp.consent.expandedMaxStoredRecords,INTEGER, +98,ConsentConfiguration,idp.properties,"Maximum number of records stored when using space-limited storage (e.g. 
cookies), 0 = no limit",all,,,,10,idp.consent.maxStoredRecords,INTEGER, +100,ConsentConfiguration,idp.properties,Time in milliseconds to expire consent storage records,4.x,,,"(v4.0=P1Y,v4.1=infinite)",,idp.consent.storageRecordLifetime,DURATION, +84,ConsentConfiguration,idp.properties,Name of storage service used to store users' consent choices,all,,,,shibboleth.ClientPersistentStorageService,idp.consent.StorageService,SPRING_BEAN_ID, +92,ConsentConfiguration,idp.properties,Optional condition to apply to control activation of terms-of-use flow,4.1,,,,shibboleth.Conditions.TRUE,idp.consent.terms-of-use.activationCondition,SPRING_BEAN_ID, +93,ConsentConfiguration,idp.properties,Default consent auditing formats,all,,,Logback logging pattern,%T|%SP|%e|%u|%CCI|%CCV|%CCA,idp.consent.terms-of-use.auditFormat,STRING, +91,ConsentConfiguration,idp.properties,Suffix of message property used as value of consent storage records when idp.consent.compareValues is true,all,,,,.text,idp.consent.terms-of-use.consentValueMessageCodeSuffix,STRING, +89,ConsentConfiguration,idp.properties,Name of function used to return the String storage key representing a user defaults to the principal name,all,,,,shibboleth.consent.PrincipalConsentStorageKey,idp.consent.terms-of-use.userStorageKey,SPRING_BEAN_ID, +90,ConsentConfiguration,idp.properties,Attribute whose value is the storage key representing a user,all,,,,uid,idp.consent.terms-of-use.userStorageKeyAttribute,STRING, +2,Core,idp.properties,Used to point to additional property files to load. All properties must be unique and are ultimately pooled into a single unordered set.,all,,,"Comma seperated list of values ex. 
/conf/ldap.properties, /conf/services.properties",,idp.additionalProperties,STRING, +49,Core,idp.properties,Auto-configures a Content Security Policy response header,all,,,,frame-ancestors 'none',idp.csp,STRING, +4,Core,idp.properties,Identifies the file to serve for requests to the IdP's well-known metadata location,all,,,,%{idp.home}/metadata/idp-metadata.xml,idp.entityID.metadataFile,STRING, +10,Core,idp.properties,Identifies the file to serve for requests to the IdP's well-known metadata location,all,,,file pathname,%{idp.home}/metadata/idp-metadata.xml,idp.entityID.metadataFile,STRING, +48,Core,idp.properties,Auto-configures an X-Frame-Options response header,all,,,,DENY,idp.frameoptions,SELECTION_LIST,"DENY,SAMEORIGIN" +47,Core,idp.properties,Auto-configures an HSTS response header,all,,,,max-age=0,idp.hsts,STRING, +121,Core,idp.properties,Policies to use with Impersonate interceptor flow,all,,,Policy ID,GeneralImpersonationPolicy,idp.impersonate.generalPolicy,STRING, +122,Core,idp.properties,Policies to use with Impersonate interceptor flow,all,,,Policy ID,SpecificImpersonationPolicy,idp.impersonate.specificPolicy,STRING, +120,Core,idp.properties,Path to use with External interceptor flow,all,,,,contextRelative:intercept.jsp,idp.intercept.External.externalPath,STRING, +660,Core,idp.properties,???????,5.0,,,New in Shibboleth 5.0,,idp.responseHeaderCondition,SPRING_BEAN_ID, +11,Core,idp.properties,applies a (fixed) scope typically a domain-valued suffix to an input attribute's values,all,,,,,idp.scope,STRING, +1,Core,idp.properties,Auto-load all files matching conf/**/*.properties,4,,,,true,idp.searchForProperties,BOOLEAN, +107,Core,idp.properties,Allows the HttpClient used for SOAP communication to be overriden (applies to SAML logout via SOAP),all,,,Bean ID of HttpClient to use for SOAP-based logout,SOAPClient.HttpClient,idp.soap.httpClient,SPRING_BEAN_ID, +108,Core,idp.properties,languages to use if no match can be found with the browser-supported 
languages,all,,,"Comma seperated list of values ex. en, fr, de",,idp.ui.fallbackLanguages,STRING, +658,Core,idp.properties,???????,5.0,,,New in Shibboleth 5.0,,idp.updateCheck.enable,BOOLEAN, +119,Core,idp.properties,Set to true to fail on velocity syntax errors,all,,,,false,idp.velocity.runtime.strictmode,BOOLEAN, +51,Core,idp.properties,"Location from which to load user-modifiable Velocity view templates. This can be set to include ""classpath*:/META-INF/net/shibboleth/idp/views"" (or equivalent) to load templates from the classpath, such as from extension jars, but doing so disables suppor",all,,,Comma seperated list of values,%{idp.home}/views,idp.views,STRING, +50,Core,idp.properties,Location from which to load user-supplied webflows from,all,,,resource path,%{idp.home}/flows,idp.webflows,STRING, +657,Core,idp.properties,???????,5.0,,,New in Shibboleth 5.0,,opensaml.config.xml.unmarshall.strictMode,BOOLEAN, +45,CSRF,idp.properties,Enables CSRF protection,4,,,,true,idp.csrf.enabled,BOOLEAN, +46,CSRF,idp.properties,Name of the HTTP parameter that stores the CSRF token,4,,,,csrf_token,idp.csrf.token.parameter,STRING, +320,DuoAuthnConfiguration,authn/authn.properties,(REMOVED v5 IDP) Bean ID of Predicate determining whether flow is usable for request,4.1,idp.authn.Duo,,Removed from Shibboleth 5.0,shibboleth.Conditions.TRUE,idp.authn.Duo.activationCondition,SPRING_BEAN_ID, +323,DuoAuthnConfiguration,authn/authn.properties,(REMOVED v5 IDP) Whether to auto-attach the preceding set of Principal objects to each Subject produced by this flow,4.1,idp.authn.Duo,,Removed from Shibboleth 5.0,true,idp.authn.Duo.addDefaultPrincipals,BOOLEAN, +316,DuoAuthnConfiguration,authn/authn.properties,(REMOVED v5 IDP) Whether to invoke IdP discovery prior to running flow,4.1,idp.authn.Duo,,Removed from Shibboleth 5.0,false,idp.authn.Duo.discoveryRequired,BOOLEAN, +313,DuoAuthnConfiguration,authn/authn.properties,(REMOVED v5 IDP) Whether the flow supports forced 
authentication,4.1,idp.authn.Duo,,Removed from Shibboleth 5.0,false,idp.authn.Duo.forcedAuthenticationSupported,BOOLEAN, +318,DuoAuthnConfiguration,authn/authn.properties,(REMOVED v5 IDP) Inactivity timeout of results produced by this flow,4.1,idp.authn.Duo,,Removed from Shibboleth 5.0,%{idp.authn.defaultTimeout:PT30M},idp.authn.Duo.inactivityTimeout,DURATION, +317,DuoAuthnConfiguration,authn/authn.properties,(REMOVED v5 IDP) Lifetime of results produced by this flow,4.1,idp.authn.Duo,,Removed from Shibboleth 5.0,%{idp.authn.defaultLifetime:PT1H},idp.authn.Duo.lifetime,DURATION, +311,DuoAuthnConfiguration,authn/authn.properties,"(REMOVED v5 IDP) Whether the flow should handle non-browser request profiles (e.g., ECP)",4.1,idp.authn.Duo,,Removed from Shibboleth 5.0,false,idp.authn.Duo.nonBrowserSupported,BOOLEAN, +310,DuoAuthnConfiguration,authn/authn.properties,"(REMOVED v5 IDP) Flow priority relative to other enabled login flows (lower is ""higher"" in priority)",4.1,idp.authn.Duo,,Removed from Shibboleth 5.0,1000,idp.authn.Duo.order,INTEGER, +312,DuoAuthnConfiguration,authn/authn.properties,(REMOVED v5 IDP) Whether the flow allows for passive authentication,4.1,idp.authn.Duo,,Removed from Shibboleth 5.0,false,idp.authn.Duo.passiveAuthenticationSupported,BOOLEAN, +314,DuoAuthnConfiguration,authn/authn.properties,(REMOVED v5 IDP) Whether the flow enforces upstream IdP imposed restrictions on proxying,4.1,idp.authn.Duo,,Removed from Shibboleth 5.0,%{idp.authn.enforceProxyRestrictions:true},idp.authn.Duo.proxyRestrictionsEnforced,BOOLEAN, +315,DuoAuthnConfiguration,authn/authn.properties,(REMOVED v5 IDP) Whether the flow considers itself to be proxying and therefore enforces SP signaled restrictions on proxying,4.1,idp.authn.Duo,,Removed from Shibboleth 5.0,false,idp.authn.Duo.proxyScopingEnforced,BOOLEAN, +319,DuoAuthnConfiguration,authn/authn.properties,(REMOVED v5 IDP) Bean ID of Predicate controlling result reuse for SSO,4.1,idp.authn.Duo,,Removed from Shibboleth 
5.0,shibboleth.Conditions.TRUE,idp.authn.Duo.reuseCondition,SPRING_BEAN_ID, +321,DuoAuthnConfiguration,authn/authn.properties,(REMOVED v5 IDP) Bean ID of BiConsumer determining whether flow is usable for request,4.1,idp.authn.DuoOIDC,1,,shibboleth.Conditions.TRUE,idp.authn.DuoOIDC.activationCondition,SPRING_BEAN_ID, +593,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Whether to auto-attach the preceding set ofPrincipalobjects to eachSubjectproduced by this flow,4.1,idp.authn.DuoOIDC,1,,false,idp.authn.DuoOIDC.addDefaultPrincipals,BOOLEAN, +586,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Whether to invoke IdP-discovery prior to running flow,4.1,idp.authn.DuoOIDC,1,,false,idp.authn.DuoOIDC.discoveryRequired,BOOLEAN, +583,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Whether the flow supports forced authentication,4.1,idp.authn.DuoOIDC,1,,true,idp.authn.DuoOIDC.forcedAuthenticationSupported,BOOLEAN, +588,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Inactivity timeout of results produced by this flow,4.1,idp.authn.DuoOIDC,1,,%{idp.authn.defaultTimeout:PT30M},idp.authn.DuoOIDC.inactivityTimeout,DURATION, +587,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Lifetime of results produced by this flow,4.1,idp.authn.DuoOIDC,1,,%{idp.authn.defaultLifetime:PT1H},idp.authn.DuoOIDC.lifetime,DURATION, +581,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,"Whether the flow should handle non-browser request profiles (e.g., ECP)",4.1,idp.authn.DuoOIDC,1,,false,idp.authn.DuoOIDC.nonBrowserSupported,BOOLEAN, +580,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,"Flow priority relative to other enabled login flows (lower is ""higher"" in priority)",4.1,idp.authn.DuoOIDC,1,,1000,idp.authn.DuoOIDC.order,INTEGER, +582,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Whether the flow allows for passive authentication,4.1,idp.authn.DuoOIDC,1,,false,idp.authn.DuoOIDC.passiveAuthenticationSupported,BOOLEAN, 
+584,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Whether the flow enforces upstream IdP-imposed restrictions on proxying,4.1,idp.authn.DuoOIDC,1,,%{idp.authn.enforceProxyRestrictions:true},idp.authn.DuoOIDC.proxyRestrictionsEnforced,BOOLEAN, +585,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Whether the flow considers itself to be proxying,4.1,idp.authn.DuoOIDC,1,and therefore enforces SP-signaled restrictions on proxying,false,idp.authn.DuoOIDC.proxyScopingEnforced,BOOLEAN, +589,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Bean ID ofPredicate controlling result reuse for SSO,4.1,idp.authn.DuoOIDC,1,,shibboleth.Conditions.TRUE,idp.authn.DuoOIDC.reuseCondition,SPRING_BEAN_ID, +591,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,"Bean ID ofBiConsumer for subject customization",4.1,idp.authn.DuoOIDC,1,,,idp.authn.DuoOIDC.subjectDecorator,SPRING_BEAN_ID, +592,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Comma-delimited list of protocol-specific Principalstrings associated with flow,4.1,idp.authn.DuoOIDC,1,,"saml2/http://example.org/ac/classes/mfa, saml1/http://example.org/ac/classes/mfa",idp.authn.DuoOIDC.supportedPrincipals,STRING, +594,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,DuoOIDC API hostname assigned to the integration,4.1,idp.authn.DuoOIDC,1,,,idp.duo.oidc.apiHost,STRING, +595,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,The OAuth 2.0 Client Identifier valid at the Authorization Server,4.1,idp.authn.DuoOIDC,1,,,idp.duo.oidc.clientId,STRING, +616,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Maximum length of time to wait for a connection to be returned from the connection manager,4.1,idp.authn.DuoOIDC,1 (nimbus),,PT1M,idp.duo.oidc.connectionRequestTimeout,DURATION, +615,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Maximum length of time to wait for the connection to be established,4.1,idp.authn.DuoOIDC,1 (nimbus),,PT1M,idp.duo.oidc.connectionTimeout,DURATION, 
+601,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Duo's OAuth 2.0 authorization endpoint,4.1,idp.authn.DuoOIDC,1,,/oauth/v1/authorize,idp.duo.oidc.endpoint.authorize,STRING, +599,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Duo's OAuth 2.0 health check endpoint,4.1,idp.authn.DuoOIDC,1,,/oauth/v1/health_check,idp.duo.oidc.endpoint.health,STRING, +600,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Duo's OAuth 2.0 token endpoint,4.1,idp.authn.DuoOIDC,1,,/oauth/v1/token,idp.duo.oidc.endpoint.token,STRING, +606,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,How long the authentication is valid. Only applies to forced authentication requests.,4.1,idp.authn.DuoOIDC,1,,PT60S,idp.duo.oidc.jwt.verifier.authLifetime,DURATION, +602,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Leeway allowed in token expiry calculations,4.1,idp.authn.DuoOIDC,1,,PT60S,idp.duo.oidc.jwt.verifier.clockSkew,DURATION, +603,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Maximum amount (in either direction from now) of duration for which a token is valid after it is issued,4.1,idp.authn.DuoOIDC,1,,PT60S,idp.duo.oidc.jwt.verifier.iatWindow,DURATION, +604,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,The path component of the Duo token issuer. 
