From a574d2fc6212ba97e2e352713c47948c55b22f16 Mon Sep 17 00:00:00 2001
From: Ryan Mathis
Date: Mon, 15 Aug 2022 08:02:59 -0700
Subject: [PATCH] Property list

Former-commit-id: 5bd0e2138de520486178133c016356e30691eba5
---
 .../main/resources/i18n/messages.properties | 2 +-
 .../schema/configuration/configuration.json | 37 +
 .../assets/schema/properties/property.json | 30 -
 ui/public/data/properties.json | 659 ++++++++++++++++++
 ui/src/app/App.js | 6 +-
 .../{Properties.js => IdpConfiguration.js} | 20 +-
 .../{PropertyForm.js => ConfigurationForm.js} | 15 +-
 .../{PropertyList.js => ConfigurationList.js} | 12 +-
 .../{EditProperty.js => EditConfiguration.js} | 8 +-
 .../{NewProperty.js => NewConfiguration.js} | 8 +-
 ...sProvider.js => ConfigurationsProvider.js} | 2 +-
 ui/src/app/core/components/Header.js | 4 +-
 ui/src/app/core/components/ProtectRoute.js | 8 +-
 13 files changed, 735 insertions(+), 76 deletions(-)
 create mode 100644 ui/public/assets/schema/configuration/configuration.json
 delete mode 100644 ui/public/assets/schema/properties/property.json
 create mode 100644 ui/public/data/properties.json
 rename ui/src/app/admin/{Properties.js => IdpConfiguration.js} (54%)
 rename ui/src/app/admin/component/{PropertyForm.js => ConfigurationForm.js} (75%)
 rename ui/src/app/admin/container/{PropertyList.js => ConfigurationList.js} (89%)
 rename ui/src/app/admin/container/{EditProperty.js => EditConfiguration.js} (94%)
 rename ui/src/app/admin/container/{NewProperty.js => NewConfiguration.js} (91%)
 rename ui/src/app/admin/hoc/{PropertiesProvider.js => ConfigurationsProvider.js} (94%)

diff --git a/backend/src/main/resources/i18n/messages.properties b/backend/src/main/resources/i18n/messages.properties
index 3b3e67e83..c33e3b4a1 100644
--- a/backend/src/main/resources/i18n/messages.properties
+++ b/backend/src/main/resources/i18n/messages.properties
@@ -646,7 +646,7 @@ tooltip.dont-sign-response=Don\u0027t Sign Response
 tooltip.turn-off-encryption=Turn Off Encryption of Response
 tooltip.usa-sha-algorithm=Use SHA1 Signing Algorithm
 tooltip.authentication-methods-to-use=Authentication Methods to Use
-tooltip.ignore-auth-method=Ignore any SP-Requested Authentication Method
+tooltip.ignore-auth-method=Reject any AuthnReuests from this SP that contain an explicitly requested AuthnContext class
 tooltip.omit-not-before-condition=Omit Not Before Condition
 tooltip.responder-id=ResponderId
 tooltip.instruction=Information icon
diff --git a/ui/public/assets/schema/configuration/configuration.json b/ui/public/assets/schema/configuration/configuration.json
new file mode 100644
index 000000000..6694bcf25
--- /dev/null
+++ b/ui/public/assets/schema/configuration/configuration.json
@@ -0,0 +1,37 @@
+{
+ "type": "object",
+ "properties": {
+ "properties": {
+ "title": "label.configuration-properties",
+ "description": "label.configuration-properties",
+ "type": "array",
+ "required": ["property", "value"],
+ "items": {
+ "type": "object",
+ "properties": {
+ "property": {
+ "title": "label.property-key",
+ "description": "tooltip.property-key",
+ "type": "string",
+ "minLength": 1,
+ "maxLength": 255
+ },
+ "description": {
+ "title": "label.property-descr",
+ "description": "tooltip.property-descr",
+ "type": "string",
+ "minLength": 1,
+ "maxLength": 255
+ },
+ "value": {
+ "title": "label.property-value",
+ "description": "tooltip.property-value",
+ "type": "string",
+ "minLength": 1,
+ "maxLength": 255
+ }
+ }
+ }
+ }
+}
diff --git a/ui/public/assets/schema/properties/property.json b/ui/public/assets/schema/properties/property.json
deleted file mode 100644
index f0e90ff49..000000000
--- a/ui/public/assets/schema/properties/property.json
+++ /dev/null
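Review bot: The new `tooltip.ignore-auth-method` value misspells the SAML message name as `AuthnReuests`; this is the user-facing explanation of a setting that rejects requests, so it should read correctly. Change the added line to `tooltip.ignore-auth-method=Reject any AuthnRequests from this SP that contain an explicitly requested AuthnContext class`. The replaced text said "Ignore", the new text says "Reject"; if the behaviour really changed from ignoring the requested method to refusing the request, the label key name `ignore-auth-method` no longer matches its meaning and may be worth a follow-up rename — I cannot confirm that from this hunk.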
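Review bot: In configuration.json the line `"required": ["property", "value"]` is placed on the array schema (beside `"type": "array"`), where JSON Schema ignores it, so neither `property` nor `value` is actually mandatory for any entry; the deleted property.json enforced this at the object level and the new schema silently loses that check. Move the line into the `items` object, i.e. `"items": { "type": "object", "required": ["property", "value"], "properties": { … } }`. Note that `"minLength": 1` only applies when the field is present, so without `required` in the right place an entry with no key or no value validates cleanly.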
@@ -1,30 +0,0 @@
-{
- "type": "object",
- "required": [
- "property",
- "value"
- ],
- "properties": {
- "property": {
- "title": "label.property-key",
- "description": "tooltip.property-key",
- "type": "string",
- "minLength": 1,
- "maxLength": 255
- },
- "description": {
- "title": "label.property-descr",
- "description": "tooltip.property-descr",
- "type": "string",
- "minLength": 1,
- "maxLength": 255
- },
- "value": {
- "title": "label.property-value",
- "description": "tooltip.property-value",
- "type": "string",
- "minLength": 1,
- "maxLength": 255
- }
- }
-}
\ No newline at end of file
diff --git a/ui/public/data/properties.json b/ui/public/data/properties.json
new file mode 100644
index 000000000..a022a4fd5
--- /dev/null
+++ b/ui/public/data/properties.json
@@ -0,0 +1,659 @@ +[ +{"note":"ex. /conf/ldap.properties, /conf/services.properties","property_name":"idp.additionalProperties","idp_vers":"all","property_default_value":"none","property_type":"Comma-delimited paths","module_vers":"","configuration_cat":"IDP","module":"","description":"Used to point to additional property files to load. All properties must be unique and are ultimately pooled into a single unordered set."}, +{"note":"","property_name":"idp.searchForProperties","idp_vers":"4","property_default_value":"true","property_type":"bool","module_vers":"","configuration_cat":"IDP","module":"","description":"Auto-load all files matching conf/**/*.properties"}, +{"note":"ex. https://unicon.net/idp/shibboleth","property_name":"idp.entityID","idp_vers":"all","property_default_value":"none","property_type":"URI","module_vers":"","configuration_cat":"RP","module":"","description":"The unique name of the IdP used as the iisuer in all SAML profiles"}, +{"note":"","property_name":"idp.entityID.metadataFile","idp_vers":"all","property_default_value":"%{idp.home}/metadata/idp-metadata.xml","property_type":"resource path","module_vers":"","configuration_cat":"IDP","module":"","description":"Identifies the file to serve for requests to the IdP's well-known metadata location"}, +{"note":"","property_name":"idp.artifact.enabled","idp_vers":"all","property_default_value":"true","property_type":"bool","module_vers":"","configuration_cat":"RP","module":"","description":"Whether to allow use of the SAML artifact bindings when sending messages"}, +{"note":"","property_name":"idp.artifact.secureChannel","idp_vers":"all","property_default_value":"true","property_type":"bool","module_vers":"","configuration_cat":"RP","module":"","description":"Whether preparation of messages to be communicated via SAML artifact should assume use of a secure channel (allowing signing and encryption to be skipped)"}, 
+{"note":"","property_name":"idp.artifact.endpointIndex","idp_vers":"all","property_default_value":"2","property_type":"int","module_vers":"","configuration_cat":"RP","module":"","description":"Identifies the endpoint in SAML metadata associated with artifacts issued by a server node"}, +{"note":"","property_name":"idp.artifact.StorageService","idp_vers":"all","property_default_value":"shibboleth.StorageService","property_type":"Bean ID of a StorageService (org.opensaml.storage)","module_vers":"","configuration_cat":"STOR","module":"","description":"Storage back-end to use for short-lived SAML Artifact mappings (must be server-side)"}, +{"note":"","property_name":"idp.bindings.inMetadataOrder","idp_vers":"4.1","property_default_value":"true","property_type":"bool","module_vers":"","configuration_cat":"RP","module":"","description":"Controls whether the outbound binding selection is ordered by the SP's metadata or the IdP's preferred bindings (the inbuilt default order is Redirect -> POST -> Artifact -> SOAP). Set to false to leave artifact support on, but favor use of POST. 
Set also to false to favor the front channel over back channel for Logout."}, +{"note":"","property_name":"idp.entityID.metadataFile","idp_vers":"all","property_default_value":"%{idp.home}/metadata/idp-metadata.xml","property_type":"file pathname","module_vers":"","configuration_cat":"IDP","module":"","description":"Identifies the file to serve for requests to the IdP's well-known metadata location"}, +{"note":"","property_name":"idp.scope","idp_vers":"all","property_default_value":"none","property_type":"string","module_vers":"","configuration_cat":"IDP","module":"","description":"applies a (fixed) scope typically a domain-valued suffix to an input attribute's values"}, +{"note":"","property_name":"idp.cookie.secure","idp_vers":"all","property_default_value":"false","property_type":"bool","module_vers":"","configuration_cat":"SEC","module":"","description":"If true all cookies issued by the IdP (not including the container) will be limited to TLS"}, +{"note":"","property_name":"idp.cookie.httpOnly","idp_vers":"all","property_default_value":"true","property_type":"bool","module_vers":"","configuration_cat":"SEC","module":"","description":"If true all cookies issued by the IdP (not including the container) will contain the HttpOnly property"}, +{"note":"","property_name":"idp.cookie.domain","idp_vers":"all","property_default_value":"none","property_type":"string","module_vers":"","configuration_cat":"SEC","module":"","description":"Overrides the domain of any cookies issued by the IdP (not including the container)"}, +{"note":"","property_name":"idp.cookie.path","idp_vers":"all","property_default_value":"none","property_type":"string","module_vers":"","configuration_cat":"SEC","module":"","description":"Overrides the path of any cookies issued by the IdP (not including the container)"}, 
+{"note":"","property_name":"idp.cookie.maxAge","idp_vers":"all","property_default_value":"31536000","property_type":"int","module_vers":"","configuration_cat":"SEC","module":"","description":"Lifetime in seconds of cookies issued by the IdP that are meant to span sessions (365 days)"}, +{"note":"","property_name":"idp.cookie.sameSite","idp_vers":"all","property_default_value":"None","property_type":"Null/None/Lax/Strict","module_vers":"","configuration_cat":"SEC","module":"","description":"Default SameSite value to apply to cookies via servlet filter if no explicit rule for the named cookie is specified"}, +{"note":"","property_name":"idp.cookie.sameSiteCondition","idp_vers":"all","property_default_value":"shibboleth.Conditions.FALSE","property_type":"Bean ID of Predicate","module_vers":"","configuration_cat":"SEC","module":"","description":"Predicate condition bean controlling whether SameSite filter runs"}, +{"note":"","property_name":"idp.sealer.keyStrategy","idp_vers":"all","property_default_value":"shibboleth.DataSealerKeyStrategy","property_type":"Bean ID of DataSealerKeyStrategy","module_vers":"","configuration_cat":"SEC","module":"","description":"Bean ID supporting the DataSealerKeyStrategy interface to use in place of the built-in option."}, +{"note":"","property_name":"idp.sealer.storeType","idp_vers":"all","property_default_value":"JCEKS","property_type":"string","module_vers":"","configuration_cat":"SEC","module":"","description":"Type of Java keystore used for IdP's internal AES encryption key"}, +{"note":"","property_name":"idp.sealer.updateInterval","idp_vers":"all","property_default_value":"PT15M","property_type":"duration","module_vers":"","configuration_cat":"SEC","module":"","description":"Time between checks for a new AES key version"}, +{"note":"","property_name":"idp.sealer.aliasBase","idp_vers":"all","property_default_value":"secret","property_type":"string","module_vers":"","configuration_cat":"SEC","module":"","description":"Case 
insensitive name of keystore alias prefix used in AES keystore (the entries will be suffixed by the key version number)"}, +{"note":"","property_name":"idp.sealer.storeResource","idp_vers":"all","property_default_value":"none","property_type":"resource path","module_vers":"","configuration_cat":"SEC","module":"","description":"Keystore resource containing AES encryption key usually a file path"}, +{"note":"","property_name":"idp.sealer.versionResource","idp_vers":"all","property_default_value":"none","property_type":"resource path","module_vers":"","configuration_cat":"SEC","module":"","description":"Resource that tracks the active AES encryption key version usually a file path"}, +{"note":"","property_name":"idp.sealer.storePassword","idp_vers":"all","property_default_value":"none","property_type":"string","module_vers":"","configuration_cat":"SEC","module":"","description":"Keystore password unlocking AES encryption keystore typically set during installation"}, +{"note":"","property_name":"idp.sealer.keyPassword","idp_vers":"all","property_default_value":"none","property_type":"string","module_vers":"","configuration_cat":"SEC","module":"","description":"Key password unlocking AES encryption key typically set to the same as the previous property and set during installation"}, +{"note":"","property_name":"idp.signing.key","idp_vers":"all","property_default_value":"none","property_type":"resource path","module_vers":"","configuration_cat":"SEC","module":"","description":"Resource containing private key for signing typically a file in the credentials directory"}, +{"note":"","property_name":"idp.signing.cert","idp_vers":"all","property_default_value":"none","property_type":"resource path","module_vers":"","configuration_cat":"SEC","module":"","description":"Resource containing the public key certificate inserted into signed messages typically a file in the credentials directory"}, 
+{"note":"","property_name":"idp.encryption.key","idp_vers":"all","property_default_value":"none","property_type":"resource path","module_vers":"","configuration_cat":"SEC","module":"","description":"Resource containing a private key for decryption typically a file in the credentials directory"}, +{"note":"","property_name":"idp.encryption.cert","idp_vers":"all","property_default_value":"none","property_type":"resource path","module_vers":"","configuration_cat":"SEC","module":"","description":"Resource containing a public key certificate given to others needing to encrypt data for the IdP typically a file in the credentials directory"}, +{"note":"","property_name":"idp.encryption.key.2","idp_vers":"all","property_default_value":"none","property_type":"resource path","module_vers":"","configuration_cat":"SEC","module":"","description":"Resource containing an alternate private key for decryption generally unused except while changing decryption keys"}, +{"note":"","property_name":"idp.encryption.cert.2","idp_vers":"all","property_default_value":"none","property_type":"resource path","module_vers":"","configuration_cat":"SEC","module":"","description":"Resource containing an alternate public key certificate generally unused except while changing decryption keys"}, +{"note":"","property_name":"idp.security.config","idp_vers":"all","property_default_value":"shibboleth.DefaultSecurityConfiguration","property_type":"Bean ID of SecurityConfiguration (net.shibboleth.idp.profile.config.SecurityConfiguration)","module_vers":"","configuration_cat":"SEC","module":"","description":"Name of Spring bean supplying the default SecurityConfiguration "}, +{"note":"","property_name":"idp.signing.config","idp_vers":"all","property_default_value":"shibboleth.SigningConfiguration.SHA256","property_type":"Bean ID of SignatureSigningConfiguration (org.opensaml.xmlsec)","module_vers":"","configuration_cat":"SEC","module":"","description":"Name of Spring bean supplying the default 
SignatureSigningConfiguration"}, +{"note":"","property_name":"idp.encryption.config","idp_vers":"all","property_default_value":"shibboleth.EncryptionConfiguration.CBC","property_type":"Bean ID of EncryptionConfiguration (org.opensaml.xmlsec)","module_vers":"","configuration_cat":"SEC","module":"","description":"Name of Spring bean supplying the default EncryptionConfiguration"}, +{"note":"","property_name":"idp.encryption.optional","idp_vers":"all","property_default_value":"false","property_type":"bool","module_vers":"","configuration_cat":"SEC","module":"","description":"If true failure to locate an encryption key to use won't result in request failure "}, +{"note":"","property_name":"idp.encryption.keyagreement.metadata.defaultUseKeyWrap","idp_vers":"all","property_default_value":"Default","property_type":"string","module_vers":"","configuration_cat":"SEC","module":"","description":"Sets the default strategy for key agreement key wrap usage for credentials from metadata if not otherwise configured on the security configuration"}, +{"note":"","property_name":"idp.trust.signatures","idp_vers":"all","property_default_value":"shibboleth.ChainingSignatureTrustEngine","property_type":"Bean ID of SignatureTrustEngine (org.opensaml.xmlsec.signature.support)","module_vers":"","configuration_cat":"SEC","module":"","description":"Name of Spring bean for the trust engine used to verify signatures"}, +{"note":"","property_name":"idp.trust.certificates","idp_vers":"all","property_default_value":"shibboleth.ChainingX509TrustEngine","property_type":"Bean ID of TrustEngine (org.opensaml.security.trust)","module_vers":"","configuration_cat":"SEC","module":"","description":"Name of Spring bean for the trust engine used to verify TLS certificates"}, +{"note":"","property_name":"idp.policy.messageLifetime","idp_vers":"all","property_default_value":"PT3M","property_type":"duration","module_vers":"","configuration_cat":"SEC","module":"","description":"Default freshness window for 
accepting timestamped messages"}, +{"note":"","property_name":"idp.policy.assertionLifetime","idp_vers":"all","property_default_value":"PT3M","property_type":"duration","module_vers":"","configuration_cat":"SEC","module":"","description":"Default freshness window for accepting timestamped assertions"}, +{"note":"","property_name":"idp.policy.clockSkew","idp_vers":"all","property_default_value":"PT3M","property_type":"duration","module_vers":"","configuration_cat":"SEC","module":"","description":"Default allowance for clock differences between systems"}, +{"note":"","property_name":"idp.security.basicKeyInfoFactory","idp_vers":"4.1","property_default_value":"shibboleth.BasicKeyInfoGeneratorFactory","property_type":"Bean ID of KeyInfoGeneratorManager (org.opensaml.xmlsec.keyinfo.KeyInfoGeneratorManager)","module_vers":"","configuration_cat":"SEC","module":"","description":"Overrides the BasicKeyInfoGeneratorFactory used by default"}, +{"note":"","property_name":"idp.security.x509KeyInfoFactory","idp_vers":"4.1","property_default_value":"shibboleth.X509KeyInfoGeneratorFactory","property_type":"Bean ID of KeyInfoGeneratorManager (org.opensaml.xmlsec.keyinfo.KeyInfoGeneratorManager)","module_vers":"","configuration_cat":"SEC","module":"","description":"Overrides the X509KeyInfoGeneratorFactory used by default"}, +{"note":"","property_name":"idp.csrf.enabled","idp_vers":"4","property_default_value":"true","property_type":"bool","module_vers":"","configuration_cat":"CSRF","module":"","description":"Enables CSRF protection"}, +{"note":"","property_name":"idp.csrf.token.parameter","idp_vers":"4","property_default_value":"csrf_token","property_type":"string","module_vers":"","configuration_cat":"CSRF","module":"","description":"Name of the HTTP parameter that stores the CSRF token"}, 
+{"note":"","property_name":"idp.hsts","idp_vers":"all","property_default_value":"max-age=0","property_type":"string","module_vers":"","configuration_cat":"IDP","module":"","description":"Auto-configures an HSTS response header"}, +{"note":"","property_name":"idp.frameoptions","idp_vers":"all","property_default_value":"DENY","property_type":"DENY/SAMEORIGIN","module_vers":"","configuration_cat":"IDP","module":"","description":"Auto-configures an X-Frame-Options response header"}, +{"note":"","property_name":"idp.csp","idp_vers":"all","property_default_value":"frame-ancestors 'none'","property_type":"string","module_vers":"","configuration_cat":"IDP","module":"","description":"Auto-configures a Content Security Policy response header"}, +{"note":"","property_name":"idp.webflows","idp_vers":"all","property_default_value":"%{idp.home}/flows","property_type":"resource path","module_vers":"","configuration_cat":"IDP","module":"","description":"Location from which to load user-supplied webflows from"}, +{"note":"","property_name":"idp.views","idp_vers":"all","property_default_value":"%{idp.home}/views","property_type":"Comma-delimited paths","module_vers":"","configuration_cat":"IDP","module":"","description":"Location from which to load user-modifiable Velocity view templates. 
This can be set to include \"classpath*:/META-INF/net/shibboleth/idp/views\" (or equivalent) to load templates from the classpath, such as from extension jars, but doing so disables support for template reloading."}, +{"note":"","property_name":"idp.errors.detailed","idp_vers":"all","property_default_value":"false","property_type":"bool","module_vers":"","configuration_cat":"ERR","module":"","description":"Whether to expose detailed error causes in status information provided to outside parties"}, +{"note":"","property_name":"idp.errors.signed","idp_vers":"all","property_default_value":"true","property_type":"bool","module_vers":"","configuration_cat":"ERR","module":"","description":"Whether to digitally sign error responses in SAML or similar protocols, if signing is otherwise warranted (this can prevent a simple denial of service vector, since errors are simple to trigger)"}, +{"note":"","property_name":"idp.errors.defaultView","idp_vers":"all","property_default_value":"error","property_type":"string","module_vers":"","configuration_cat":"ERR","module":"","description":"The default view name to render for exceptions and events"}, +{"note":"","property_name":"idp.errors.excludedExceptions","idp_vers":"all","property_default_value":"none","property_type":"Bean ID of Properties (java.util.Properties)","module_vers":"","configuration_cat":"ERR","module":"","description":"Bean defing Properties mapping exception class names to error views. 
The matching by class name does not support wildcards, but does do substring matches (so it's not necessary to fully qualify the class)."}, +{"note":"","property_name":"idp.errors.exceptionMappings","idp_vers":"all","property_default_value":"none","property_type":"Bean ID of Collection (java.util)","module_vers":"","configuration_cat":"ERR","module":"","description":"Bean defining Collection identifying exception classes to ignore (causing them to bubble outward, so use with caution)"}, +{"note":"","property_name":"idp.storage.cleanupInterval","idp_vers":"all","property_default_value":"PT10M","property_type":"duration","module_vers":"","configuration_cat":"STOR","module":"","description":"Interval of background thread sweeping server-side storage for expired records"}, +{"note":"","property_name":"idp.storage.htmlLocalStorage","idp_vers":"all","property_default_value":"false","property_type":"bool","module_vers":"","configuration_cat":"STOR","module":"","description":"Whether to use HTML Local Storage (if available) instead of cookies"}, +{"note":"","property_name":"idp.storage.clientSessionStorageName","idp_vers":"all","property_default_value":"shib_idp_session_ss","property_type":"string","module_vers":"","configuration_cat":"STOR","module":"","description":"Name of cookie or HTML storage key used by the default per-session instance of the client storage service"}, +{"note":"","property_name":"idp.storage.clientPersistentStorageName","idp_vers":"all","property_default_value":"shib_idp_persistent_ss","property_type":"string","module_vers":"","configuration_cat":"STOR","module":"","description":"Name of cookie or HTML storage key used by the default persistent instance of the client storage service"}, +{"note":"","property_name":"idp.replayCache.StorageService","idp_vers":"all","property_default_value":"shibboleth.StorageService","property_type":"Bean ID of a StorageService 
(org.opensaml.storage)","module_vers":"","configuration_cat":"STOR","module":"","description":"Storage back-end to use for message replay checking (must be server-side)"}, +{"note":"","property_name":"idp.replayCache.strict","idp_vers":"all","property_default_value":"true","property_type":"bool","module_vers":"","configuration_cat":"STOR","module":"","description":"Whether storage errors during replay checks should be treated as a replay"}, +{"note":"","property_name":"idp.session.enabled","idp_vers":"all","property_default_value":"true","property_type":"bool","module_vers":"","configuration_cat":"SESS","module":"","description":"Whether to enable the IdP's session tracking feature"}, +{"note":"","property_name":"idp.session.StorageService","idp_vers":"all","property_default_value":"shibboleth.ClientSessionStorageService","property_type":"Bean ID of StorageService (org.opensaml.storage)","module_vers":"","configuration_cat":"SESS","module":"","description":"Bean name of a storage implementation/configuration to use for IdP sessions"}, +{"note":"","property_name":"idp.session.cookieName","idp_vers":"4.2","property_default_value":"shib_idp_session","property_type":"string","module_vers":"","configuration_cat":"SESS","module":"","description":"Name of cookie containing IdP session ID (note this is not the same as the cookie the Java container uses to track its own sessions)"}, +{"note":"","property_name":"idp.session.idSize","idp_vers":"all","property_default_value":"32","property_type":"int","module_vers":"","configuration_cat":"SESS","module":"","description":"Number of characters in IdP session identifiers"}, +{"note":"","property_name":"idp.session.consistentAddress","idp_vers":"all","property_default_value":"true","property_type":"bool","module_vers":"","configuration_cat":"SESS","module":"","description":"Whether to bind IdP sessions to IP addresses"}, 
+{"note":"","property_name":"idp.session.consistentAddressCondition","idp_vers":"all","property_default_value":"Direct string comparison","property_type":"BiPredicate","module_vers":"","configuration_cat":"SESS","module":"","description":"A 2-argument predicate that compares a bound session's address to a client address"}, +{"note":"","property_name":"idp.session.timeout","idp_vers":"all","property_default_value":"PT60M","property_type":"duration","module_vers":"","configuration_cat":"SESS","module":"","description":"Inactivity timeout policy for IdP sessions (must be non-zero)"}, +{"note":"","property_name":"idp.session.slop","idp_vers":"all","property_default_value":"0","property_type":"duration","module_vers":"","configuration_cat":"SESS","module":"","description":"Extra time after expiration before removing SP sessions in case a logout is invoked"}, +{"note":"","property_name":"idp.session.maskStorageFailure","idp_vers":"all","property_default_value":"false","property_type":"bool","module_vers":"","configuration_cat":"SESS","module":"","description":"Whether to hide storage failures from users during session cache reads/writes"}, +{"note":"","property_name":"idp.session.trackSPSessions","idp_vers":"all","property_default_value":"false","property_type":"bool","module_vers":"","configuration_cat":"SESS","module":"","description":"Whether to save a record of every SP accessed during an IdP session (requires a server-side session store or HTML LocalStorage)"}, +{"note":"","property_name":"idp.session.secondaryServiceIndex","idp_vers":"all","property_default_value":"false","property_type":"bool","module_vers":"","configuration_cat":"SESS","module":"","description":"Whether to track SPs on the basis of the SAML subject ID used, for logout purposes (requires SP session tracking be on)"}, 
+{"note":"","property_name":"idp.session.defaultSPlifetime","idp_vers":"all","property_default_value":"PT2H","property_type":"duration","module_vers":"","configuration_cat":"SESS","module":"","description":"Default length of time to maintain record of an SP session (must be non-zero), overridable by relying-party-specific setting"}, +{"note":" ex. Password, MA, DUO","property_name":"idp.authn.flows","idp_vers":"all","property_default_value":"none","property_type":"regex","module_vers":"","configuration_cat":"AUTHN","module":"","description":"Required expression that identifies the login flows to globally enable"}, +{"note":" measured since first usage","property_name":"idp.authn.defaultLifetime","idp_vers":"all","property_default_value":"PT60M","property_type":"duration","module_vers":"","configuration_cat":"AUTHN","module":"","description":"Default amount of time to allow reuse prior authentication flows"}, +{"note":" measured since last usage","property_name":"idp.authn.defaultTimeout","idp_vers":"all","property_default_value":"PT30M","property_type":"duration","module_vers":"","configuration_cat":"AUTHN","module":"","description":"Default inactivity timeout to prevent reuse of prior authentication flows"}, +{"note":"","property_name":"idp.authn.proxyRestrictionsEnforced","idp_vers":"4.1","property_default_value":"true","property_type":"bool","module_vers":"","configuration_cat":"AUTHN","module":"","description":"Whether to enforce restrictions placed on further proxying of assertions from upstream IdPs when relying on proxied authentication"}, +{"note":"","property_name":"idp.authn.favorSSO","idp_vers":"all","property_default_value":"false","property_type":"bool","module_vers":"","configuration_cat":"AUTHN","module":"","description":"Whether to prioritize prior authentication results when an SP requests more than one possible matching method"}, 
+{"note":"","property_name":"idp.authn.rpui","idp_vers":"all","property_default_value":"true","property_type":"bool","module_vers":"","configuration_cat":"AUTHN","module":"","description":"Whether to populate information about the relying party into the tree for user interfaces during login and interceptors"},
+{"note":"","property_name":"idp.authn.identitySwitchIsError","idp_vers":"all","property_default_value":"false","property_type":"bool","module_vers":"","configuration_cat":"AUTHN","module":"","description":"Whether to fail requests if a user identity after authentication doesn't match the identity in a pre-existing session."},
+{"note":"","property_name":"idp.authn.discoveryURL","idp_vers":"4.1","property_default_value":"none","property_type":"string","module_vers":"","configuration_cat":"AUTHN","module":"","description":"Provides a static discovery URL to use for external discovery this property replaces the need for the XML-defined bean used in V4.0 for this purpose"},
+{"note":"","property_name":"idp.authn.overrideRequestedAuthnContext","idp_vers":"4","property_default_value":"false","property_type":"bool","module_vers":"","configuration_cat":"AUTHN","module":"","description":"Whether to override an explicit element in an SP’s request with a configuration-imposed rule via the defaultAuthenticationMethods profile configuration setting. 
Note this is a violation of the SAML standard and is also a global setting applying to all SPs that may have such a profile configuration set."},
+{"note":"","property_name":"idp.consent.StorageService","idp_vers":"all","property_default_value":"shibboleth.ClientPersistentStorageService","property_type":"Bean ID","module_vers":"","configuration_cat":"CONS","module":"","description":"Name of storage service used to store users' consent choices"},
+{"note":"","property_name":"idp.consent.attribute-release.userStorageKey","idp_vers":"all","property_default_value":"shibboleth.consent.PrincipalConsentStorageKey","property_type":"Bean ID","module_vers":"","configuration_cat":"CONS","module":"","description":"Name of function used to return the String storage key representing a user defaults to the principal name"},
+{"note":"","property_name":"idp.consent.attribute-release.userStorageKeyAttribute","idp_vers":"all","property_default_value":"uid","property_type":"string","module_vers":"","configuration_cat":"CONS","module":"","description":"Attribute whose value is the storage key representing a user"},
+{"note":"","property_name":"idp.consent.attribute-release.activationCondition","idp_vers":"4.1","property_default_value":"shibboleth.Conditions.TRUE","property_type":"Bean ID","module_vers":"","configuration_cat":"CONS","module":"","description":"Optional condition to apply to control activation of attribute-release flow along with system default behavior"},
+{"note":"","property_name":"idp.consent.attribute-release.auditFormat","idp_vers":"all","property_default_value":"%T|%SP|%e|%u|%CCI|%CCV|%CCA","property_type":"logback","module_vers":"","configuration_cat":"CONS","module":"","description":"Default consent auditing formats"},
+{"note":"","property_name":"idp.consent.terms-of-use.userStorageKey","idp_vers":"all","property_default_value":"shibboleth.consent.PrincipalConsentStorageKey","property_type":"Bean 
ID","module_vers":"","configuration_cat":"CONS","module":"","description":"Name of function used to return the String storage key representing a user defaults to the principal name"},
+{"note":"","property_name":"idp.consent.terms-of-use.userStorageKeyAttribute","idp_vers":"all","property_default_value":"uid","property_type":"string","module_vers":"","configuration_cat":"CONS","module":"","description":"Attribute whose value is the storage key representing a user"},
+{"note":"","property_name":"idp.consent.terms-of-use.consentValueMessageCodeSuffix","idp_vers":"all","property_default_value":".text","property_type":"string","module_vers":"","configuration_cat":"CONS","module":"","description":"Suffix of message property used as value of consent storage records when idp.consent.compareValues is true"},
+{"note":"","property_name":"idp.consent.terms-of-use.activationCondition","idp_vers":"4.1","property_default_value":"shibboleth.Conditions.TRUE","property_type":"Bean ID","module_vers":"","configuration_cat":"CONS","module":"","description":"Optional condition to apply to control activation of terms-of-use flow"},
+{"note":"","property_name":"idp.consent.terms-of-use.auditFormat","idp_vers":"all","property_default_value":"%T|%SP|%e|%u|%CCI|%CCV|%CCA","property_type":"logback","module_vers":"","configuration_cat":"CONS","module":"","description":"Default consent auditing formats"},
+{"note":"","property_name":"idp.consent.allowDoNotRemember","idp_vers":"all","property_default_value":"true","property_type":"bool","module_vers":"","configuration_cat":"CONS","module":"","description":"Whether not remembering/storing consent is allowed"},
+{"note":"","property_name":"idp.consent.allowGlobal","idp_vers":"all","property_default_value":"true","property_type":"bool","module_vers":"","configuration_cat":"CONS","module":"","description":"Whether consent to any attribute and to any relying party is allowed"},
+{"note":"","property_name":"idp.consent.allowPerAttribute","idp_vers":"all","property_default_value":"false","property_type":"bool","module_vers":"","configuration_cat":"CONS","module":"","description":"Whether per-attribute consent is allowed"},
+{"note":"","property_name":"idp.consent.compareValues","idp_vers":"all","property_default_value":"false","property_type":"bool","module_vers":"","configuration_cat":"CONS","module":"","description":"Whether attribute values and terms of use text are stored and compared for equality"},
+{"note":"","property_name":"idp.consent.maxStoredRecords","idp_vers":"all","property_default_value":"10","property_type":"int","module_vers":"","configuration_cat":"CONS","module":"","description":"Maximum number of records stored when using space-limited storage (e.g. cookies), 0 = no limit"},
+{"note":"","property_name":"idp.consent.expandedMaxStoredRecords","idp_vers":"all","property_default_value":"0","property_type":"int","module_vers":"","configuration_cat":"CONS","module":"","description":"Maximum number of records stored when using larger/server-side storage, 0 = no limit"},
+{"note":"","property_name":"idp.consent.storageRecordLifetime","idp_vers":"4.x","property_default_value":"(v4.0=P1Y,v4.1=infinite)","property_type":"duration","module_vers":"","configuration_cat":"CONS","module":"","description":"Time in milliseconds to expire consent storage records"},
+{"note":"","property_name":"idp.logout.elaboration","idp_vers":"all","property_default_value":"false","property_type":"bool","module_vers":"","configuration_cat":"SLO","module":"","description":"Whether to search metadata for user interface information associated with every service involved in logout propagation"},
+{"note":"","property_name":"idp.logout.authenticated","idp_vers":"all","property_default_value":"true","property_type":"bool","module_vers":"","configuration_cat":"SLO","module":"","description":"Whether to require signed logout messages in accordance with the SAML 
2.0 standard"},
+{"note":"","property_name":"idp.logout.promptUser","idp_vers":"all","property_default_value":"false","property_type":"Bean ID of Predicate","module_vers":"","configuration_cat":"SLO","module":"","description":"If the bean returns true the user is given the option to actually cancel the IdP logout outright and prevent removal of the session"},
+{"note":"","property_name":"idp.logout.preserveQuery","idp_vers":"4.1","property_default_value":"false","property_type":"bool","module_vers":"","configuration_cat":"SLO","module":"","description":"Processes arbitrary query parameters to the Simple Logout endpoint and stashes them in a ScratchContext for use by subsequent view logic"},
+{"note":"","property_name":"idp.logout.assumeAsync","idp_vers":"4.2","property_default_value":"false","property_type":"bool","module_vers":"","configuration_cat":"SLO","module":"","description":"When true allows inbound SAML LogoutRequests to be processed even if the SP lacks metadata containing response endpoints"},
+{"note":"","property_name":"idp.logout.propagationHidden","idp_vers":"4.2","property_default_value":"false","property_type":"bool","module_vers":"","configuration_cat":"SLO","module":"","description":"Applies the \"display:none\" style to the list of SPs and logout status reporting images so that logout status is not visibly reported to the user"},
+{"note":"","property_name":"idp.soap.httpClient","idp_vers":"all","property_default_value":"SOAPClient.HttpClient","property_type":"Bean ID of HttpClient to use for SOAP-based logout","module_vers":"","configuration_cat":"IDP","module":"","description":"Allows the HttpClient used for SOAP communication to be overriden (applies to SAML logout via SOAP)"},
+{"note":"ex. 
en, fr, de","property_name":"idp.ui.fallbackLanguages","idp_vers":"all","property_default_value":"none","property_type":"Comma-delimited list","module_vers":"","configuration_cat":"IDP","module":"","description":"languages to use if no match can be found with the browser-supported languages"},
+{"note":"","property_name":"idp.cas.StorageService","idp_vers":"all","property_default_value":"shibboleth.StorageService","property_type":"Bean ID","module_vers":"","configuration_cat":"CAS","module":"","description":"Storage service used by CAS protocol for chained proxy-granting tickets and when using server-managed \"simple\" TicketService. MUST be server-side storage (e.g. in-memory, memcached, database)"},
+{"note":"","property_name":"idp.cas.serviceRegistryClass","idp_vers":"all","property_default_value":"net.shibboleth.idp.cas.service.PatternServiceRegistry","property_type":"?","module_vers":"","configuration_cat":"CAS","module":"","description":"CAS service registry implementation class"},
+{"note":"","property_name":"idp.cas.relyingPartyIdFromMetadata","idp_vers":"all","property_default_value":"false","property_type":"bool","module_vers":"","configuration_cat":"CAS","module":"","description":"If true CAS services provisioned with SAML metadata are identified via entityID"},
+{"note":"","property_name":"idp.fticks.federation","idp_vers":"all","property_default_value":"none","property_type":"string","module_vers":"","configuration_cat":"FTICK","module":"","description":"Enables F-TICKS output and specifies the value of the federation-identifier field"},
+{"note":"","property_name":"idp.fticks.condition","idp_vers":"4.1","property_default_value":"none","property_type":"Bean ID","module_vers":"","configuration_cat":"FTICK","module":"","description":"Optional bean name of a Predicate to use to decide whether to run"},
+{"note":"","property_name":"idp.fticks.algorithm","idp_vers":"all","property_default_value":"SHA-2","property_type":"string","module_vers":"","configuration_cat":"FTICK","module":"","description":"Digest algorithm used to obscure usernames"},
+{"note":"","property_name":"idp.fticks.salt","idp_vers":"all","property_default_value":"none","property_type":"string","module_vers":"","configuration_cat":"FTICK","module":"","description":"A salt to apply when digesting usernames (if not specified, the username will not be included)"},
+{"note":"","property_name":"idp.fticks.loghost","idp_vers":"all","property_default_value":"localhost","property_type":"string","module_vers":"","configuration_cat":"FTICK","module":"","description":"The remote syslog host"},
+{"note":"","property_name":"idp.fticks.logport","idp_vers":"all","property_default_value":"514","property_type":"int","module_vers":"","configuration_cat":"FTICK","module":"","description":"The remote syslog port"},
+{"note":"","property_name":"idp.audit.shortenBindings","idp_vers":"all","property_default_value":"true","property_type":"bool","module_vers":"","configuration_cat":"SERV","module":"","description":"Set false if you want SAML bindings \"spelled out\" in audit log"},
+{"note":"","property_name":"idp.velocity.runtime.strictmode","idp_vers":"all","property_default_value":"false","property_type":"bool","module_vers":"","configuration_cat":"IDP","module":"","description":"Set to true to fail on velocity syntax errors"},
+{"note":"","property_name":"idp.intercept.External.externalPath","idp_vers":"all","property_default_value":"contextRelative:intercept.jsp","property_type":"path","module_vers":"","configuration_cat":"IDP","module":"","description":"Path to use with External interceptor flow"},
+{"note":"","property_name":"idp.impersonate.generalPolicy","idp_vers":"all","property_default_value":"GeneralImpersonationPolicy","property_type":"Policy 
ID","module_vers":"","configuration_cat":"IDP","module":"","description":"Policies to use with Impersonate interceptor flow"},
+{"note":"","property_name":"idp.impersonate.specificPolicy","idp_vers":"all","property_default_value":"SpecificImpersonationPolicy","property_type":"Policy ID","module_vers":"","configuration_cat":"IDP","module":"","description":"Policies to use with Impersonate interceptor flow"},
+{"note":"","property_name":"idp.authn.LDAP.authenticator","idp_vers":"all","property_default_value":"anonSearchAuthenticator","property_type":"string","module_vers":"","configuration_cat":"LDAP","module":"","description":"Controls the workflow for how authentication occurs against LDAP: one of anonSearchAuthenticator, bindSearchAuthenticator, directAuthenticator, adAuthenticator"},
+{"note":" ex. ldap://localhost or ldaps://localhost","property_name":"idp.authn.LDAP.ldapURL","idp_vers":"all","property_default_value":"none","property_type":"LDAP URI","module_vers":"","configuration_cat":"LDAP","module":"","description":"Connection URI for LDAP directory"},
+{"note":"","property_name":"idp.authn.LDAP.useStartTLS","idp_vers":"all","property_default_value":"true","property_type":"bool","module_vers":"","configuration_cat":"LDAP","module":"","description":"Whether StartTLS should be used after connecting with LDAP alone."},
+{"note":"","property_name":"idp.authn.LDAP.connectTimeout","idp_vers":"all","property_default_value":"PT3S","property_type":"duration","module_vers":"","configuration_cat":"LDAP","module":"","description":"Time to wait for the TCP connection to occur."},
+{"note":"","property_name":"idp.authn.LDAP.responseTimeout","idp_vers":"all","property_default_value":"PT3S","property_type":"duration","module_vers":"","configuration_cat":"LDAP","module":"","description":"Time to wait for an LDAP response message"},
+{"note":"","property_name":"idp.authn.LDAP.connectionStrategy","idp_vers":"all","property_default_value":"ACTIVE_PASSIVE","property_type":"string","module_vers":"","configuration_cat":"LDAP","module":"","description":"Connection strategy to use when multiple URLs are supplied: one of ACTIVE_PASSIVE, ROUND_ROBIN, RANDOM"},
+{"note":"","property_name":"idp.authn.LDAP.sslConfig","idp_vers":"all","property_default_value":"certificateTrust","property_type":"string","module_vers":"","configuration_cat":"LDAP","module":"","description":"How to establish trust in the server's TLS certificate: one of jvmTrust, certificateTrust, or keyStoreTrust"},
+{"note":"ex. %{idp.home}/credentials/ldap-server.crt","property_name":"idp.authn.LDAP.trustCertificates","idp_vers":"all","property_default_value":"none","property_type":"resource path","module_vers":"","configuration_cat":"LDAP","module":"","description":"A resource to load trust anchors from when using sslConfig = certificateTrust"},
+{"note":"ex. %{idp.home}/credentials/ldap-server.truststore","property_name":"idp.authn.LDAP.trustStore","idp_vers":"all","property_default_value":"none","property_type":"resource path","module_vers":"","configuration_cat":"LDAP","module":"","description":"A resource to load a Java keystore containing trust anchors when using sslConfig = keyStoreTrust"},
+{"note":"","property_name":"idp.authn.LDAP.returnAttributes","idp_vers":"all","property_default_value":"none","property_type":"comma-seperated strings","module_vers":"","configuration_cat":"LDAP","module":"","description":"List of attributes to request during authentication"},
+{"note":"","property_name":"idp.authn.LDAP.baseDN","idp_vers":"all","property_default_value":"none","property_type":"string","module_vers":"","configuration_cat":"LDAP","module":"","description":"Base DN to search against when using an LDAP.authenticator of anonSearchAuthenticator or bindSearchAuthenticator"},
+{"note":"","property_name":"idp.authn.LDAP.subtreeSearch","idp_vers":"all","property_default_value":"false","property_type":"bool","module_vers":"","configuration_cat":"LDAP","module":"","description":"Whether to search recursively when using an LDAP.authenticator of anonSearchAuthenticator or bindSearchAuthenticator"},
+{"note":"","property_name":"idp.authn.LDAP.userFilter","idp_vers":"all","property_default_value":"none","property_type":"string","module_vers":"","configuration_cat":"LDAP","module":"","description":"LDAP search filter when using an LDAP.authenticator of anonSearchAuthenticator or bindSearchAuthenticator"},
+{"note":"","property_name":"idp.authn.LDAP.bindDN","idp_vers":"all","property_default_value":"none","property_type":"string","module_vers":"","configuration_cat":"LDAP","module":"","description":"DN to bind with during search when using an LDAP.authenticator = bindSearchAuthenticator"},
+{"note":"","property_name":"idp.authn.LDAP.bindDNCredential","idp_vers":"all","property_default_value":"none","property_type":"string","module_vers":"","configuration_cat":"LDAP","module":"","description":"Password to bind with during search when using an LDAP.authenticator = bindSearchAuthenticator usually set via %{idp.home}/credentials/secrets.properties"},
+{"note":"ex. 
uid=%s,ou=people,dc=example,dc=org or for AD %s@domain.com","property_name":"idp.authn.LDAP.dnFormat","idp_vers":"all","property_default_value":"none","property_type":"string","module_vers":"","configuration_cat":"LDAP","module":"","description":"A formatting string to generate the user DNs to authenticate when using an LDAP.authenticator of directAuthenticator or adAuthenticator"},
+{"note":"","property_name":"idp.authn.LDAP.resolveEntryOnFailure","idp_vers":"all","property_default_value":"false","property_type":"bool","module_vers":"","configuration_cat":"LDAP","module":"","description":"Whether the user's LDAP entry should be returned in the authentication response even when the user bind fails."},
+{"note":"","property_name":"idp.authn.LDAP.resolveEntryWithBindDN","idp_vers":"all","property_default_value":"false","property_type":"bool","module_vers":"","configuration_cat":"LDAP","module":"","description":"Whether the user's LDAP entry should be resolved with the bindDN credentials rather than as the authenticated user."},
+{"note":"","property_name":"idp.authn.LDAP.usePasswordPolicy","idp_vers":"all","property_default_value":"false","property_type":"bool","module_vers":"","configuration_cat":"LDAP","module":"","description":"Whether to use the Password Policy Control."},
+{"note":"","property_name":"idp.authn.LDAP.usePasswordExpiration","idp_vers":"all","property_default_value":"false","property_type":"bool","module_vers":"","configuration_cat":"LDAP","module":"","description":"Whether to use the Password Expired Control."},
+{"note":"","property_name":"idp.authn.LDAP.activeDirectory","idp_vers":"all","property_default_value":"false","property_type":"bool","module_vers":"","configuration_cat":"LDAP","module":"","description":"If you are using Active Directory this switch will attempt to use the account states defined by AD. Note that this flag is unnecessary if you are using the 'adAuthenticator'. 
It is meant to be specified with one of the other authenticator types."},
+{"note":"","property_name":"idp.authn.LDAP.freeIPADirectory","idp_vers":"all","property_default_value":"false","property_type":"bool","module_vers":"","configuration_cat":"LDAP","module":"","description":"If you are using the FreeIPA LDAP this switch will attempt to use the account states defined by that product."},
+{"note":"","property_name":"idp.authn.LDAP.eDirectory","idp_vers":"all","property_default_value":"false","property_type":"bool","module_vers":"","configuration_cat":"LDAP","module":"","description":"If you are using the EDirectory LDAP this switch will attempt to use the account states defined by that product."},
+{"note":"","property_name":"idp.authn.LDAP.disablePooling","idp_vers":"all","property_default_value":"false","property_type":"bool","module_vers":"","configuration_cat":"LDAP","module":"","description":"Whether connection pools should be used for LDAP authentication and DN resolution"},
+{"note":"","property_name":"idp.pool.LDAP.minSize","idp_vers":"all","property_default_value":"3","property_type":"int","module_vers":"","configuration_cat":"LDAP","module":"","description":"Minimum LDAP connection pool size"},
+{"note":"","property_name":"idp.pool.LDAP.maxSize","idp_vers":"all","property_default_value":"10","property_type":"int","module_vers":"","configuration_cat":"LDAP","module":"","description":"Maximum LDAP connection pool size"},
+{"note":"","property_name":"idp.pool.LDAP.validateOnCheckout","idp_vers":"all","property_default_value":"false","property_type":"bool","module_vers":"","configuration_cat":"LDAP","module":"","description":"Whether to validate connections when checking them out of the pool"},
+{"note":"","property_name":"idp.pool.LDAP.validatePeriodically","idp_vers":"all","property_default_value":"true","property_type":"bool","module_vers":"","configuration_cat":"LDAP","module":"","description":"Whether to validate connections in the background"},
+{"note":"","property_name":"idp.pool.LDAP.validatePeriod","idp_vers":"all","property_default_value":"PT5M","property_type":"duration","module_vers":"","configuration_cat":"LDAP","module":"","description":"Duration between validation if idp.pool.LDAP.validatePeriodically is true"},
+{"note":"","property_name":"idp.pool.LDAP.validateDN","idp_vers":"4.0.1","property_default_value":"none","property_type":"string","module_vers":"","configuration_cat":"LDAP","module":"","description":"DN to search with the validateFilter: defaults to the rootDSE"},
+{"note":"","property_name":"idp.pool.LDAP.validateFilter","idp_vers":"4.0.1","property_default_value":"(objectClass=*)","property_type":"string","module_vers":"","configuration_cat":"LDAP","module":"","description":"Search filter to execute in order to validate a pooled connection"},
+{"note":"","property_name":"idp.pool.LDAP.prunePeriod","idp_vers":"all","property_default_value":"PT5M","property_type":"duration","module_vers":"","configuration_cat":"LDAP","module":"","description":"Duration between looking for idle connections to reduce the pool back to its minimum size"},
+{"note":"","property_name":"idp.pool.LDAP.idleTime","idp_vers":"all","property_default_value":"PT10M","property_type":"duration","module_vers":"","configuration_cat":"LDAP","module":"","description":"Duration connections must be idle to be eligible for pruning"},
+{"note":"","property_name":"idp.pool.LDAP.blockWaitTime","idp_vers":"all","property_default_value":"PT3S","property_type":"duration","module_vers":"","configuration_cat":"LDAP","module":"","description":"Duration to wait for a free connection in the pool"},
+{"note":"","property_name":"idp.authn.LDAP.bindPoolPassivator","idp_vers":"4.0.1","property_default_value":"none","property_type":"string","module_vers":"","configuration_cat":"LDAP","module":"","description":"Controls how connections in the bind pool are passivated. 
Connections in the bind pool may be in an authenticated state that will not allow validation searches to succeed. This property controls how bind connections are placed back into the pool. If your directory requires searches to be performed by the idp.authn.LDAP.bindDN or anonymously, this property controls that behavior. one of: none, bind, anonymousBind."},
+{"note":"","property_name":"idp.authn.JAAS.loginConfigNames","idp_vers":"4.1","property_default_value":"ShibUserPassAuth","property_type":"string","module_vers":"","configuration_cat":"AUTHN","module":"","description":"Comma-delimited set of JAAS application configuration names to use"},
+{"note":"","property_name":"idp.authn.JAAS.loginConfig","idp_vers":"4.1","property_default_value":"%{idp.home}/conf/authn/jaas.config","property_type":"resource path","module_vers":"","configuration_cat":"AUTHN","module":"","description":"Location of JAAS configuration file"},
+{"note":"","property_name":"idp.authn.Krb5.refreshConfig","idp_vers":"4.1","property_default_value":"false","property_type":"bool","module_vers":"","configuration_cat":"AUTHN","module":"","description":"Whether to reload the underlying Kerberos configuration (generally in /etc/krb5.conf) on every login attempt"},
+{"note":"","property_name":"idp.authn.Krb5.preserveTicket","idp_vers":"4.1","property_default_value":"false","property_type":"bool","module_vers":"","configuration_cat":"AUTHN","module":"","description":"Whether to preserve the resulting Kerberos TGT in the Java Subject's private credential set"},
+{"note":"","property_name":"idp.authn.Krb5.servicePrincipal","idp_vers":"4.1","property_default_value":"none","property_type":"string","module_vers":"","configuration_cat":"AUTHN","module":"","description":"Name of a service principal to use to verify the KDC supplying the TGT by requesting and verifying a service ticket issued for it"},
+{"note":"","property_name":"idp.authn.Krb5.keytab","idp_vers":"4.1","property_default_value":"none","property_type":"resource path","module_vers":"","configuration_cat":"AUTHN","module":"","description":"Path to a keytab file containing keys belonging to the service principal defined in idp.authn.Krb5.servicePrincipal"},
+{"note":"","property_name":"idp.authn.External.externalAuthnPath","idp_vers":"4.1","property_default_value":"contextRelative:external.jsp","property_type":"string","module_vers":"","configuration_cat":"AUTHN","module":"idp.authn.External","description":"Spring Web Flow redirection expression for the protected resource"},
+{"note":"","property_name":"idp.authn.External.matchExpression","idp_vers":"4.1","property_default_value":"none","property_type":"regex","module_vers":"","configuration_cat":"AUTHN","module":"idp.authn.External","description":"Regular expression to match username against"},
+{"note":"","property_name":"idp.authn.External.order","idp_vers":"4.1","property_default_value":"1000","property_type":"int","module_vers":"","configuration_cat":"AUTHN","module":"idp.authn.External","description":"Flow priority relative to other enabled login flows (lower is \"higher\" in priority)"},
+{"note":"","property_name":"idp.authn.External.nonBrowserSupported","idp_vers":"4.1","property_default_value":"false","property_type":"bool","module_vers":"","configuration_cat":"AUTHN","module":"idp.authn.External","description":"Whether the flow should handle non-browser request profiles (e.g., ECP)"},
+{"note":"","property_name":"idp.authn.External.passiveAuthenticationSupported","idp_vers":"4.1","property_default_value":"false","property_type":"bool","module_vers":"","configuration_cat":"AUTHN","module":"idp.authn.External","description":"Whether the flow allows for passive authentication"},
+{"note":"","property_name":"idp.authn.External.forcedAuthenticationSupported","idp_vers":"4.1","property_default_value":"false","property_type":"bool","module_vers":"","configuration_cat":"AUTHN","module":"idp.authn.External","description":"Whether the flow supports forced authentication"},
+{"note":"","property_name":"idp.authn.External.proxyRestrictionsEnforced","idp_vers":"4.1","property_default_value":"%{idp.authn.enforceProxyRestrictions:true}","property_type":"bool","module_vers":"","configuration_cat":"AUTHN","module":"idp.authn.External","description":"Whether the flow enforces upstream IdP imposed restrictions on proxying"},
+{"note":"","property_name":"idp.authn.External.proxyScopingEnforced","idp_vers":"4.1","property_default_value":"false","property_type":"bool","module_vers":"","configuration_cat":"AUTHN","module":"idp.authn.External","description":"Whether the flow considers itself to be proxying and therefore enforces SP signaled restrictions on proxying"},
+{"note":"","property_name":"idp.authn.External.discoveryRequired","idp_vers":"4.1","property_default_value":"false","property_type":"bool","module_vers":"","configuration_cat":"AUTHN","module":"idp.authn.External","description":"Whether to invoke IdP discovery prior to running flow"},
+{"note":"","property_name":"idp.authn.External.lifetime","idp_vers":"4.1","property_default_value":"%{idp.authn.defaultLifetime:PT1H}","property_type":"duration","module_vers":"","configuration_cat":"AUTHN","module":"idp.authn.External","description":"Lifetime of results produced by this flow"},
+{"note":"","property_name":"idp.authn.External.inactivityTimeout","idp_vers":"4.1","property_default_value":"%{idp.authn.defaultTimeout:PT30M}","property_type":"duration","module_vers":"","configuration_cat":"AUTHN","module":"idp.authn.External","description":"Inactivity timeout of results produced by this flow"},
+{"note":"","property_name":"idp.authn.External.reuseCondition","idp_vers":"4.1","property_default_value":"shibboleth.Conditions.TRUE","property_type":"Bean ID","module_vers":"","configuration_cat":"AUTHN","module":"idp.authn.External","description":"Bean ID of Predicate controlling result reuse for SSO"},
+{"note":"","property_name":"idp.authn.External.activationCondition","idp_vers":"4.1","property_default_value":"shibboleth.Conditions.TRUE","property_type":"Bean ID","module_vers":"","configuration_cat":"AUTHN","module":"idp.authn.External","description":"Bean ID of Predicate determining whether flow is usable for request"},
+{"note":"Subject> for subject customization","property_name":"idp.authn.External.subjectDecorator","idp_vers":"4.1","property_default_value":"none","property_type":"Bean ID","module_vers":"","configuration_cat":"AUTHN","module":"idp.authn.External","description":"Bean ID of BiConsumer controlling result reuse for SSO"},
+{"note":"","property_name":"idp.authn.RemoteUser.activationCondition","idp_vers":"4.1","property_default_value":"shibboleth.Conditions.TRUE","property_type":"Bean ID","module_vers":"","configuration_cat":"AUTHN","module":"idp.authn.RemoteUser","description":"Bean ID of Predicate determining whether flow is usable for request"},
+{"note":"Subject> for subject customization","property_name":"idp.authn.RemoteUser.subjectDecorator","idp_vers":"4.1","property_default_value":"none","property_type":"Bean ID","module_vers":"","configuration_cat":"AUTHN","module":"idp.authn.RemoteUser","description":"Bean ID of BiConsumer controlling result reuse for SSO"},
+{"note":"","property_name":"idp.authn.RemoteUserInternal.activationCondition","idp_vers":"4.1","property_default_value":"shibboleth.Conditions.TRUE","property_type":"Bean ID","module_vers":"","configuration_cat":"AUTHN","module":"idp.authn.RemoteUserInternal","description":"Bean ID of Predicate determining whether flow is usable for request"},
+{"note":"Subject> for subject 
customization","property_name":"idp.authn.RemoteUserInternal.subjectDecorator","idp_vers":"4.1","property_default_value":"none","property_type":"Bean ID","module_vers":"","configuration_cat":"AUTHN","module":"idp.authn.RemoteUserInternal","description":"Bean ID of BiConsumer controlling result reuse for SSO"},
+{"note":"","property_name":"idp.authn.SPNEGO.activationCondition","idp_vers":"4.1","property_default_value":"shibboleth.Conditions.TRUE","property_type":"Bean ID","module_vers":"","configuration_cat":"AUTHN","module":"idp.authn.SPNEGO","description":"Bean ID of Predicate determining whether flow is usable for request"},
+{"note":"Subject> for subject customization","property_name":"idp.authn.SPNEGO.subjectDecorator","idp_vers":"4.1","property_default_value":"none","property_type":"Bean ID","module_vers":"","configuration_cat":"AUTHN","module":"idp.authn.SPNEGO","description":"Bean ID of BiConsumer controlling result reuse for SSO"},
+{"note":"","property_name":"idp.authn.X509.activationCondition","idp_vers":"4.1","property_default_value":"shibboleth.Conditions.TRUE","property_type":"Bean ID","module_vers":"","configuration_cat":"AUTHN","module":"idp.authn.X509","description":"Bean ID of Predicate determining whether flow is usable for request"},
+{"note":"Subject> for subject customization","property_name":"idp.authn.X509.subjectDecorator","idp_vers":"4.1","property_default_value":"none","property_type":"Bean ID","module_vers":"","configuration_cat":"AUTHN","module":"idp.authn.X509","description":"Bean ID of BiConsumer controlling result reuse for SSO"},
+{"note":"","property_name":"idp.authn.X509Internal.activationCondition","idp_vers":"4.1","property_default_value":"shibboleth.Conditions.TRUE","property_type":"Bean ID","module_vers":"","configuration_cat":"AUTHN","module":"","description":"Bean ID of Predicate determining whether flow is usable for request"},
+{"note":"Subject> for subject 
customization","property_name":"idp.authn.X509Internal.subjectDecorator","idp_vers":"4.1","property_default_value":"none","property_type":"Bean ID","module_vers":"","configuration_cat":"AUTHN","module":"","description":"Bean ID of BiConsumer controlling result reuse for SSO"},
+{"note":"","property_name":"idp.authn.IPAddress.activationCondition","idp_vers":"4.1","property_default_value":"shibboleth.Conditions.TRUE","property_type":"Bean ID","module_vers":"","configuration_cat":"AUTHN","module":"idp.authn.IPAddress","description":"Bean ID of Predicate determining whether flow is usable for request"},
+{"note":"Subject> for subject customization","property_name":"idp.authn.IPAddress.subjectDecorator","idp_vers":"4.1","property_default_value":"none","property_type":"Bean ID","module_vers":"","configuration_cat":"AUTHN","module":"idp.authn.IPAddress","description":"Bean ID of BiConsumer controlling result reuse for SSO"},
+{"note":"","property_name":"idp.authn.Function.activationCondition","idp_vers":"4.1","property_default_value":"shibboleth.Conditions.TRUE","property_type":"Bean ID","module_vers":"","configuration_cat":"AUTHN","module":"idp.authn.External","description":"Bean ID of Predicate determining whether flow is usable for request"},
+{"note":"Subject> for subject customization","property_name":"idp.authn.Function.subjectDecorator","idp_vers":"4.1","property_default_value":"none","property_type":"Bean ID","module_vers":"","configuration_cat":"AUTHN","module":"idp.authn.External","description":"Bean ID of BiConsumer controlling result reuse for SSO"},
+{"note":"","property_name":"idp.authn.Duo.activationCondition","idp_vers":"4.1","property_default_value":"shibboleth.Conditions.TRUE","property_type":"Bean ID","module_vers":"","configuration_cat":"AUTHN","module":"idp.authn.Duo","description":"Bean ID of Predicate determining whether flow is usable for request"},
+{"note":"Subject> for subject 
customization","property_name":"idp.authn.Duo.subjectDecorator","idp_vers":"4.1","property_default_value":"none","property_type":"Bean ID","module_vers":"","configuration_cat":"AUTHN","module":"idp.authn.Duo","description":"Bean ID of BiConsumer to run just prior to AuthnRequest signing/encoding step"},
+{"note":"","property_name":"idp.authn.SAML.inboundMessageHandlerFunction","idp_vers":"4.1","property_default_value":"none","property_type":"Bean ID","module_vers":"","configuration_cat":"AUTHN","module":"","description":"Optional bean ID of Function to run at the late stages of Response decoding/processing"},
+{"note":"","property_name":"idp.authn.SAML.assertionValidator","idp_vers":"4.1","property_default_value":"none","property_type":"Bean ID","module_vers":"","configuration_cat":"AUTHN","module":"","description":"Optional bean ID of AssertionValidator to run"},
+{"note":"","property_name":"idp.authn.SAML.order","idp_vers":"4.1","property_default_value":"1000","property_type":"int","module_vers":"","configuration_cat":"AUTHN","module":"","description":"Flow priority relative to other enabled login flows (lower is \"higher\" in priority)"},
+{"note":"","property_name":"idp.authn.SAML.nonBrowserSupported","idp_vers":"4.1","property_default_value":"false","property_type":"bool","module_vers":"","configuration_cat":"AUTHN","module":"","description":"Whether the flow should handle non-browser request profiles (e.g., ECP)"},
+{"note":"","property_name":"idp.authn.SAML.passiveAuthenticationSupported","idp_vers":"4.1","property_default_value":"false","property_type":"bool","module_vers":"","configuration_cat":"AUTHN","module":"","description":"Whether the flow allows for passive authentication"},
+{"note":"","property_name":"idp.authn.SAML.forcedAuthenticationSupported","idp_vers":"4.1","property_default_value":"false","property_type":"bool","module_vers":"","configuration_cat":"AUTHN","module":"","description":"Whether the flow supports forced authentication"},
+{"note":"","property_name":"idp.authn.SAML.proxyRestrictionsEnforced","idp_vers":"4.1","property_default_value":"%{idp.authn.enforceProxyRestrictions:true}","property_type":"bool","module_vers":"","configuration_cat":"AUTHN","module":"","description":"Whether the flow enforces upstream IdP imposed restrictions on proxying"},
+{"note":"","property_name":"idp.authn.SAML.proxyScopingEnforced","idp_vers":"4.1","property_default_value":"false","property_type":"bool","module_vers":"","configuration_cat":"AUTHN","module":"","description":"Whether the flow considers itself to be proxying and therefore enforces SP signaled restrictions on proxying"},
+{"note":"","property_name":"idp.authn.SAML.discoveryRequired","idp_vers":"4.1","property_default_value":"false","property_type":"bool","module_vers":"","configuration_cat":"AUTHN","module":"","description":"Whether to invoke IdP discovery prior to running flow"},
+{"note":"","property_name":"idp.authn.SAML.lifetime","idp_vers":"4.1","property_default_value":"%{idp.authn.defaultLifetime:PT1H}","property_type":"duration","module_vers":"","configuration_cat":"AUTHN","module":"","description":"Lifetime of results produced by this flow"},
+{"note":"","property_name":"idp.authn.SAML.inactivityTimeout","idp_vers":"4.1","property_default_value":"%{idp.authn.defaultTimeout:PT30M}","property_type":"duration","module_vers":"","configuration_cat":"AUTHN","module":"","description":"Inactivity timeout of results produced by this flow"},
+{"note":"","property_name":"idp.authn.SAML.reuseCondition","idp_vers":"4.1","property_default_value":"shibboleth.Conditions.TRUE","property_type":"Bean ID","module_vers":"","configuration_cat":"AUTHN","module":"","description":"Bean ID of Predicate controlling result reuse for SSO"},
+{"note":"","property_name":"idp.authn.SAML.activationCondition","idp_vers":"4.1","property_default_value":"shibboleth.Conditions.TRUE","property_type":"Bean 
ID","module_vers":"","configuration_cat":"AUTHN","module":"","description":"Bean ID of Predicate determining whether flow is usable for request"},
+{"note":"Subject> for subject customization","property_name":"idp.authn.SAML.subjectDecorator","idp_vers":"4.1","property_default_value":"none","property_type":"Bean ID","module_vers":"","configuration_cat":"AUTHN","module":"","description":"Bean ID of BiConsumer controlling result reuse for SSO"},
+{"note":"","property_name":"idp.authn.MFA.activationCondition","idp_vers":"4.1","property_default_value":"shibboleth.Conditions.TRUE","property_type":"Bean ID","module_vers":"","configuration_cat":"AUTHN","module":"idp.authn.MFA","description":"Bean ID of Predicate determining whether flow is usable for request"},
+{"note":"Subject> for subject customization","property_name":"idp.authn.MFA.subjectDecorator","idp_vers":"4.1","property_default_value":"none","property_type":"Bean ID","module_vers":"","configuration_cat":"AUTHN","module":"idp.authn.MFA","description":"Bean ID of BiConsumer to evaluate to determine whether to run the Attribute Resolver or go directly to the Subject alone"},
+{"note":"","property_name":"idp.c14n.x500.lowercase","idp_vers":"4.1","property_default_value":"false","property_type":"bool","module_vers":"","configuration_cat":"C14N","module":"","description":"Whether to lowercase the username"},
+{"note":"","property_name":"idp.c14n.x500.uppercase","idp_vers":"4.1","property_default_value":"false","property_type":"bool","module_vers":"","configuration_cat":"C14N","module":"","description":"Whether to uppercase the username"},
+{"note":"","property_name":"idp.c14n.x500.trim","idp_vers":"4.1","property_default_value":"true","property_type":"bool","module_vers":"","configuration_cat":"C14N","module":"","description":"Whether to trim leading and trailing whitespace from the username"},
+{"note":"","property_name":"idp.c14n.x500.subjectAltNameTypes","idp_vers":"4.1","property_default_value":"none","property_type":"List","module_vers":"","configuration_cat":"C14N","module":"","description":"Comma-delimited list of subjectAltName extension types to look for"}, +{"note":"","property_name":"idp.c14n.x500.objectIDs","idp_vers":"4.1","property_default_value":"2.5.4.3","property_type":"List","module_vers":"","configuration_cat":"C14N","module":"","description":"Comma-delimited list of attribute OIDs to search for in the subject DN"}, +{"note":"","property_name":"idp.c14n.saml.proxy.lowercase","idp_vers":"4.1","property_default_value":"false","property_type":"bool","module_vers":"","configuration_cat":"C14N","module":"","description":"Whether to lowercase the username"}, +{"note":"","property_name":"idp.c14n.saml.proxy.uppercase","idp_vers":"4.1","property_default_value":"false","property_type":"bool","module_vers":"","configuration_cat":"C14N","module":"","description":"Whether to uppercase the username"}, +{"note":"","property_name":"idp.c14n.saml.lowercase","idp_vers":"4.1","property_default_value":"false","property_type":"bool","module_vers":"","configuration_cat":"C14N","module":"","description":"Whether to lowercase the username"}, +{"note":"","property_name":"idp.c14n.saml.uppercase","idp_vers":"4.1","property_default_value":"false","property_type":"bool","module_vers":"","configuration_cat":"C14N","module":"","description":"Whether to uppercase the username"}, +{"note":" you can use this to route different kinds of audit records to different destinations based on general function","property_name":"idp.service.logging.saml1sso","idp_vers":"all","property_default_value":"SSO","property_type":"string","module_vers":"","configuration_cat":"SERV","module":"","description":"Suffix added to audit logging category when various profiles/flows are audited"}, +{"note":" you can use this to route different kinds of audit records to different destinations 
based on general function","property_name":"idp.service.logging.saml1attrquery","idp_vers":"all","property_default_value":"AttributeQuery","property_type":"string","module_vers":"","configuration_cat":"SERV","module":"","description":"Suffix added to audit logging category when various profiles/flows are audited"}, +{"note":" you can use this to route different kinds of audit records to different destinations based on general function","property_name":"idp.service.logging.saml1artifact","idp_vers":"all","property_default_value":"ArtifactResolution","property_type":"string","module_vers":"","configuration_cat":"SERV","module":"","description":"Suffix added to audit logging category when various profiles/flows are audited"}, +{"note":" you can use this to route different kinds of audit records to different destinations based on general function","property_name":"idp.service.logging.saml2sso","idp_vers":"all","property_default_value":"SSO","property_type":"string","module_vers":"","configuration_cat":"SERV","module":"","description":"Suffix added to audit logging category when various profiles/flows are audited"}, +{"note":" you can use this to route different kinds of audit records to different destinations based on general function","property_name":"idp.service.logging.saml2attrquery","idp_vers":"all","property_default_value":"AttributeQuery","property_type":"string","module_vers":"","configuration_cat":"SERV","module":"","description":"Suffix added to audit logging category when various profiles/flows are audited"}, +{"note":" you can use this to route different kinds of audit records to different destinations based on general function","property_name":"idp.service.logging.saml2artifact","idp_vers":"all","property_default_value":"ArtifactResolution","property_type":"string","module_vers":"","configuration_cat":"SERV","module":"","description":"Suffix added to audit logging category when various profiles/flows are audited"}, +{"note":" you can use this to route 
different kinds of audit records to different destinations based on general function","property_name":"idp.service.logging.saml2slo","idp_vers":"all","property_default_value":"Logout","property_type":"string","module_vers":"","configuration_cat":"SERV","module":"","description":"Suffix added to audit logging category when various profiles/flows are audited"}, +{"note":" you can use this to route different kinds of audit records to different destinations based on general function","property_name":"idp.service.logging.logout","idp_vers":"all","property_default_value":"Logout","property_type":"string","module_vers":"","configuration_cat":"SERV","module":"","description":"Suffix added to audit logging category when various profiles/flows are audited"}, +{"note":" you can use this to route different kinds of audit records to different destinations based on general function","property_name":"idp.service.logging.cas","idp_vers":"all","property_default_value":"SSO","property_type":"string","module_vers":"","configuration_cat":"SERV","module":"","description":"Suffix added to audit logging category when various profiles/flows are audited"}, +{"note":" you can use this to route different kinds of audit records to different destinations based on general function","property_name":"idp.service.logging.status","idp_vers":"all","property_default_value":"Status","property_type":"string","module_vers":"","configuration_cat":"SERV","module":"","description":"Suffix added to audit logging category when various profiles/flows are audited"}, +{"note":" you can use this to route different kinds of audit records to different destinations based on general function","property_name":"idp.service.logging.resolvertest","idp_vers":"all","property_default_value":"ResolverTest","property_type":"string","module_vers":"","configuration_cat":"SERV","module":"","description":"Suffix added to audit logging category when various profiles/flows are audited"}, +{"note":" you can use this to route 
different kinds of audit records to different destinations based on general function","property_name":"idp.service.logging.serviceReload","idp_vers":"all","property_default_value":"Reload","property_type":"string","module_vers":"","configuration_cat":"SERV","module":"","description":"Suffix added to audit logging category when various profiles/flows are audited"}, +{"note":"","property_name":"idp.audit.hashAlgorithm","idp_vers":"4.1","property_default_value":"SHA-256","property_type":"string","module_vers":"","configuration_cat":"SERV","module":"","description":"Hash algorithm to apply to various hashed fields"}, +{"note":"","property_name":"idp.audit.salt","idp_vers":"4.1","property_default_value":"none","property_type":"string","module_vers":"","configuration_cat":"SERV","module":"","description":"Salt to apply to hashed fields must be set to use those fields"}, +{"note":"","property_name":"idp.oidc.issuer","idp_vers":"4.1","property_default_value":"none","property_type":"URL","module_vers":"3","configuration_cat":"OIDCOP","module":"idp.oidc.OP","description":"Set the Open ID Connect Issuer value "}, +{"note":"","property_name":"idp.oidc.idToken.defaultLifetime","idp_vers":"4.1","property_default_value":"PT1H","property_type":"duration","module_vers":"3","configuration_cat":"OIDCOP","module":"idp.oidc.OP","description":"Lifetime of ID token"}, +{"note":"","property_name":"idp.oidc.accessToken.defaultLifetime","idp_vers":"4.1","property_default_value":"PT10M","property_type":"duration","module_vers":"3","configuration_cat":"OIDCOP","module":"idp.oidc.OP","description":"Lifetime of access token"}, +{"note":"","property_name":"idp.oidc.authorizeCode.defaultLifetime","idp_vers":"4.1","property_default_value":"PT5M","property_type":"duration","module_vers":"3","configuration_cat":"OIDCOP","module":"idp.oidc.OP","description":"Lifetime of authorization code"}, 
+{"note":"","property_name":"idp.oidc.refreshToken.defaultLifetime","idp_vers":"4.1","property_default_value":"PT2H","property_type":"duration","module_vers":"3","configuration_cat":"OIDCOP","module":"idp.oidc.OP","description":"Lifetime of refresh token"}, +{"note":"","property_name":"idp.oidc.forcePKCE","idp_vers":"4.1","property_default_value":"false","property_type":"bool","module_vers":"3","configuration_cat":"OIDCOP","module":"idp.oidc.OP","description":"Whether client is required to use PKCE"}, +{"note":"","property_name":"idp.oidc.allowPKCEPlain","idp_vers":"4.1","property_default_value":"false","property_type":"bool","module_vers":"3","configuration_cat":"OIDCOP","module":"idp.oidc.OP","description":"Whether client is allowed to use PKCE code challenge method plain"}, +{"note":"","property_name":"idp.oidc.encodedAttributes","idp_vers":"4.1","property_default_value":"none","property_type":"Set","module_vers":"3","configuration_cat":"OIDCOP","module":"idp.oidc.OP","description":"Specifies IdPAttributes to encode into tokens for recovery on back-channel token requests"}, +{"note":"","property_name":"idp.oidc.encodeConsentInTokens","idp_vers":"4.1","property_default_value":"false","property_type":"bool","module_vers":"3","configuration_cat":"OIDCOP","module":"idp.oidc.OP","description":"Whether to embed consent decisions in access/refresh tokens and authorization code to allow for client-side consent storage"}, +{"note":"","property_name":"idp.oidc.alwaysIncludedAttributes","idp_vers":"4.1","property_default_value":"none","property_type":"Set","module_vers":"3","configuration_cat":"OIDCOP","module":"idp.oidc.OP","description":"Specifies IdPAttributes to always include in ID token regardless of response_type"}, +{"note":"","property_name":"idp.oidc.deniedUserInfoAttributes","idp_vers":"4.1","property_default_value":"none","property_type":"Set","module_vers":"3","configuration_cat":"OIDCOP","module":"idp.oidc.OP","description":"Specifies IdPAttributes to omit 
from UserInfo token"}, +{"note":"","property_name":"idp.oidc.revocationCache.authorizeCode.lifetime","idp_vers":"4.1","property_default_value":"PT6H","property_type":"duration","module_vers":"3","configuration_cat":"OIDCOP","module":"idp.oidc.OP","description":"Lifetime of entries in revocation cache for authorize code"}, +{"note":"","property_name":"idp.oidc.revocationCache.StorageService","idp_vers":"4.1","property_default_value":"shibboleth.StorageService","property_type":"Bean ID","module_vers":"3","configuration_cat":"OIDCOP","module":"idp.oidc.OP","description":"Bean ID of StorageService for revocation cache requires server-side storage"}, +{"note":"","property_name":"idp.oidc.tokenEndpointAuthMethods","idp_vers":"4.1","property_default_value":"client_secret_basic,client_secret_post,client_secret_jwt,private_key_jwt","property_type":"Collection","module_vers":"3","configuration_cat":"OIDCOP","module":"idp.oidc.OP","description":"The acceptable client authentication methods"}, +{"note":"","property_name":"idp.oauth2.grantTypes","idp_vers":"4.1","property_default_value":"authorization_code,refresh_token","property_type":"Collection","module_vers":"3","configuration_cat":"OIDCOP","module":"idp.oidc.OP","description":"OAuth grant types to allow"}, +{"note":"","property_name":"idp.oauth2.enforceRefreshTokenRotation","idp_vers":"4.1","property_default_value":"false","property_type":"bool","module_vers":"3.2","configuration_cat":"OIDCOP","module":"idp.oidc.OP","description":"Whether to enforce refresh token rotation. If enabled the refresh token is revoked whenever it is used for issuing a new refresh token."}, +{"note":"","property_name":"idp.oauth2.accessToken.type","idp_vers":"4.1","property_default_value":"none","property_type":"string","module_vers":"3.2","configuration_cat":"OIDCOP","module":"idp.oidc.OP","description":"Format of access token. 
Supported values are JWT or nothing."}, +{"note":"","property_name":"idp.oauth2.encryptionOptional","idp_vers":"4.1","property_default_value":"false","property_type":"bool","module_vers":"3","configuration_cat":"OIDCOP","module":"idp.oidc.OP","description":"Whether the absence of encryption details in a resource server’s metadata should fail when issuing an access token"}, +{"note":"","property_name":"idp.oauth2.accessToken.defaultLifetime","idp_vers":"4.1","property_default_value":"PT10M","property_type":"duration","module_vers":"3","configuration_cat":"OIDCOP","module":"idp.oidc.OP","description":"Lifetime of access token issued to client for resource server"}, +{"note":"","property_name":"idp.oauth2.revocationMethod","idp_vers":"4.1","property_default_value":"CHAIN","property_type":"string","module_vers":"3","configuration_cat":"OIDCOP","module":"idp.oidc.OP","description":"The revocation method: CHAIN refers to revoking whole chain of tokens (from authorization code to all access/refresh tokens). TOKEN refers to revoking single token"}, +{"note":"","property_name":"idp.oidc.dynreg.defaultRegistrationValidity","idp_vers":"4.1","property_default_value":"PT24H","property_type":"duration","module_vers":"3","configuration_cat":"OIDCOP","module":"idp.oidc.OP","description":"Registration lifetime"}, +{"note":"","property_name":"idp.oidc.dynreg.defaultScope","idp_vers":"4.1","property_default_value":"openid profile email address phone offline_access","property_type":"string","module_vers":"3","configuration_cat":"OIDCOP","module":"idp.oidc.OP","description":"The default scopes accepted in dynamic registration"}, +{"note":"","property_name":"idp.oidc.dynreg.defaultSubjectType","idp_vers":"4.1","property_default_value":"public","property_type":"string","module_vers":"3","configuration_cat":"OIDCOP","module":"idp.oidc.OP","description":"The default subject type if not set by client in request. 
Maybe set to pairwise or public."}, +{"note":"","property_name":"idp.oidc.dynreg.defaultMetadataPolicyFile","idp_vers":"4.1","property_default_value":"none","property_type":"resource path","module_vers":"3","configuration_cat":"OIDCOP","module":"idp.oidc.OP","description":"Full path to the file containing default metadata policy used for dynamic client registration"}, +{"note":"","property_name":"idp.oidc.dynreg.tokenEndpointAuthMethods","idp_vers":"4.1","property_default_value":"client_secret_basic,client_secret_post,client_secret_jwt,private_key_jwt","property_type":"Collection","module_vers":"3","configuration_cat":"OIDCOP","module":"idp.oidc.OP","description":"The acceptable client authentication methods when using dynamic registration"}, +{"note":"","property_name":"idp.signing.oidc.rs.key","idp_vers":"4.1","property_default_value":"%{idp.home}/credentials/idp-signing-rs.jwk","property_type":"JWK file pathname","module_vers":"3","configuration_cat":"OIDCOP","module":"idp.oidc.OP","description":"JWK RSA signing keypair"}, +{"note":"","property_name":"idp.signing.oidc.es.key","idp_vers":"4.1","property_default_value":"%{idp.home}/credentials/idp-signing-es.jwk","property_type":"JWK file pathname","module_vers":"3","configuration_cat":"OIDCOP","module":"idp.oidc.OP","description":"JWK EC signing keypair"}, +{"note":"","property_name":"idp.signing.oidc.rsa.enc.key","idp_vers":"4.1","property_default_value":"%{idp.home}/credentials/idp-encryption-rsa.jwk","property_type":"JWK file pathname","module_vers":"3","configuration_cat":"OIDCOP","module":"idp.oidc.OP","description":"JWK RSA decryption keypair"}, +{"note":"","property_name":"idp.oidc.signing.config","idp_vers":"4.1","property_default_value":"shibboleth.oidc.SigningConfiguration","property_type":"Bean ID","module_vers":"3","configuration_cat":"OIDCOP","module":"idp.oidc.OP","description":"Allows override of default signing configuration"}, 
+{"note":"","property_name":"idp.oidc.encryption.config","idp_vers":"4.1","property_default_value":"shibboleth.oidc.EncryptionConfiguration","property_type":"Bean ID","module_vers":"3","configuration_cat":"OIDCOP","module":"idp.oidc.OP","description":"Allows override of default encryption configuration"}, +{"note":"","property_name":"idp.oidc.rodecrypt.config","idp_vers":"4.1","property_default_value":"shibboleth.oidc.requestObjectDecryptionConfiguration","property_type":"Bean ID","module_vers":"3","configuration_cat":"OIDCOP","module":"idp.oidc.OP","description":"Allows override of default request decryption configuration"}, +{"note":"one of these has the wrong name","property_name":"idp.oidc.rovalid.config","idp_vers":"4.1","property_default_value":"shibboleth.oidc.requestObjectSignatureValidationConfiguration","property_type":"Bean ID","module_vers":"3","configuration_cat":"OIDCOP","module":"idp.oidc.OP","description":"Allows override of default request signature validation configuration"}, +{"note":"one of these has the wrong name ","property_name":"idp.oidc.rovalid.config","idp_vers":"4.1","property_default_value":"shibboleth.oidc.tokenEndpointJwtSignatureValidationConfiguration","property_type":"Bean ID","module_vers":"3","configuration_cat":"OIDCOP","module":"idp.oidc.OP","description":"Allows override of default JWT token validation configuration"}, +{"note":"","property_name":"idp.authn.OAuth2Client.requireAll","idp_vers":"4.1","property_default_value":"false","property_type":"bool","module_vers":"3","configuration_cat":"OIDCOP","module":"idp.oidc.OP","description":"Whether all validators must succeed or just one"}, +{"note":"","property_name":"idp.authn.OAuth2Client.removeAfterValidation","idp_vers":"4.1","property_default_value":"true","property_type":"bool","module_vers":"3","configuration_cat":"OIDCOP","module":"idp.oidc.OP","description":"Whether to remove the object holding the password from the request's active state after validating it (to avoid it 
being preserved in the session any longer than needed)"}, +{"note":"use with caution as it retains the password and makes it available in plaintext from within server memory at various stages.","property_name":"idp.authn.OAuth2Client.retainAsPrivateCredential","idp_vers":"4.1","property_default_value":"false","property_type":"bool","module_vers":"3","configuration_cat":"OIDCOP","module":"idp.oidc.OP","description":"Whether to keep the password around as a private credential in the Java Subject for use in later stages such as attribute resolution"}, +{"note":"","property_name":"idp.authn.OAuth2Client.order","idp_vers":"4.1","property_default_value":"1000","property_type":"int","module_vers":"3","configuration_cat":"OIDCOP","module":"idp.oidc.OP","description":"Flow priority relative to other enabled login flows (lower is \"higher\" in priority)"}, +{"note":"","property_name":"idp.authn.OAuth2Client.activationCondition","idp_vers":"4.1","property_default_value":"shibboleth.Conditions.TRUE","property_type":"Bean ID","module_vers":"3","configuration_cat":"OIDCOP","module":"idp.oidc.OP","description":"Bean ID of Predicate determining whether flow is usable for request"}, +{"note":"Subject> for subject customization","property_name":"idp.authn.OAuth2Client.subjectDecorator","idp_vers":"4.1","property_default_value":"none","property_type":"Bean ID","module_vers":"3","configuration_cat":"OIDCOP","module":"idp.oidc.OP","description":"Bean ID of BiConsumer>, used to locate metadata policy based on the policyLocation parameter. 
Defaults to a caching resolver locating server resources to load based on policyLocation parameter."}, +{"note":"","property_name":"idp.service.clientinfo.failFast","idp_vers":"4.1","property_default_value":"false","property_type":"bool","module_vers":"3","configuration_cat":"OIDCOP","module":"idp.oidc.OP","description":"If true any failures during initialization of any resolvers result in IdP startup failure"}, +{"note":"","property_name":"idp.service.clientinfo.checkInterval","idp_vers":"4.1","property_default_value":"PT0S","property_type":"duration","module_vers":"3","configuration_cat":"OIDCOP","module":"idp.oidc.OP","description":"When non-zero enables monitoring of resources for service reload"}, +{"note":"","property_name":"idp.service.clientinfo.resources","idp_vers":"4.1","property_default_value":"shibboleth.ClientInformationResolverResources","property_type":"Bean ID","module_vers":"3","configuration_cat":"OIDCOP","module":"idp.oidc.OP","description":"Name of bean used to define the resources to use in configuring this service"}, +{"note":"","property_name":"idp.oauth2.defaultAllowedScope","idp_vers":"4.1","property_default_value":"none","property_type":"Bean ID","module_vers":"3","configuration_cat":"OIDCOP","module":"idp.oidc.OP","description":"bean of type Function called shibboleth.oidc.AllowedScopeStrategy"}, +{"note":"","property_name":"idp.oauth2.defaultAllowedAudience","idp_vers":"4.1","property_default_value":"none","property_type":"Bean ID","module_vers":"3","configuration_cat":"OIDCOP","module":"idp.oidc.OP","description":"bean of type Function> called shibboleth.oidc.AllowedAudienceStrategy"}, +{"note":"","property_name":"idp.oauth2.authn.flows","idp_vers":"4.1","property_default_value":"OAuth2Client","property_type":"regex","module_vers":"3","configuration_cat":"OIDCOP","module":"idp.oidc.OP","description":"Regular expression matching OAuth login flows to enable."}, 
+{"note":"","property_name":"idp.oidc.subject.sourceAttribute","idp_vers":"4.1","property_default_value":"none","property_type":"string","module_vers":"3","configuration_cat":"OIDCOP","module":"idp.oidc.OP","description":"The source attribute used in generating the sub claim"}, +{"note":"","property_name":"idp.oidc.subject.algorithm","idp_vers":"4.1","property_default_value":"SHA","property_type":"string","module_vers":"3","configuration_cat":"OIDCOP","module":"idp.oidc.OP","description":"The digest algorithm used in generating the sub claim"}, +{"note":"","property_name":"idp.oidc.subject.salt","idp_vers":"4.1","property_default_value":"none","property_type":"string","module_vers":"3","configuration_cat":"OIDCOP","module":"idp.oidc.OP","description":"Salt to inject for randomness should generally be moved into credentials/secrets.properties to avoid committing to configuration repository"}, +{"note":"","property_name":"idp.authn.DuoOIDC.order","idp_vers":"4.1","property_default_value":"1000","property_type":"int","module_vers":"1","configuration_cat":"DUOOIDC","module":"idp.authn.DuoOIDC","description":"Flow priority relative to other enabled login flows (lower is \"higher\" in priority)"}, +{"note":"","property_name":"idp.authn.DuoOIDC.nonBrowserSupported","idp_vers":"4.1","property_default_value":"false","property_type":"bool","module_vers":"1","configuration_cat":"DUOOIDC","module":"idp.authn.DuoOIDC","description":"Whether the flow should handle non-browser request profiles (e.g., ECP)"}, +{"note":"","property_name":"idp.authn.DuoOIDC.passiveAuthenticationSupported","idp_vers":"4.1","property_default_value":"false","property_type":"bool","module_vers":"1","configuration_cat":"DUOOIDC","module":"idp.authn.DuoOIDC","description":"Whether the flow allows for passive authentication"}, 
+{"note":"","property_name":"idp.authn.DuoOIDC.forcedAuthenticationSupported","idp_vers":"4.1","property_default_value":"true","property_type":"bool","module_vers":"1","configuration_cat":"DUOOIDC","module":"idp.authn.DuoOIDC","description":"Whether the flow supports forced authentication"}, +{"note":"","property_name":"idp.authn.DuoOIDC.proxyRestrictionsEnforced","idp_vers":"4.1","property_default_value":"%{idp.authn.enforceProxyRestrictions:true}","property_type":"bool","module_vers":"1","configuration_cat":"DUOOIDC","module":"idp.authn.DuoOIDC","description":"Whether the flow enforces upstream IdP-imposed restrictions on proxying"}, +{"note":" and therefore enforces SP-signaled restrictions on proxying","property_name":"idp.authn.DuoOIDC.proxyScopingEnforced","idp_vers":"4.1","property_default_value":"false","property_type":"bool","module_vers":"1","configuration_cat":"DUOOIDC","module":"idp.authn.DuoOIDC","description":"Whether the flow considers itself to be proxying"}, +{"note":"","property_name":"idp.authn.DuoOIDC.discoveryRequired","idp_vers":"4.1","property_default_value":"false","property_type":"bool","module_vers":"1","configuration_cat":"DUOOIDC","module":"idp.authn.DuoOIDC","description":"Whether to invoke IdP-discovery prior to running flow"}, +{"note":"","property_name":"idp.authn.DuoOIDC.lifetime","idp_vers":"4.1","property_default_value":"%{idp.authn.defaultLifetime:PT1H}","property_type":"duration","module_vers":"1","configuration_cat":"DUOOIDC","module":"idp.authn.DuoOIDC","description":"Lifetime of results produced by this flow"}, +{"note":"","property_name":"idp.authn.DuoOIDC.inactivityTimeout","idp_vers":"4.1","property_default_value":"%{idp.authn.defaultTimeout:PT30M}","property_type":"duration","module_vers":"1","configuration_cat":"DUOOIDC","module":"idp.authn.DuoOIDC","description":"Inactivity timeout of results produced by this flow"}, 
+{"note":"","property_name":"idp.authn.DuoOIDC.reuseCondition","idp_vers":"4.1","property_default_value":"shibboleth.Conditions.TRUE","property_type":"Bean ID","module_vers":"1","configuration_cat":"DUOOIDC","module":"idp.authn.DuoOIDC","description":"Bean ID ofPredicate controlling result reuse for SSO"}, +{"note":"","property_name":"idp.authn.DuoOIDC.activationCondition","idp_vers":"4.1","property_default_value":"shibboleth.Conditions.TRUE","property_type":"Bean ID","module_vers":"1","configuration_cat":"DUOOIDC","module":"idp.authn.DuoOIDC","description":"Bean ID ofPredicate determining whether flow is usable for request"}, +{"note":"","property_name":"idp.authn.DuoOIDC.subjectDecorator","idp_vers":"4.1","property_default_value":"none","property_type":"Bean ID","module_vers":"1","configuration_cat":"DUOOIDC","module":"idp.authn.DuoOIDC","description":"Bean ID ofBiConsumer for subject customization"}, +{"note":"","property_name":"idp.authn.DuoOIDC.supportedPrincipals","idp_vers":"4.1","property_default_value":"saml2/http://example.org/ac/classes/mfa, saml1/http://example.org/ac/classes/mfa","property_type":"string","module_vers":"1","configuration_cat":"DUOOIDC","module":"idp.authn.DuoOIDC","description":"Comma-delimited list of protocol-specific Principalstrings associated with flow"}, +{"note":"","property_name":"idp.authn.DuoOIDC.addDefaultPrincipals","idp_vers":"4.1","property_default_value":"false","property_type":"bool","module_vers":"1","configuration_cat":"DUOOIDC","module":"idp.authn.DuoOIDC","description":"Whether to auto-attach the preceding set ofPrincipalobjects to eachSubjectproduced by this flow"}, +{"note":"","property_name":"idp.duo.oidc.apiHost","idp_vers":"4.1","property_default_value":"none","property_type":"string","module_vers":"1","configuration_cat":"DUOOIDC","module":"idp.authn.DuoOIDC","description":"DuoOIDC API hostname assigned to the integration"}, 
+{"note":"","property_name":"idp.duo.oidc.clientId","idp_vers":"4.1","property_default_value":"none","property_type":"string","module_vers":"1","configuration_cat":"DUOOIDC","module":"idp.authn.DuoOIDC","description":"The OAuth 2.0 Client Identifier valid at the Authorization Server"}, +{"note":"ex. https://:/idp/profile/Authn/Duo/2FA/duo-callback","property_name":"idp.duo.oidc.redirectURL","idp_vers":"4.1","property_default_value":"none","property_type":"string","module_vers":"1","configuration_cat":"DUOOIDC","module":"idp.authn.DuoOIDC","description":"Redirection URI to which the 2FA response will be sent"}, +{"note":"","property_name":"idp.duo.oidc.redirecturl.allowedOrigins","idp_vers":"4.1","property_default_value":"none","property_type":"string","module_vers":"1","configuration_cat":"DUOOIDC","module":"idp.authn.DuoOIDC","description":"If the idp.duo.oidc.redirectURL is not set one will be computed dynamically and checked against this list of allowed origins - to prevent Http Host Header injection."}, +{"note":"","property_name":"idp.duo.oidc.secretKey","idp_vers":"4.1","property_default_value":"none","property_type":"string","module_vers":"1","configuration_cat":"DUOOIDC","module":"idp.authn.DuoOIDC","description":"The client secret used to verify the client in exchanging the authorization code for a Duo 2FA result token (id_token)."}, +{"note":"","property_name":"idp.duo.oidc.endpoint.health","idp_vers":"4.1","property_default_value":"/oauth/v1/health_check","property_type":"string","module_vers":"1","configuration_cat":"DUOOIDC","module":"idp.authn.DuoOIDC","description":"Duo's OAuth 2.0 health check endpoint"}, +{"note":"","property_name":"idp.duo.oidc.endpoint.token","idp_vers":"4.1","property_default_value":"/oauth/v1/token","property_type":"string","module_vers":"1","configuration_cat":"DUOOIDC","module":"idp.authn.DuoOIDC","description":"Duo's OAuth 2.0 token endpoint"}, 
+{"note":"","property_name":"idp.duo.oidc.endpoint.authorize","idp_vers":"4.1","property_default_value":"/oauth/v1/authorize","property_type":"string","module_vers":"1","configuration_cat":"DUOOIDC","module":"idp.authn.DuoOIDC","description":"Duo's OAuth 2.0 authorization endpoint"}, +{"note":"","property_name":"idp.duo.oidc.jwt.verifier.clockSkew","idp_vers":"4.1","property_default_value":"PT60S","property_type":"duration","module_vers":"1","configuration_cat":"DUOOIDC","module":"idp.authn.DuoOIDC","description":"Leeway allowed in token expiry calculations"}, +{"note":"","property_name":"idp.duo.oidc.jwt.verifier.iatWindow","idp_vers":"4.1","property_default_value":"PT60S","property_type":"duration","module_vers":"1","configuration_cat":"DUOOIDC","module":"idp.authn.DuoOIDC","description":"Maximum amount (in either direction from now) of duration for which a token is valid after it is issued"}, +{"note":"","property_name":"idp.duo.oidc.jwt.verifier.issuerPath","idp_vers":"4.1","property_default_value":"/oauth/v1/token","property_type":"string","module_vers":"1","configuration_cat":"DUOOIDC","module":"idp.authn.DuoOIDC","description":"The path component of the Duo token issuer. The full issuer string takes the format: HTTPS://+"}, +{"note":"","property_name":"idp.duo.oidc.jwt.verifier.preferredUsername","idp_vers":"4.1","property_default_value":"preferred_username","property_type":"string","module_vers":"1","configuration_cat":"DUOOIDC","module":"idp.authn.DuoOIDC","description":"The result token JWT claim name that represents the username sent in the duo_uname field in the authorization request."}, +{"note":"","property_name":"idp.duo.oidc.jwt.verifier.authLifetime","idp_vers":"4.1","property_default_value":"PT60S","property_type":"duration","module_vers":"1","configuration_cat":"DUOOIDC","module":"idp.authn.DuoOIDC","description":"How long the authentication is valid. 
Only applies to forced authentication requests."}, +{"note":"","property_name":"idp.duo.oidc.nonbrowser.apiHost","idp_vers":"4.1","property_default_value":"%{idp.duo.oidc.apiHost}","property_type":"string","module_vers":"1","configuration_cat":"DUOOIDC","module":"idp.authn.DuoOIDC","description":"Duo AuthAPI hostname assigned to the integration"}, +{"note":"","property_name":"idp.duo.oidc.nonbrowser.integrationKey","idp_vers":"4.1","property_default_value":"none","property_type":"string","module_vers":"1","configuration_cat":"DUOOIDC","module":"idp.authn.DuoOIDC","description":"Duo AuthAPI integration key supplied by Duo"}, +{"note":"","property_name":"idp.duo.oidc.nonbrowser.secretKey","idp_vers":"4.1","property_default_value":"none","property_type":"string","module_vers":"1","configuration_cat":"DUOOIDC","module":"idp.authn.DuoOIDC","description":"Duo AuthAPI secret key supplied by Duo"}, +{"note":"","property_name":"idp.duo.oidc.nonbrowser.header.factor","idp_vers":"4.1","property_default_value":"X-Shibboleth-Duo-Factor","property_type":"strinig","module_vers":"1","configuration_cat":"DUOOIDC","module":"idp.authn.DuoOIDC","description":"Name of HTTP request header for Duo AuthAPI factor"}, +{"note":"","property_name":"idp.duo.oidc.nonbrowser.header.device","idp_vers":"4.1","property_default_value":"X-Shibboleth-Duo-Device","property_type":"string","module_vers":"1","configuration_cat":"DUOOIDC","module":"idp.authn.DuoOIDC","description":"Name of HTTP request header for Duo AuthAPI device ID or name"}, +{"note":"","property_name":"idp.duo.oidc.nonbrowser.header.passcode","idp_vers":"4.1","property_default_value":"X-Shibboleth-Duo-Passcode","property_type":"string","module_vers":"1","configuration_cat":"DUOOIDC","module":"idp.authn.DuoOIDC","description":"Name of HTTP request header for Duo AuthAPI passcode"}, 
+{"note":"","property_name":"idp.duo.oidc.nonbrowser.auto","idp_vers":"4.1","property_default_value":"true","property_type":"bool","module_vers":"1","configuration_cat":"DUOOIDC","module":"idp.authn.DuoOIDC","description":"Allow the factor to be defaulted in as \"auto\" if no headers are received"}, +{"note":" push display","property_name":"idp.duo.oidc.nonbrowser.clientAddressTrusted","idp_vers":"4.1","property_default_value":"true","property_type":"bool","module_vers":"1","configuration_cat":"DUOOIDC","module":"idp.authn.DuoOIDC","description":"Pass client address to Duo in API calls to support logging"}, +{"note":"","property_name":"idp.duo.oidc.connectionTimeout","idp_vers":"4.1","property_default_value":"PT1M","property_type":"duration","module_vers":"1 (nimbus)","configuration_cat":"DUOOIDC","module":"idp.authn.DuoOIDC","description":"Maximum length of time to wait for the connection to be established"}, +{"note":"","property_name":"idp.duo.oidc.connectionRequestTimeout","idp_vers":"4.1","property_default_value":"PT1M","property_type":"duration","module_vers":"1 (nimbus)","configuration_cat":"DUOOIDC","module":"idp.authn.DuoOIDC","description":"Maximum length of time to wait for a connection to be returned from the connection manager"}, +{"note":"","property_name":"idp.duo.oidc.socketTimeout","idp_vers":"4.1","property_default_value":"PT1M","property_type":"duration","module_vers":"1 (nimbus)","configuration_cat":"DUOOIDC","module":"idp.authn.DuoOIDC","description":"Maximum period inactivity between two consecutive data packets"}, +{"note":"","property_name":"idp.duo.oidc.maxConnectionsTotal","idp_vers":"4.1","property_default_value":"100","property_type":"int","module_vers":"1 (nimbus)","configuration_cat":"DUOOIDC","module":"idp.authn.DuoOIDC","description":"Max total simultaneous connections allowed by the pooling connection manager"}, 
+{"note":"","property_name":"idp.duo.oidc.maxConnectionsPerRoute","idp_vers":"4.1","property_default_value":"100","property_type":"int","module_vers":"1 (nimbus)","configuration_cat":"DUOOIDC","module":"idp.authn.DuoOIDC","description":"Max simultaneous connections per route allowed by the pooling connection manager"}, +{"note":"","property_name":"idp.duo.oidc.nimbus.checkRevocation","idp_vers":"4.1","property_default_value":"false","property_type":"bool","module_vers":"1 (nimbus)","configuration_cat":"DUOOIDC","module":"idp.authn.DuoOIDC","description":"To enable certificate revocation checking"}, +{"note":"","property_name":"idp.authn.TOTP.headerName","idp_vers":"4.1","property_default_value":"X-Shibboleth-TOTP","property_type":"string","module_vers":"1","configuration_cat":"AUTHN","module":"idp.authn.TOTP","description":"Name of request header to use for extracting non-browser submitted token codes"}, +{"note":"","property_name":"idp.authn.TOTP.fieldName","idp_vers":"4.1","property_default_value":"tokencode","property_type":"string","module_vers":"1","configuration_cat":"AUTHN","module":"idp.authn.TOTP","description":"Name of HTML form field to use for locating browser-submitted token codes"}, +{"note":"","property_name":"idp.authn.TOTP.tokenSeedAttribute","idp_vers":"4.1","property_default_value":"tokenSeeds","property_type":"string","module_vers":"1","configuration_cat":"AUTHN","module":"idp.authn.TOTP","description":"Name of IdPAttribute to resolve to obtain token seeds for users"}, +{"note":"","property_name":"idp.authn.TOTP.order","idp_vers":"4.1","property_default_value":"1000","property_type":"int","module_vers":"1","configuration_cat":"AUTHN","module":"idp.authn.TOTP","description":"Flow priority relative to other enabled login flows (lower is \"higher\" in priority)"}, 
+{"note":"","property_name":"idp.authn.TOTP.nonBrowserSupported","idp_vers":"4.1","property_default_value":"false","property_type":"bool","module_vers":"1","configuration_cat":"AUTHN","module":"idp.authn.TOTP","description":"Whether the flow should handle non-browser request profiles (e.g., ECP)"}, +{"note":"","property_name":"idp.authn.TOTP.passiveAuthenticationSupported","idp_vers":"4.1","property_default_value":"false","property_type":"bool","module_vers":"1","configuration_cat":"AUTHN","module":"idp.authn.TOTP","description":"Whether the flow allows for passive authentication"}, +{"note":"","property_name":"idp.authn.TOTP.forcedAuthenticationSupported","idp_vers":"4.1","property_default_value":"true","property_type":"bool","module_vers":"1","configuration_cat":"AUTHN","module":"idp.authn.TOTP","description":"Whether the flow supports forced authentication"}, +{"note":"","property_name":"idp.authn.TOTP.proxyRestrictionsEnforced","idp_vers":"4.1","property_default_value":"%{idp.authn.enforceProxyRestrictions:true}","property_type":"bool","module_vers":"1","configuration_cat":"AUTHN","module":"idp.authn.TOTP","description":"Whether the flow enforces upstream IdP-imposed restrictions on proxying"}, +{"note":" and therefore enforces SP-signaled restrictions on proxying","property_name":"idp.authn.TOTP.proxyScopingEnforced","idp_vers":"4.1","property_default_value":"false","property_type":"bool","module_vers":"1","configuration_cat":"AUTHN","module":"idp.authn.TOTP","description":"Whether the flow considers itself to be proxying"}, +{"note":"","property_name":"idp.authn.TOTP.discoveryRequired","idp_vers":"4.1","property_default_value":"false","property_type":"bool","module_vers":"1","configuration_cat":"AUTHN","module":"idp.authn.TOTP","description":"Whether to invoke IdP-discovery prior to running flow"}, 
+{"note":"","property_name":"idp.authn.TOTP.lifetime","idp_vers":"4.1","property_default_value":"%{idp.authn.defaultLifetime:PT1H}","property_type":"duration","module_vers":"1","configuration_cat":"AUTHN","module":"idp.authn.TOTP","description":"Lifetime of results produced by this flow"}, +{"note":"","property_name":"idp.authn.TOTP.inactivityTimeout","idp_vers":"4.1","property_default_value":"%{idp.authn.defaultTimeout:PT30M}","property_type":"duration","module_vers":"1","configuration_cat":"AUTHN","module":"idp.authn.TOTP","description":"Inactivity timeout of results produced by this flow"}, +{"note":"","property_name":"idp.authn.TOTP.reuseCondition","idp_vers":"4.1","property_default_value":"shibboleth.Conditions.TRUE","property_type":"Bean ID","module_vers":"1","configuration_cat":"AUTHN","module":"idp.authn.TOTP","description":"Bean ID ofPredicate controlling result reuse for SSO"}, +{"note":"","property_name":"idp.authn.TOTP.activationCondition","idp_vers":"4.1","property_default_value":"shibboleth.Conditions.TRUE","property_type":"Bean ID","module_vers":"1","configuration_cat":"AUTHN","module":"idp.authn.TOTP","description":"Bean ID ofPredicate determining whether flow is usable for request"}, +{"note":"","property_name":"idp.authn.TOTP.subjectDecorator","idp_vers":"4.1","property_default_value":"none","property_type":"Bean ID","module_vers":"1","configuration_cat":"AUTHN","module":"idp.authn.TOTP","description":"Bean ID ofBiConsumer for subject customization"}, +{"note":"","property_name":"idp.authn.TOTP.supportedPrincipals","idp_vers":"4.1","property_default_value":"saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken, saml1/urn:oasis:names:tc:SAML:1.0:am:HardwareToken","property_type":"string","module_vers":"1","configuration_cat":"AUTHN","module":"idp.authn.TOTP","description":"Comma-delimited list of protocol-specific Principalstrings associated with flow"}, 
+{"note":"","property_name":"idp.authn.TOTP.addDefaultPrincipals","idp_vers":"4.1","property_default_value":"false","property_type":"bool","module_vers":"1","configuration_cat":"AUTHN","module":"idp.authn.TOTP","description":"Whether to auto-attach the preceding set ofPrincipalobjects to eachSubjectproduced by this flow"}, +{"note":"","property_name":"idp.metadata.dnsname","idp_vers":"4.1","property_default_value":"none","property_type":"string","module_vers":"1","configuration_cat":"MDGEN","module":"idp.metadatagen","description":"Supplies the DNS name used within the URLs specifying the end points. This should not be used in conjunction with the --DNSName qualifier"}, +{"note":"","property_name":"idp.metadata.backchannel.cert","idp_vers":"4.1","property_default_value":"none","property_type":"resource path","module_vers":"1","configuration_cat":"MDGEN","module":"idp.metadatagen","description":"Specifies the path to the certificate protecting the back channel. This should not be used in conjunction with the --backChannel qualifier."}, +{"note":"","property_name":"idp.metadata.idpsso.mdui.logo.path","idp_vers":"4.1","property_default_value":"none","property_type":"URL","module_vers":"1","configuration_cat":"MDGEN","module":"idp.metadatagen","description":"Specifies the path part of the URL which describes a logo for the IdP. The protocol is hard wired to be https:// and the DNS name is used for the host. The is always emitted. 
If this is absent then then a fixed path ('/path/to/logo') is used."}, +{"note":"","property_name":"idp.metadata.idpsso.mdui.logo.height","idp_vers":"4.1","property_default_value":"80","property_type":"int","module_vers":"1","configuration_cat":"MDGEN","module":"idp.metadatagen","description":"The height of the logo in pixels."}, +{"note":"","property_name":"idp.metadata.idpsso.mdui.logo.width","idp_vers":"4.1","property_default_value":"80","property_type":"init","module_vers":"1","configuration_cat":"MDGEN","module":"idp.metadatagen","description":"The width of the logo in pixels"}, +{"note":"","property_name":"idp.metadata.idpsso.mdui.langs","idp_vers":"4.1","property_default_value":"none","property_type":"string","module_vers":"1","configuration_cat":"MDGEN","module":"idp.metadatagen","description":"A space separated list of languages used to lookup values formed appending each one to the name and description properties idp.metadata.idpsso.mdui.displayname. and idp.metadata.idpsso.mdui.description.. If this is absent then an and for the \"en\" language is emitted which you need to edit."}, +{"note":"","property_name":"idp.metadata.idpsso.mdui.displayname.","idp_vers":"4.1","property_default_value":"none","property_type":"string","module_vers":"1","configuration_cat":"MDGEN","module":"idp.metadatagen","description":"Display name for the IdP in the specified language. If this is absent for a language specified above then not is emitted for that language"}, +{"note":"","property_name":"idp.metadata.idpsso.mdui.description.","idp_vers":"4.1","property_default_value":"none","property_type":"string","module_vers":"1","configuration_cat":"MDGEN","module":"idp.metadatagen","description":"Description for the IdP in the specified language. 
If this is absent for a language specified above then not is emitted for that language"}, +{"note":"no doc","property_name":"idp.oidc.encryptionOptional","idp_vers":"4.1","property_default_value":"false","property_type":"bool","module_vers":"3","configuration_cat":"OIDCOP","module":"idp.oidc.OP","description":"Set false to preclude issuing unencrypted ID/UserInfo tokens without specific overrides"}, +{"note":"no doc","property_name":"idp.oidc.dynreg.defaultSecretExpiration","idp_vers":"4.1","property_default_value":"P12M","property_type":"duration","module_vers":"3","configuration_cat":"OIDCOP","module":"idp.oidc.OP","description":"The validity of client secret registered"}, +{"note":"no doc","property_name":"idp.oidc.dynreg.allowNoneForRequestSigning","idp_vers":"4.1","property_default_value":"true","property_type":"bool","module_vers":"3","configuration_cat":"OIDCOP","module":"idp.oidc.OP","description":"Regardless of what signing algorithms are configured allow none for request object signing"}, +{"note":"no doc","property_name":"idp.oidc.dynreg.validateRemoteJwks","idp_vers":"4.1","property_default_value":"shibboleth.Conditions.TRUE","property_type":"Bean ID","module_vers":"3","configuration_cat":"OIDCOP","module":"idp.oidc.OP","description":"Bean to determine whether dynamic registration should validate the remote JWK set if it's defined in the request"}, +{"note":"no doc","property_name":"idp.oidc.dynreg.defaultMetadataPolicy","idp_vers":"4.1","property_default_value":"shibboleth.oidc.dynreg.DefaultMetadataPolicy","property_type":"Bean ID","module_vers":"3","configuration_cat":"OIDCOP","module":"idp.oidc.OP","description":"Bean to determine the default metadata policy used for dynamic client registration"}, +{"note":"no doc","property_name":"idp.oidc.jwk.StorageService","idp_vers":"4.1","property_default_value":"shibboleth.StorageService","property_type":"Bean ID","module_vers":"3","configuration_cat":"OIDCOP","module":"idp.oidc.OP","description":"Storage for 
storing remote jwk sets."}, +{"note":"no doc","property_name":"idp.oidc.metadata.saml","idp_vers":"4.1","property_default_value":"shibboleth.Conditions.TRUE","property_type":"Bean ID","module_vers":"3","configuration_cat":"OIDCOP","module":"idp.oidc.OP","description":"Bean to determine whether SAML metadata should be exploited for trusted OIDC RP resolution"}, +{"note":"no doc","property_name":"idp.oidc.jwksuri.fetchInterval","idp_vers":"4.1","property_default_value":"PT30M","property_type":"duration","module_vers":"3","configuration_cat":"OIDCOP","module":"idp.oidc.OP","description":"Upgrade interval to the remote JWKs"}, +{"note":"no doc","property_name":"idp.oidc.config.minRefreshDelay","idp_vers":"4.1","property_default_value":"PT5M","property_type":"duration","module_vers":"3","configuration_cat":"OIDCOP","module":"idp.oidc.OP","description":"Bounds on the next file refresh of the OP configuration resource"}, +{"note":"no doc","property_name":"idp.oidc.config.maxRefreshDelay","idp_vers":"4.1","property_default_value":"PT4H","property_type":"duration","module_vers":"3","configuration_cat":"OIDCOP","module":"idp.oidc.OP","description":"Bounds on the next file refresh of the OP configuration resource"}, +{"note":"no doc","property_name":"idp.oidc.LoginHintLookupStrategy","idp_vers":"4.1","property_default_value":"DefaultRequestLoginHintLookupFunction","property_type":"Bean ID","module_vers":"3","configuration_cat":"OIDCOP","module":"idp.oidc.OP","description":"Bean used for extracting login_hint from the authentication request. The default function parses login_hint as is."}, +{"note":"no doc","property_name":"idp.oidc.SPSessionCreationStrategy","idp_vers":"4.1","property_default_value":"DefaultSPSessionCreationStrategy","property_type":"Bean ID","module_vers":"3","configuration_cat":"OIDCOP","module":"idp.oidc.OP","description":"Bean used for creating SPSessions needed for SLO. 
By default builds protocol-independent BasicSPSession as SLO is not yet supported."} +] \ No newline at end of file diff --git a/ui/src/app/App.js b/ui/src/app/App.js index 9c4e00422..ca70ee51a 100644 --- a/ui/src/app/App.js +++ b/ui/src/app/App.js @@ -34,7 +34,7 @@ import { Roles } from './admin/Roles'; import { Groups } from './admin/Groups'; import { BASE_PATH } from './App.constant'; import { ProtectRoute } from './core/components/ProtectRoute'; -import { Properties } from './admin/Properties'; +import { IdpConfiguration } from './admin/IdpConfiguration'; function App() { @@ -109,9 +109,9 @@ function App() { } /> - + - + } /> diff --git a/ui/src/app/admin/Properties.js b/ui/src/app/admin/IdpConfiguration.js similarity index 54% rename from ui/src/app/admin/Properties.js rename to ui/src/app/admin/IdpConfiguration.js index b81e0af48..621b54e71 100644 --- a/ui/src/app/admin/Properties.js +++ b/ui/src/app/admin/IdpConfiguration.js @@ -1,11 +1,11 @@ import React from 'react'; import { Switch, Route, useRouteMatch, Redirect } from 'react-router-dom'; -import { PropertiesProvider } from './hoc/PropertiesProvider'; -import { NewProperty } from './container/NewProperty'; -import { EditProperty } from './container/EditProperty'; -import { PropertyList } from './container/PropertyList'; +import { ConfigurationsProvider } from './hoc/ConfigurationsProvider'; +import { NewConfiguration } from './container/NewConfiguration'; +import { EditConfiguration } from './container/EditConfiguration'; +import { ConfigurationList } from './container/ConfigurationList'; -export function Properties() { +export function IdpConfiguration() { let { path, url } = useRouteMatch(); @@ -13,17 +13,17 @@ export function Properties() { <> - + {(properties, onDelete) => - + } - + } /> - + } /> - + } /> 
diff --git a/ui/src/app/admin/component/PropertyForm.js b/ui/src/app/admin/component/ConfigurationForm.js similarity index 75% rename from ui/src/app/admin/component/PropertyForm.js rename to ui/src/app/admin/component/ConfigurationForm.js index 54a0800ea..93d9ff1d9 100644 --- a/ui/src/app/admin/component/PropertyForm.js +++ b/ui/src/app/admin/component/ConfigurationForm.js @@ -1,14 +1,12 @@ import React from 'react'; import Button from 'react-bootstrap/Button'; -import Form from '../../form/Form'; import { FontAwesomeIcon } from '@fortawesome/react-fontawesome'; import { faSpinner, faSave } from '@fortawesome/free-solid-svg-icons'; import Translate from '../../i18n/components/translate'; -import { usePropertyUiSchema } from '../hooks'; import { FormContext, setFormDataAction, setFormErrorAction } from '../../form/FormManager'; -export function PropertyForm({ property = {}, errors = [], loading = false, schema, onSave, onCancel }) { +export function ConfigurationForm({ property = {}, errors = [], loading = false, schema, onSave, onCancel }) { const { dispatch } = React.useContext(FormContext); const onChange = ({ formData, errors }) => { @@ -16,8 +14,6 @@ export function PropertyForm({ property = {}, errors = [], loading = false, sche dispatch(setFormErrorAction(errors)); }; - const uiSchema = usePropertyUiSchema(); - return (<>
@@ -40,14 +36,7 @@ export function PropertyForm({ property = {}, errors = [], loading = false, sche
-
onChange(form)} - schema={schema} - uiSchema={uiSchema} - liveValidate={true}> - <> -
+
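Review bot: The first hunk of ConfigurationForm.js drops the `Form` import and `usePropertyUiSchema`, yet the component still declares the `schema` prop and the `onChange` handler that dispatches `setFormDataAction`/`setFormErrorAction` into `FormContext`; the replacement markup in this `@@ -40,14 +36,7 @@` hunk is not legible here, so if it no longer renders a schema-driven form those become dead code and should be removed along with the `FormContext` import. If a form is still rendered under another component, a one-line comment naming where `schema` is consumed would help the next reader. The enclosing function starts outside this hunk.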
diff --git a/ui/src/app/admin/container/PropertyList.js b/ui/src/app/admin/container/ConfigurationList.js similarity index 89% rename from ui/src/app/admin/container/PropertyList.js rename to ui/src/app/admin/container/ConfigurationList.js index 2312cc1d2..300aab019 100644 --- a/ui/src/app/admin/container/PropertyList.js +++ b/ui/src/app/admin/container/ConfigurationList.js @@ -9,7 +9,7 @@ import { Translate } from '../../i18n/components/translate'; import { DeleteConfirmation } from '../../core/components/DeleteConfirmation'; -export function PropertyList({ properties, onDelete }) { +export function ConfigurationList({ properties, onDelete }) { const remove = (id) => { onDelete(id); @@ -23,14 +23,14 @@ export function PropertyList({ properties, onDelete }) {
- Roles Management + Configuration Management
  - Add new property + Create new configuration
@@ -38,7 +38,7 @@ export function PropertyList({ properties, onDelete }) { - Role Name + Configuration Name (label) Actions @@ -49,7 +49,7 @@ export function PropertyList({ properties, onDelete }) { {property.name} - + Edit @@ -65,7 +65,7 @@ export function PropertyList({ properties, onDelete }) { ) : - No properties defined. + No configurations. } diff --git a/ui/src/app/admin/container/EditProperty.js b/ui/src/app/admin/container/EditConfiguration.js similarity index 94% rename from ui/src/app/admin/container/EditProperty.js rename to ui/src/app/admin/container/EditConfiguration.js index beac8c5f8..4703cc098 100644 --- a/ui/src/app/admin/container/EditProperty.js +++ b/ui/src/app/admin/container/EditConfiguration.js @@ -7,13 +7,13 @@ import { useProperties } from '../hooks'; import { Schema } from '../../form/Schema'; import { FormManager } from '../../form/FormManager'; -import { PropertyForm } from '../component/PropertyForm'; import { PropertyProvider } from '../hoc/PropertyProvider'; import { createNotificationAction, NotificationTypes, useNotificationDispatcher } from '../../notifications/hoc/Notifications'; import { useTranslator } from '../../i18n/hooks'; import { BASE_PATH } from '../../App.constant'; +import { ConfigurationForm } from '../component/ConfigurationForm'; -export function EditProperty() { +export function EditConfiguration() { const { id } = useParams(); @@ -68,12 +68,12 @@ export function EditProperty() {
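Review bot: The relabelled strings in the `@@ -23,14 +23,14 @@` hunk (`Configuration Management`, `Create new configuration`) and in this hunk (`Configuration Name (label)`, `No configurations.`) appear as bare English literals while the file imports `Translate` from the i18n module; if they are not already wrapped in `Translate`, they should use message keys like the rest of the admin UI. The component was renamed to `ConfigurationList` but its props and row variable keep the old vocabulary (`properties`, `onDelete`, `{property.name}`), which makes the rename half-finished; either rename them or add a short comment explaining that the backing data model is still called "properties". Both points are style only; the list logic itself is unchanged.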
{(property) => - + {(schema) => <>{property && {(data, errors) => -
- + {(schema) => {(data, errors) => - - + - + diff --git a/ui/src/app/core/components/ProtectRoute.js b/ui/src/app/core/components/ProtectRoute.js index c01706920..c8a7a299f 100644 --- a/ui/src/app/core/components/ProtectRoute.js +++ b/ui/src/app/core/components/ProtectRoute.js @@ -1,9 +1,13 @@ import React from 'react'; import { Redirect } from 'react-router-dom'; - -import { useIsAdmin } from '../user/UserContext'; +import { isUndefined } from 'lodash'; +import { useCurrentUser, useIsAdmin } from '../user/UserContext'; export function ProtectRoute({ children, redirectTo, ...rest }) { + const user = useCurrentUser(); const isAdmin = useIsAdmin(); + if (isUndefined(user?.role)) { + return <> + } return isAdmin ? children : ; } \ No newline at end of file
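Review bot: The new early return in ProtectRoute treats a missing `user.role` as "not loaded yet" and renders an empty fragment, so an unauthenticated visitor (user undefined) or a user record that simply has no role never reaches the `Redirect` and is left on a blank page instead of being sent to `redirectTo`. If the intent is to wait for the current-user fetch, gate on an explicit loading signal from `useCurrentUser` (if it exposes one) rather than on the shape of the returned data, and make the resolved-but-absent case fall through to the redirect. Pulling `isUndefined` from lodash for this single check is heavier than needed; `if (user?.role === undefined) { return <></>; }` reads the same and avoids the dependency. This component only gates client-side rendering; the admin API routes still need their own role checks, which nothing in this diff changes.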