The full issuer string takes the format: HTTPS://+,4.1,idp.authn.DuoOIDC,1,,/oauth/v1/token,idp.duo.oidc.jwt.verifier.issuerPath,STRING, +605,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,The result token JWT claim name that represents the username sent in the duo_uname field in the authorization request.,4.1,idp.authn.DuoOIDC,1,,preferred_username,idp.duo.oidc.jwt.verifier.preferredUsername,STRING, +619,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Max simultaneous connections per route allowed by the pooling connection manager,4.1,idp.authn.DuoOIDC,1 (nimbus),,100,idp.duo.oidc.maxConnectionsPerRoute,INTEGER, +618,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Max total simultaneous connections allowed by the pooling connection manager,4.1,idp.authn.DuoOIDC,1 (nimbus),,100,idp.duo.oidc.maxConnectionsTotal,INTEGER, +620,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,To enable certificate revocation checking,4.1,idp.authn.DuoOIDC,1 (nimbus),,false,idp.duo.oidc.nimbus.checkRevocation,BOOLEAN, +607,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Duo AuthAPI hostname assigned to the integration,4.1,idp.authn.DuoOIDC,1,,%{idp.duo.oidc.apiHost},idp.duo.oidc.nonbrowser.apiHost,STRING, +613,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,"Allow the factor to be defaulted in as ""auto"" if no headers are received",4.1,idp.authn.DuoOIDC,1,,true,idp.duo.oidc.nonbrowser.auto,BOOLEAN, +614,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Pass client address to Duo in API calls to support logging,4.1,idp.authn.DuoOIDC,1,push display,true,idp.duo.oidc.nonbrowser.clientAddressTrusted,BOOLEAN, +611,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Name of HTTP request header for Duo AuthAPI device ID or name,4.1,idp.authn.DuoOIDC,1,,X-Shibboleth-Duo-Device,idp.duo.oidc.nonbrowser.header.device,STRING, +610,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Name of HTTP request header for Duo AuthAPI 
factor,4.1,idp.authn.DuoOIDC,1,,X-Shibboleth-Duo-Factor,idp.duo.oidc.nonbrowser.header.factor,STRING,
+612,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Name of HTTP request header for Duo AuthAPI passcode,4.1,idp.authn.DuoOIDC,1,,X-Shibboleth-Duo-Passcode,idp.duo.oidc.nonbrowser.header.passcode,STRING,
+608,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Duo AuthAPI integration key supplied by Duo,4.1,idp.authn.DuoOIDC,1,,,idp.duo.oidc.nonbrowser.integrationKey,STRING,
+609,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Duo AuthAPI secret key supplied by Duo,4.1,idp.authn.DuoOIDC,1,,,idp.duo.oidc.nonbrowser.secretKey,STRING,
+596,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Redirection URI to which the 2FA response will be sent,4.1,idp.authn.DuoOIDC,1,ex. https://:/idp/profile/Authn/Duo/2FA/duo-callback,,idp.duo.oidc.redirectURL,STRING,
+597,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,If the idp.duo.oidc.redirectURL is not set one will be computed dynamically and checked against this list of allowed origins - to prevent Http Host Header injection.,4.1,idp.authn.DuoOIDC,1,,,idp.duo.oidc.redirecturl.allowedOrigins,STRING,
+598,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,The client secret used to verify the client in exchanging the authorization code for a Duo 2FA result token (id_token).,4.1,idp.authn.DuoOIDC,1,,,idp.duo.oidc.secretKey,STRING,
+617,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Maximum period inactivity between two consecutive data packets,4.1,idp.authn.DuoOIDC,1 (nimbus),,PT1M,idp.duo.oidc.socketTimeout,DURATION,
+54,ErrorHandlingConfiguration,idp.properties,The default view name to render for exceptions and events,all,,,,error,idp.errors.defaultView,STRING,
+52,ErrorHandlingConfiguration,idp.properties,Whether to expose detailed error causes in status information provided to outside parties,all,,,,false,idp.errors.detailed,BOOLEAN,
+56,ErrorHandlingConfiguration,idp.properties,"Bean defining Collection 
identifying exception classes to ignore (causing them to bubble outward, so use with caution)",all,,,Bean ID of Collection (java.util),,idp.errors.exceptionMappings,SPRING_BEAN_ID,
+55,ErrorHandlingConfiguration,idp.properties,"Bean defing Properties mapping exception class names to error views. The matching by class name does not support wildcards, but does do substring matches (so it's not necessary to fully qualify the class).",all,,,Bean ID of Properties (java.util.Properties),,idp.errors.excludedExceptions,SPRING_BEAN_ID,
+53,ErrorHandlingConfiguration,idp.properties,"Whether to digitally sign error responses in SAML or similar protocols, if signing is otherwise warranted (this can prevent a simple denial of service vector, since errors are simple to trigger)",all,,,,true,idp.errors.signed,BOOLEAN,
+176,ExternalAuthnConfiguration,authn/authn.properties,Bean ID of Predicate determining whether flow is usable for request,4.1,idp.authn.External,,,shibboleth.Conditions.TRUE,idp.authn.External.activationCondition,SPRING_BEAN_ID,
+179,ExternalAuthnConfiguration,authn/authn.properties,Whether to auto-attach the preceding set of Principal objects to each Subject produced by this flow,4.1,idp.authn.External,,,true,idp.authn.External.addDefaultPrincipals,BOOLEAN,
+172,ExternalAuthnConfiguration,authn/authn.properties,Whether to invoke IdP discovery prior to running flow,4.1,idp.authn.External,,,false,idp.authn.External.discoveryRequired,BOOLEAN,
+164,ExternalAuthnConfiguration,authn/authn.properties,Spring Web Flow redirection expression for the protected resource,4.1,idp.authn.External,,,contextRelative:external.jsp,idp.authn.External.externalAuthnPath,STRING,
+169,ExternalAuthnConfiguration,authn/authn.properties,Whether the flow supports forced authentication,4.1,idp.authn.External,,,false,idp.authn.External.forcedAuthenticationSupported,BOOLEAN,
+174,ExternalAuthnConfiguration,authn/authn.properties,Inactivity timeout of results produced by this 
flow,4.1,idp.authn.External,,,%{idp.authn.defaultTimeout:PT30M},idp.authn.External.inactivityTimeout,DURATION,
+173,ExternalAuthnConfiguration,authn/authn.properties,Lifetime of results produced by this flow,4.1,idp.authn.External,,,%{idp.authn.defaultLifetime:PT1H},idp.authn.External.lifetime,DURATION,
+165,ExternalAuthnConfiguration,authn/authn.properties,Regular expression to match username against,4.1,idp.authn.External,,regex expected,,idp.authn.External.matchExpression,STRING,
+167,ExternalAuthnConfiguration,authn/authn.properties,"Whether the flow should handle non-browser request profiles (e.g., ECP)",4.1,idp.authn.External,,,false,idp.authn.External.nonBrowserSupported,BOOLEAN,
+166,ExternalAuthnConfiguration,authn/authn.properties,"Flow priority relative to other enabled login flows (lower is ""higher"" in priority)",4.1,idp.authn.External,,,1000,idp.authn.External.order,INTEGER,
+168,ExternalAuthnConfiguration,authn/authn.properties,Whether the flow allows for passive authentication,4.1,idp.authn.External,,,false,idp.authn.External.passiveAuthenticationSupported,BOOLEAN,
+170,ExternalAuthnConfiguration,authn/authn.properties,Whether the flow enforces upstream IdP imposed restrictions on proxying,4.1,idp.authn.External,,,%{idp.authn.enforceProxyRestrictions:true},idp.authn.External.proxyRestrictionsEnforced,BOOLEAN,
+171,ExternalAuthnConfiguration,authn/authn.properties,Whether the flow considers itself to be proxying and therefore enforces SP signaled restrictions on proxying,4.1,idp.authn.External,,,false,idp.authn.External.proxyScopingEnforced,BOOLEAN,
+175,ExternalAuthnConfiguration,authn/authn.properties,Bean ID of Predicate controlling result reuse for SSO,4.1,idp.authn.External,,,shibboleth.Conditions.TRUE,idp.authn.External.reuseCondition,SPRING_BEAN_ID,
+177,ExternalAuthnConfiguration,authn/authn.properties,Bean ID of BiConsumer to use to decide whether to run,4.1,,,,,idp.fticks.condition,SPRING_BEAN_ID, 
+112,FTICKSLoggingConfiguration,idp.properties,Enables F-TICKS output and specifies the value of the federation-identifier field,all,,,,,idp.fticks.federation,STRING,
+116,FTICKSLoggingConfiguration,idp.properties,The remote syslog host,all,,,,localhost,idp.fticks.loghost,STRING,
+117,FTICKSLoggingConfiguration,idp.properties,The remote syslog port,all,,,,514,idp.fticks.logport,INTEGER,
+115,FTICKSLoggingConfiguration,idp.properties,"A salt to apply when digesting usernames (if not specified, the username will not be included)",all,,,,,idp.fticks.salt,STRING,
+294,FunctionAuthnConfiguration,authn/authn.properties,Bean ID of Predicate determining whether flow is usable for request,4.1,idp.authn.Function,,,shibboleth.Conditions.TRUE,idp.authn.Function.activationCondition,SPRING_BEAN_ID,
+297,FunctionAuthnConfiguration,authn/authn.properties,Whether to auto-attach the preceding set of Principal objects to each Subject produced by this flow,4.1,idp.authn.Function,,,true,idp.authn.Function.addDefaultPrincipals,BOOLEAN,
+290,FunctionAuthnConfiguration,authn/authn.properties,Whether to invoke IdP discovery prior to running flow,4.1,idp.authn.Function,,,false,idp.authn.Function.discoveryRequired,BOOLEAN,
+287,FunctionAuthnConfiguration,authn/authn.properties,Whether the flow supports forced authentication,4.1,idp.authn.Function,,,false,idp.authn.Function.forcedAuthenticationSupported,BOOLEAN,
+292,FunctionAuthnConfiguration,authn/authn.properties,Inactivity timeout of results produced by this flow,4.1,idp.authn.Function,,,%{idp.authn.defaultTimeout:PT30M},idp.authn.Function.inactivityTimeout,DURATION,
+291,FunctionAuthnConfiguration,authn/authn.properties,Lifetime of results produced by this flow,4.1,idp.authn.Function,,,%{idp.authn.defaultLifetime:PT1H},idp.authn.Function.lifetime,DURATION,
+285,FunctionAuthnConfiguration,authn/authn.properties,"Whether the flow should handle non-browser request profiles (e.g., 
ECP)",4.1,idp.authn.Function,,,false,idp.authn.Function.nonBrowserSupported,BOOLEAN,
+284,FunctionAuthnConfiguration,authn/authn.properties,"Flow priority relative to other enabled login flows (lower is ""higher"" in priority)",4.1,idp.authn.Function,,,1000,idp.authn.Function.order,INTEGER,
+286,FunctionAuthnConfiguration,authn/authn.properties,Whether the flow allows for passive authentication,4.1,idp.authn.Function,,,false,idp.authn.Function.passiveAuthenticationSupported,BOOLEAN,
+288,FunctionAuthnConfiguration,authn/authn.properties,Whether the flow enforces upstream IdP imposed restrictions on proxying,4.1,idp.authn.Function,,,%{idp.authn.enforceProxyRestrictions:true},idp.authn.Function.proxyRestrictionsEnforced,BOOLEAN,
+289,FunctionAuthnConfiguration,authn/authn.properties,Whether the flow considers itself to be proxying and therefore enforces SP signaled restrictions on proxying,4.1,idp.authn.Function,,,false,idp.authn.Function.proxyScopingEnforced,BOOLEAN,
+293,FunctionAuthnConfiguration,authn/authn.properties,Bean ID of Predicate controlling result reuse for SSO,4.1,idp.authn.Function,,,shibboleth.Conditions.TRUE,idp.authn.Function.reuseCondition,SPRING_BEAN_ID,
+295,FunctionAuthnConfiguration,authn/authn.properties,Bean ID of BiConsumer determining whether flow is usable for request,4.1,idp.authn.IPAddress,,,shibboleth.Conditions.TRUE,idp.authn.IPAddress.activationCondition,SPRING_BEAN_ID,
+283,IPAddressAuthnConfiguration,authn/authn.properties,Whether to auto-attach the preceding set of Principal objects to each Subject produced by this flow,4.1,idp.authn.IPAddress,,,true,idp.authn.IPAddress.addDefaultPrincipals,BOOLEAN,
+276,IPAddressAuthnConfiguration,authn/authn.properties,Whether to invoke IdP discovery prior to running flow,4.1,idp.authn.IPAddress,,,false,idp.authn.IPAddress.discoveryRequired,BOOLEAN,
+273,IPAddressAuthnConfiguration,authn/authn.properties,Whether the flow supports forced 
authentication,4.1,idp.authn.IPAddress,,,false,idp.authn.IPAddress.forcedAuthenticationSupported,BOOLEAN,
+278,IPAddressAuthnConfiguration,authn/authn.properties,Inactivity timeout of results produced by this flow,4.1,idp.authn.IPAddress,,,%{idp.authn.defaultTimeout:PT30M},idp.authn.IPAddress.inactivityTimeout,DURATION,
+277,IPAddressAuthnConfiguration,authn/authn.properties,Lifetime of results produced by this flow,4.1,idp.authn.IPAddress,,,%{idp.authn.defaultLifetime:PT1H},idp.authn.IPAddress.lifetime,DURATION,
+271,IPAddressAuthnConfiguration,authn/authn.properties,"Whether the flow should handle non-browser request profiles (e.g., ECP)",4.1,idp.authn.IPAddress,,,false,idp.authn.IPAddress.nonBrowserSupported,BOOLEAN,
+270,IPAddressAuthnConfiguration,authn/authn.properties,"Flow priority relative to other enabled login flows (lower is ""higher"" in priority)",4.1,idp.authn.IPAddress,,,1000,idp.authn.IPAddress.order,INTEGER,
+272,IPAddressAuthnConfiguration,authn/authn.properties,Whether the flow allows for passive authentication,4.1,idp.authn.IPAddress,,,false,idp.authn.IPAddress.passiveAuthenticationSupported,BOOLEAN,
+274,IPAddressAuthnConfiguration,authn/authn.properties,Whether the flow enforces upstream IdP imposed restrictions on proxying,4.1,idp.authn.IPAddress,,,%{idp.authn.enforceProxyRestrictions:true},idp.authn.IPAddress.proxyRestrictionsEnforced,BOOLEAN,
+275,IPAddressAuthnConfiguration,authn/authn.properties,Whether the flow considers itself to be proxying and therefore enforces SP signaled restrictions on proxying,4.1,idp.authn.IPAddress,,,false,idp.authn.IPAddress.proxyScopingEnforced,BOOLEAN,
+279,IPAddressAuthnConfiguration,authn/authn.properties,Bean ID of Predicate controlling result reuse for SSO,4.1,idp.authn.IPAddress,,,shibboleth.Conditions.TRUE,idp.authn.IPAddress.reuseCondition,SPRING_BEAN_ID,
+281,IPAddressAuthnConfiguration,authn/authn.properties,Bean ID of BiConsumer,false,idp.logout.promptUser,SPRING_BEAN_ID, 
+106,LogoutConfiguration,idp.properties,"Applies the ""display:none"" style to the list of SPs and logout status reporting images so that logout status is not visibly reported to the user",4.2,,,,false,idp.logout.propagationHidden,BOOLEAN,
+639,Metadatagen,mdgen.properties,Specifies the path to the certificate protecting the back channel. This should not be used in conjunction with the --backChannel qualifier.,4.1,idp.metadatagen,1,,,idp.metadata.backchannel.cert,STRING,
+638,Metadatagen,mdgen.properties,Supplies the DNS name used within the URLs specifying the end points. This should not be used in conjunction with the --DNSName qualifier,4.1,idp.metadatagen,1,,,idp.metadata.dnsname,STRING,
+645,Metadatagen,mdgen.properties,Description for the IdP in the specified language. If this is absent for a language specified above then not is emitted for that language,4.1,idp.metadatagen,1,,,idp.metadata.idpsso.mdui.description.,STRING,
+644,Metadatagen,mdgen.properties,Display name for the IdP in the specified language. If this is absent for a language specified above then not is emitted for that language,4.1,idp.metadatagen,1,,,idp.metadata.idpsso.mdui.displayname.,STRING,
+643,Metadatagen,mdgen.properties,A space separated list of languages used to lookup values formed appending each one to the name and description properties idp.metadata.idpsso.mdui.displayname. and idp.metadata.idpsso.mdui.description.. If this is absent then an is always emitted. 
If this is absent then then a fixed path ('/path/to/logo') is use,4.1,idp.metadatagen,1,,,idp.metadata.idpsso.mdui.logo.path,STRING,
+642,Metadatagen,mdgen.properties,The width of the logo in pixels,4.1,idp.metadatagen,1,,80,idp.metadata.idpsso.mdui.logo.width,INTEGER,
+446,MetadataQuery,admin/admin.properties,Name of access control policy for request authorization,4.1,,,,AccessByIPAddress,idp.mdquery.accessPolicy,STRING,
+447,MetadataQuery,admin/admin.properties,Whether authentication should be performed prior to access control evaluation,4.1,,,,false,idp.mdquery.authenticated,BOOLEAN,
+449,MetadataQuery,admin/admin.properties,?,4.1,,,,,idp.mdquery.defaultAuthenticationMethods,STRING,
+445,MetadataQuery,admin/admin.properties,Audit log identifier for flow,4.1,,,,MetadataQuery,idp.mdquery.logging,STRING,
+448,MetadataQuery,admin/admin.properties,Whether the flow should allow for non-browser clients during authentication,4.1,,,,false,idp.mdquery.nonBrowserSupported,BOOLEAN,
+451,MetadataQuery,admin/admin.properties,?,4.1,,,,,idp.mdquery.postAuthenticationFlows,STRING,
+450,MetadataQuery,admin/admin.properties,Whether attributes should be resolved prior to access control evaluation,4.1,,,,false,idp.mdquery.resolveAttributes,BOOLEAN,
+432,MetadataReload,admin/admin.properties,Name of access control policy for request authorization,4.1,,,,AccessByIPAddress,idp.reload.accessPolicy,STRING,
+433,MetadataReload,admin/admin.properties,Whether authentication should be performed prior to access control evaluation,4.1,,,,false,idp.reload.authenticated,BOOLEAN,
+435,MetadataReload,admin/admin.properties,?,4.1,,,,,idp.reload.defaultAuthenticationMethods,STRING,
+431,MetadataReload,admin/admin.properties,Audit log identifier for flow,4.1,,,,Reload,idp.reload.logging,STRING,
+434,MetadataReload,admin/admin.properties,Whether the flow should allow for non-browser clients during authentication,4.1,,,,false,idp.reload.nonBrowserSupported,BOOLEAN, 
+437,MetadataReload,admin/admin.properties,?,4.1,,,,,idp.reload.postAuthenticationFlows,STRING,
+436,MetadataReload,admin/admin.properties,Whether attributes should be resolved prior to access control evaluation,4.1,,,,false,idp.reload.resolveAttributes,BOOLEAN,
+453,MetricsConfiguration,admin/admin.properties,Whether authentication should be performed prior to access control evaluation,4.1,,,,false,idp.metrics.authenticated,BOOLEAN,
+455,MetricsConfiguration,admin/admin.properties,?,4.1,,,,,idp.metrics.defaultAuthenticationMethods,STRING,
+452,MetricsConfiguration,admin/admin.properties,Audit log identifier for flow,4.1,,,,Metrics,idp.metrics.logging,STRING,
+454,MetricsConfiguration,admin/admin.properties,Whether the flow should allow for non-browser clients during authentication,4.1,,,,false,idp.metrics.nonBrowserSupported,BOOLEAN,
+457,MetricsConfiguration,admin/admin.properties,?,4.1,,,,,idp.metrics.postAuthenticationFlows,STRING,
+456,MetricsConfiguration,admin/admin.properties,Whether attributes should be resolved prior to access control evaluation,4.1,,,,false,idp.metrics.resolveAttributes,BOOLEAN,
+354,MultiFactorAuthnConfiguration,authn/authn.properties,Bean ID of Predicate determining whether flow is usable for request,4.1,idp.authn.MFA,,,shibboleth.Conditions.TRUE,idp.authn.MFA.activationCondition,SPRING_BEAN_ID,
+357,MultiFactorAuthnConfiguration,authn/authn.properties,Whether to auto-attach the preceding set of Principal objects to each Subject produced by this flow,4.1,idp.authn.MFA,,,true,idp.authn.MFA.addDefaultPrincipals,BOOLEAN,
+350,MultiFactorAuthnConfiguration,authn/authn.properties,Whether to invoke IdP discovery prior to running flow,4.1,idp.authn.MFA,,,false,idp.authn.MFA.discoveryRequired,BOOLEAN,
+347,MultiFactorAuthnConfiguration,authn/authn.properties,Whether the flow supports forced authentication,4.1,idp.authn.MFA,,,false,idp.authn.MFA.forcedAuthenticationSupported,BOOLEAN, 
+352,MultiFactorAuthnConfiguration,authn/authn.properties,Inactivity timeout of results produced by this flow,4.1,idp.authn.MFA,,,%{idp.authn.defaultTimeout:PT30M},idp.authn.MFA.inactivityTimeout,DURATION,
+351,MultiFactorAuthnConfiguration,authn/authn.properties,Lifetime of results produced by this flow,4.1,idp.authn.MFA,,,%{idp.authn.defaultLifetime:PT1H},idp.authn.MFA.lifetime,DURATION,
+345,MultiFactorAuthnConfiguration,authn/authn.properties,"Whether the flow should handle non-browser request profiles (e.g., ECP)",4.1,idp.authn.MFA,,,false,idp.authn.MFA.nonBrowserSupported,BOOLEAN,
+344,MultiFactorAuthnConfiguration,authn/authn.properties,"Flow priority relative to other enabled login flows (lower is ""higher"" in priority)",4.1,idp.authn.MFA,,,1000,idp.authn.MFA.order,INTEGER,
+346,MultiFactorAuthnConfiguration,authn/authn.properties,Whether the flow allows for passive authentication,4.1,idp.authn.MFA,,,false,idp.authn.MFA.passiveAuthenticationSupported,BOOLEAN,
+348,MultiFactorAuthnConfiguration,authn/authn.properties,Whether the flow enforces upstream IdP imposed restrictions on proxying,4.1,idp.authn.MFA,,,%{idp.authn.enforceProxyRestrictions:true},idp.authn.MFA.proxyRestrictionsEnforced,BOOLEAN,
+349,MultiFactorAuthnConfiguration,authn/authn.properties,Whether the flow considers itself to be proxying and therefore enforces SP signaled restrictions on proxying,4.1,idp.authn.MFA,,,false,idp.authn.MFA.proxyScopingEnforced,BOOLEAN,
+353,MultiFactorAuthnConfiguration,authn/authn.properties,Bean ID of Predicate controlling result reuse for SSO,4.1,idp.authn.MFA,,,shibboleth.Conditions.TRUE,idp.authn.MFA.reuseCondition,SPRING_BEAN_ID,
+355,MultiFactorAuthnConfiguration,authn/authn.properties,Bean ID of BiConsumer determining whether flow is usable for request,4.1,idp.oidc.OP,3,,shibboleth.Conditions.TRUE,idp.authn.OAuth2Client.activationCondition,SPRING_BEAN_ID,
+557,OAuth2ClientAuthnConfiguration,oidc.properties,Whether to auto-attach the preceding set of 
Principal objects to each Subject produced by this flow,4.1,idp.oidc.OP,3,,true,idp.authn.OAuth2Client.addDefaultPrincipals,BOOLEAN,
+553,OAuth2ClientAuthnConfiguration,oidc.properties,"Flow priority relative to other enabled login flows (lower is ""higher"" in priority)",4.1,idp.oidc.OP,3,,1000,idp.authn.OAuth2Client.order,INTEGER,
+551,OAuth2ClientAuthnConfiguration,oidc.properties,Whether to remove the object holding the password from the request's active state after validating it (to avoid it being preserved in the session any longer than needed),4.1,idp.oidc.OP,3,,true,idp.authn.OAuth2Client.removeAfterValidation,BOOLEAN,
+550,OAuth2ClientAuthnConfiguration,oidc.properties,Whether all validators must succeed or just one,4.1,idp.oidc.OP,3,,false,idp.authn.OAuth2Client.requireAll,BOOLEAN,
+552,OAuth2ClientAuthnConfiguration,oidc.properties,Whether to keep the password around as a private credential in the Java Subject for use in later stages such as attribute resolution,4.1,idp.oidc.OP,3,use with caution as it retains the password and makes it available in plaintext from within server memory at various stages.,false,idp.authn.OAuth2Client.retainAsPrivateCredential,BOOLEAN,
+555,OAuth2ClientAuthnConfiguration,oidc.properties,Bean ID of BiConsumer> called shibboleth.oidc.AllowedAudienceStrategy",4.1,idp.oidc.OP,3,,,idp.oauth2.defaultAllowedAudience,SPRING_BEAN_ID,
+574,OPClientCredentialsGrant,oidc.properties,"bean of type Function called shibboleth.oidc.AllowedScopeStrategy",4.1,idp.oidc.OP,3,,,idp.oauth2.defaultAllowedScope,SPRING_BEAN_ID,
+572,OPClientResolution,oidc.properties,When non-zero enables monitoring of resources for service reload,4.1,idp.oidc.OP,3,,PT0S,idp.service.clientinfo.checkInterval,DURATION,
+571,OPClientResolution,oidc.properties,If true any failures during initialization of any resolvers result in IdP startup failure,4.1,idp.oidc.OP,3,,false,idp.service.clientinfo.failFast,BOOLEAN,
+573,OPClientResolution,oidc.properties,Name of bean used 
to define the resources to use in configuring this service,4.1,idp.oidc.OP,3,,shibboleth.ClientInformationResolverResources,idp.service.clientinfo.resources,SPRING_BEAN_ID,
+558,OPCustomFilterRegistration,oidc.properties,"By default this configures the values defined by the idp.hsts, idp.frameoptions and idp.csp properties into the corresponding HTTP headers and applies them to the OP plugin as well as the original IdP endpoints",4.1,idp.oidc.OP,3,,shibboleth.ResponseHeaderFilter,idp.oidc.ResponseHeaderFilter,SPRING_BEAN_ID,
+560,OPDiscovery,oidc.properties,Implementation bean for discovery shouldn't require alteration,4.1,idp.oidc.OP,3,,shibboleth.oidc.DefaultOpenIdConfigurationResolver,idp.oidc.discovery.resolver,SPRING_BEAN_ID,
+559,OPDiscovery,oidc.properties,Location of discovery template to use,4.1,idp.oidc.OP,3,,%{idp.home}/static/openid-configuration.json,idp.oidc.discovery.template,STRING,
+566,OPDynamicClientRegistration,oidc.properties,Name of access control policy to apply to all requests,4.1,idp.oidc.OP,3,,AccessByIPAddress,idp.oidc.admin.registration.accessPolicy,STRING,
+563,OPDynamicClientRegistration,oidc.properties,Whether to enable user authentication for requests,4.1,idp.oidc.OP,3,,false,idp.oidc.admin.registration.authenticated,BOOLEAN,
+569,OPDynamicClientRegistration,oidc.properties,Name of access control policy to apply to requests specifying a clientId,4.1,idp.oidc.OP,3,,AccessByAdmin,idp.oidc.admin.registration.clientIdPolicy,STRING,
+565,OPDynamicClientRegistration,oidc.properties,Default access token lifetime if not specified,4.1,idp.oidc.OP,3,,P1D,idp.oidc.admin.registration.defaultTokenLifetime,DURATION,
+561,OPDynamicClientRegistration,oidc.properties,Audit logging label for this profile,4.1,idp.oidc.OP,3,,IssueRegistrationAccessToken,idp.oidc.admin.registration.logging,STRING,
+570,OPDynamicClientRegistration,oidc.properties,"Bean ID of type Function>, used to locate metadata policy based on the policyLocation parameter. 
Defaults to a caching resolver locating server resources to load based on policyLocation parameter.",4.1,idp.oidc.OP,3,,shibboleth.oidc.admin.DefaultMetadataPolicyLookupStrategy,idp.oidc.admin.registration.lookup.policy,SPRING_BEAN_ID,
+562,OPDynamicClientRegistration,oidc.properties,Enables support for non-browser-based authentication,4.1,idp.oidc.OP,3,,true,idp.oidc.admin.registration.nonBrowserSupported,BOOLEAN,
+568,OPDynamicClientRegistration,oidc.properties,Name of access control policy to apply to requests specifying a policyId,4.1,idp.oidc.OP,3,,AccessByAdmin,idp.oidc.admin.registration.policyIdPolicy,STRING,
+567,OPDynamicClientRegistration,oidc.properties,Name of access control policy to apply to requests specifying a policyLocation,4.1,idp.oidc.OP,3,,AccessByAdmin,idp.oidc.admin.registration.policyLocationPolicy,STRING,
+564,OPDynamicClientRegistration,oidc.properties,Whether to resolve attributes if authentication is enabled,4.1,idp.oidc.OP,3,,false,idp.oidc.admin.registration.resolveAttributes,BOOLEAN,
+537,OPDynamicClientRegistration,oidc.properties,Registration lifetime,4.1,idp.oidc.OP,3,,PT24H,idp.oidc.dynreg.defaultRegistrationValidity,DURATION,
+538,OPDynamicClientRegistration,oidc.properties,The default scopes accepted in dynamic registration,4.1,idp.oidc.OP,3,,openid profile email address phone offline_access,idp.oidc.dynreg.defaultScope,STRING,
+539,OPDynamicClientRegistration,oidc.properties,The default subject type if not set by client in request. 
Maybe set to pairwise or public.,4.1,idp.oidc.OP,3,,public,idp.oidc.dynreg.defaultSubjectType,STRING,
+541,OPDynamicClientRegistration,oidc.properties,The acceptable client authentication methods when using dynamic registration,4.1,idp.oidc.OP,3,Comma seperated list of values,"client_secret_basic,client_secret_post,client_secret_jwt,private_key_jwt",idp.oidc.dynreg.tokenEndpointAuthMethods,STRING,
+540,OPMetadataPolicies,oidc.properties,Full path to the file containing default metadata policy used for dynamic client registration,4.1,idp.oidc.OP,3,,,idp.oidc.dynreg.defaultMetadataPolicyFile,STRING,
+536,OPRevocation,oidc.properties,The revocation method: CHAIN refers to revoking whole chain of tokens (from authorization code to all access/refresh tokens). TOKEN refers to revoking single token,4.1,idp.oidc.OP,3,,CHAIN,idp.oauth2.revocationMethod,STRING,
+528,OPRevocation,oidc.properties,Lifetime of entries in revocation cache for authorize code,4.1,idp.oidc.OP,3,,PT6H,idp.oidc.revocationCache.authorizeCode.lifetime,DURATION,
+546,OPSecurity,oidc.properties,Allows override of default encryption configuration,4.1,idp.oidc.OP,3,,shibboleth.oidc.EncryptionConfiguration,idp.oidc.encryption.config,SPRING_BEAN_ID,
+547,OPSecurity,oidc.properties,Allows override of default request decryption configuration,4.1,idp.oidc.OP,3,,shibboleth.oidc.requestObjectDecryptionConfiguration,idp.oidc.rodecrypt.config,SPRING_BEAN_ID,
+548,OPSecurity,oidc.properties,Allows override of default request signature validation configuration,4.1,idp.oidc.OP,3,one of these has the wrong name,shibboleth.oidc.requestObjectSignatureValidationConfiguration,idp.oidc.rovalid.config,SPRING_BEAN_ID,
+549,OPSecurity,oidc.properties,Allows override of default JWT token validation configuration,4.1,idp.oidc.OP,3,one of these has the wrong name,shibboleth.oidc.tokenEndpointJwtSignatureValidationConfiguration,idp.oidc.rovalid.config,SPRING_BEAN_ID,
+545,OPSecurity,oidc.properties,Allows override of default 
signing configuration,4.1,idp.oidc.OP,3,,shibboleth.oidc.SigningConfiguration,idp.oidc.signing.config,SPRING_BEAN_ID,
+543,OPSecurity,oidc.properties,JWK EC signing keypair,4.1,idp.oidc.OP,3,JWK file pathname,%{idp.home}/credentials/idp-signing-es.jwk,idp.signing.oidc.es.key,STRING,
+542,OPSecurity,oidc.properties,JWK RSA signing keypair,4.1,idp.oidc.OP,3,JWK file pathname,%{idp.home}/credentials/idp-signing-rs.jwk,idp.signing.oidc.rs.key,STRING,
+544,OPSecurity,oidc.properties,JWK RSA decryption keypair,4.1,idp.oidc.OP,3,JWK file pathname,%{idp.home}/credentials/idp-encryption-rsa.jwk,idp.signing.oidc.rsa.enc.key,STRING,
+578,OPSubClaim,oidc.properties,The digest algorithm used in generating the sub claim,4.1,idp.oidc.OP,3,,SHA,idp.oidc.subject.algorithm,STRING,
+579,OPSubClaim,oidc.properties,Salt to inject for randomness should generally be moved into credentials/secrets.properties to avoid committing to configuration repository,4.1,idp.oidc.OP,3,,,idp.oidc.subject.salt,STRING,
+577,OPSubClaim,oidc.properties,The source attribute used in generating the sub claim,4.1,idp.oidc.OP,3,,,idp.oidc.subject.sourceAttribute,STRING,
+535,OPToken,oidc.properties,Lifetime of access token issued to client for resource server,4.1,idp.oidc.OP,3,,PT10M,idp.oauth2.accessToken.defaultLifetime,DURATION,
+533,OPToken,oidc.properties,Format of access token. Supported values are JWT or nothing.,4.1,idp.oidc.OP,3.2,,,idp.oauth2.accessToken.type,STRING,
+534,OPToken,oidc.properties,Whether the absence of encryption details in a resource server’s metadata should fail when issuing an access token,4.1,idp.oidc.OP,3,,false,idp.oauth2.encryptionOptional,BOOLEAN,
+532,OPToken,oidc.properties,Whether to enforce refresh token rotation. 
If enabled the refresh token is revoked whenever it is used for issuing a new refresh token.,4.1,idp.oidc.OP,3.2,,false,idp.oauth2.enforceRefreshTokenRotation,BOOLEAN,
+531,OPToken,oidc.properties,OAuth grant types to allow,4.1,idp.oidc.OP,3,Comma seperated list of values,"authorization_code,refresh_token",idp.oauth2.grantTypes,STRING,
+519,OPToken,oidc.properties,Lifetime of access token,4.1,idp.oidc.OP,3,,PT10M,idp.oidc.accessToken.defaultLifetime,DURATION,
+523,OPToken,oidc.properties,Whether client is allowed to use PKCE code challenge method plain,4.1,idp.oidc.OP,3,,false,idp.oidc.allowPKCEPlain,BOOLEAN,
+522,OPToken,oidc.properties,Whether client is required to use PKCE,4.1,idp.oidc.OP,3,,false,idp.oidc.forcePKCE,BOOLEAN,
+518,OPToken,oidc.properties,Lifetime of ID token,4.1,idp.oidc.OP,3,,PT1H,idp.oidc.idToken.defaultLifetime,DURATION,
+521,OPToken,oidc.properties,Lifetime of refresh token,4.1,idp.oidc.OP,3,,PT2H,idp.oidc.refreshToken.defaultLifetime,DURATION,
+530,OPToken,oidc.properties,The acceptable client authentication methods,4.1,idp.oidc.OP,3,Comma seperated list of values,"client_secret_basic,client_secret_post,client_secret_jwt,private_key_jwt",idp.oidc.tokenEndpointAuthMethods,STRING,
+368,PersistentNameIDGenerationConfiguration,saml-nameid.properties,The hash algorithm used when using computed persistent IDs,all,,,,SHA,idp.persistentId.algorithm,STRING,
+363,PersistentNameIDGenerationConfiguration,saml-nameid.properties,Identifies a strategy plugin to use to generate the first persistent identifier for each subject,all,,,used to migrate from the computed to stored strategies: can be null,shibboleth.ComputedPersistentIdGenerator,idp.persistentId.computed,SPRING_BEAN_ID,
+382,PersistentNameIDGenerationConfiguration,saml-nameid.properties,Overrides database column names,4.1,,,,creationDate,idp.persistentId.createTimeColumn,STRING,
+362,PersistentNameIDGenerationConfiguration,saml-nameid.properties,Identifies a data source for storage-based 
management of persistent IDs,all,,,Bean ID of a JDBC DataSource,,idp.persistentId.dataSource,SPRING_BEAN_ID,
+383,PersistentNameIDGenerationConfiguration,saml-nameid.properties,Overrides database column names,4.1,,,,deactivationDate,idp.persistentId.deactivationTimeColumn,STRING,
+367,PersistentNameIDGenerationConfiguration,saml-nameid.properties,An encoded form of the persistentId.salt,all,,,,,idp.persistentId.encodedSalt,STRING,
+369,PersistentNameIDGenerationConfiguration,saml-nameid.properties,The final encoding applied to the hash generated when using computed persistent IDs: one of BASE32 or BASE64,all,,,,BASE64,idp.persistentId.encoding,STRING,
+370,PersistentNameIDGenerationConfiguration,saml-nameid.properties,Advanced feature allowing revocation or regeneration of computed persistent IDs for specific subjects or services,all,,,,shibboleth.ComputedIdExceptionMap,idp.persistentId.exceptionMap,SPRING_BEAN_ID,
+361,PersistentNameIDGenerationConfiguration,saml-nameid.properties,Identifies the strategy plugin for sourcing persistent IDs,all,,,Bean ID of a PairwiseIdStore,shibboleth.ComputedPersistentIdGenerator,idp.persistentId.generator,SPRING_BEAN_ID,
+376,PersistentNameIDGenerationConfiguration,saml-nameid.properties,Overrides database column names,4.1,,,,localEntity,idp.persistentId.localEntityColumn,STRING,
+377,PersistentNameIDGenerationConfiguration,saml-nameid.properties,Overrides database column names,4.1,,,,peerEntity,idp.persistentId.peerEntityColumn,STRING,
+381,PersistentNameIDGenerationConfiguration,saml-nameid.properties,Overrides database column names,4.1,,,,peerProvidedId,idp.persistentId.peerProvidedIdColumn,STRING,
+380,PersistentNameIDGenerationConfiguration,saml-nameid.properties,Overrides database column names,4.1,,,,persistentId,idp.persistentId.persistentIdColumn,STRING,
+378,PersistentNameIDGenerationConfiguration,saml-nameid.properties,Overrides database column names,4.1,,,,principalName,idp.persistentId.principalNameColumn,STRING, 
+371,PersistentNameIDGenerationConfiguration,saml-nameid.properties,Query timeout for database access,4.1,,,,PT5S,idp.persistentId.queryTimeout,DURATION,
+373,PersistentNameIDGenerationConfiguration,saml-nameid.properties,List of error strings to identify as retryable failures,4.1,,,,"23000,23505",idp.persistentId.retryableErrors,STRING,
+366,PersistentNameIDGenerationConfiguration,saml-nameid.properties,A secret salt for the hash when using computed persistent IDs,all,,,,,idp.persistentId.salt,STRING,
+364,PersistentNameIDGenerationConfiguration,saml-nameid.properties,List of attributes to search for a value to uniquely identify the subject of a persistent identifier that MUST be stable long-lived and non-reassignable,all,,,,,idp.persistentId.sourceAttribute,STRING,
+379,PersistentNameIDGenerationConfiguration,saml-nameid.properties,Overrides database column names,4.1,,,,localId,idp.persistentId.sourceIdColumn,STRING,
+375,PersistentNameIDGenerationConfiguration,saml-nameid.properties,Overrides the name of the table in the database,4.1,,,,shibpid,idp.persistentId.tableName,STRING,
+372,PersistentNameIDGenerationConfiguration,saml-nameid.properties,Number of retries in the event database locking bugs cause retryable failures,4.1,,,,3,idp.persistentId.transactionRetries,INTEGER,
+365,PersistentNameIDGenerationConfiguration,saml-nameid.properties,Whether or not the previous property has access to unreleased attributes,all,,,,true,idp.persistentId.useUnfilteredAttributes,BOOLEAN,
+374,PersistentNameIDGenerationConfiguration,saml-nameid.properties,When true the connection and layout of the database is verified at bean initialization time and any failures are fatal.,4.1,,,,true,idp.persistentId.verifyDatabase,BOOLEAN,
+423,ReloadableServices,services.properties,Seconds between reloads of message property resources,all,,,,300,idp.message.cacheSeconds,INTEGER,
+422,ReloadableServices,services.properties,Name of Spring bean identifying Spring message property 
resources,all,,,,shibboleth.MessageSourceResources,idp.message.resources,SPRING_BEAN_ID,
+415,ReloadableServices,services.properties,Time to notice changes to AccessControlConfiguration and reload service,all,,,,0,idp.service.access.checkInterval,DURATION,
+414,ReloadableServices,services.properties,Fail at startup if AccessControlConfiguration is invalid,all,,,,true,idp.service.access.failFast,BOOLEAN,
+413,ReloadableServices,services.properties,Name of Spring bean identifying resources to use for AccessControlConfiguration,all,,,,shibboleth.AccessControlResource,idp.service.access.resources,SPRING_BEAN_ID,
+408,ReloadableServices,services.properties,Time to notice changes to AttributeFilterConfiguration and reload service A value of 0 indicates that the attribute filter configuration never reloads,all,,,,0,idp.service.attribute.filter.checkInterval,DURATION,
+407,ReloadableServices,services.properties,Fail at startup if AttributeFilterConfiguration is invalid,all,,,,false,idp.service.attribute.filter.failFast,BOOLEAN,
+409,ReloadableServices,services.properties,Whether attribute filtering failure should silently produce no attributes or causes an overall profile request failure event,all,,,,true,idp.service.attribute.filter.maskFailures,BOOLEAN,
+406,ReloadableServices,services.properties,Name of Spring bean identifying resources to use for AttributeFilterConfiguration,all,,,,shibboleth.AttributeFilterResources,idp.service.attribute.filter.resources,SPRING_BEAN_ID,
+398,ReloadableServices,services.properties,Time to notice changes to AttributeRegistryConfiguration and reload service. 
A value of 0 indicates that the service configuration never reloads,all,,,,0,idp.service.attribute.registry.checkInterval,DURATION,
+399,ReloadableServices,services.properties,Shortcut for controlling the encoding of xsi:type information for all SAML transcoding rules in the registry,all,,,,true,idp.service.attribute.registry.encodeType,BOOLEAN,
+397,ReloadableServices,services.properties,Fail at startup if AttributeRegistryConfiguration is invalid,all,,,,false,idp.service.attribute.registry.failFast,BOOLEAN,
+396,ReloadableServices,services.properties,Name of Spring bean identifying resources to use for AttributeRegistryConfiguration,all,,,,shibboleth.AttributeRegistryResources,idp.service.attribute.registry.resources,SPRING_BEAN_ID,
+402,ReloadableServices,services.properties,Time to notice changes to AttributeResolverConfiguration and reload service. A value of 0 indicates that the service configuration never reloads,all,,,,0,idp.service.attribute.resolver.checkInterval,DURATION,
+401,ReloadableServices,services.properties,Fail at startup if AttributeResolverConfiguration is invalid,all,,,,false,idp.service.attribute.resolver.failFast,BOOLEAN,
+403,ReloadableServices,services.properties,Whether attribute resolution failure should silently produce no attributes or cause an overall profile request failure event,all,,,,true,idp.service.attribute.resolver.maskFailures,BOOLEAN,
+400,ReloadableServices,services.properties,Name of Spring bean identifying resources to use for AttributeResolverConfiguration,all,,,,shibboleth.AttributeResolverResources,idp.service.attribute.resolver.resources,SPRING_BEAN_ID,
+404,ReloadableServices,services.properties,"Whether null values should be stripped from the results of the attribute resolution. This filtering happens prior to filtering and encoding, but after attribute resolution is complete. 
To strip nulls during attribute resolution (so that they will be invis",all,,,,false,idp.service.attribute.resolver.stripNulls,BOOLEAN,
+405,ReloadableServices,services.properties,(REMOVED v5 IDP) Setting this to false re-enables the legacy behavior of looking up the display information for the resolved attributes during resolution. As from 4.2 this the display information is looked up at point of use (during the attribute consent flow) and so ther,4.2,,,Removed from Shibboleth 5.0,true,idp.service.attribute.resolver.suppressDisplayInfo,BOOLEAN,
+418,ReloadableServices,services.properties,Time to notice CASServiceRegistry configuration changes and reload service,all,,,,0,idp.service.cas.registry.checkInterval,DURATION,
+417,ReloadableServices,services.properties,Fail at startup if CASServiceRegistry configuration is invalid,all,,,,false,idp.service.cas.registry.failFast,BOOLEAN,
+416,ReloadableServices,services.properties,Name of Spring bean identifying resources to use for CASServiceRegistry configuration,all,,,,shibboleth.CASServiceRegistryResources,idp.service.cas.registry.resources,SPRING_BEAN_ID,
+384,ReloadableServices,services.properties,Set default fail-fast behavior of all services unless overridden by service,all,,,,false,idp.service.failFast,BOOLEAN,
+387,ReloadableServices,services.properties,Time to notice changes to logging configuration and reload service. 
A value of 0 indicates that the logging configuration never reloads,all,,,,0,idp.service.logging.checkInterval,DURATION,
+386,ReloadableServices,services.properties,Fail at startup if logging configuration is invalid,all,,,,true,idp.service.logging.failFast,BOOLEAN,
+385,ReloadableServices,services.properties,Logging configuration resource to use (the reloadable service ID is shibboleth.LoggingService),all,,,resource path,%{idp.home}/conf/logback.xml,idp.service.logging.resource,STRING,
+421,ReloadableServices,services.properties,Time to notice ManagedBeanConfiguration changes and reload service,all,,,,0,idp.service.managedBean.checkInterval,DURATION,
+420,ReloadableServices,services.properties,Fail at startup if ManagedBeanConfiguration is invalid,all,,,,false,idp.service.managedBean.failFast,BOOLEAN,
+419,ReloadableServices,services.properties,Name of Spring bean identifying resources to use for ManagedBeanConfiguration,all,,,,shibboleth.ManagedBeanResources,idp.service.managedBean.resources,SPRING_BEAN_ID,
+394,ReloadableServices,services.properties,Time to notice changes to MetadataConfiguration and reload service. 
A value of 0 indicates that the metadata configuration never reloads,all,,,,0,idp.service.metadata.checkInterval,DURATION,
+395,ReloadableServices,services.properties,Disabling this turns off internal support for the ByReferenceFilter feature which provides a very small performance boost,all,,,,true,idp.service.metadata.enableByReferenceFilters,BOOLEAN,
+393,ReloadableServices,services.properties,Fail at startup if MetadataConfiguration is invalid,all,,,,false,idp.service.metadata.failFast,BOOLEAN,
+392,ReloadableServices,services.properties,Name of Spring bean identifying resources to use for MetadataConfiguration,all,,,,shibboleth.MetadataResolverResources,idp.service.metadata.resources,SPRING_BEAN_ID,
+412,ReloadableServices,services.properties,Time to notice changes to NameIDGenerationConfiguration and reload service,all,,,,0,idp.service.nameidGeneration.checkInterval,DURATION,
+411,ReloadableServices,services.properties,Fail at startup if NameIDGenerationConfiguration is invalid,all,,,,false,idp.service.nameidGeneration.failFast,BOOLEAN,
+410,ReloadableServices,services.properties,Name of Spring bean identifying resources to use for NameIDGenerationConfiguration,all,,,,shibboleth.NameIdentifierGenerationResources,idp.service.nameidGeneration.resources,SPRING_BEAN_ID,
+390,ReloadableServices,services.properties,Time to notice changes to RelyingPartyConfiguration and reload service. 
A value of 0 indicates that the relying party configuration never reloads,all,,,,0,idp.service.relyingparty.checkInterval,DURATION,
+389,ReloadableServices,services.properties,Fail at startup if RelyingPartyConfiguration is invalid,all,,,,false,idp.service.relyingparty.failFast,BOOLEAN,
+391,ReloadableServices,services.properties,See MetadataDrivenConfiguration SAML Attribute Name Format Usage,all,,,,false,idp.service.relyingparty.ignoreUnmappedEntityAttributes,BOOLEAN,
+388,ReloadableServices,services.properties,Name of Spring bean identifying resources to use for RelyingPartyConfiguration,all,,,,shibboleth.RelyingPartyResolverResources,idp.service.relyingparty.resources,SPRING_BEAN_ID,
+5,RelyingPartyConfiguration,idp.properties,Whether to allow use of the SAML artifact bindings when sending messages,all,,,,true,idp.artifact.enabled,BOOLEAN,
+7,RelyingPartyConfiguration,idp.properties,Identifies the endpoint in SAML metadata associated with artifacts issued by a server node,all,,,,2,idp.artifact.endpointIndex,INTEGER,
+6,RelyingPartyConfiguration,idp.properties,Whether preparation of messages to be communicated via SAML artifact should assume use of a secure channel (allowing signing and encryption to be skipped),all,,,,true,idp.artifact.secureChannel,BOOLEAN,
+9,RelyingPartyConfiguration,idp.properties,"Controls whether the outbound binding selection is ordered by the SP's metadata or the IdP's preferred bindings (the inbuilt default order is Redirect -> POST -> Artifact -> SOAP). Set to false to leave artifact support on, but favor use of POST. Set also",4.1,,,,true,idp.bindings.inMetadataOrder,BOOLEAN,
+3,RelyingPartyConfiguration,idp.properties,The unique name of the IdP used as the iisuer in all SAML profiles,all,,,ex. 
https://unicon.net/idp/shibboleth,,idp.entityID,STRING,
+192,RemoteUserAuthnConfiguration,authn/authn.properties,Bean ID of Predicate determining whether flow is usable for request,4.1,idp.authn.RemoteUser,,,shibboleth.Conditions.TRUE,idp.authn.RemoteUser.activationCondition,SPRING_BEAN_ID,
+195,RemoteUserAuthnConfiguration,authn/authn.properties,Whether to auto-attach the preceding set of Principal objects to each Subject produced by this flow,4.1,idp.authn.RemoteUser,,,true,idp.authn.RemoteUser.addDefaultPrincipals,BOOLEAN,
+188,RemoteUserAuthnConfiguration,authn/authn.properties,Whether to invoke IdP discovery prior to running flow,4.1,idp.authn.RemoteUser,,,false,idp.authn.RemoteUser.discoveryRequired,BOOLEAN,
+180,RemoteUserAuthnConfiguration,authn/authn.properties,Spring Web Flow redirection expression for the protected resource,4.1,idp.authn.RemoteUser,,,contextRelative:external.jsp,idp.authn.RemoteUser.externalAuthnPath,STRING,
+185,RemoteUserAuthnConfiguration,authn/authn.properties,Whether the flow supports forced authentication,4.1,idp.authn.RemoteUser,,,false,idp.authn.RemoteUser.forcedAuthenticationSupported,BOOLEAN,
+190,RemoteUserAuthnConfiguration,authn/authn.properties,Inactivity timeout of results produced by this flow,4.1,idp.authn.RemoteUser,,,%{idp.authn.defaultTimeout:PT30M},idp.authn.RemoteUser.inactivityTimeout,DURATION,
+189,RemoteUserAuthnConfiguration,authn/authn.properties,Lifetime of results produced by this flow,4.1,idp.authn.RemoteUser,,,%{idp.authn.defaultLifetime:PT1H},idp.authn.RemoteUser.lifetime,DURATION,
+181,RemoteUserAuthnConfiguration,authn/authn.properties,Regular expression to match username against,4.1,idp.authn.RemoteUser,,regex expected,,idp.authn.RemoteUser.matchExpression,STRING,
+183,RemoteUserAuthnConfiguration,authn/authn.properties,"Whether the flow should handle non-browser request profiles (e.g., ECP)",4.1,idp.authn.RemoteUser,,,false,idp.authn.RemoteUser.nonBrowserSupported,BOOLEAN,
+182,RemoteUserAuthnConfiguration,authn/authn.properties,"Flow priority relative to other enabled login flows (lower is ""higher"" in priority)",4.1,idp.authn.RemoteUser,,,1000,idp.authn.RemoteUser.order,INTEGER,
+184,RemoteUserAuthnConfiguration,authn/authn.properties,Whether the flow allows for passive authentication,4.1,idp.authn.RemoteUser,,,false,idp.authn.RemoteUser.passiveAuthenticationSupported,BOOLEAN,
+186,RemoteUserAuthnConfiguration,authn/authn.properties,Whether the flow enforces upstream IdP imposed restrictions on proxying,4.1,idp.authn.RemoteUser,,,%{idp.authn.enforceProxyRestrictions:true},idp.authn.RemoteUser.proxyRestrictionsEnforced,BOOLEAN,
+187,RemoteUserAuthnConfiguration,authn/authn.properties,Whether the flow considers itself to be proxying and therefore enforces SP signaled restrictions on proxying,4.1,idp.authn.RemoteUser,,,false,idp.authn.RemoteUser.proxyScopingEnforced,BOOLEAN,
+191,RemoteUserAuthnConfiguration,authn/authn.properties,Bean ID of Predicate controlling result reuse for SSO,4.1,idp.authn.RemoteUser,,,shibboleth.Conditions.TRUE,idp.authn.RemoteUser.reuseCondition,SPRING_BEAN_ID,
+193,RemoteUserAuthnConfiguration,authn/authn.properties,Bean ID of BiConsumer determining whether flow is usable for request,4.1,idp.authn.RemoteUserInternal,,,shibboleth.Conditions.TRUE,idp.authn.RemoteUserInternal.activationCondition,SPRING_BEAN_ID,
+220,RemoteUserInternalAuthnConfiguration,authn/authn.properties,Whether to auto-attach the preceding set of Principal objects to each Subject produced by this flow,4.1,idp.authn.RemoteUserInternal,,,true,idp.authn.RemoteUserInternal.addDefaultPrincipals,BOOLEAN,
+203,RemoteUserInternalAuthnConfiguration,authn/authn.properties,Comma-delimited list of usernames to accept while blocking all others,4.1,idp.authn.RemoteUserInternal,,,,idp.authn.RemoteUserInternal.allowedUsernames,STRING,
+197,RemoteUserInternalAuthnConfiguration,authn/authn.properties,Comma-delimited lists of request attributes to check 
for a username,4.1,idp.authn.RemoteUserInternal,,,,idp.authn.RemoteUserInternal.checkAttributes,STRING,
+198,RemoteUserInternalAuthnConfiguration,authn/authn.properties,Comma-delimited list of request headers to check for a username,4.1,idp.authn.RemoteUserInternal,,,,idp.authn.RemoteUserInternal.checkHeaders,STRING,
+196,RemoteUserInternalAuthnConfiguration,authn/authn.properties,Whether to check REMOTE_USER for a username,4.1,idp.authn.RemoteUserInternal,,,true,idp.authn.RemoteUserInternal.checkRemoteUser,BOOLEAN,
+204,RemoteUserInternalAuthnConfiguration,authn/authn.properties,Comma-delimited list of usernames to deny while accepting all others,4.1,idp.authn.RemoteUserInternal,,,,idp.authn.RemoteUserInternal.deniedUsernames,STRING,
+213,RemoteUserInternalAuthnConfiguration,authn/authn.properties,Whether to invoke IdP discovery prior to running flow,4.1,idp.authn.RemoteUserInternal,,,false,idp.authn.RemoteUserInternal.discoveryRequired,BOOLEAN,
+205,RemoteUserInternalAuthnConfiguration,authn/authn.properties,Spring Web Flow redirection expression for the protected resource,4.1,idp.authn.RemoteUserInternal,,,contextRelative:external.jsp,idp.authn.RemoteUserInternal.externalAuthnPath,STRING,
+210,RemoteUserInternalAuthnConfiguration,authn/authn.properties,Whether the flow supports forced authentication,4.1,idp.authn.RemoteUserInternal,,,false,idp.authn.RemoteUserInternal.forcedAuthenticationSupported,BOOLEAN,
+215,RemoteUserInternalAuthnConfiguration,authn/authn.properties,Inactivity timeout of results produced by this flow,4.1,idp.authn.RemoteUserInternal,,,%{idp.authn.defaultTimeout:PT30M},idp.authn.RemoteUserInternal.inactivityTimeout,DURATION,
+214,RemoteUserInternalAuthnConfiguration,authn/authn.properties,Lifetime of results produced by this flow,4.1,idp.authn.RemoteUserInternal,,,%{idp.authn.defaultLifetime:PT1H},idp.authn.RemoteUserInternal.lifetime,DURATION,
+200,RemoteUserInternalAuthnConfiguration,authn/authn.properties,Whether to lowercase the username 
before validating it,4.1,idp.authn.RemoteUserInternal,,,false,idp.authn.RemoteUserInternal.lowercase,BOOLEAN,
+202,RemoteUserInternalAuthnConfiguration,authn/authn.properties,A regular expression that must match the username,4.1,idp.authn.RemoteUserInternal,,regex expected,,idp.authn.RemoteUserInternal.matchExpression,STRING,
+206,RemoteUserInternalAuthnConfiguration,authn/authn.properties,Regular expression to match username against,4.1,idp.authn.RemoteUserInternal,,regex expected,,idp.authn.RemoteUserInternal.matchExpression,STRING,
+208,RemoteUserInternalAuthnConfiguration,authn/authn.properties,"Whether the flow should handle non-browser request profiles (e.g., ECP)",4.1,idp.authn.RemoteUserInternal,,,false,idp.authn.RemoteUserInternal.nonBrowserSupported,BOOLEAN,
+207,RemoteUserInternalAuthnConfiguration,authn/authn.properties,"Flow priority relative to other enabled login flows (lower is ""higher"" in priority)",4.1,idp.authn.RemoteUserInternal,,,1000,idp.authn.RemoteUserInternal.order,INTEGER,
+209,RemoteUserInternalAuthnConfiguration,authn/authn.properties,Whether the flow allows for passive authentication,4.1,idp.authn.RemoteUserInternal,,,false,idp.authn.RemoteUserInternal.passiveAuthenticationSupported,BOOLEAN,
+211,RemoteUserInternalAuthnConfiguration,authn/authn.properties,Whether the flow enforces upstream IdP imposed restrictions on proxying,4.1,idp.authn.RemoteUserInternal,,,%{idp.authn.enforceProxyRestrictions:true},idp.authn.RemoteUserInternal.proxyRestrictionsEnforced,BOOLEAN,
+212,RemoteUserInternalAuthnConfiguration,authn/authn.properties,Whether the flow considers itself to be proxying and therefore enforces SP signaled restrictions on proxying,4.1,idp.authn.RemoteUserInternal,,,false,idp.authn.RemoteUserInternal.proxyScopingEnforced,BOOLEAN,
+216,RemoteUserInternalAuthnConfiguration,authn/authn.properties,Bean ID of Predicate controlling result reuse for 
SSO,4.1,idp.authn.RemoteUserInternal,,,shibboleth.Conditions.TRUE,idp.authn.RemoteUserInternal.reuseCondition,SPRING_BEAN_ID,
+218,RemoteUserInternalAuthnConfiguration,authn/authn.properties,Bean ID of BiConsumer determining whether flow is usable for request,4.1,,,,shibboleth.Conditions.TRUE,idp.authn.SAML.activationCondition,SPRING_BEAN_ID,
+342,SAMLAuthnConfiguration,authn/authn.properties,Whether to auto-attach the preceding set of Principal objects to each Subject produced by this flow,4.1,,,,true,idp.authn.SAML.addDefaultPrincipals,BOOLEAN,
+328,SAMLAuthnConfiguration,authn/authn.properties,Optional bean ID of AssertionValidator to run,4.1,,,,,idp.authn.SAML.assertionValidator,SPRING_BEAN_ID,
+335,SAMLAuthnConfiguration,authn/authn.properties,Whether to invoke IdP discovery prior to running flow,4.1,,,,false,idp.authn.SAML.discoveryRequired,BOOLEAN,
+324,SAMLAuthnConfiguration,authn/authn.properties,Spring Web Flow redirection expression for the IdP's AssertionConsumerService,4.1,,,URL path,servletRelative:/Authn/SAML2/POST/SSO,idp.authn.SAML.externalAuthnPath,STRING,
+332,SAMLAuthnConfiguration,authn/authn.properties,Whether the flow supports forced authentication,4.1,,,,false,idp.authn.SAML.forcedAuthenticationSupported,BOOLEAN,
+337,SAMLAuthnConfiguration,authn/authn.properties,Inactivity timeout of results produced by this flow,4.1,,,,%{idp.authn.defaultTimeout:PT30M},idp.authn.SAML.inactivityTimeout,DURATION,
+327,SAMLAuthnConfiguration,authn/authn.properties,"Optional bean ID of Function to run at the late stages of Response decoding/processing",4.1,,,,,idp.authn.SAML.inboundMessageHandlerFunction,SPRING_BEAN_ID,
+336,SAMLAuthnConfiguration,authn/authn.properties,Lifetime of results produced by this flow,4.1,,,,%{idp.authn.defaultLifetime:PT1H},idp.authn.SAML.lifetime,DURATION,
+664,SAMLAuthnConfiguration,authn/authn.properties,???????,5.0,,,New in Shibboleth 5.0,,idp.authn.SAML.NameIDLookupStrategy,SPRING_BEAN_ID,
+330,SAMLAuthnConfiguration,authn/authn.properties,"Whether the flow should handle non-browser request profiles (e.g., ECP)",4.1,,,,false,idp.authn.SAML.nonBrowserSupported,BOOLEAN,
+329,SAMLAuthnConfiguration,authn/authn.properties,"Flow priority relative to other enabled login flows (lower is ""higher"" in priority)",4.1,,,,1000,idp.authn.SAML.order,INTEGER,
+326,SAMLAuthnConfiguration,authn/authn.properties,"Optional bean ID of Function to run just prior to AuthnRequest signing/encoding step",4.1,,,,,idp.authn.SAML.outboundMessageHandlerFunction,SPRING_BEAN_ID,
+331,SAMLAuthnConfiguration,authn/authn.properties,Whether the flow allows for passive authentication,4.1,,,,false,idp.authn.SAML.passiveAuthenticationSupported,BOOLEAN,
+325,SAMLAuthnConfiguration,authn/authn.properties,Statically-defined entityID of IdP to use for authentication,4.1,,,,,idp.authn.SAML.proxyEntityID,STRING,
+333,SAMLAuthnConfiguration,authn/authn.properties,Whether the flow enforces upstream IdP imposed restrictions on proxying,4.1,,,,%{idp.authn.enforceProxyRestrictions:true},idp.authn.SAML.proxyRestrictionsEnforced,BOOLEAN,
+334,SAMLAuthnConfiguration,authn/authn.properties,Whether the flow considers itself to be proxying and therefore enforces SP signaled restrictions on proxying,4.1,,,,false,idp.authn.SAML.proxyScopingEnforced,BOOLEAN,
+338,SAMLAuthnConfiguration,authn/authn.properties,Bean ID of Predicate controlling result reuse for SSO,4.1,,,,shibboleth.Conditions.TRUE,idp.authn.SAML.reuseCondition,SPRING_BEAN_ID,
+340,SAMLAuthnConfiguration,authn/authn.properties,Bean ID of BiConsumer condition bean controlling whether SameSite filter runs,all,,,Bean ID of Predicate,shibboleth.Conditions.FALSE,idp.cookie.sameSiteCondition,SPRING_BEAN_ID,
+12,SecurityConfiguration,idp.properties,If true all cookies issued by the IdP (not including the container) will be limited to TLS,all,,,,false,idp.cookie.secure,BOOLEAN,
+661,SecurityConfiguration,idp.properties,???????,5.0,,,New in Shibboleth 
5.0,,idp.encoding.forceUTF8,BOOLEAN,
+30,SecurityConfiguration,idp.properties,Resource containing a public key certificate given to others needing to encrypt data for the IdP typically a file in the credentials directory,all,,,resource path,,idp.encryption.cert,STRING,
+32,SecurityConfiguration,idp.properties,Resource containing an alternate public key certificate generally unused except while changing decryption keys,all,,,,,idp.encryption.cert.2,STRING,
+35,SecurityConfiguration,idp.properties,Name of Spring bean supplying the default EncryptionConfiguration,all,,,Bean ID of EncryptionConfiguration (org.opensaml.xmlsec),shibboleth.EncryptionConfiguration.CBC,idp.encryption.config,SPRING_BEAN_ID,
+29,SecurityConfiguration,idp.properties,Resource containing a private key for decryption typically a file in the credentials directory,all,,,resource path,,idp.encryption.key,STRING,
+31,SecurityConfiguration,idp.properties,Resource containing an alternate private key for decryption generally unused except while changing decryption keys,all,,,,,idp.encryption.key.2,STRING,
+37,SecurityConfiguration,idp.properties,Sets the default strategy for key agreement key wrap usage for credentials from metadata if not otherwise configured on the security configuration,all,,,,Default,idp.encryption.keyagreement.metadata.defaultUseKeyWrap,STRING,
+36,SecurityConfiguration,idp.properties,If true failure to locate an encryption key to use won't result in request failure,all,,,,false,idp.encryption.optional,BOOLEAN,
+41,SecurityConfiguration,idp.properties,Default freshness window for accepting timestamped assertions,all,,,,PT3M,idp.policy.assertionLifetime,DURATION,
+42,SecurityConfiguration,idp.properties,Default allowance for clock differences between systems,all,,,,PT3M,idp.policy.clockSkew,DURATION,
+40,SecurityConfiguration,idp.properties,Default freshness window for accepting timestamped messages,all,,,,PT3M,idp.policy.messageLifetime,DURATION,
+22,SecurityConfiguration,idp.properties,Case insensitive name of keystore alias prefix used in AES keystore (the entries will be suffixed by the key version number),all,,,,secret,idp.sealer.aliasBase,STRING,
+26,SecurityConfiguration,idp.properties,Key password unlocking AES encryption key typically set to the same as the previous property and set during installation,all,,,,,idp.sealer.keyPassword,STRING,
+19,SecurityConfiguration,idp.properties,Bean ID supporting the DataSealerKeyStrategy interface to use in place of the built-in option.,all,,,Bean ID of DataSealerKeyStrategy,shibboleth.DataSealerKeyStrategy,idp.sealer.keyStrategy,SPRING_BEAN_ID,
+25,SecurityConfiguration,idp.properties,Keystore password unlocking AES encryption keystore typically set during installation,all,,,,,idp.sealer.storePassword,STRING,
+23,SecurityConfiguration,idp.properties,Keystore resource containing AES encryption key usually a file path,all,,,resource path,,idp.sealer.storeResource,STRING,
+20,SecurityConfiguration,idp.properties,Type of Java keystore used for IdP's internal AES encryption key,all,,,,JCEKS,idp.sealer.storeType,STRING,
+21,SecurityConfiguration,idp.properties,Time between checks for a new AES key version,all,,,,PT15M,idp.sealer.updateInterval,DURATION,
+24,SecurityConfiguration,idp.properties,Resource that tracks the active AES encryption key version usually a file path,all,,,,,idp.sealer.versionResource,STRING,
+43,SecurityConfiguration,idp.properties,Overrides the BasicKeyInfoGeneratorFactory used by default,4.1,,,Bean ID of KeyInfoGeneratorManager (org.opensaml.xmlsec.keyinfo.KeyInfoGeneratorManager),shibboleth.BasicKeyInfoGeneratorFactory,idp.security.basicKeyInfoFactory,SPRING_BEAN_ID,
+33,SecurityConfiguration,idp.properties,Name of Spring bean supplying the default SecurityConfiguration,all,,,Bean ID of SecurityConfiguration (net.shibboleth.idp.profile.config.SecurityConfiguration),shibboleth.DefaultSecurityConfiguration,idp.security.config,SPRING_BEAN_ID,
+44,SecurityConfiguration,idp.properties,Overrides the X509KeyInfoGeneratorFactory used by default,4.1,,,Bean ID of KeyInfoGeneratorManager (org.opensaml.xmlsec.keyinfo.KeyInfoGeneratorManager),shibboleth.X509KeyInfoGeneratorFactory,idp.security.x509KeyInfoFactory,SPRING_BEAN_ID,
+28,SecurityConfiguration,idp.properties,Resource containing the public key certificate inserted into signed messages typically a file in the credentials directory,all,,,,,idp.signing.cert,STRING,
+34,SecurityConfiguration,idp.properties,Name of Spring bean supplying the default SignatureSigningConfiguration,all,,,Bean ID of SignatureSigningConfiguration (org.opensaml.xmlsec),shibboleth.SigningConfiguration.SHA256,idp.signing.config,SPRING_BEAN_ID,
+27,SecurityConfiguration,idp.properties,Resource containing private key for signing typically a file in the credentials directory,all,,,,,idp.signing.key,STRING,
+39,SecurityConfiguration,idp.properties,Name of Spring bean for the trust engine used to verify TLS certificates,all,,,Bean ID of TrustEngine (org.opensaml.security.trust),shibboleth.ChainingX509TrustEngine,idp.trust.certificates,SPRING_BEAN_ID,
+38,SecurityConfiguration,idp.properties,Name of Spring bean for the trust engine used to verify signatures,all,,,Bean ID of SignatureTrustEngine (org.opensaml.xmlsec.signature.support),shibboleth.ChainingSignatureTrustEngine,idp.trust.signatures,SPRING_BEAN_ID,
+67,SessionConfiguration,idp.properties,Whether to bind IdP sessions to IP addresses,all,,,,true,idp.session.consistentAddress,BOOLEAN,
+68,SessionConfiguration,idp.properties,A 2-argument predicate that compares a bound session's address to a client address,all,,,"BiPredicate",Direct string comparison,idp.session.consistentAddressCondition,STRING,
+65,SessionConfiguration,idp.properties,Name of cookie containing IdP session ID (note this is not the same as the cookie the Java container uses to track its own sessions),4.2,,,,shib_idp_session,idp.session.cookieName,STRING,
+74,SessionConfiguration,idp.properties,"Default length of time to maintain record of an SP session (must be non-zero), overridable by relying-party-specific setting",all,,,,PT2H,idp.session.defaultSPlifetime,DURATION,
+63,SessionConfiguration,idp.properties,Whether to enable the IdP's session tracking feature,all,,,,true,idp.session.enabled,BOOLEAN,
+66,SessionConfiguration,idp.properties,Number of characters in IdP session identifiers,all,,,,32,idp.session.idSize,INTEGER,
+71,SessionConfiguration,idp.properties,Whether to hide storage failures from users during session cache reads/writes,all,,,,false,idp.session.maskStorageFailure,BOOLEAN,
+666,SessionConfiguration,idp.properties,"In the event that very long-lived sessions (on the order of weeks or longer) is desired, the idp.session.persistent property can be set to true to make these cookies persistent instead of session-based, with the expiration based on the idp.cookie.maxAge property (a year by default).",5.0,,,New in Shibboleth 5.0,,idp.session.persistent,BOOLEAN,
+73,SessionConfiguration,idp.properties,"Whether to track SPs on the basis of the SAML subject ID used, for logout purposes (requires SP session tracking be on)",all,,,,false,idp.session.secondaryServiceIndex,BOOLEAN,
+70,SessionConfiguration,idp.properties,Extra time after expiration before removing SP sessions in case a logout is invoked,all,,,,0,idp.session.slop,DURATION,
+64,SessionConfiguration,idp.properties,Bean name of a storage implementation/configuration to use for IdP sessions,all,,,Bean ID of StorageService (org.opensaml.storage),shibboleth.ClientSessionStorageService,idp.session.StorageService,SPRING_BEAN_ID,
+69,SessionConfiguration,idp.properties,Inactivity timeout policy for IdP sessions (must be non-zero),all,,,,PT60M,idp.session.timeout,DURATION,
+72,SessionConfiguration,idp.properties,Whether to save a record of every SP accessed during an IdP session (requires a server-side session store or HTML 
LocalStorage),all,,,,false,idp.session.trackSPSessions,BOOLEAN,
+484,SimplePostLoginC14NConfiguration,c14n/subject-c14n.properties,Whether to lowercase the username,4.1,,,,false,idp.c14n.simple.lowercase,BOOLEAN,
+486,SimplePostLoginC14NConfiguration,c14n/subject-c14n.properties,Whether to trim leading and trailing whitespace from the username,4.1,,,,true,idp.c14n.simple.trim,BOOLEAN,
+485,SimplePostLoginC14NConfiguration,c14n/subject-c14n.properties,Whether to uppercase the username,4.1,,,,false,idp.c14n.simple.uppercase,BOOLEAN,
+236,SPNEGOAuthnConfiguration,authn/authn.properties,Bean ID of Predicate determining whether flow is usable for request,4.1,idp.authn.SPNEGO,,,shibboleth.Conditions.TRUE,idp.authn.SPNEGO.activationCondition,SPRING_BEAN_ID,
+239,SPNEGOAuthnConfiguration,authn/authn.properties,Whether to auto-attach the preceding set of Principal objects to each Subject produced by this flow,4.1,idp.authn.SPNEGO,,,true,idp.authn.SPNEGO.addDefaultPrincipals,BOOLEAN,
+225,SPNEGOAuthnConfiguration,authn/authn.properties,Name of cookie used to track auto-login state of client,4.2,idp.authn.SPNEGO,,,_idp_spnego_autologin,idp.authn.SPNEGO.cookieName,STRING,
+232,SPNEGOAuthnConfiguration,authn/authn.properties,Whether to invoke IdP discovery prior to running flow,4.1,idp.authn.SPNEGO,,,false,idp.authn.SPNEGO.discoveryRequired,BOOLEAN,
+222,SPNEGOAuthnConfiguration,authn/authn.properties,Whether to always try to run SPNEGO independent of the user's auto-login setting,4.1,idp.authn.SPNEGO,,,false,idp.authn.SPNEGO.enforceRun,BOOLEAN,
+221,SPNEGOAuthnConfiguration,authn/authn.properties,Servlet-relative path to the SPNEGO external authentication implementation,4.1,idp.authn.SPNEGO,,URL path,/Authn/SPNEGO,idp.authn.SPNEGO.externalAuthnPath,STRING,
+229,SPNEGOAuthnConfiguration,authn/authn.properties,Whether the flow supports forced authentication,4.1,idp.authn.SPNEGO,,,false,idp.authn.SPNEGO.forcedAuthenticationSupported,BOOLEAN,
+234,SPNEGOAuthnConfiguration,authn/authn.properties,Inactivity timeout of results produced by this flow,4.1,idp.authn.SPNEGO,,,%{idp.authn.defaultTimeout:PT30M},idp.authn.SPNEGO.inactivityTimeout,DURATION, +233,SPNEGOAuthnConfiguration,authn/authn.properties,Lifetime of results produced by this flow,4.1,idp.authn.SPNEGO,,,%{idp.authn.defaultLifetime:PT1H},idp.authn.SPNEGO.lifetime,DURATION, +224,SPNEGOAuthnConfiguration,authn/authn.properties,Regular expression to match username against,4.1,idp.authn.SPNEGO,,regex expected,,idp.authn.SPNEGO.matchExpression,STRING, +227,SPNEGOAuthnConfiguration,authn/authn.properties,"Whether the flow should handle non-browser request profiles (e.g., ECP)",4.1,idp.authn.SPNEGO,,,false,idp.authn.SPNEGO.nonBrowserSupported,BOOLEAN, +226,SPNEGOAuthnConfiguration,authn/authn.properties,"Flow priority relative to other enabled login flows (lower is ""higher"" in priority)",4.1,idp.authn.SPNEGO,,,1000,idp.authn.SPNEGO.order,INTEGER, +228,SPNEGOAuthnConfiguration,authn/authn.properties,Whether the flow allows for passive authentication,4.1,idp.authn.SPNEGO,,,false,idp.authn.SPNEGO.passiveAuthenticationSupported,BOOLEAN, +230,SPNEGOAuthnConfiguration,authn/authn.properties,Whether the flow enforces upstream IdP imposed restrictions on proxying,4.1,idp.authn.SPNEGO,,,%{idp.authn.enforceProxyRestrictions:true},idp.authn.SPNEGO.proxyRestrictionsEnforced,BOOLEAN, +231,SPNEGOAuthnConfiguration,authn/authn.properties,Whether the flow considers itself to be proxying and therefore enforces SP signaled restrictions on proxying,4.1,idp.authn.SPNEGO,,,false,idp.authn.SPNEGO.proxyScopingEnforced,BOOLEAN, +223,SPNEGOAuthnConfiguration,authn/authn.properties,Whether to reload the underlying Kerberos configuration (generally in /etc/krb5.conf) on every login attempt,4.1,idp.authn.SPNEGO,,,false,idp.authn.SPNEGO.refreshKrbConfig,BOOLEAN, +235,SPNEGOAuthnConfiguration,authn/authn.properties,Bean ID of Predicate controlling result reuse for 
SSO,4.1,idp.authn.SPNEGO,,,shibboleth.Conditions.TRUE,idp.authn.SPNEGO.reuseCondition,SPRING_BEAN_ID, +237,SPNEGOAuthnConfiguration,authn/authn.properties,Bean ID of BiConsumer determining whether flow is usable for request,4.1,idp.authn.TOTP,1,,shibboleth.Conditions.TRUE,idp.authn.TOTP.activationCondition,SPRING_BEAN_ID, +637,TOTP,authn/authn.properties,Whether to auto-attach the preceding set ofPrincipalobjects to eachSubjectproduced by this flow,4.1,idp.authn.TOTP,1,,false,idp.authn.TOTP.addDefaultPrincipals,BOOLEAN, +630,TOTP,authn/authn.properties,Whether to invoke IdP-discovery prior to running flow,4.1,idp.authn.TOTP,1,,false,idp.authn.TOTP.discoveryRequired,BOOLEAN, +622,TOTP,authn/authn.properties,Name of HTML form field to use for locating browser-submitted token codes,4.1,idp.authn.TOTP,1,,tokencode,idp.authn.TOTP.fieldName,STRING, +627,TOTP,authn/authn.properties,Whether the flow supports forced authentication,4.1,idp.authn.TOTP,1,,true,idp.authn.TOTP.forcedAuthenticationSupported,BOOLEAN, +621,TOTP,authn/authn.properties,Name of request header to use for extracting non-browser submitted token codes,4.1,idp.authn.TOTP,1,,X-Shibboleth-TOTP,idp.authn.TOTP.headerName,STRING, +632,TOTP,authn/authn.properties,Inactivity timeout of results produced by this flow,4.1,idp.authn.TOTP,1,,%{idp.authn.defaultTimeout:PT30M},idp.authn.TOTP.inactivityTimeout,DURATION, +631,TOTP,authn/authn.properties,Lifetime of results produced by this flow,4.1,idp.authn.TOTP,1,,%{idp.authn.defaultLifetime:PT1H},idp.authn.TOTP.lifetime,DURATION, +625,TOTP,authn/authn.properties,"Whether the flow should handle non-browser request profiles (e.g., ECP)",4.1,idp.authn.TOTP,1,,false,idp.authn.TOTP.nonBrowserSupported,BOOLEAN, +624,TOTP,authn/authn.properties,"Flow priority relative to other enabled login flows (lower is ""higher"" in priority)",4.1,idp.authn.TOTP,1,,1000,idp.authn.TOTP.order,INTEGER, +626,TOTP,authn/authn.properties,Whether the flow allows for passive 
authentication,4.1,idp.authn.TOTP,1,,false,idp.authn.TOTP.passiveAuthenticationSupported,BOOLEAN, +628,TOTP,authn/authn.properties,Whether the flow enforces upstream IdP-imposed restrictions on proxying,4.1,idp.authn.TOTP,1,,%{idp.authn.enforceProxyRestrictions:true},idp.authn.TOTP.proxyRestrictionsEnforced,BOOLEAN, +629,TOTP,authn/authn.properties,Whether the flow considers itself to be proxying,4.1,idp.authn.TOTP,1,and therefore enforces SP-signaled restrictions on proxying,false,idp.authn.TOTP.proxyScopingEnforced,BOOLEAN, +633,TOTP,authn/authn.properties,Bean ID ofPredicate controlling result reuse for SSO,4.1,idp.authn.TOTP,1,,shibboleth.Conditions.TRUE,idp.authn.TOTP.reuseCondition,SPRING_BEAN_ID, +635,TOTP,authn/authn.properties,"Bean ID ofBiConsumer for subject customization",4.1,idp.authn.TOTP,1,,,idp.authn.TOTP.subjectDecorator,SPRING_BEAN_ID, +636,TOTP,authn/authn.properties,Comma-delimited list of protocol-specific Principalstrings associated with flow,4.1,idp.authn.TOTP,1,,"saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken, saml1/urn:oasis:names:tc:SAML:1.0:am:HardwareToken",idp.authn.TOTP.supportedPrincipals,STRING, +623,TOTP,authn/authn.properties,Name of IdPAttribute to resolve to obtain token seeds for users,4.1,idp.authn.TOTP,1,,tokenSeeds,idp.authn.TOTP.tokenSeedAttribute,STRING, +494,X500PostLoginC14NConfiguration,c14n/subject-c14n.properties,Whether to lowercase the username,4.1,,,,false,idp.c14n.x500.lowercase,BOOLEAN, +498,X500PostLoginC14NConfiguration,c14n/subject-c14n.properties,Comma-delimited list of attribute OIDs to search for in the subject DN,4.1,,,Comma seperated list of integer values,"2,5,4,3",idp.c14n.x500.objectIDs,STRING, +497,X500PostLoginC14NConfiguration,c14n/subject-c14n.properties,Comma-delimited list of subjectAltName extension types to look for,4.1,,,Comma seperated list of integer values,,idp.c14n.x500.subjectAltNameTypes,STRING, +496,X500PostLoginC14NConfiguration,c14n/subject-c14n.properties,Whether to trim 
leading and trailing whitespace from the username,4.1,,,,true,idp.c14n.x500.trim,BOOLEAN, +495,X500PostLoginC14NConfiguration,c14n/subject-c14n.properties,Whether to uppercase the username,4.1,,,,false,idp.c14n.x500.uppercase,BOOLEAN, +251,X509AuthnConfiguration,authn/authn.properties,Bean ID of Predicate determining whether flow is usable for request,4.1,idp.authn.X509,,,shibboleth.Conditions.TRUE,idp.authn.X509.activationCondition,SPRING_BEAN_ID, +254,X509AuthnConfiguration,authn/authn.properties,Whether to auto-attach the preceding set of Principal objects to each Subject produced by this flow,4.1,idp.authn.X509,,,true,idp.authn.X509.addDefaultPrincipals,BOOLEAN, +247,X509AuthnConfiguration,authn/authn.properties,Whether to invoke IdP discovery prior to running flow,4.1,idp.authn.X509,,,false,idp.authn.X509.discoveryRequired,BOOLEAN, +240,X509AuthnConfiguration,authn/authn.properties,Spring Web Flow redirection expression for the protected resource,4.1,idp.authn.X509,,,contextRelative:x509-prompt.jsp,idp.authn.X509.externalAuthnPath,STRING, +244,X509AuthnConfiguration,authn/authn.properties,Whether the flow supports forced authentication,4.1,idp.authn.X509,,,false,idp.authn.X509.forcedAuthenticationSupported,BOOLEAN, +249,X509AuthnConfiguration,authn/authn.properties,Inactivity timeout of results produced by this flow,4.1,idp.authn.X509,,,%{idp.authn.defaultTimeout:PT30M},idp.authn.X509.inactivityTimeout,DURATION, +248,X509AuthnConfiguration,authn/authn.properties,Lifetime of results produced by this flow,4.1,idp.authn.X509,,,%{idp.authn.defaultLifetime:PT1H},idp.authn.X509.lifetime,DURATION, +242,X509AuthnConfiguration,authn/authn.properties,"Whether the flow should handle non-browser request profiles (e.g., ECP)",4.1,idp.authn.X509,,,false,idp.authn.X509.nonBrowserSupported,BOOLEAN, +241,X509AuthnConfiguration,authn/authn.properties,"Flow priority relative to other enabled login flows (lower is ""higher"" in 
priority)",4.1,idp.authn.X509,,,1000,idp.authn.X509.order,INTEGER, +243,X509AuthnConfiguration,authn/authn.properties,Whether the flow allows for passive authentication,4.1,idp.authn.X509,,,false,idp.authn.X509.passiveAuthenticationSupported,BOOLEAN, +245,X509AuthnConfiguration,authn/authn.properties,Whether the flow enforces upstream IdP imposed restrictions on proxying,4.1,idp.authn.X509,,,%{idp.authn.enforceProxyRestrictions:true},idp.authn.X509.proxyRestrictionsEnforced,BOOLEAN, +246,X509AuthnConfiguration,authn/authn.properties,Whether the flow considers itself to be proxying and therefore enforces SP signaled restrictions on proxying,4.1,idp.authn.X509,,,false,idp.authn.X509.proxyScopingEnforced,BOOLEAN, +250,X509AuthnConfiguration,authn/authn.properties,Bean ID of Predicate controlling result reuse for SSO,4.1,idp.authn.X509,,,shibboleth.Conditions.TRUE,idp.authn.X509.reuseCondition,SPRING_BEAN_ID, +252,X509AuthnConfiguration,authn/authn.properties,Bean ID of BiConsumer determining whether flow is usable for request,4.1,,,,shibboleth.Conditions.TRUE,idp.authn.X509Internal.activationCondition,SPRING_BEAN_ID, +269,X509InternalAuthnConfiguration,authn/authn.properties,Whether to auto-attach the preceding set of Principal objects to each Subject produced by this flow,4.1,,,,true,idp.authn.X509Internal.addDefaultPrincipals,BOOLEAN, +262,X509InternalAuthnConfiguration,authn/authn.properties,Whether to invoke IdP discovery prior to running flow,4.1,,,,false,idp.authn.X509Internal.discoveryRequired,BOOLEAN, +259,X509InternalAuthnConfiguration,authn/authn.properties,Whether the flow supports forced authentication,4.1,,,,false,idp.authn.X509Internal.forcedAuthenticationSupported,BOOLEAN, +264,X509InternalAuthnConfiguration,authn/authn.properties,Inactivity timeout of results produced by this flow,4.1,,,,%{idp.authn.defaultTimeout:PT30M},idp.authn.X509Internal.inactivityTimeout,DURATION, +263,X509InternalAuthnConfiguration,authn/authn.properties,Lifetime of results 
produced by this flow,4.1,,,,%{idp.authn.defaultLifetime:PT1H},idp.authn.X509Internal.lifetime,DURATION, +257,X509InternalAuthnConfiguration,authn/authn.properties,"Whether the flow should handle non-browser request profiles (e.g., ECP)",4.1,,,,false,idp.authn.X509Internal.nonBrowserSupported,BOOLEAN, +256,X509InternalAuthnConfiguration,authn/authn.properties,"Flow priority relative to other enabled login flows (lower is ""higher"" in priority)",4.1,,,,1000,idp.authn.X509Internal.order,INTEGER, +258,X509InternalAuthnConfiguration,authn/authn.properties,Whether the flow allows for passive authentication,4.1,,,,false,idp.authn.X509Internal.passiveAuthenticationSupported,BOOLEAN, +260,X509InternalAuthnConfiguration,authn/authn.properties,Whether the flow enforces upstream IdP imposed restrictions on proxying,4.1,,,,%{idp.authn.enforceProxyRestrictions:true},idp.authn.X509Internal.proxyRestrictionsEnforced,BOOLEAN, +261,X509InternalAuthnConfiguration,authn/authn.properties,Whether the flow considers itself to be proxying and therefore enforces SP signaled restrictions on proxying,4.1,,,,false,idp.authn.X509Internal.proxyScopingEnforced,BOOLEAN, +265,X509InternalAuthnConfiguration,authn/authn.properties,Bean ID of Predicate controlling result reuse for SSO,4.1,,,,shibboleth.Conditions.TRUE,idp.authn.X509Internal.reuseCondition,SPRING_BEAN_ID, +255,X509InternalAuthnConfiguration,authn/authn.properties,Whether to save the certificate into the Subject's public credential set. Disable to reduce the size if not relying on the certificate for subject c14n.,4.1,,,,true,idp.authn.X509Internal.saveCertificateToCredentialSet,BOOLEAN, +267,X509InternalAuthnConfiguration,authn/authn.properties,Bean ID of BiConsumer