From b24b378f6dea8970f318600aef51fbc05a311f33 Mon Sep 17 00:00:00 2001
From: chasegawa
Date: Wed, 17 Aug 2022 14:25:27 -0700
Subject: [PATCH] SHIBUI-2268 load properties to database from csv configuration on startup
---
 .../ui/service/ShibPropertiesBootstrap.groovy | 70 ++
 .../CustomPropertiesConfiguration.java | 13 +-
 .../ui/domain/ShibConfigurationProperty.java | 12 +-
 .../ShibConfigurationRepository.java | 15 +
 ...EntityAttributesDefinitionServiceImpl.java | 4 +-
 .../ui/service/ShibConfigurationService.java | 12 +
 .../service/ShibConfigurationServiceImpl.java | 25 +
 backend/src/main/resources/application.yml | 15 +-
 .../resources/shib_configuration_prop.csv | 656 ++++++++++++++++++
 9 files changed, 813 insertions(+), 9 deletions(-)
 create mode 100644 backend/src/main/groovy/edu/internet2/tier/shibboleth/admin/ui/service/ShibPropertiesBootstrap.groovy
 create mode 100644 backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/repository/ShibConfigurationRepository.java
 create mode 100644 backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/service/ShibConfigurationService.java
 create mode 100644 backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/service/ShibConfigurationServiceImpl.java
 create mode 100644 backend/src/main/resources/shib_configuration_prop.csv
diff --git a/backend/src/main/groovy/edu/internet2/tier/shibboleth/admin/ui/service/ShibPropertiesBootstrap.groovy b/backend/src/main/groovy/edu/internet2/tier/shibboleth/admin/ui/service/ShibPropertiesBootstrap.groovy
new file mode 100644
index 000000000..daf75b61e
--- /dev/null
+++ b/backend/src/main/groovy/edu/internet2/tier/shibboleth/admin/ui/service/ShibPropertiesBootstrap.groovy
@@ -0,0 +1,70 @@
+package edu.internet2.tier.shibboleth.admin.ui.service
+
+import com.opencsv.CSVReader
+import edu.internet2.tier.shibboleth.admin.ui.domain.ShibConfigurationProperty
+import groovy.util.logging.Slf4j
+import org.springframework.beans.factory.annotation.Autowired
+import org.springframework.boot.context.event.ApplicationStartedEvent
+import org.springframework.context.event.EventListener
+import org.springframework.core.io.ClassPathResource
+import org.springframework.core.io.Resource
+import org.springframework.stereotype.Component
+
+import javax.transaction.Transactional
+
+@Component
+@Slf4j
+class ShibPropertiesBootstrap {
+ @Autowired
+ private ShibConfigurationService service
+
+ ShibPropertiesBootstrap(ShibConfigurationService service) {
+ this.service = service
+ }
+
+ @Transactional
+ @EventListener
+ void bootstrapUsersAndRoles(ApplicationStartedEvent e) {
+ log.info("Ensuring base Shibboleth properties configuration has loaded")
+
+ Resource resource = new ClassPathResource('shib_configuration_prop.csv')
+ final HashMap propertiesMap = new HashMap<>()
+
+ // Read in the defaults in the configuration file
+ new CSVReader(new InputStreamReader(resource.inputStream)).each { fields ->
+ def (resource_id,category,config_file,description,idp_version,module,module_version,note,default_value,property_name,property_type,selection_items,property_value) = fields
+ ShibConfigurationProperty prop = new ShibConfigurationProperty().with {
+ it.resourceId = resource_id
+ it.category = category
+ it.configFile = config_file
+ it.description = description
+ it.idpVersion = idp_version
+ it.module = module
+ it.moduleVersion = module_version
+ it.note = note
+ it.defaultValue = default_value
+ it.description = description
+ it.propertyName = property_name
+ def pt = property_type
+ it.setPropertyType(pt)
+ it.selectionItems = selection_items
+ // we shouldn't have property values coming in from the config...
+ it
+ }
+ propertiesMap.put(prop.getPropertyName(), prop)
+ }
+
+ // If we already have the property in the db, ignore the configuration setup for that property
+ service.getExistingPropertyNames().each {
+ propertiesMap.remove(it)
+ }
+
+ // Save anything that's left
+ if (propertiesMap.size() > 0) {
+ log.info("Saving/loading [" + propertiesMap.size() + "] properties to the database")
+ service.addAll(propertiesMap.values())
+ }
+
+ log.info("COMPLETED: ensuring base Shibboleth properties configuration has loaded")
+ }
+}
\ No newline at end of file
diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/configuration/CustomPropertiesConfiguration.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/configuration/CustomPropertiesConfiguration.java
index af8aef206..9a85e48a2 100644
--- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/configuration/CustomPropertiesConfiguration.java
+++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/configuration/CustomPropertiesConfiguration.java
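Review bot: The `CSVReader` (and the `InputStreamReader` it wraps) opened in `bootstrapUsersAndRoles` is never closed, and the reader is built without a charset, so the platform default is used; wrap it as `new CSVReader(new InputStreamReader(resource.inputStream, 'UTF-8')).withCloseable { reader -> reader.each { fields -> … } }`. Because `propertiesMap` is keyed by property name, a CSV row that repeats a name silently replaces the earlier row — the shipped file does exactly this for `idp.entityID.metadataFile` (rows 4 and 10) — so at minimum log when `propertiesMap.put` returns a non-null previous value. Two smaller points in the same closure: `it.description = description` is assigned twice and `property_value` is destructured but never used, which the comment on the line below already explains. The method name `bootstrapUsersAndRoles` describes a different loader than the one this class implements; `bootstrapShibProperties` would match the log messages.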
@@ -2,21 +2,20 @@ import edu.internet2.tier.shibboleth.admin.ui.domain.IRelyingPartyOverrideProperty; import edu.internet2.tier.shibboleth.admin.ui.domain.RelyingPartyOverrideProperty; +import edu.internet2.tier.shibboleth.admin.ui.domain.ShibConfigurationProperty; import edu.internet2.tier.shibboleth.admin.ui.service.CustomEntityAttributesDefinitionService; import edu.internet2.tier.shibboleth.admin.ui.service.events.CustomEntityAttributeDefinitionChangeEvent; - import org.springframework.beans.factory.annotation.Autowired; import org.springframework.boot.context.properties.ConfigurationProperties; import org.springframework.context.ApplicationListener; import org.springframework.context.annotation.Configuration; +import javax.annotation.PostConstruct; import java.util.ArrayList; import java.util.HashMap; import java.util.List; import java.util.Map; -import javax.annotation.PostConstruct; - @Configuration @ConfigurationProperties(prefix = "custom") public class CustomPropertiesConfiguration implements ApplicationListener { @@ -28,6 +27,8 @@ public class CustomPropertiesConfiguration implements ApplicationListener overridesFromConfigFile = new ArrayList<>(); + private List shibprops = new ArrayList<>(); + private void buildRelyingPartyOverrides() { // Start over with a clean map and get the CustomEntityAttributesDefinitions from the DB HashMap reloaded = new HashMap<>(); @@ -68,6 +69,7 @@ public void onApplicationEvent(CustomEntityAttributeDefinitionChangeEvent arg0) public void postConstruct() { // Make sure we have the right data buildRelyingPartyOverrides(); + updateShibPropsDatabase(); } public void setAttributes(List> attributes) { @@ -85,4 +87,7 @@ public void setCeadService(CustomEntityAttributesDefinitionService ceadService) public void setOverrides(List overridesFromConfigFile) { this.overridesFromConfigFile = overridesFromConfigFile; } -} + + private void updateShibPropsDatabase() { + } +} \ No newline at end of file 
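Review bot: `updateShibPropsDatabase()` is added as an empty method and wired into `postConstruct()`, and the new `shibprops` field has, as far as these hunks show, neither a getter nor a setter, so the `custom.shibprops` entries this commit adds to `application.yml` cannot be bound into it by `@ConfigurationProperties`. Either finish the method and add `public void setShibprops(List<ShibConfigurationProperty> shibprops)` next to `setOverrides`, or leave both the field and the stub out of this commit. If they stay as a placeholder, a comment such as `// TODO(SHIBUI-2268): merge custom.shibprops overrides into the database` on the empty body would make the intent visible. The class declaration starts outside these hunks.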
diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/ShibConfigurationProperty.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/ShibConfigurationProperty.java index 945f9ff96..345592ae3 100644 --- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/ShibConfigurationProperty.java +++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/ShibConfigurationProperty.java @@ -22,7 +22,7 @@ public class ShibConfigurationProperty { @Column(name = "config_file", nullable = false) String configFile; - @Column(name = "default_value", nullable = false) + @Column(name = "default_value") String defaultValue; @Column(name = "description") @@ -46,8 +46,16 @@ public class ShibConfigurationProperty { @Column(name = "property_type", nullable = false) PropertyType propertyType; - @Column(name = "property_value", nullable = false) + @Column(name = "property_value") String propertyValue; + + @Column(name = "selection_items") + String selectionItems; + + public void setPropertyType(String val) { + this.propertyType = PropertyType.valueOf(val); + } + } enum PropertyType { diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/repository/ShibConfigurationRepository.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/repository/ShibConfigurationRepository.java new file mode 100644 index 000000000..e5889b3cd --- /dev/null +++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/repository/ShibConfigurationRepository.java 
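Review bot: `setPropertyType(String val)` delegates straight to `PropertyType.valueOf(val)`, which throws `IllegalArgumentException` for any string that is not exactly an enum constant and `NullPointerException` for null; since this setter is fed raw CSV/YAML cells by the bootstrap, one malformed row aborts startup with a message that does not say which property failed. Consider catching and rethrowing with context, e.g. `throw new IllegalArgumentException("Invalid propertyType '" + val + "' for property " + propertyName, e);`, and documenting the `@throws`. If the class also exposes the enum-typed setter (e.g. via Lombok), the `String` overload gives two setters of the same name with different parameter types, which Jackson reports as conflicting setters when the entity is serialized; a distinct name such as `setPropertyTypeFromString` avoids that. The `PropertyType` enum begins at the end of this hunk and continues outside it.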
@@ -0,0 +1,15 @@
+package edu.internet2.tier.shibboleth.admin.ui.repository;
+
+import edu.internet2.tier.shibboleth.admin.ui.domain.ShibConfigurationProperty;
+import org.springframework.data.jpa.repository.JpaRepository;
+import org.springframework.data.jpa.repository.Query;
+
+import java.util.List;
+
+/**
+ * Repository to manage {@link ShibConfigurationProperty} instances.
+ */
+public interface ShibConfigurationRepository extends JpaRepository {
+ @Query(value = "select property_name from shib_configuration_prop", nativeQuery = true)
+ List getPropertyNames();
+}
\ No newline at end of file
diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/service/CustomEntityAttributesDefinitionServiceImpl.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/service/CustomEntityAttributesDefinitionServiceImpl.java
index 6fe0a8c25..cd5893c42 100644
--- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/service/CustomEntityAttributesDefinitionServiceImpl.java
+++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/service/CustomEntityAttributesDefinitionServiceImpl.java
@@ -19,7 +19,7 @@ public class CustomEntityAttributesDefinitionServiceImpl implements CustomEntity
 private ApplicationEventPublisher applicationEventPublisher;
 
 @Autowired
- EntityManager entityManager;
+ EntityManager entityManager; // Why is this here - it isn't used
 
 @Autowired
 private CustomEntityAttributeDefinitionRepository repository;
@@ -53,4 +53,4 @@ public List getAllDefinitions() {
 private void notifyListeners() {
 applicationEventPublisher.publishEvent(new CustomEntityAttributeDefinitionChangeEvent(this));
 }
-}
+}
\ No newline at end of file
diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/service/ShibConfigurationService.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/service/ShibConfigurationService.java
new file mode 100644
index 000000000..504c60956
--- /dev/null
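Review bot: `getPropertyNames()` uses a native query, which hard-codes the table name `shib_configuration_prop` a second time outside the entity mapping; the JPQL form `@Query("select p.propertyName from ShibConfigurationProperty p")` returns the same list and stays correct if the `@Table` mapping ever changes. The method also has no Javadoc although the interface does; a one-liner such as `/** Names of every property currently stored, used to skip already-loaded defaults at bootstrap. */` would document the contract the bootstrap relies on.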
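Review bot: The new comment `// Why is this here - it isn't used` on the `@Autowired EntityManager entityManager` field leaves a question in the code instead of resolving it. If the field really is unused in this class, delete it and its import rather than annotating it; if it cannot be removed yet, make it a tracked item, e.g. `// TODO(SHIBUI-2268): remove unused EntityManager injection`. The class declaration starts outside this hunk.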
+++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/service/ShibConfigurationService.java
@@ -0,0 +1,12 @@
+package edu.internet2.tier.shibboleth.admin.ui.service;
+
+import edu.internet2.tier.shibboleth.admin.ui.domain.ShibConfigurationProperty;
+
+import java.util.Collection;
+import java.util.List;
+
+public interface ShibConfigurationService {
+ void addAll(Collection newProperties);
+
+ List getExistingPropertyNames();
+}
\ No newline at end of file
diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/service/ShibConfigurationServiceImpl.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/service/ShibConfigurationServiceImpl.java
new file mode 100644
index 000000000..d9d29c37f
--- /dev/null
+++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/service/ShibConfigurationServiceImpl.java
@@ -0,0 +1,25 @@
+package edu.internet2.tier.shibboleth.admin.ui.service;
+
+import edu.internet2.tier.shibboleth.admin.ui.domain.ShibConfigurationProperty;
+import edu.internet2.tier.shibboleth.admin.ui.repository.ShibConfigurationRepository;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Service;
+
+import java.util.Collection;
+import java.util.List;
+
+@Service
+public class ShibConfigurationServiceImpl implements ShibConfigurationService {
+ @Autowired
+ private ShibConfigurationRepository repository;
+
+ @Override
+ public void addAll(Collection newProperties) {
+ repository.saveAll(newProperties);
+ }
+
+ @Override
+ public List getExistingPropertyNames() {
+ return repository.getPropertyNames();
+ }
+}
\ No newline at end of file
diff --git a/backend/src/main/resources/application.yml b/backend/src/main/resources/application.yml
index bf1367934..09d922b1c 100644
--- a/backend/src/main/resources/application.yml
+++ b/backend/src/main/resources/application.yml
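Review bot: `ShibConfigurationService` declares `addAll` and `getExistingPropertyNames` without any Javadoc, so whether `addAll` inserts only or saves-or-updates, and what "existing" means, is only discoverable by reading the implementation. Suggested: `/** Persists every property in {@code newProperties} (delegates to the repository's saveAll, so rows with a matching id are updated). */` on `addAll`, and `/** Returns the names of all properties currently stored in the database. */` on `getExistingPropertyNames`.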
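Review bot: `ShibConfigurationServiceImpl` injects `repository` through a field, which leaves the dependency non-final and the bean constructible without it; constructor injection is the form Spring recommends and here needs only `private final ShibConfigurationRepository repository;` plus `public ShibConfigurationServiceImpl(ShibConfigurationRepository repository) { this.repository = repository; }` (a single constructor needs no `@Autowired`). Neither public method carries Javadoc; a one-line summary on each would match the repository interface added in this commit.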
@@ -162,4 +162,17 @@ custom:
 displayType: boolean
 helpText: tooltip.ignore-request-signatures
 attributeName: http://shibboleth.net/ns/profiles/ignoreRequestSignatures
- attributeFriendlyName: ignoreRequestSignatures
\ No newline at end of file
+ attributeFriendlyName: ignoreRequestSignatures
+ shibprops:
+ - category: asd # required
+ configFile: kj # required
+ defaultValue: foo
+ description: blak
+ idpVersion: 4.1 # required
+ module: h
+ moduleVersion: 1
+ note: nnn
+ propertyName: dddd # required
+ propertyType: dddd # required as one of: BOOLEAN, DURATION, INTEGER, SELECTION_LIST, SPRING_BEAN_ID, STRING
+ propertyValue: dddd
+ selectionItems: dddd,dddd # required if propertyType is SELECTION_LIST - comma seperated values
\ No newline at end of file
diff --git a/backend/src/main/resources/shib_configuration_prop.csv b/backend/src/main/resources/shib_configuration_prop.csv
new file mode 100644
index 000000000..fd6b84a33
--- /dev/null
+++ b/backend/src/main/resources/shib_configuration_prop.csv
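Review bot: The `shibprops` block is committed into the shipped `application.yml` with placeholder values (`asd`, `kj`, `dddd`) rather than as a documented template, and `propertyType: dddd` violates the constraint stated in its own trailing comment, so if this entry is ever bound and reaches `ShibConfigurationProperty.setPropertyType` it fails with `IllegalArgumentException` at startup. Either comment the block out as an example or move it to the project documentation, and fix the typo `seperated` → `separated` in the `selectionItems` comment. Unquoted `idpVersion: 4.1` is parsed as a YAML float (so `4.10` would bind as `4.1`); if the target field is a String, write it as `idpVersion: "4.1"`.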
@@ -0,0 +1,656 @@ +474,?,admin/admin.properties,Whether authentication should be performed prior to access control evaluation,4.1,,,,false,idp.storage.authenticated,BOOLEAN,, +472,?,admin/admin.properties,Audit log identifier for flow,4.1,,,,Storage,idp.storage.logging,STRING,, +476,?,admin/admin.properties,?,4.1,,,,,idp.storage.defaultAuthenticationMethods,STRING,, +473,?,admin/admin.properties,Name of access control policy for request authorization,4.1,,,,AccessDenied,idp.storage.accessPolicy,STRING,, +475,?,admin/admin.properties,Whether the flow should allow for non-browser clients during authentication,4.1,,,,false,idp.storage.nonBrowserSupported,BOOLEAN,, +442,AACLI,admin/admin.properties,?,4.1,,,,,idp.resolvertest.defaultAuthenticationMethods,STRING,, +443,AACLI,admin/admin.properties,Whether attributes should be resolved prior to access control evaluation,4.1,,,,false,idp.resolvertest.resolveAttributes,BOOLEAN,, +439,AACLI,admin/admin.properties,Name of access control policy for request authorization,4.1,,,,AccessByIPAddress,idp.resolvertest.accessPolicy,STRING,, +438,AACLI,admin/admin.properties,Audit log identifier for flow,4.1,,,,ResolverTest,idp.resolvertest.logging,STRING,, +441,AACLI,admin/admin.properties,Whether the flow should allow for non-browser clients during authentication,4.1,,,,false,idp.resolvertest.nonBrowserSupported,BOOLEAN,, +444,AACLI,admin/admin.properties,?,4.1,,,,,idp.resolvertest.postAuthenticationFlows,STRING,, +440,AACLI,admin/admin.properties,Whether authentication should be performed prior to access control evaluation,4.1,,,,false,idp.resolvertest.authenticated,BOOLEAN,, +466,AccountLockoutManagement,admin/admin.properties,Name of access control policy for request authorization,4.1,,,,AccessDenied,idp.lockout.accessPolicy,STRING,, +467,AccountLockoutManagement,admin/admin.properties,Whether authentication should be performed prior to access control evaluation,4.1,,,,false,idp.lockout.authenticated,BOOLEAN,, 
+470,AccountLockoutManagement,admin/admin.properties,Whether attributes should be resolved prior to access control evaluation,4.1,,,,false,idp.lockout.resolveAttributes,BOOLEAN,, +468,AccountLockoutManagement,admin/admin.properties,Whether the flow should allow for non-browser clients during authentication,4.1,,,,false,idp.lockout.nonBrowserSupported,BOOLEAN,, +469,AccountLockoutManagement,admin/admin.properties,?,4.1,,,,,idp.lockout.defaultAuthenticationMethods,STRING,, +471,AccountLockoutManagement,admin/admin.properties,?,4.1,,,,,idp.lockout.postAuthenticationFlows,STRING,, +465,AccountLockoutManagement,admin/admin.properties,Audit log identifier for flow,4.1,,,,Lockout,idp.lockout.logging,STRING,, +479,AttendedRestartConfiguration,admin/admin.properties,Name of access control policy for request authorization,4.1,,,,AccessDenied,idp.unlock-keys.accessPolicy,STRING,, +480,AttendedRestartConfiguration,admin/admin.properties,Whether authentication should be performed prior to access control evaluation,4.1,,,,true,idp.unlock-keys.authenticated,BOOLEAN,, +478,AttendedRestartConfiguration,admin/admin.properties,Audit log identifier for flow,4.1,,,,UnlockKeys,idp.unlock-keys.logging,STRING,, +477,AttendedRestartConfiguration,admin/admin.properties,Whether attributes should be resolved prior to access control evaluation,4.1,,,,false,idp.storage.resolveAttributes,BOOLEAN,, +483,AttendedRestartConfiguration,admin/admin.properties,?,4.1,,,,,idp.unlock-keys.postAuthenticationFlows,STRING,, +481,AttendedRestartConfiguration,admin/admin.properties,Whether the flow should allow for non-browser clients during authentication,4.1,,,,false,idp.unlock-keys.nonBrowserSupported,BOOLEAN,, +482,AttendedRestartConfiguration,admin/admin.properties,Whether attributes should be resolved prior to access control evaluation,4.1,,,,false,idp.unlock-keys.resolveAttributes,BOOLEAN,, +491,AttributePostLoginC14NConfiguration,c14n/subject-c14n.properties,Comma-delimited list of attributes to search 
for in the results looking for a StringAttributeValue or ScopedStringAttributeValue,4.1,,,,,idp.c14n.attribute.attributeSourceIds,STRING,, +492,AttributePostLoginC14NConfiguration,c14n/subject-c14n.properties,Whether to examine the input Subject for IdPAttributePrincipal objects to pull from directly instead of from the output of the Attribute Resolver service,4.1,,,,false,idp.c14n.attribute.resolveFromSubject,BOOLEAN,, +487,AttributePostLoginC14NConfiguration,c14n/subject-c14n.properties,Whether to lowercase the username,4.1,,,,false,idp.c14n.attribute.lowercase,BOOLEAN,, +493,AttributePostLoginC14NConfiguration,c14n/subject-c14n.properties,Bean ID of a Predicate to evaluate to determine whether to run the Attribute Resolver or go directly to the Subject alone,4.1,,,,shibboleth.Conditions.TRUE,idp.c14n.attribute.resolutionCondition,SPRING_BEAN_ID,, +488,AttributePostLoginC14NConfiguration,c14n/subject-c14n.properties,Whether to uppercase the username,4.1,,,,false,idp.c14n.attribute.uppercase,BOOLEAN,, +489,AttributePostLoginC14NConfiguration,c14n/subject-c14n.properties,Whether to trim leading and trailing whitespace from the username,4.1,,,,true,idp.c14n.attribute.trim,BOOLEAN,, +490,AttributePostLoginC14NConfiguration,c14n/subject-c14n.properties,Comma-delimited list of attributes to resolve (an empty list directs the resolver to resolve everything it can),4.1,,,,,idp.c14n.attribute.attributesToResolve,STRING,, +512,AuditLoggingConfiguration,services.properties,Suffix added to audit logging category when various profiles/flows are audited,all,,,you can use this to route different kinds of audit records to different destinations based on general function,Status,idp.service.logging.status,STRING,, +511,AuditLoggingConfiguration,services.properties,Suffix added to audit logging category when various profiles/flows are audited,all,,,you can use this to route different kinds of audit records to different destinations based on general 
function,SSO,idp.service.logging.cas,STRING,, +514,AuditLoggingConfiguration,services.properties,Suffix added to audit logging category when various profiles/flows are audited,all,,,you can use this to route different kinds of audit records to different destinations based on general function,Reload,idp.service.logging.serviceReload,STRING,, +515,AuditLoggingConfiguration,services.properties,Hash algorithm to apply to various hashed fields,4.1,,,,SHA-256,idp.audit.hashAlgorithm,STRING,, +510,AuditLoggingConfiguration,services.properties,Suffix added to audit logging category when various profiles/flows are audited,all,,,you can use this to route different kinds of audit records to different destinations based on general function,Logout,idp.service.logging.logout,STRING,, +516,AuditLoggingConfiguration,services.properties,Salt to apply to hashed fields must be set to use those fields,4.1,,,,,idp.audit.salt,STRING,, +509,AuditLoggingConfiguration,services.properties,Suffix added to audit logging category when various profiles/flows are audited,all,,,you can use this to route different kinds of audit records to different destinations based on general function,Logout,idp.service.logging.saml2slo,STRING,, +504,AuditLoggingConfiguration,services.properties,Suffix added to audit logging category when various profiles/flows are audited,all,,,you can use this to route different kinds of audit records to different destinations based on general function,AttributeQuery,idp.service.logging.saml1attrquery,STRING,, +508,AuditLoggingConfiguration,services.properties,Suffix added to audit logging category when various profiles/flows are audited,all,,,you can use this to route different kinds of audit records to different destinations based on general function,ArtifactResolution,idp.service.logging.saml2artifact,STRING,, +507,AuditLoggingConfiguration,services.properties,Suffix added to audit logging category when various profiles/flows are audited,all,,,you can use this to route 
different kinds of audit records to different destinations based on general function,AttributeQuery,idp.service.logging.saml2attrquery,STRING,, +506,AuditLoggingConfiguration,services.properties,Suffix added to audit logging category when various profiles/flows are audited,all,,,you can use this to route different kinds of audit records to different destinations based on general function,SSO,idp.service.logging.saml2sso,STRING,, +118,AuditLoggingConfiguration,services.properties,"Set false if you want SAML bindings ""spelled out"" in audit log",all,,,,true,idp.audit.shortenBindings,BOOLEAN,, +503,AuditLoggingConfiguration,services.properties,Suffix added to audit logging category when various profiles/flows are audited,all,,,you can use this to route different kinds of audit records to different destinations based on general function,SSO,idp.service.logging.saml1sso,STRING,, +513,AuditLoggingConfiguration,services.properties,Suffix added to audit logging category when various profiles/flows are audited,all,,,you can use this to route different kinds of audit records to different destinations based on general function,ResolverTest,idp.service.logging.resolvertest,STRING,, +505,AuditLoggingConfiguration,services.properties,Suffix added to audit logging category when various profiles/flows are audited,all,,,you can use this to route different kinds of audit records to different destinations based on general function,ArtifactResolution,idp.service.logging.saml1artifact,STRING,, +78,AuthenticationConfiguration,authn/authn.properties,Whether to enforce restrictions placed on further proxying of assertions from upstream IdPs when relying on proxied authentication,4.1,,,,true,idp.authn.proxyRestrictionsEnforced,BOOLEAN,, +79,AuthenticationConfiguration,authn/authn.properties,Whether to prioritize prior authentication results when an SP requests more than one possible matching method,all,,,,false,idp.authn.favorSSO,BOOLEAN,, 
+82,AuthenticationConfiguration,authn/authn.properties,Provides a static discovery URL to use for external discovery this property replaces the need for the XML-defined bean used in V4.0 for this purpose,4.1,,,,,idp.authn.discoveryURL,STRING,, +80,AuthenticationConfiguration,authn/authn.properties,Whether to populate information about the relying party into the tree for user interfaces during login and interceptors,all,,,,true,idp.authn.rpui,BOOLEAN,, +81,AuthenticationConfiguration,authn/authn.properties,Whether to fail requests if a user identity after authentication doesn't match the identity in a pre-existing session.,all,,,,false,idp.authn.identitySwitchIsError,BOOLEAN,, +76,AuthenticationConfiguration,authn/authn.properties,Default amount of time to allow reuse prior authentication flows,all,,,measured since first usage,PT60M,idp.authn.defaultLifetime,DURATION,, +77,AuthenticationConfiguration,authn/authn.properties,Default inactivity timeout to prevent reuse of prior authentication flows,all,,,measured since last usage,PT30M,idp.authn.defaultTimeout,DURATION,, +75,AuthenticationConfiguration,authn/authn.properties,Required expression that identifies the login flows to globally enable,all,,,"ex. Password, MA, DUO",,idp.authn.flows,STRING,, +83,AuthenticationConfiguration,authn/authn.properties,Whether to override an explicit element in an SP’s request with a configuration-imposed rule via the defaultAuthenticationMethods profile configuration setting. Note this is a violation of the SAML standard and is also a global set,4,,,,false,idp.authn.overrideRequestedAuthnContext,BOOLEAN,, +110,CasProtocolConfiguration,idp.properties,CAS service registry implementation class,all,,,,net.shibboleth.idp.cas.service.PatternServiceRegistry,idp.cas.serviceRegistryClass,STRING,, +109,CasProtocolConfiguration,idp.properties,"Storage service used by CAS protocol for chained proxy-granting tickets and when using server-managed ""simple"" TicketService. 
MUST be server-side storage (e.g. in-memory, memcached, database)",all,,,,shibboleth.StorageService,idp.cas.StorageService,SPRING_BEAN_ID,, +111,CasProtocolConfiguration,idp.properties,If true CAS services provisioned with SAML metadata are identified via entityID,all,,,,false,idp.cas.relyingPartyIdFromMetadata,BOOLEAN,, +89,ConsentConfiguration,idp.properties,Name of function used to return the String storage key representing a user defaults to the principal name,all,,,,shibboleth.consent.PrincipalConsentStorageKey,idp.consent.terms-of-use.userStorageKey,SPRING_BEAN_ID,, +96,ConsentConfiguration,idp.properties,Whether per-attribute consent is allowed,all,,,,false,idp.consent.allowPerAttribute,BOOLEAN,, +97,ConsentConfiguration,idp.properties,Whether attribute values and terms of use text are stored and compared for equality,all,,,,false,idp.consent.compareValues,BOOLEAN,, +94,ConsentConfiguration,idp.properties,Whether not remembering/storing consent is allowed,all,,,,true,idp.consent.allowDoNotRemember,BOOLEAN,, +95,ConsentConfiguration,idp.properties,Whether consent to any attribute and to any relying party is allowed,all,,,,true,idp.consent.allowGlobal,BOOLEAN,, +86,ConsentConfiguration,idp.properties,Attribute whose value is the storage key representing a user,all,,,,uid,idp.consent.attribute-release.userStorageKeyAttribute,STRING,, +98,ConsentConfiguration,idp.properties,"Maximum number of records stored when using space-limited storage (e.g. 
cookies), 0 = no limit",all,,,,10,idp.consent.maxStoredRecords,INTEGER,, +100,ConsentConfiguration,idp.properties,Time in milliseconds to expire consent storage records,4.x,,,"(v4.0=P1Y,v4.1=infinite)",,idp.consent.storageRecordLifetime,DURATION,, +90,ConsentConfiguration,idp.properties,Attribute whose value is the storage key representing a user,all,,,,uid,idp.consent.terms-of-use.userStorageKeyAttribute,STRING,, +91,ConsentConfiguration,idp.properties,Suffix of message property used as value of consent storage records when idp.consent.compareValues is true,all,,,,.text,idp.consent.terms-of-use.consentValueMessageCodeSuffix,STRING,, +84,ConsentConfiguration,idp.properties,Name of storage service used to store users' consent choices,all,,,,shibboleth.ClientPersistentStorageService,idp.consent.StorageService,SPRING_BEAN_ID,, +85,ConsentConfiguration,idp.properties,Name of function used to return the String storage key representing a user defaults to the principal name,all,,,,shibboleth.consent.PrincipalConsentStorageKey,idp.consent.attribute-release.userStorageKey,SPRING_BEAN_ID,, +99,ConsentConfiguration,idp.properties,"Maximum number of records stored when using larger/server-side storage, 0 = no limit",all,,,,0,idp.consent.expandedMaxStoredRecords,INTEGER,, +88,ConsentConfiguration,idp.properties,Default consent auditing formats,all,,,Logback logging pattern,%T|%SP|%e|%u|%CCI|%CCV|%CCA,idp.consent.attribute-release.auditFormat,STRING,, +93,ConsentConfiguration,idp.properties,Default consent auditing formats,all,,,Logback logging pattern,%T|%SP|%e|%u|%CCI|%CCV|%CCA,idp.consent.terms-of-use.auditFormat,STRING,, +92,ConsentConfiguration,idp.properties,Optional condition to apply to control activation of terms-of-use flow,4.1,,,,shibboleth.Conditions.TRUE,idp.consent.terms-of-use.activationCondition,SPRING_BEAN_ID,, +87,ConsentConfiguration,idp.properties,Optional condition to apply to control activation of attribute-release flow along with system default 
behavior,4.1,,,,shibboleth.Conditions.TRUE,idp.consent.attribute-release.activationCondition,SPRING_BEAN_ID,, +11,Core,idp.properties,applies a (fixed) scope typically a domain-valued suffix to an input attribute's values,all,,,,,idp.scope,STRING,, +2,Core,idp.properties,Used to point to additional property files to load. All properties must be unique and are ultimately pooled into a single unordered set.,all,,,"Comma seperated list of values ex. /conf/ldap.properties, /conf/services.properties",,idp.additionalProperties,STRING,, +4,Core,idp.properties,Identifies the file to serve for requests to the IdP's well-known metadata location,all,,,,%{idp.home}/metadata/idp-metadata.xml,idp.entityID.metadataFile,STRING,, +47,Core,idp.properties,Auto-configures an HSTS response header,all,,,,max-age=0,idp.hsts,STRING,, +51,Core,idp.properties,"Location from which to load user-modifiable Velocity view templates. This can be set to include ""classpath*:/META-INF/net/shibboleth/idp/views"" (or equivalent) to load templates from the classpath, such as from extension jars, but doing so disables suppor",all,,,Comma seperated list of values,%{idp.home}/views,idp.views,STRING,, +107,Core,idp.properties,Allows the HttpClient used for SOAP communication to be overriden (applies to SAML logout via SOAP),all,,,Bean ID of HttpClient to use for SOAP-based logout,SOAPClient.HttpClient,idp.soap.httpClient,SPRING_BEAN_ID,, +119,Core,idp.properties,Set to true to fail on velocity syntax errors,all,,,,false,idp.velocity.runtime.strictmode,BOOLEAN,, +122,Core,idp.properties,Policies to use with Impersonate interceptor flow,all,,,Policy ID,SpecificImpersonationPolicy,idp.impersonate.specificPolicy,STRING,, +50,Core,idp.properties,Location from which to load user-supplied webflows from,all,,,resource path,%{idp.home}/flows,idp.webflows,STRING,, +121,Core,idp.properties,Policies to use with Impersonate interceptor flow,all,,,Policy 
ID,GeneralImpersonationPolicy,idp.impersonate.generalPolicy,STRING,, +1,Core,idp.properties,Auto-load all files matching conf/**/*.properties,4,,,,true,idp.searchForProperties,BOOLEAN,, +10,Core,idp.properties,Identifies the file to serve for requests to the IdP's well-known metadata location,all,,,file pathname,%{idp.home}/metadata/idp-metadata.xml,idp.entityID.metadataFile,STRING,, +120,Core,idp.properties,Path to use with External interceptor flow,all,,,,contextRelative:intercept.jsp,idp.intercept.External.externalPath,STRING,, +108,Core,idp.properties,languages to use if no match can be found with the browser-supported languages,all,,,"Comma seperated list of values ex. en, fr, de",,idp.ui.fallbackLanguages,STRING,, +48,Core,idp.properties,Auto-configures an X-Frame-Options response header,all,,,,DENY,idp.frameoptions,SELECTION_LIST,"DENY,SAMEORIGIN", +49,Core,idp.properties,Auto-configures a Content Security Policy response header,all,,,,frame-ancestors 'none',idp.csp,STRING,, +45,CSRF,idp.properties,Enables CSRF protection,4,,,,true,idp.csrf.enabled,BOOLEAN,, +46,CSRF,idp.properties,Name of the HTTP parameter that stores the CSRF token,4,,,,csrf_token,idp.csrf.token.parameter,STRING,, +317,DuoAuthnConfiguration,authn/authn.properties,Lifetime of results produced by this flow,4.1,idp.authn.Duo,,,%{idp.authn.defaultLifetime:PT1H},idp.authn.Duo.lifetime,DURATION,, +305,DuoAuthnConfiguration,authn/duo.properties,Name of HTTP request header for Duo AuthAPI factor,4.1,idp.authn.Duo,,this sould be set in conf/authn/duo.properties due to the sensitivity of the secret key,X-Shibboleth-Duo-Factor,idp.duo.nonbrowser.header.factor,STRING,, +311,DuoAuthnConfiguration,authn/authn.properties,"Whether the flow should handle non-browser request profiles (e.g., ECP)",4.1,idp.authn.Duo,,,false,idp.authn.Duo.nonBrowserSupported,BOOLEAN,, +314,DuoAuthnConfiguration,authn/authn.properties,Whether the flow enforces upstream IdP imposed restrictions on 
proxying,4.1,idp.authn.Duo,,,%{idp.authn.enforceProxyRestrictions:true},idp.authn.Duo.proxyRestrictionsEnforced,BOOLEAN,, +320,DuoAuthnConfiguration,authn/authn.properties,Bean ID of Predicate determining whether flow is usable for request,4.1,idp.authn.Duo,,,shibboleth.Conditions.TRUE,idp.authn.Duo.activationCondition,SPRING_BEAN_ID,, +319,DuoAuthnConfiguration,authn/authn.properties,Bean ID of Predicate controlling result reuse for SSO,4.1,idp.authn.Duo,,,shibboleth.Conditions.TRUE,idp.authn.Duo.reuseCondition,SPRING_BEAN_ID,, +310,DuoAuthnConfiguration,authn/authn.properties,"Flow priority relative to other enabled login flows (lower is ""higher"" in priority)",4.1,idp.authn.Duo,,,1000,idp.authn.Duo.order,INTEGER,, +302,DuoAuthnConfiguration,authn/duo.properties,Duo AuthAPI hostname assigned to the integration,4.1,idp.authn.Duo,,this sould be set in conf/authn/duo.properties due to the sensitivity of the secret key,${idp.duo.apiHost},idp.duo.nonbrowser.apiHost,STRING,, +298,DuoAuthnConfiguration,authn/duo.properties,DuoWeb API hostname assigned to the integration,4.1,idp.authn.Duo,,this sould be set in conf/authn/duo.properties due to the sensitivity of the secret key,,idp.duo.apiHost,STRING,, +318,DuoAuthnConfiguration,authn/authn.properties,Inactivity timeout of results produced by this flow,4.1,idp.authn.Duo,,,%{idp.authn.defaultTimeout:PT30M},idp.authn.Duo.inactivityTimeout,DURATION,, +313,DuoAuthnConfiguration,authn/authn.properties,Whether the flow supports forced authentication,4.1,idp.authn.Duo,,,false,idp.authn.Duo.forcedAuthenticationSupported,BOOLEAN,, +321,DuoAuthnConfiguration,authn/authn.properties,Bean ID of BiConsumer:/idp/profile/Authn/Duo/2FA/duo-callback,,idp.duo.oidc.redirectURL,STRING,, +608,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Duo AuthAPI integration key supplied by Duo,4.1,idp.authn.DuoOIDC,1,,,idp.duo.oidc.nonbrowser.integrationKey,STRING,, +598,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,The client secret used to 
verify the client in exchanging the authorization code for a Duo 2FA result token (id_token).,4.1,idp.authn.DuoOIDC,1,,,idp.duo.oidc.secretKey,STRING,, +617,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Maximum period inactivity between two consecutive data packets,4.1,idp.authn.DuoOIDC,1 (nimbus),,PT1M,idp.duo.oidc.socketTimeout,DURATION,, +616,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Maximum length of time to wait for a connection to be returned from the connection manager,4.1,idp.authn.DuoOIDC,1 (nimbus),,PT1M,idp.duo.oidc.connectionRequestTimeout,DURATION,, +612,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Name of HTTP request header for Duo AuthAPI passcode,4.1,idp.authn.DuoOIDC,1,,X-Shibboleth-Duo-Passcode,idp.duo.oidc.nonbrowser.header.passcode,STRING,, +615,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Maximum length of time to wait for the connection to be established,4.1,idp.authn.DuoOIDC,1 (nimbus),,PT1M,idp.duo.oidc.connectionTimeout,DURATION,, +581,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,"Whether the flow should handle non-browser request profiles (e.g., ECP)",4.1,idp.authn.DuoOIDC,1,,false,idp.authn.DuoOIDC.nonBrowserSupported,BOOLEAN,, +602,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Leeway allowed in token expiry calculations,4.1,idp.authn.DuoOIDC,1,,PT60S,idp.duo.oidc.jwt.verifier.clockSkew,DURATION,, +618,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Max total simultaneous connections allowed by the pooling connection manager,4.1,idp.authn.DuoOIDC,1 (nimbus),,100,idp.duo.oidc.maxConnectionsTotal,INTEGER,, +590,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Bean ID ofPredicate determining whether flow is usable for request,4.1,idp.authn.DuoOIDC,1,,shibboleth.Conditions.TRUE,idp.authn.DuoOIDC.activationCondition,SPRING_BEAN_ID,, +589,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Bean ID ofPredicate controlling result reuse for 
SSO,4.1,idp.authn.DuoOIDC,1,,shibboleth.Conditions.TRUE,idp.authn.DuoOIDC.reuseCondition,SPRING_BEAN_ID,, +591,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,"Bean ID ofBiConsumer for subject customization",4.1,idp.authn.DuoOIDC,1,,,idp.authn.DuoOIDC.subjectDecorator,SPRING_BEAN_ID,, +619,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Max simultaneous connections per route allowed by the pooling connection manager,4.1,idp.authn.DuoOIDC,1 (nimbus),,100,idp.duo.oidc.maxConnectionsPerRoute,INTEGER,, +588,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Inactivity timeout of results produced by this flow,4.1,idp.authn.DuoOIDC,1,,%{idp.authn.defaultTimeout:PT30M},idp.authn.DuoOIDC.inactivityTimeout,DURATION,, +587,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Lifetime of results produced by this flow,4.1,idp.authn.DuoOIDC,1,,%{idp.authn.defaultLifetime:PT1H},idp.authn.DuoOIDC.lifetime,DURATION,, +580,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,"Flow priority relative to other enabled login flows (lower is ""higher"" in priority)",4.1,idp.authn.DuoOIDC,1,,1000,idp.authn.DuoOIDC.order,INTEGER,, +610,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Name of HTTP request header for Duo AuthAPI factor,4.1,idp.authn.DuoOIDC,1,,X-Shibboleth-Duo-Factor,idp.duo.oidc.nonbrowser.header.factor,STRING,, +584,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Whether the flow enforces upstream IdP-imposed restrictions on proxying,4.1,idp.authn.DuoOIDC,1,,%{idp.authn.enforceProxyRestrictions:true},idp.authn.DuoOIDC.proxyRestrictionsEnforced,BOOLEAN,, +593,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Whether to auto-attach the preceding set ofPrincipalobjects to eachSubjectproduced by this flow,4.1,idp.authn.DuoOIDC,1,,false,idp.authn.DuoOIDC.addDefaultPrincipals,BOOLEAN,, +594,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,DuoOIDC API hostname assigned to the integration,4.1,idp.authn.DuoOIDC,1,,,idp.duo.oidc.apiHost,STRING,, 
+582,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Whether the flow allows for passive authentication,4.1,idp.authn.DuoOIDC,1,,false,idp.authn.DuoOIDC.passiveAuthenticationSupported,BOOLEAN,, +585,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Whether the flow considers itself to be proxying,4.1,idp.authn.DuoOIDC,1,and therefore enforces SP-signaled restrictions on proxying,false,idp.authn.DuoOIDC.proxyScopingEnforced,BOOLEAN,, +595,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,The OAuth 2.0 Client Identifier valid at the Authorization Server,4.1,idp.authn.DuoOIDC,1,,,idp.duo.oidc.clientId,STRING,, +614,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Pass client address to Duo in API calls to support logging,4.1,idp.authn.DuoOIDC,1,push display,true,idp.duo.oidc.nonbrowser.clientAddressTrusted,BOOLEAN,, +592,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Comma-delimited list of protocol-specific Principalstrings associated with flow,4.1,idp.authn.DuoOIDC,1,,"saml2/http://example.org/ac/classes/mfa, saml1/http://example.org/ac/classes/mfa",idp.authn.DuoOIDC.supportedPrincipals,STRING,, +597,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,If the idp.duo.oidc.redirectURL is not set one will be computed dynamically and checked against this list of allowed origins - to prevent Http Host Header injection.,4.1,idp.authn.DuoOIDC,1,,,idp.duo.oidc.redirecturl.allowedOrigins,STRING,, +599,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Duo's OAuth 2.0 health check endpoint,4.1,idp.authn.DuoOIDC,1,,/oauth/v1/health_check,idp.duo.oidc.endpoint.health,STRING,, +600,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Duo's OAuth 2.0 token endpoint,4.1,idp.authn.DuoOIDC,1,,/oauth/v1/token,idp.duo.oidc.endpoint.token,STRING,, +601,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Duo's OAuth 2.0 authorization endpoint,4.1,idp.authn.DuoOIDC,1,,/oauth/v1/authorize,idp.duo.oidc.endpoint.authorize,STRING,, 
+604,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,The path component of the Duo token issuer. The full issuer string takes the format: HTTPS://+,4.1,idp.authn.DuoOIDC,1,,/oauth/v1/token,idp.duo.oidc.jwt.verifier.issuerPath,STRING,, +605,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,The result token JWT claim name that represents the username sent in the duo_uname field in the authorization request.,4.1,idp.authn.DuoOIDC,1,,preferred_username,idp.duo.oidc.jwt.verifier.preferredUsername,STRING,, +583,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Whether the flow supports forced authentication,4.1,idp.authn.DuoOIDC,1,,true,idp.authn.DuoOIDC.forcedAuthenticationSupported,BOOLEAN,, +613,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,"Allow the factor to be defaulted in as ""auto"" if no headers are received",4.1,idp.authn.DuoOIDC,1,,true,idp.duo.oidc.nonbrowser.auto,BOOLEAN,, +607,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Duo AuthAPI hostname assigned to the integration,4.1,idp.authn.DuoOIDC,1,,%{idp.duo.oidc.apiHost},idp.duo.oidc.nonbrowser.apiHost,STRING,, +609,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Duo AuthAPI secret key supplied by Duo,4.1,idp.authn.DuoOIDC,1,,,idp.duo.oidc.nonbrowser.secretKey,STRING,, +611,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Name of HTTP request header for Duo AuthAPI device ID or name,4.1,idp.authn.DuoOIDC,1,,X-Shibboleth-Duo-Device,idp.duo.oidc.nonbrowser.header.device,STRING,, +606,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,How long the authentication is valid. 
Only applies to forced authentication requests.,4.1,idp.authn.DuoOIDC,1,,PT60S,idp.duo.oidc.jwt.verifier.authLifetime,DURATION,, +620,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,To enable certificate revocation checking,4.1,idp.authn.DuoOIDC,1 (nimbus),,false,idp.duo.oidc.nimbus.checkRevocation,BOOLEAN,, +603,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Maximum amount (in either direction from now) of duration for which a token is valid after it is issued,4.1,idp.authn.DuoOIDC,1,,PT60S,idp.duo.oidc.jwt.verifier.iatWindow,DURATION,, +586,DuoOIDCAuthnConfiguration,authn/duo-oidc.properties,Whether to invoke IdP-discovery prior to running flow,4.1,idp.authn.DuoOIDC,1,,false,idp.authn.DuoOIDC.discoveryRequired,BOOLEAN,, +55,ErrorHandlingConfiguration,idp.properties,"Bean defing Properties mapping exception class names to error views. The matching by class name does not support wildcards, but does do substring matches (so it's not necessary to fully qualify the class).",all,,,Bean ID of Properties (java.util.Properties),,idp.errors.excludedExceptions,SPRING_BEAN_ID,, +52,ErrorHandlingConfiguration,idp.properties,Whether to expose detailed error causes in status information provided to outside parties,all,,,,false,idp.errors.detailed,BOOLEAN,, +54,ErrorHandlingConfiguration,idp.properties,The default view name to render for exceptions and events,all,,,,error,idp.errors.defaultView,STRING,, +56,ErrorHandlingConfiguration,idp.properties,"Bean defining Collection identifying exception classes to ignore (causing them to bubble outward, so use with caution)",all,,,Bean ID of Collection (java.util),,idp.errors.exceptionMappings,SPRING_BEAN_ID,, +53,ErrorHandlingConfiguration,idp.properties,"Whether to digitally sign error responses in SAML or similar protocols, if signing is otherwise warranted (this can prevent a simple denial of service vector, since errors are simple to trigger)",all,,,,true,idp.errors.signed,BOOLEAN,, 
+168,ExternalAuthnConfiguration,authn/authn.properties,Whether the flow allows for passive authentication,4.1,idp.authn.External,,,false,idp.authn.External.passiveAuthenticationSupported,BOOLEAN,, +170,ExternalAuthnConfiguration,authn/authn.properties,Whether the flow enforces upstream IdP imposed restrictions on proxying,4.1,idp.authn.External,,,%{idp.authn.enforceProxyRestrictions:true},idp.authn.External.proxyRestrictionsEnforced,BOOLEAN,, +176,ExternalAuthnConfiguration,authn/authn.properties,Bean ID of Predicate determining whether flow is usable for request,4.1,idp.authn.External,,,shibboleth.Conditions.TRUE,idp.authn.External.activationCondition,SPRING_BEAN_ID,, +169,ExternalAuthnConfiguration,authn/authn.properties,Whether the flow supports forced authentication,4.1,idp.authn.External,,,false,idp.authn.External.forcedAuthenticationSupported,BOOLEAN,, +173,ExternalAuthnConfiguration,authn/authn.properties,Lifetime of results produced by this flow,4.1,idp.authn.External,,,%{idp.authn.defaultLifetime:PT1H},idp.authn.External.lifetime,DURATION,, +166,ExternalAuthnConfiguration,authn/authn.properties,"Flow priority relative to other enabled login flows (lower is ""higher"" in priority)",4.1,idp.authn.External,,,1000,idp.authn.External.order,INTEGER,, +175,ExternalAuthnConfiguration,authn/authn.properties,Bean ID of Predicate controlling result reuse for SSO,4.1,idp.authn.External,,,shibboleth.Conditions.TRUE,idp.authn.External.reuseCondition,SPRING_BEAN_ID,, +167,ExternalAuthnConfiguration,authn/authn.properties,"Whether the flow should handle non-browser request profiles (e.g., ECP)",4.1,idp.authn.External,,,false,idp.authn.External.nonBrowserSupported,BOOLEAN,, +178,ExternalAuthnConfiguration,authn/authn.properties,Comma-delimited list of protocol-specific Principal strings associated with 
flow,4.1,idp.authn.External,,,"saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport,saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password,saml1/urn:oasis:names:tc:SAML:1.0:am:password",idp.authn.External.supportedPrincipals,STRING,, +164,ExternalAuthnConfiguration,authn/authn.properties,Spring Web Flow redirection expression for the protected resource,4.1,idp.authn.External,,,contextRelative:external.jsp,idp.authn.External.externalAuthnPath,STRING,, +179,ExternalAuthnConfiguration,authn/authn.properties,Whether to auto-attach the preceding set of Principal objects to each Subject produced by this flow,4.1,idp.authn.External,,,true,idp.authn.External.addDefaultPrincipals,BOOLEAN,, +165,ExternalAuthnConfiguration,authn/authn.properties,Regular expression to match username against,4.1,idp.authn.External,,regex expected,,idp.authn.External.matchExpression,STRING,, +172,ExternalAuthnConfiguration,authn/authn.properties,Whether to invoke IdP discovery prior to running flow,4.1,idp.authn.External,,,false,idp.authn.External.discoveryRequired,BOOLEAN,, +174,ExternalAuthnConfiguration,authn/authn.properties,Inactivity timeout of results produced by this flow,4.1,idp.authn.External,,,%{idp.authn.defaultTimeout:PT30M},idp.authn.External.inactivityTimeout,DURATION,, +171,ExternalAuthnConfiguration,authn/authn.properties,Whether the flow considers itself to be proxying and therefore enforces SP signaled restrictions on proxying,4.1,idp.authn.External,,,false,idp.authn.External.proxyScopingEnforced,BOOLEAN,, +177,ExternalAuthnConfiguration,authn/authn.properties,Bean ID of BiConsumer to use to decide whether to run,4.1,,,,,idp.fticks.condition,SPRING_BEAN_ID,, +114,FTICKSLoggingConfiguration,idp.properties,Digest algorithm used to obscure usernames,all,,,,SHA-2,idp.fticks.algorithm,STRING,, +115,FTICKSLoggingConfiguration,idp.properties,"A salt to apply when digesting usernames (if not specified, the username will not be 
included)",all,,,,,idp.fticks.salt,STRING,, +297,FunctionAuthnConfiguration,authn/authn.properties,Whether to auto-attach the preceding set of Principal objects to each Subject produced by this flow,4.1,idp.authn.Function,,,true,idp.authn.Function.addDefaultPrincipals,BOOLEAN,, +289,FunctionAuthnConfiguration,authn/authn.properties,Whether the flow considers itself to be proxying and therefore enforces SP signaled restrictions on proxying,4.1,idp.authn.Function,,,false,idp.authn.Function.proxyScopingEnforced,BOOLEAN,, +294,FunctionAuthnConfiguration,authn/authn.properties,Bean ID of Predicate determining whether flow is usable for request,4.1,idp.authn.Function,,,shibboleth.Conditions.TRUE,idp.authn.Function.activationCondition,SPRING_BEAN_ID,, +286,FunctionAuthnConfiguration,authn/authn.properties,Whether the flow allows for passive authentication,4.1,idp.authn.Function,,,false,idp.authn.Function.passiveAuthenticationSupported,BOOLEAN,, +285,FunctionAuthnConfiguration,authn/authn.properties,"Whether the flow should handle non-browser request profiles (e.g., ECP)",4.1,idp.authn.Function,,,false,idp.authn.Function.nonBrowserSupported,BOOLEAN,, +295,FunctionAuthnConfiguration,authn/authn.properties,Bean ID of BiConsumer controlling result reuse for SSO,4.1,idp.authn.Function,,,shibboleth.Conditions.TRUE,idp.authn.Function.reuseCondition,SPRING_BEAN_ID,, +459,HelloWorldConfiguration,admin/admin.properties,Name of access control policy for request authorization,4.1,,,,AccessByAdminUser,idp.hello.accessPolicy,STRING,, +461,HelloWorldConfiguration,admin/admin.properties,Whether the flow should allow for non-browser clients during authentication,4.1,,,,false,idp.hello.nonBrowserSupported,BOOLEAN,, +458,HelloWorldConfiguration,admin/admin.properties,Audit log identifier for flow,4.1,,,,Hello,idp.hello.logging,STRING,, +462,HelloWorldConfiguration,admin/admin.properties,?,4.1,,,,,idp.hello.defaultAuthenticationMethods,STRING,, 
+463,HelloWorldConfiguration,admin/admin.properties,Whether attributes should be resolved prior to access control evaluation,4.1,,,,true,idp.hello.resolveAttributes,BOOLEAN,, +460,HelloWorldConfiguration,admin/admin.properties,Whether authentication should be performed prior to access control evaluation,4.1,,,,true,idp.hello.authenticated,BOOLEAN,, +464,HelloWorldConfiguration,admin/admin.properties,?,4.1,,,,,idp.hello.postAuthenticationFlows,STRING,, +280,IPAddressAuthnConfiguration,authn/authn.properties,Bean ID of Predicate determining whether flow is usable for request,4.1,idp.authn.IPAddress,,,shibboleth.Conditions.TRUE,idp.authn.IPAddress.activationCondition,SPRING_BEAN_ID,, +278,IPAddressAuthnConfiguration,authn/authn.properties,Inactivity timeout of results produced by this flow,4.1,idp.authn.IPAddress,,,%{idp.authn.defaultTimeout:PT30M},idp.authn.IPAddress.inactivityTimeout,DURATION,, +283,IPAddressAuthnConfiguration,authn/authn.properties,Whether to auto-attach the preceding set of Principal objects to each Subject produced by this flow,4.1,idp.authn.IPAddress,,,true,idp.authn.IPAddress.addDefaultPrincipals,BOOLEAN,, +273,IPAddressAuthnConfiguration,authn/authn.properties,Whether the flow supports forced authentication,4.1,idp.authn.IPAddress,,,false,idp.authn.IPAddress.forcedAuthenticationSupported,BOOLEAN,, +275,IPAddressAuthnConfiguration,authn/authn.properties,Whether the flow considers itself to be proxying and therefore enforces SP signaled restrictions on proxying,4.1,idp.authn.IPAddress,,,false,idp.authn.IPAddress.proxyScopingEnforced,BOOLEAN,, +276,IPAddressAuthnConfiguration,authn/authn.properties,Whether to invoke IdP discovery prior to running flow,4.1,idp.authn.IPAddress,,,false,idp.authn.IPAddress.discoveryRequired,BOOLEAN,, +272,IPAddressAuthnConfiguration,authn/authn.properties,Whether the flow allows for passive authentication,4.1,idp.authn.IPAddress,,,false,idp.authn.IPAddress.passiveAuthenticationSupported,BOOLEAN,, 
+270,IPAddressAuthnConfiguration,authn/authn.properties,"Flow priority relative to other enabled login flows (lower is ""higher"" in priority)",4.1,idp.authn.IPAddress,,,1000,idp.authn.IPAddress.order,INTEGER,, +281,IPAddressAuthnConfiguration,authn/authn.properties,Bean ID of BiConsumer controlling result reuse for SSO,4.1,idp.authn.IPAddress,,,shibboleth.Conditions.TRUE,idp.authn.IPAddress.reuseCondition,SPRING_BEAN_ID,, +277,IPAddressAuthnConfiguration,authn/authn.properties,Lifetime of results produced by this flow,4.1,idp.authn.IPAddress,,,%{idp.authn.defaultLifetime:PT1H},idp.authn.IPAddress.lifetime,DURATION,, +274,IPAddressAuthnConfiguration,authn/authn.properties,Whether the flow enforces upstream IdP imposed restrictions on proxying,4.1,idp.authn.IPAddress,,,%{idp.authn.enforceProxyRestrictions:true},idp.authn.IPAddress.proxyRestrictionsEnforced,BOOLEAN,, +271,IPAddressAuthnConfiguration,authn/authn.properties,"Whether the flow should handle non-browser request profiles (e.g., ECP)",4.1,idp.authn.IPAddress,,,false,idp.authn.IPAddress.nonBrowserSupported,BOOLEAN,, +158,JAASAuthnConfiguration,authn/authn.properties,Comma-delimited set of JAAS application configuration names to use,4.1,,,,ShibUserPassAuth,idp.authn.JAAS.loginConfigNames,STRING,, +159,JAASAuthnConfiguration,authn/authn.properties,Location of JAAS configuration file,4.1,,,resource path,%{idp.home}/conf/authn/jaas.config,idp.authn.JAAS.loginConfig,STRING,, +161,KerberosAuthnConfiguration,authn/authn.properties,Whether to preserve the resulting Kerberos TGT in the Java Subject's private credential set,4.1,,,,false,idp.authn.Krb5.preserveTicket,BOOLEAN,, +163,KerberosAuthnConfiguration,authn/authn.properties,Path to a keytab file containing keys belonging to the service principal defined in idp.authn.Krb5.servicePrincipal,4.1,,,,,idp.authn.Krb5.keytab,STRING,, +160,KerberosAuthnConfiguration,authn/authn.properties,Whether to reload the underlying Kerberos configuration (generally in 
/etc/krb5.conf) on every login attempt,4.1,,,,false,idp.authn.Krb5.refreshConfig,BOOLEAN,, +162,KerberosAuthnConfiguration,authn/authn.properties,Name of a service principal to use to verify the KDC supplying the TGT by requesting and verifying a service ticket issued for it,4.1,,,,,idp.authn.Krb5.servicePrincipal,STRING,, +144,LDAPAuthnConfiguration,authn/authn.properties,If you are using the FreeIPA LDAP this switch will attempt to use the account states defined by that product.,all,,,"The target file for the value depends on the version of Shibboleth being used:\n for v4: ldap.properties , for V4.1: authn/authn.properties",false,idp.authn.LDAP.freeIPADirectory,BOOLEAN,, +134,LDAPAuthnConfiguration,authn/authn.properties,Whether to search recursively when using an LDAP.authenticator of anonSearchAuthenticator or bindSearchAuthenticator,all,,,"The target file for the value depends on the version of Shibboleth being used:\n for v4: ldap.properties , for V4.1: authn/authn.properties",false,idp.authn.LDAP.subtreeSearch,BOOLEAN,, +135,LDAPAuthnConfiguration,authn/authn.properties,LDAP search filter when using an LDAP.authenticator of anonSearchAuthenticator or bindSearchAuthenticator,all,,,"The target file for the value depends on the version of Shibboleth being used:\n for v4: ldap.properties , for V4.1: authn/authn.properties",,idp.authn.LDAP.userFilter,STRING,, +132,LDAPAuthnConfiguration,authn/authn.properties,List of attributes to request during authentication,all,,,"Comma seperated list of values. 
The target file for the value depends on the version of Shibboleth being used:\n for v4: ldap.properties , for V4.1: authn/authn.properties",,idp.authn.LDAP.returnAttributes,STRING,, +133,LDAPAuthnConfiguration,authn/authn.properties,Base DN to search against when using an LDAP.authenticator of anonSearchAuthenticator or bindSearchAuthenticator,all,,,"The target file for the value depends on the version of Shibboleth being used:\n for v4: ldap.properties , for V4.1: authn/authn.properties",,idp.authn.LDAP.baseDN,STRING,, +139,LDAPAuthnConfiguration,authn/authn.properties,Whether the user's LDAP entry should be returned in the authentication response even when the user bind fails.,all,,,"The target file for the value depends on the version of Shibboleth being used:\n for v4: ldap.properties , for V4.1: authn/authn.properties",false,idp.authn.LDAP.resolveEntryOnFailure,BOOLEAN,, +136,LDAPAuthnConfiguration,authn/authn.properties,DN to bind with during search when using an LDAP.authenticator = bindSearchAuthenticator,all,,,"The target file for the value depends on the version of Shibboleth being used:\n for v4: ldap.properties , for V4.1: authn/authn.properties",,idp.authn.LDAP.bindDN,STRING,, +123,LDAPAuthnConfiguration,authn/authn.properties,"Controls the workflow for how authentication occurs against LDAP: one of anonSearchAuthenticator, bindSearchAuthenticator, directAuthenticator, adAuthenticator",all,,,"The target file for the value depends on the version of Shibboleth being used:\n for v4: ldap.properties , for V4.1: authn/authn.properties",anonSearchAuthenticator,idp.authn.LDAP.authenticator,STRING,, +127,LDAPAuthnConfiguration,authn/authn.properties,Time to wait for an LDAP response message,all,,,"The target file for the value depends on the version of Shibboleth being used:\n for v4: ldap.properties , for V4.1: authn/authn.properties",PT3S,idp.authn.LDAP.responseTimeout,DURATION,, +128,LDAPAuthnConfiguration,authn/authn.properties,"Connection strategy to use 
when multiple URLs are supplied: one of ACTIVE_PASSIVE, ROUND_ROBIN, RANDOM",all,,,"The target file for the value depends on the version of Shibboleth being used:\n for v4: ldap.properties , for V4.1: authn/authn.properties",ACTIVE_PASSIVE,idp.authn.LDAP.connectionStrategy,STRING,, +157,LDAPAuthnConfiguration,authn/authn.properties,Controls how connections in the bind pool are passivated. Connections in the bind pool may be in an authenticated state that will not allow validation searches to succeed. This property controls how bind connections are placed back into the pool. If your ,4.0.1,,,"The target file for the value depends on the version of Shibboleth being used:\n for v4: ldap.properties , for V4.1: authn/authn.properties",,idp.authn.LDAP.bindPoolPassivator,STRING,, +126,LDAPAuthnConfiguration,authn/authn.properties,Time to wait for the TCP connection to occur.,all,,,"The target file for the value depends on the version of Shibboleth being used:\n for v4: ldap.properties , for V4.1: authn/authn.properties",PT3S,idp.authn.LDAP.connectTimeout,DURATION,, +145,LDAPAuthnConfiguration,authn/authn.properties,If you are using the EDirectory LDAP this switch will attempt to use the account states defined by that product.,all,,,"The target file for the value depends on the version of Shibboleth being used:\n for v4: ldap.properties , for V4.1: authn/authn.properties",false,idp.authn.LDAP.eDirectory,BOOLEAN,, +146,LDAPAuthnConfiguration,authn/authn.properties,Whether connection pools should be used for LDAP authentication and DN resolution,all,,,"The target file for the value depends on the version of Shibboleth being used:\n for v4: ldap.properties , for V4.1: authn/authn.properties",false,idp.authn.LDAP.disablePooling,BOOLEAN,, +143,LDAPAuthnConfiguration,authn/authn.properties,If you are using Active Directory this switch will attempt to use the account states defined by AD. Note that this flag is unnecessary if you are using the 'adAuthenticator'. 
It is meant to be specified with one of the other authenticator types.,all,,,"The target file for the value depends on the version of Shibboleth being used:\n for v4: ldap.properties , for V4.1: authn/authn.properties",false,idp.authn.LDAP.activeDirectory,BOOLEAN,, +149,LDAPAuthnConfiguration,authn/authn.properties,Whether to validate connections when checking them out of the pool,all,,,"The target file for the value depends on the version of Shibboleth being used:\n for v4: ldap.properties , for V4.1: authn/authn.properties",false,idp.pool.LDAP.validateOnCheckout,BOOLEAN,, +125,LDAPAuthnConfiguration,authn/authn.properties,Whether StartTLS should be used after connecting with LDAP alone.,all,,,"The target file for the value depends on the version of Shibboleth being used:\n for v4: ldap.properties , for V4.1: authn/authn.properties",true,idp.authn.LDAP.useStartTLS,BOOLEAN,, +129,LDAPAuthnConfiguration,authn/authn.properties,"How to establish trust in the server's TLS certificate: one of jvmTrust, certificateTrust, or keyStoreTrust",all,,,"The target file for the value depends on the version of Shibboleth being used:\n for v4: ldap.properties , for V4.1: authn/authn.properties",certificateTrust,idp.authn.LDAP.sslConfig,STRING,, +140,LDAPAuthnConfiguration,authn/authn.properties,Whether the user's LDAP entry should be resolved with the bindDN credentials rather than as the authenticated user.,all,,,"The target file for the value depends on the version of Shibboleth being used:\n for v4: ldap.properties , for V4.1: authn/authn.properties",false,idp.authn.LDAP.resolveEntryWithBindDN,BOOLEAN,, +142,LDAPAuthnConfiguration,authn/authn.properties,Whether to use the Password Expired Control.,all,,,"The target file for the value depends on the version of Shibboleth being used:\n for v4: ldap.properties , for V4.1: authn/authn.properties",false,idp.authn.LDAP.usePasswordExpiration,BOOLEAN,, +150,LDAPAuthnConfiguration,authn/authn.properties,Whether to validate connections in 
the background,all,,,"The target file for the value depends on the version of Shibboleth being used:\n for v4: ldap.properties , for V4.1: authn/authn.properties",true,idp.pool.LDAP.validatePeriodically,BOOLEAN,, +130,LDAPAuthnConfiguration,authn/authn.properties,A resource to load trust anchors from when using sslConfig = certificateTrust,all,,,"resource path ex. %{idp.home}/credentials/ldap-server.crt - The target file for the value depends on the version of Shibboleth being used:\n for v4: ldap.properties , for V4.1: authn/authn.properties",,idp.authn.LDAP.trustCertificates,STRING,, +131,LDAPAuthnConfiguration,authn/authn.properties,A resource to load a Java keystore containing trust anchors when using sslConfig = keyStoreTrust,all,,,"resource path ex. %{idp.home}/credentials/ldap-server.truststore - The target file for the value depends on the version of Shibboleth being used:\n for v4: ldap.properties , for V4.1: authn/authn.properties",,idp.authn.LDAP.trustStore,STRING,, +152,LDAPAuthnConfiguration,authn/authn.properties,DN to search with the validateFilter: defaults to the rootDSE,4.0.1,,,"The target file for the value depends on the version of Shibboleth being used:\n for v4: ldap.properties , for V4.1: authn/authn.properties",,idp.pool.LDAP.validateDN,STRING,, +124,LDAPAuthnConfiguration,authn/authn.properties,Connection URI for LDAP directory,all,,,"LDAP URI ex. 
ldap://localhost or ldaps://localhost - The target file for the value depends on the version of Shibboleth being used:\n for v4: ldap.properties , for V4.1: authn/authn.properties",,idp.authn.LDAP.ldapURL,STRING,, +137,LDAPAuthnConfiguration,authn/authn.properties,Password to bind with during search when using an LDAP.authenticator = bindSearchAuthenticator usually set via %{idp.home}/credentials/secrets.properties,all,,,"The target file for the value depends on the version of Shibboleth being used:\n for v4: ldap.properties , for V4.1: authn/authn.properties",,idp.authn.LDAP.bindDNCredential,STRING,, +138,LDAPAuthnConfiguration,authn/authn.properties,A formatting string to generate the user DNs to authenticate when using an LDAP.authenticator of directAuthenticator or adAuthenticator,all,,,"ex. uid=%s,ou=people,dc=example,dc=org or for AD %s@domain.com - The target file for the value depends on the version of Shibboleth being used:\n for v4: ldap.properties , for V4.1: authn/authn.properties",,idp.authn.LDAP.dnFormat,STRING,, +154,LDAPAuthnConfiguration,authn/authn.properties,Duration between looking for idle connections to reduce the pool back to its minimum size,all,,,"The target file for the value depends on the version of Shibboleth being used:\n for v4: ldap.properties , for V4.1: authn/authn.properties",PT5M,idp.pool.LDAP.prunePeriod,DURATION,, +151,LDAPAuthnConfiguration,authn/authn.properties,Duration between validation if idp.pool.LDAP.validatePeriodically is true,all,,,"The target file for the value depends on the version of Shibboleth being used:\n for v4: ldap.properties , for V4.1: authn/authn.properties",PT5M,idp.pool.LDAP.validatePeriod,DURATION,, +141,LDAPAuthnConfiguration,authn/authn.properties,Whether to use the Password Policy Control.,all,,,"The target file for the value depends on the version of Shibboleth being used:\n for v4: ldap.properties , for V4.1: authn/authn.properties",false,idp.authn.LDAP.usePasswordPolicy,BOOLEAN,, 
+155,LDAPAuthnConfiguration,authn/authn.properties,Duration connections must be idle to be eligible for pruning,all,,,"The target file for the value depends on the version of Shibboleth being used:\n for v4: ldap.properties , for V4.1: authn/authn.properties",PT10M,idp.pool.LDAP.idleTime,DURATION,,
+148,LDAPAuthnConfiguration,authn/authn.properties,Maximum LDAP connection pool size,all,,,"The target file for the value depends on the version of Shibboleth being used:\n for v4: ldap.properties , for V4.1: authn/authn.properties",10,idp.pool.LDAP.maxSize,INTEGER,,
+147,LDAPAuthnConfiguration,authn/authn.properties,Minimum LDAP connection pool size,all,,,"The target file for the value depends on the version of Shibboleth being used:\n for v4: ldap.properties , for V4.1: authn/authn.properties",3,idp.pool.LDAP.minSize,INTEGER,,
+156,LDAPAuthnConfiguration,authn/authn.properties,Duration to wait for a free connection in the pool,all,,,"The target file for the value depends on the version of Shibboleth being used:\n for v4: ldap.properties , for V4.1: authn/authn.properties",PT3S,idp.pool.LDAP.blockWaitTime,DURATION,,
+153,LDAPAuthnConfiguration,authn/authn.properties,Search filter to execute in order to validate a pooled connection,4.0.1,,,"The target file for the value depends on the version of Shibboleth being used:\n for v4: ldap.properties , for V4.1: authn/authn.properties",(objectClass=*),idp.pool.LDAP.validateFilter,STRING,,
+104,LogoutConfiguration,idp.properties,Processes arbitrary query parameters to the Simple Logout endpoint and stashes them in a ScratchContext for use by subsequent view logic,4.1,,,,false,idp.logout.preserveQuery,BOOLEAN,,
+101,LogoutConfiguration,idp.properties,Whether to search metadata for user interface information associated with every service involved in logout propagation,all,,,,false,idp.logout.elaboration,BOOLEAN,,
+105,LogoutConfiguration,idp.properties,When true allows inbound SAML LogoutRequests to be processed even if the SP 
lacks metadata containing response endpoints,4.2,,,,false,idp.logout.assumeAsync,BOOLEAN,,
+106,LogoutConfiguration,idp.properties,"Applies the ""display:none"" style to the list of SPs and logout status reporting images so that logout status is not visibly reported to the user",4.2,,,,false,idp.logout.propagationHidden,BOOLEAN,,
+102,LogoutConfiguration,idp.properties,Whether to require signed logout messages in accordance with the SAML 2.0 standard,all,,,,true,idp.logout.authenticated,BOOLEAN,,
+103,LogoutConfiguration,idp.properties,If the bean returns true the user is given the option to actually cancel the IdP logout outright and prevent removal of the session,all,,,Bean ID of Predicate,false,idp.logout.promptUser,SPRING_BEAN_ID,,
+642,Metadatagen,mdgen.properties,The width of the logo in pixels,4.1,idp.metadatagen,1,,80,idp.metadata.idpsso.mdui.logo.width,INTEGER,,
+638,Metadatagen,mdgen.properties,Supplies the DNS name used within the URLs specifying the end points. This should not be used in conjunction with the --DNSName qualifier,4.1,idp.metadatagen,1,,,idp.metadata.dnsname,STRING,,
+639,Metadatagen,mdgen.properties,Specifies the path to the certificate protecting the back channel. This should not be used in conjunction with the --backChannel qualifier.,4.1,idp.metadatagen,1,,,idp.metadata.backchannel.cert,STRING,,
+640,Metadatagen,mdgen.properties,Specifies the path part of the URL which describes a logo for the IdP. The protocol is hard wired to be https:// and the DNS name is used for the host. The is always emitted. If this is absent then then a fixed path ('/path/to/logo') is use,4.1,idp.metadatagen,1,,,idp.metadata.idpsso.mdui.logo.path,STRING,,
+643,Metadatagen,mdgen.properties,A space separated list of languages used to lookup values formed appending each one to the name and description properties idp.metadata.idpsso.mdui.displayname. and idp.metadata.idpsso.mdui.description.. 
If this is absent then an is emitted for that language,4.1,idp.metadatagen,1,,,idp.metadata.idpsso.mdui.displayname.,STRING,,
+641,Metadatagen,mdgen.properties,The height of the logo in pixels.,4.1,idp.metadatagen,1,,80,idp.metadata.idpsso.mdui.logo.height,INTEGER,,
+645,Metadatagen,mdgen.properties,Description for the IdP in the specified language. If this is absent for a language specified above then not is emitted for that language,4.1,idp.metadatagen,1,,,idp.metadata.idpsso.mdui.description.,STRING,,
+450,MetadataQuery,admin/admin.properties,Whether attributes should be resolved prior to access control evaluation,4.1,,,,false,idp.mdquery.resolveAttributes,BOOLEAN,,
+451,MetadataQuery,admin/admin.properties,?,4.1,,,,,idp.mdquery.postAuthenticationFlows,STRING,,
+445,MetadataQuery,admin/admin.properties,Audit log identifier for flow,4.1,,,,MetadataQuery,idp.mdquery.logging,STRING,,
+446,MetadataQuery,admin/admin.properties,Name of access control policy for request authorization,4.1,,,,AccessByIPAddress,idp.mdquery.accessPolicy,STRING,,
+449,MetadataQuery,admin/admin.properties,?,4.1,,,,,idp.mdquery.defaultAuthenticationMethods,STRING,,
+448,MetadataQuery,admin/admin.properties,Whether the flow should allow for non-browser clients during authentication,4.1,,,,false,idp.mdquery.nonBrowserSupported,BOOLEAN,,
+447,MetadataQuery,admin/admin.properties,Whether authentication should be performed prior to access control evaluation,4.1,,,,false,idp.mdquery.authenticated,BOOLEAN,,
+437,MetadataReload,admin/admin.properties,?,4.1,,,,,idp.reload.postAuthenticationFlows,STRING,,
+436,MetadataReload,admin/admin.properties,Whether attributes should be resolved prior to access control evaluation,4.1,,,,false,idp.reload.resolveAttributes,BOOLEAN,,
+432,MetadataReload,admin/admin.properties,Name of access control policy for request authorization,4.1,,,,AccessByIPAddress,idp.reload.accessPolicy,STRING,,
+433,MetadataReload,admin/admin.properties,Whether authentication should be 
performed prior to access control evaluation,4.1,,,,false,idp.reload.authenticated,BOOLEAN,,
+434,MetadataReload,admin/admin.properties,Whether the flow should allow for non-browser clients during authentication,4.1,,,,false,idp.reload.nonBrowserSupported,BOOLEAN,,
+431,MetadataReload,admin/admin.properties,Audit log identifier for flow,4.1,,,,Reload,idp.reload.logging,STRING,,
+435,MetadataReload,admin/admin.properties,?,4.1,,,,,idp.reload.defaultAuthenticationMethods,STRING,,
+454,MetricsConfiguration,admin/admin.properties,Whether the flow should allow for non-browser clients during authentication,4.1,,,,false,idp.metrics.nonBrowserSupported,BOOLEAN,,
+456,MetricsConfiguration,admin/admin.properties,Whether attributes should be resolved prior to access control evaluation,4.1,,,,false,idp.metrics.resolveAttributes,BOOLEAN,,
+455,MetricsConfiguration,admin/admin.properties,?,4.1,,,,,idp.metrics.defaultAuthenticationMethods,STRING,,
+452,MetricsConfiguration,admin/admin.properties,Audit log identifier for flow,4.1,,,,Metrics,idp.metrics.logging,STRING,,
+457,MetricsConfiguration,admin/admin.properties,?,4.1,,,,,idp.metrics.postAuthenticationFlows,STRING,,
+453,MetricsConfiguration,admin/admin.properties,Whether authentication should be performed prior to access control evaluation,4.1,,,,false,idp.metrics.authenticated,BOOLEAN,,
+344,MultiFactorAuthnConfiguration,authn/authn.properties,"Flow priority relative to other enabled login flows (lower is ""higher"" in priority)",4.1,idp.authn.MFA,,,1000,idp.authn.MFA.order,INTEGER,,
+343,MultiFactorAuthnConfiguration,authn/authn.properties,Whether login flows should only be run with regard for forceAuthn/isPassive/nonBrowser (and similar) conditions,4.1,,,,true,idp.authn.MFA.validateLoginTransitions,BOOLEAN,,
+355,MultiFactorAuthnConfiguration,authn/authn.properties,Bean ID of BiConsumer determining whether flow is usable for 
request,4.1,idp.authn.MFA,,,shibboleth.Conditions.TRUE,idp.authn.MFA.activationCondition,SPRING_BEAN_ID,,
+345,MultiFactorAuthnConfiguration,authn/authn.properties,"Whether the flow should handle non-browser request profiles (e.g., ECP)",4.1,idp.authn.MFA,,,false,idp.authn.MFA.nonBrowserSupported,BOOLEAN,,
+351,MultiFactorAuthnConfiguration,authn/authn.properties,Lifetime of results produced by this flow,4.1,idp.authn.MFA,,,%{idp.authn.defaultLifetime:PT1H},idp.authn.MFA.lifetime,DURATION,,
+353,MultiFactorAuthnConfiguration,authn/authn.properties,Bean ID of Predicate controlling result reuse for SSO,4.1,idp.authn.MFA,,,shibboleth.Conditions.TRUE,idp.authn.MFA.reuseCondition,SPRING_BEAN_ID,,
+352,MultiFactorAuthnConfiguration,authn/authn.properties,Inactivity timeout of results produced by this flow,4.1,idp.authn.MFA,,,%{idp.authn.defaultTimeout:PT30M},idp.authn.MFA.inactivityTimeout,DURATION,,
+347,MultiFactorAuthnConfiguration,authn/authn.properties,Whether the flow supports forced authentication,4.1,idp.authn.MFA,,,false,idp.authn.MFA.forcedAuthenticationSupported,BOOLEAN,,
+357,MultiFactorAuthnConfiguration,authn/authn.properties,Whether to auto-attach the preceding set of Principal objects to each Subject produced by this flow,4.1,idp.authn.MFA,,,true,idp.authn.MFA.addDefaultPrincipals,BOOLEAN,,
+346,MultiFactorAuthnConfiguration,authn/authn.properties,Whether the flow allows for passive authentication,4.1,idp.authn.MFA,,,false,idp.authn.MFA.passiveAuthenticationSupported,BOOLEAN,,
+356,MultiFactorAuthnConfiguration,authn/authn.properties,Comma-delimited list of protocol-specific Principal strings associated with flow,4.1,idp.authn.MFA,,,"saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport,saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password,saml1/urn:oasis:names:tc:SAML:1.0:am:password",idp.authn.MFA.supportedPrincipals,STRING,,
+350,MultiFactorAuthnConfiguration,authn/authn.properties,Whether to invoke IdP discovery prior to running 
flow,4.1,idp.authn.MFA,,,false,idp.authn.MFA.discoveryRequired,BOOLEAN,,
+349,MultiFactorAuthnConfiguration,authn/authn.properties,Whether the flow considers itself to be proxying and therefore enforces SP signaled restrictions on proxying,4.1,idp.authn.MFA,,,false,idp.authn.MFA.proxyScopingEnforced,BOOLEAN,,
+501,NameIDConsumptionConfiguration,c14n/subject-c14n.properties,Whether to lowercase the username,4.1,,,,false,idp.c14n.saml.lowercase,BOOLEAN,,
+502,NameIDConsumptionConfiguration,c14n/subject-c14n.properties,Whether to uppercase the username,4.1,,,,false,idp.c14n.saml.uppercase,BOOLEAN,,
+358,NameIDGenerationConfiguration,saml-nameid.properties,Identifies the strategy plugin for generating transient IDs,all,,,Bean ID of a TransientIdGenerationStrategy,shibboleth.CryptoTransientIdGenerator,idp.transientId.generator,SPRING_BEAN_ID,,
+359,NameIDGenerationConfiguration,saml-nameid.properties,Default Format to generate if nothing else is indicated,all,,,,urn:oasis:names:tc:SAML:2.0:nameid-format:transient,idp.nameid.saml2.default,STRING,,
+360,NameIDGenerationConfiguration,saml-nameid.properties,Default Format to generate if nothing else is indicated,all,,,,urn:mace:shibboleth:1.0:nameIdentifier,idp.nameid.saml1.default,STRING,,
+553,OAuth2ClientAuthnConfiguration,oidc.properties,"Flow priority relative to other enabled login flows (lower is ""higher"" in priority)",4.1,idp.oidc.OP,3,,1000,idp.authn.OAuth2Client.order,INTEGER,,
+557,OAuth2ClientAuthnConfiguration,oidc.properties,Whether to auto-attach the preceding set of Principal objects to each Subject produced by this flow,4.1,idp.oidc.OP,3,,true,idp.authn.OAuth2Client.addDefaultPrincipals,BOOLEAN,,
+551,OAuth2ClientAuthnConfiguration,oidc.properties,Whether to remove the object holding the password from the request's active state after validating it (to avoid it being preserved in the session any longer than needed),4.1,idp.oidc.OP,3,,true,idp.authn.OAuth2Client.removeAfterValidation,BOOLEAN,,
+552,OAuth2ClientAuthnConfiguration,oidc.properties,Whether to keep the password around as a private credential in the Java Subject for use in later stages such as attribute resolution,4.1,idp.oidc.OP,3,use with caution as it retains the password and makes it available in plaintext from within server memory at various stages.,false,idp.authn.OAuth2Client.retainAsPrivateCredential,BOOLEAN,,
+550,OAuth2ClientAuthnConfiguration,oidc.properties,Whether all validators must succeed or just one,4.1,idp.oidc.OP,3,,false,idp.authn.OAuth2Client.requireAll,BOOLEAN,,
+554,OAuth2ClientAuthnConfiguration,oidc.properties,Bean ID of Predicate determining whether flow is usable for request,4.1,idp.oidc.OP,3,,shibboleth.Conditions.TRUE,idp.authn.OAuth2Client.activationCondition,SPRING_BEAN_ID,,
+556,OAuth2ClientAuthnConfiguration,oidc.properties,Comma-delimited list of protocol-specific Principal strings associated with flow,4.1,idp.oidc.OP,3,,,idp.authn.OAuth2Client.supportedPrincipals,STRING,,
+555,OAuth2ClientAuthnConfiguration,oidc.properties,Bean ID of BiConsumer> called shibboleth.oidc.AllowedAudienceStrategy",4.1,idp.oidc.OP,3,,,idp.oauth2.defaultAllowedAudience,SPRING_BEAN_ID,,
+574,OPClientCredentialsGrant,oidc.properties,"bean of type Function called shibboleth.oidc.AllowedScopeStrategy",4.1,idp.oidc.OP,3,,,idp.oauth2.defaultAllowedScope,SPRING_BEAN_ID,,
+572,OPClientResolution,oidc.properties,When non-zero enables monitoring of resources for service reload,4.1,idp.oidc.OP,3,,PT0S,idp.service.clientinfo.checkInterval,DURATION,,
+571,OPClientResolution,oidc.properties,If true any failures during initialization of any resolvers result in IdP startup failure,4.1,idp.oidc.OP,3,,false,idp.service.clientinfo.failFast,BOOLEAN,,
+573,OPClientResolution,oidc.properties,Name of bean used to define the resources to use in configuring this service,4.1,idp.oidc.OP,3,,shibboleth.ClientInformationResolverResources,idp.service.clientinfo.resources,SPRING_BEAN_ID,,
+558,OPCustomFilterRegistration,oidc.properties,"By default this configures the values defined by the idp.hsts, idp.frameoptions and idp.csp properties into the corresponding HTTP headers and applies them to the OP plugin as well as the original IdP endpoints",4.1,idp.oidc.OP,3,,shibboleth.ResponseHeaderFilter,idp.oidc.ResponseHeaderFilter,SPRING_BEAN_ID,,
+559,OPDiscovery,oidc.properties,Location of discovery template to use,4.1,idp.oidc.OP,3,,%{idp.home}/static/openid-configuration.json,idp.oidc.discovery.template,STRING,,
+560,OPDiscovery,oidc.properties,Implementation bean for discovery shouldn't require alteration,4.1,idp.oidc.OP,3,,shibboleth.oidc.DefaultOpenIdConfigurationResolver,idp.oidc.discovery.resolver,SPRING_BEAN_ID,,
+564,OPDynamicClientRegistration,oidc.properties,Whether to resolve attributes if authentication is enabled,4.1,idp.oidc.OP,3,,false,idp.oidc.admin.registration.resolveAttributes,BOOLEAN,,
+566,OPDynamicClientRegistration,oidc.properties,Name of access control policy to apply to all requests,4.1,idp.oidc.OP,3,,AccessByIPAddress,idp.oidc.admin.registration.accessPolicy,STRING,,
+570,OPDynamicClientRegistration,oidc.properties,"Bean ID of type Function>, used to locate metadata policy based on the policyLocation parameter. 
Defaults to a caching resolver locating server resources to load based on policyLocation parameter.",4.1,idp.oidc.OP,3,,shibboleth.oidc.admin.DefaultMetadataPolicyLookupStrategy,idp.oidc.admin.registration.lookup.policy,SPRING_BEAN_ID,,
+562,OPDynamicClientRegistration,oidc.properties,Enables support for non-browser-based authentication,4.1,idp.oidc.OP,3,,true,idp.oidc.admin.registration.nonBrowserSupported,BOOLEAN,,
+537,OPDynamicClientRegistration,oidc.properties,Registration lifetime,4.1,idp.oidc.OP,3,,PT24H,idp.oidc.dynreg.defaultRegistrationValidity,DURATION,,
+569,OPDynamicClientRegistration,oidc.properties,Name of access control policy to apply to requests specifying a clientId,4.1,idp.oidc.OP,3,,AccessByAdmin,idp.oidc.admin.registration.clientIdPolicy,STRING,,
+568,OPDynamicClientRegistration,oidc.properties,Name of access control policy to apply to requests specifying a policyId,4.1,idp.oidc.OP,3,,AccessByAdmin,idp.oidc.admin.registration.policyIdPolicy,STRING,,
+567,OPDynamicClientRegistration,oidc.properties,Name of access control policy to apply to requests specifying a policyLocation,4.1,idp.oidc.OP,3,,AccessByAdmin,idp.oidc.admin.registration.policyLocationPolicy,STRING,,
+563,OPDynamicClientRegistration,oidc.properties,Whether to enable user authentication for requests,4.1,idp.oidc.OP,3,,false,idp.oidc.admin.registration.authenticated,BOOLEAN,,
+541,OPDynamicClientRegistration,oidc.properties,The acceptable client authentication methods when using dynamic registration,4.1,idp.oidc.OP,3,Comma seperated list of values,"client_secret_basic,client_secret_post,client_secret_jwt,private_key_jwt",idp.oidc.dynreg.tokenEndpointAuthMethods,STRING,,
+539,OPDynamicClientRegistration,oidc.properties,The default subject type if not set by client in request. 
Maybe set to pairwise or public.,4.1,idp.oidc.OP,3,,public,idp.oidc.dynreg.defaultSubjectType,STRING,,
+565,OPDynamicClientRegistration,oidc.properties,Default access token lifetime if not specified,4.1,idp.oidc.OP,3,,P1D,idp.oidc.admin.registration.defaultTokenLifetime,DURATION,,
+538,OPDynamicClientRegistration,oidc.properties,The default scopes accepted in dynamic registration,4.1,idp.oidc.OP,3,,openid profile email address phone offline_access,idp.oidc.dynreg.defaultScope,STRING,,
+561,OPDynamicClientRegistration,oidc.properties,Audit logging label for this profile,4.1,idp.oidc.OP,3,,IssueRegistrationAccessToken,idp.oidc.admin.registration.logging,STRING,,
+540,OPMetadataPolicies,oidc.properties,Full path to the file containing default metadata policy used for dynamic client registration,4.1,idp.oidc.OP,3,,,idp.oidc.dynreg.defaultMetadataPolicyFile,STRING,,
+536,OPRevocation,oidc.properties,The revocation method: CHAIN refers to revoking whole chain of tokens (from authorization code to all access/refresh tokens). 
TOKEN refers to revoking single token,4.1,idp.oidc.OP,3,,CHAIN,idp.oauth2.revocationMethod,STRING,,
+528,OPRevocation,oidc.properties,Lifetime of entries in revocation cache for authorize code,4.1,idp.oidc.OP,3,,PT6H,idp.oidc.revocationCache.authorizeCode.lifetime,DURATION,,
+543,OPSecurity,oidc.properties,JWK EC signing keypair,4.1,idp.oidc.OP,3,JWK file pathname,%{idp.home}/credentials/idp-signing-es.jwk,idp.signing.oidc.es.key,STRING,,
+547,OPSecurity,oidc.properties,Allows override of default request decryption configuration,4.1,idp.oidc.OP,3,,shibboleth.oidc.requestObjectDecryptionConfiguration,idp.oidc.rodecrypt.config,SPRING_BEAN_ID,,
+544,OPSecurity,oidc.properties,JWK RSA decryption keypair,4.1,idp.oidc.OP,3,JWK file pathname,%{idp.home}/credentials/idp-encryption-rsa.jwk,idp.signing.oidc.rsa.enc.key,STRING,,
+546,OPSecurity,oidc.properties,Allows override of default encryption configuration,4.1,idp.oidc.OP,3,,shibboleth.oidc.EncryptionConfiguration,idp.oidc.encryption.config,SPRING_BEAN_ID,,
+545,OPSecurity,oidc.properties,Allows override of default signing configuration,4.1,idp.oidc.OP,3,,shibboleth.oidc.SigningConfiguration,idp.oidc.signing.config,SPRING_BEAN_ID,,
+542,OPSecurity,oidc.properties,JWK RSA signing keypair,4.1,idp.oidc.OP,3,JWK file pathname,%{idp.home}/credentials/idp-signing-rs.jwk,idp.signing.oidc.rs.key,STRING,,
+548,OPSecurity,oidc.properties,Allows override of default request signature validation configuration,4.1,idp.oidc.OP,3,one of these has the wrong name,shibboleth.oidc.requestObjectSignatureValidationConfiguration,idp.oidc.rovalid.config,SPRING_BEAN_ID,,
+549,OPSecurity,oidc.properties,Allows override of default JWT token validation configuration,4.1,idp.oidc.OP,3,one of these has the wrong name,shibboleth.oidc.tokenEndpointJwtSignatureValidationConfiguration,idp.oidc.rovalid.config,SPRING_BEAN_ID,,
+577,OPSubClaim,oidc.properties,The source attribute used in generating the sub 
claim,4.1,idp.oidc.OP,3,,,idp.oidc.subject.sourceAttribute,STRING,,
+578,OPSubClaim,oidc.properties,The digest algorithm used in generating the sub claim,4.1,idp.oidc.OP,3,,SHA,idp.oidc.subject.algorithm,STRING,,
+579,OPSubClaim,oidc.properties,Salt to inject for randomness should generally be moved into credentials/secrets.properties to avoid committing to configuration repository,4.1,idp.oidc.OP,3,,,idp.oidc.subject.salt,STRING,,
+535,OPToken,oidc.properties,Lifetime of access token issued to client for resource server,4.1,idp.oidc.OP,3,,PT10M,idp.oauth2.accessToken.defaultLifetime,DURATION,,
+521,OPToken,oidc.properties,Lifetime of refresh token,4.1,idp.oidc.OP,3,,PT2H,idp.oidc.refreshToken.defaultLifetime,DURATION,,
+530,OPToken,oidc.properties,The acceptable client authentication methods,4.1,idp.oidc.OP,3,Comma seperated list of values,"client_secret_basic,client_secret_post,client_secret_jwt,private_key_jwt",idp.oidc.tokenEndpointAuthMethods,STRING,,
+531,OPToken,oidc.properties,OAuth grant types to allow,4.1,idp.oidc.OP,3,Comma seperated list of values,"authorization_code,refresh_token",idp.oauth2.grantTypes,STRING,,
+519,OPToken,oidc.properties,Lifetime of access token,4.1,idp.oidc.OP,3,,PT10M,idp.oidc.accessToken.defaultLifetime,DURATION,,
+523,OPToken,oidc.properties,Whether client is allowed to use PKCE code challenge method plain,4.1,idp.oidc.OP,3,,false,idp.oidc.allowPKCEPlain,BOOLEAN,,
+522,OPToken,oidc.properties,Whether client is required to use PKCE,4.1,idp.oidc.OP,3,,false,idp.oidc.forcePKCE,BOOLEAN,,
+518,OPToken,oidc.properties,Lifetime of ID token,4.1,idp.oidc.OP,3,,PT1H,idp.oidc.idToken.defaultLifetime,DURATION,,
+533,OPToken,oidc.properties,Format of access token. 
Supported values are JWT or nothing.,4.1,idp.oidc.OP,3.2,,,idp.oauth2.accessToken.type,STRING,,
+534,OPToken,oidc.properties,Whether the absence of encryption details in a resource server’s metadata should fail when issuing an access token,4.1,idp.oidc.OP,3,,false,idp.oauth2.encryptionOptional,BOOLEAN,,
+532,OPToken,oidc.properties,Whether to enforce refresh token rotation. If enabled the refresh token is revoked whenever it is used for issuing a new refresh token.,4.1,idp.oidc.OP,3.2,,false,idp.oauth2.enforceRefreshTokenRotation,BOOLEAN,,
+371,PersistentNameIDGenerationConfiguration,saml-nameid.properties,Query timeout for database access,4.1,,,,PT5S,idp.persistentId.queryTimeout,DURATION,,
+373,PersistentNameIDGenerationConfiguration,saml-nameid.properties,List of error strings to identify as retryable failures,4.1,,,,"23000,23505",idp.persistentId.retryableErrors,STRING,,
+369,PersistentNameIDGenerationConfiguration,saml-nameid.properties,The final encoding applied to the hash generated when using computed persistent IDs: one of BASE32 or BASE64,all,,,,BASE64,idp.persistentId.encoding,STRING,,
+370,PersistentNameIDGenerationConfiguration,saml-nameid.properties,Advanced feature allowing revocation or regeneration of computed persistent IDs for specific subjects or services,all,,,,shibboleth.ComputedIdExceptionMap,idp.persistentId.exceptionMap,SPRING_BEAN_ID,,
+367,PersistentNameIDGenerationConfiguration,saml-nameid.properties,An encoded form of the persistentId.salt,all,,,,,idp.persistentId.encodedSalt,STRING,,
+362,PersistentNameIDGenerationConfiguration,saml-nameid.properties,Identifies a data source for storage-based management of persistent IDs,all,,,Bean ID of a JDBC DataSource,,idp.persistentId.dataSource,SPRING_BEAN_ID,,
+361,PersistentNameIDGenerationConfiguration,saml-nameid.properties,Identifies the strategy plugin for sourcing persistent IDs,all,,,Bean ID of a 
PairwiseIdStore,shibboleth.ComputedPersistentIdGenerator,idp.persistentId.generator,SPRING_BEAN_ID,,
+368,PersistentNameIDGenerationConfiguration,saml-nameid.properties,The hash algorithm used when using computed persistent IDs,all,,,,SHA,idp.persistentId.algorithm,STRING,,
+366,PersistentNameIDGenerationConfiguration,saml-nameid.properties,A secret salt for the hash when using computed persistent IDs,all,,,,,idp.persistentId.salt,STRING,,
+383,PersistentNameIDGenerationConfiguration,saml-nameid.properties,Overrides database column names,4.1,,,,deactivationDate,idp.persistentId.deactivationTimeColumn,STRING,,
+382,PersistentNameIDGenerationConfiguration,saml-nameid.properties,Overrides database column names,4.1,,,,creationDate,idp.persistentId.createTimeColumn,STRING,,
+374,PersistentNameIDGenerationConfiguration,saml-nameid.properties,When true the connection and layout of the database is verified at bean initialization time and any failures are fatal.,4.1,,,,true,idp.persistentId.verifyDatabase,BOOLEAN,,
+365,PersistentNameIDGenerationConfiguration,saml-nameid.properties,Whether or not the previous property has access to unreleased attributes,all,,,,true,idp.persistentId.useUnfilteredAttributes,BOOLEAN,,
+381,PersistentNameIDGenerationConfiguration,saml-nameid.properties,Overrides database column names,4.1,,,,peerProvidedId,idp.persistentId.peerProvidedIdColumn,STRING,,
+380,PersistentNameIDGenerationConfiguration,saml-nameid.properties,Overrides database column names,4.1,,,,persistentId,idp.persistentId.persistentIdColumn,STRING,,
+379,PersistentNameIDGenerationConfiguration,saml-nameid.properties,Overrides database column names,4.1,,,,localId,idp.persistentId.sourceIdColumn,STRING,,
+378,PersistentNameIDGenerationConfiguration,saml-nameid.properties,Overrides database column names,4.1,,,,principalName,idp.persistentId.principalNameColumn,STRING,,
+377,PersistentNameIDGenerationConfiguration,saml-nameid.properties,Overrides database column 
names,4.1,,,,peerEntity,idp.persistentId.peerEntityColumn,STRING,,
+376,PersistentNameIDGenerationConfiguration,saml-nameid.properties,Overrides database column names,4.1,,,,localEntity,idp.persistentId.localEntityColumn,STRING,,
+375,PersistentNameIDGenerationConfiguration,saml-nameid.properties,Overrides the name of the table in the database,4.1,,,,shibpid,idp.persistentId.tableName,STRING,,
+364,PersistentNameIDGenerationConfiguration,saml-nameid.properties,List of attributes to search for a value to uniquely identify the subject of a persistent identifier that MUST be stable long-lived and non-reassignable,all,,,,,idp.persistentId.sourceAttribute,STRING,,
+363,PersistentNameIDGenerationConfiguration,saml-nameid.properties,Identifies a strategy plugin to use to generate the first persistent identifier for each subject,all,,,used to migrate from the computed to stored strategies: can be null,shibboleth.ComputedPersistentIdGenerator,idp.persistentId.computed,SPRING_BEAN_ID,,
+372,PersistentNameIDGenerationConfiguration,saml-nameid.properties,Number of retries in the event database locking bugs cause retryable failures,4.1,,,,3,idp.persistentId.transactionRetries,INTEGER,,
+412,ReloadableServices,services.properties,Time to notice changes to NameIDGenerationConfiguration and reload service,all,,,,0,idp.service.nameidGeneration.checkInterval,DURATION,,
+422,ReloadableServices,services.properties,Name of Spring bean identifying Spring message property resources,all,,,,shibboleth.MessageSourceResources,idp.message.resources,SPRING_BEAN_ID,,
+419,ReloadableServices,services.properties,Name of Spring bean identifying resources to use for ManagedBeanConfiguration,all,,,,shibboleth.ManagedBeanResources,idp.service.managedBean.resources,SPRING_BEAN_ID,,
+417,ReloadableServices,services.properties,Fail at startup if CASServiceRegistry configuration is invalid,all,,,,false,idp.service.cas.registry.failFast,BOOLEAN,,
+411,ReloadableServices,services.properties,Fail at startup 
if NameIDGenerationConfiguration is invalid,all,,,,false,idp.service.nameidGeneration.failFast,BOOLEAN,,
+407,ReloadableServices,services.properties,Fail at startup if AttributeFilterConfiguration is invalid,all,,,,false,idp.service.attribute.filter.failFast,BOOLEAN,,
+404,ReloadableServices,services.properties,"Whether null values should be stripped from the results of the attribute resolution. This filtering happens prior to filtering and encoding, but after attribute resolution is complete. To strip nulls during attribute resolution (so that they will be invis",all,,,,false,idp.service.attribute.resolver.stripNulls,BOOLEAN,,
+401,ReloadableServices,services.properties,Fail at startup if AttributeResolverConfiguration is invalid,all,,,,false,idp.service.attribute.resolver.failFast,BOOLEAN,,
+397,ReloadableServices,services.properties,Fail at startup if AttributeRegistryConfiguration is invalid,all,,,,false,idp.service.attribute.registry.failFast,BOOLEAN,,
+421,ReloadableServices,services.properties,Time to notice ManagedBeanConfiguration changes and reload service,all,,,,0,idp.service.managedBean.checkInterval,DURATION,,
+418,ReloadableServices,services.properties,Time to notice CASServiceRegistry configuration changes and reload service,all,,,,0,idp.service.cas.registry.checkInterval,DURATION,,
+415,ReloadableServices,services.properties,Time to notice changes to AccessControlConfiguration and reload service,all,,,,0,idp.service.access.checkInterval,DURATION,,
+408,ReloadableServices,services.properties,Time to notice changes to AttributeFilterConfiguration and reload service A value of 0 indicates that the attribute filter configuration never reloads,all,,,,0,idp.service.attribute.filter.checkInterval,DURATION,,
+416,ReloadableServices,services.properties,Name of Spring bean identifying resources to use for CASServiceRegistry configuration,all,,,,shibboleth.CASServiceRegistryResources,idp.service.cas.registry.resources,SPRING_BEAN_ID,,
+413,ReloadableServices,services.properties,Name of Spring bean identifying resources to use for AccessControlConfiguration,all,,,,shibboleth.AccessControlResource,idp.service.access.resources,SPRING_BEAN_ID,,
+410,ReloadableServices,services.properties,Name of Spring bean identifying resources to use for NameIDGenerationConfiguration,all,,,,shibboleth.NameIdentifierGenerationResources,idp.service.nameidGeneration.resources,SPRING_BEAN_ID,,
+402,ReloadableServices,services.properties,Time to notice changes to AttributeResolverConfiguration and reload service. A value of 0 indicates that the service configuration never reloads,all,,,,0,idp.service.attribute.resolver.checkInterval,DURATION,,
+406,ReloadableServices,services.properties,Name of Spring bean identifying resources to use for AttributeFilterConfiguration,all,,,,shibboleth.AttributeFilterResources,idp.service.attribute.filter.resources,SPRING_BEAN_ID,,
+398,ReloadableServices,services.properties,Time to notice changes to AttributeRegistryConfiguration and reload service. 
A value of 0 indicates that the service configuration never reloads,all,,,,0,idp.service.attribute.registry.checkInterval,DURATION,,
+400,ReloadableServices,services.properties,Name of Spring bean identifying resources to use for AttributeResolverConfiguration,all,,,,shibboleth.AttributeResolverResources,idp.service.attribute.resolver.resources,SPRING_BEAN_ID,,
+396,ReloadableServices,services.properties,Name of Spring bean identifying resources to use for AttributeRegistryConfiguration,all,,,,shibboleth.AttributeRegistryResources,idp.service.attribute.registry.resources,SPRING_BEAN_ID,,
+392,ReloadableServices,services.properties,Name of Spring bean identifying resources to use for MetadataConfiguration,all,,,,shibboleth.MetadataResolverResources,idp.service.metadata.resources,SPRING_BEAN_ID,,
+423,ReloadableServices,services.properties,Seconds between reloads of message property resources,all,,,,300,idp.message.cacheSeconds,INTEGER,,
+393,ReloadableServices,services.properties,Fail at startup if MetadataConfiguration is invalid,all,,,,false,idp.service.metadata.failFast,BOOLEAN,,
+391,ReloadableServices,services.properties,See MetadataDrivenConfiguration SAML Attribute Name Format Usage,all,,,,false,idp.service.relyingparty.ignoreUnmappedEntityAttributes,BOOLEAN,,
+389,ReloadableServices,services.properties,Fail at startup if RelyingPartyConfiguration is invalid,all,,,,false,idp.service.relyingparty.failFast,BOOLEAN,,
+388,ReloadableServices,services.properties,Name of Spring bean identifying resources to use for RelyingPartyConfiguration,all,,,,shibboleth.RelyingPartyResolverResources,idp.service.relyingparty.resources,SPRING_BEAN_ID,,
+385,ReloadableServices,services.properties,Logging configuration resource to use (the reloadable service ID is shibboleth.LoggingService),all,,,resource path,%{idp.home}/conf/logback.xml,idp.service.logging.resource,STRING,,
+390,ReloadableServices,services.properties,Time to notice changes to RelyingPartyConfiguration and reload 
service. A value of 0 indicates that the relying party configuration never reloads,all,,,,0,idp.service.relyingparty.checkInterval,DURATION,,
+387,ReloadableServices,services.properties,Time to notice changes to logging configuration and reload service. A value of 0 indicates that the logging configuration never reloads,all,,,,0,idp.service.logging.checkInterval,DURATION,,
+394,ReloadableServices,services.properties,Time to notice changes to MetadataConfiguration and reload service. A value of 0 indicates that the metadata configuration never reloads,all,,,,0,idp.service.metadata.checkInterval,DURATION,,
+384,ReloadableServices,services.properties,Set default fail-fast behavior of all services unless overridden by service,all,,,,false,idp.service.failFast,BOOLEAN,,
+414,ReloadableServices,services.properties,Fail at startup if AccessControlConfiguration is invalid,all,,,,true,idp.service.access.failFast,BOOLEAN,,
+409,ReloadableServices,services.properties,Whether attribute filtering failure should silently produce no attributes or causes an overall profile request failure event,all,,,,true,idp.service.attribute.filter.maskFailures,BOOLEAN,,
+395,ReloadableServices,services.properties,Disabling this turns off internal support for the ByReferenceFilter feature which provides a very small performance boost,all,,,,true,idp.service.metadata.enableByReferenceFilters,BOOLEAN,,
+386,ReloadableServices,services.properties,Fail at startup if logging configuration is invalid,all,,,,true,idp.service.logging.failFast,BOOLEAN,,
+420,ReloadableServices,services.properties,Fail at startup if ManagedBeanConfiguration is invalid,all,,,,false,idp.service.managedBean.failFast,BOOLEAN,,
+405,ReloadableServices,services.properties,Setting this to false re-enables the legacy behavior of looking up the display information for the resolved attributes during resolution. 
As from 4.2 this the display information is looked up at point of use (during the attribute consent flow) and so ther,4.2,,,,true,idp.service.attribute.resolver.suppressDisplayInfo,BOOLEAN,,
+403,ReloadableServices,services.properties,Whether attribute resolution failure should silently produce no attributes or cause an overall profile request failure event,all,,,,true,idp.service.attribute.resolver.maskFailures,BOOLEAN,,
+399,ReloadableServices,services.properties,Shortcut for controlling the encoding of xsi:type information for all SAML transcoding rules in the registry,all,,,,true,idp.service.attribute.registry.encodeType,BOOLEAN,,
+6,RelyingPartyConfiguration,idp.properties,Whether preparation of messages to be communicated via SAML artifact should assume use of a secure channel (allowing signing and encryption to be skipped),all,,,,true,idp.artifact.secureChannel,BOOLEAN,,
+9,RelyingPartyConfiguration,idp.properties,"Controls whether the outbound binding selection is ordered by the SP's metadata or the IdP's preferred bindings (the inbuilt default order is Redirect -> POST -> Artifact -> SOAP). Set to false to leave artifact support on, but favor use of POST. Set also",4.1,,,,true,idp.bindings.inMetadataOrder,BOOLEAN,,
+3,RelyingPartyConfiguration,idp.properties,The unique name of the IdP used as the iisuer in all SAML profiles,all,,,ex. 
https://unicon.net/idp/shibboleth,,idp.entityID,STRING,,
+7,RelyingPartyConfiguration,idp.properties,Identifies the endpoint in SAML metadata associated with artifacts issued by a server node,all,,,,2,idp.artifact.endpointIndex,INTEGER,,
+5,RelyingPartyConfiguration,idp.properties,Whether to allow use of the SAML artifact bindings when sending messages,all,,,,true,idp.artifact.enabled,BOOLEAN,,
+186,RemoteUserAuthnConfiguration,authn/authn.properties,Whether the flow enforces upstream IdP imposed restrictions on proxying,4.1,idp.authn.RemoteUser,,,%{idp.authn.enforceProxyRestrictions:true},idp.authn.RemoteUser.proxyRestrictionsEnforced,BOOLEAN,,
+191,RemoteUserAuthnConfiguration,authn/authn.properties,Bean ID of Predicate controlling result reuse for SSO,4.1,idp.authn.RemoteUser,,,shibboleth.Conditions.TRUE,idp.authn.RemoteUser.reuseCondition,SPRING_BEAN_ID,,
+188,RemoteUserAuthnConfiguration,authn/authn.properties,Whether to invoke IdP discovery prior to running flow,4.1,idp.authn.RemoteUser,,,false,idp.authn.RemoteUser.discoveryRequired,BOOLEAN,,
+183,RemoteUserAuthnConfiguration,authn/authn.properties,"Whether the flow should handle non-browser request profiles (e.g., ECP)",4.1,idp.authn.RemoteUser,,,false,idp.authn.RemoteUser.nonBrowserSupported,BOOLEAN,,
+184,RemoteUserAuthnConfiguration,authn/authn.properties,Whether the flow allows for passive authentication,4.1,idp.authn.RemoteUser,,,false,idp.authn.RemoteUser.passiveAuthenticationSupported,BOOLEAN,,
+193,RemoteUserAuthnConfiguration,authn/authn.properties,Bean ID of BiConsumer determining whether flow is usable for request,4.1,idp.authn.RemoteUser,,,shibboleth.Conditions.TRUE,idp.authn.RemoteUser.activationCondition,SPRING_BEAN_ID,,
+195,RemoteUserAuthnConfiguration,authn/authn.properties,Whether to auto-attach the preceding set of Principal objects to each Subject produced by this flow,4.1,idp.authn.RemoteUser,,,true,idp.authn.RemoteUser.addDefaultPrincipals,BOOLEAN,,
+189,RemoteUserAuthnConfiguration,authn/authn.properties,Lifetime of results produced by this flow,4.1,idp.authn.RemoteUser,,,%{idp.authn.defaultLifetime:PT1H},idp.authn.RemoteUser.lifetime,DURATION,,
+208,RemoteUserInternalAuthnConfiguration,authn/authn.properties,"Whether the flow should handle non-browser request profiles (e.g., ECP)",4.1,idp.authn.RemoteUserInternal,,,false,idp.authn.RemoteUserInternal.nonBrowserSupported,BOOLEAN,,
+219,RemoteUserInternalAuthnConfiguration,authn/authn.properties,Comma-delimited list of protocol-specific Principal strings associated with flow,4.1,idp.authn.RemoteUserInternal,,,"saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport,saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password,saml1/urn:oasis:names:tc:SAML:1.0:am:password",idp.authn.RemoteUserInternal.supportedPrincipals,STRING,,
+210,RemoteUserInternalAuthnConfiguration,authn/authn.properties,Whether the flow supports forced authentication,4.1,idp.authn.RemoteUserInternal,,,false,idp.authn.RemoteUserInternal.forcedAuthenticationSupported,BOOLEAN,,
+204,RemoteUserInternalAuthnConfiguration,authn/authn.properties,Comma-delimited list of usernames to deny while accepting all others,4.1,idp.authn.RemoteUserInternal,,,,idp.authn.RemoteUserInternal.deniedUsernames,STRING,,
+209,RemoteUserInternalAuthnConfiguration,authn/authn.properties,Whether the flow allows for passive authentication,4.1,idp.authn.RemoteUserInternal,,,false,idp.authn.RemoteUserInternal.passiveAuthenticationSupported,BOOLEAN,,
+203,RemoteUserInternalAuthnConfiguration,authn/authn.properties,Comma-delimited list of usernames to accept while blocking all others,4.1,idp.authn.RemoteUserInternal,,,,idp.authn.RemoteUserInternal.allowedUsernames,STRING,,
+202,RemoteUserInternalAuthnConfiguration,authn/authn.properties,A regular expression that must match the username,4.1,idp.authn.RemoteUserInternal,,regex expected,,idp.authn.RemoteUserInternal.matchExpression,STRING,,
+198,RemoteUserInternalAuthnConfiguration,authn/authn.properties,Comma-delimited list of request headers to check for a username,4.1,idp.authn.RemoteUserInternal,,,,idp.authn.RemoteUserInternal.checkHeaders,STRING,,
+207,RemoteUserInternalAuthnConfiguration,authn/authn.properties,"Flow priority relative to other enabled login flows (lower is ""higher"" in priority)",4.1,idp.authn.RemoteUserInternal,,,1000,idp.authn.RemoteUserInternal.order,INTEGER,,
+211,RemoteUserInternalAuthnConfiguration,authn/authn.properties,Whether the flow enforces upstream IdP imposed restrictions on proxying,4.1,idp.authn.RemoteUserInternal,,,%{idp.authn.enforceProxyRestrictions:true},idp.authn.RemoteUserInternal.proxyRestrictionsEnforced,BOOLEAN,,
+220,RemoteUserInternalAuthnConfiguration,authn/authn.properties,Whether to auto-attach the preceding set of Principal objects to each Subject produced by this flow,4.1,idp.authn.RemoteUserInternal,,,true,idp.authn.RemoteUserInternal.addDefaultPrincipals,BOOLEAN,,
+199,RemoteUserInternalAuthnConfiguration,authn/authn.properties,Whether to trim leading and trailing whitespace from the username before validating it,4.1,idp.authn.RemoteUserInternal,,,true,idp.authn.RemoteUserInternal.trim,BOOLEAN,,
+201,RemoteUserInternalAuthnConfiguration,authn/authn.properties,Whether to uppercase the username before validating it,4.1,idp.authn.RemoteUserInternal,,,false,idp.authn.RemoteUserInternal.uppercase,BOOLEAN,,
+196,RemoteUserInternalAuthnConfiguration,authn/authn.properties,Whether to check REMOTE_USER for a username,4.1,idp.authn.RemoteUserInternal,,,true,idp.authn.RemoteUserInternal.checkRemoteUser,BOOLEAN,,
+206,RemoteUserInternalAuthnConfiguration,authn/authn.properties,Regular expression to match username against,4.1,idp.authn.RemoteUserInternal,,regex expected,,idp.authn.RemoteUserInternal.matchExpression,STRING,,
+214,RemoteUserInternalAuthnConfiguration,authn/authn.properties,Lifetime of results produced by this 
flow,4.1,idp.authn.RemoteUserInternal,,,%{idp.authn.defaultLifetime:PT1H},idp.authn.RemoteUserInternal.lifetime,DURATION,,
+216,RemoteUserInternalAuthnConfiguration,authn/authn.properties,Bean ID of Predicate controlling result reuse for SSO,4.1,idp.authn.RemoteUserInternal,,,shibboleth.Conditions.TRUE,idp.authn.RemoteUserInternal.reuseCondition,SPRING_BEAN_ID,,
+217,RemoteUserInternalAuthnConfiguration,authn/authn.properties,Bean ID of Predicate determining whether flow is usable for request,4.1,idp.authn.RemoteUserInternal,,,shibboleth.Conditions.TRUE,idp.authn.RemoteUserInternal.activationCondition,SPRING_BEAN_ID,,
+215,RemoteUserInternalAuthnConfiguration,authn/authn.properties,Inactivity timeout of results produced by this flow,4.1,idp.authn.RemoteUserInternal,,,%{idp.authn.defaultTimeout:PT30M},idp.authn.RemoteUserInternal.inactivityTimeout,DURATION,,
+205,RemoteUserInternalAuthnConfiguration,authn/authn.properties,Spring Web Flow redirection expression for the protected resource,4.1,idp.authn.RemoteUserInternal,,,contextRelative:external.jsp,idp.authn.RemoteUserInternal.externalAuthnPath,STRING,,
+213,RemoteUserInternalAuthnConfiguration,authn/authn.properties,Whether to invoke IdP discovery prior to running flow,4.1,idp.authn.RemoteUserInternal,,,false,idp.authn.RemoteUserInternal.discoveryRequired,BOOLEAN,,
+197,RemoteUserInternalAuthnConfiguration,authn/authn.properties,Comma-delimited lists of request attributes to check for a username,4.1,idp.authn.RemoteUserInternal,,,,idp.authn.RemoteUserInternal.checkAttributes,STRING,,
+212,RemoteUserInternalAuthnConfiguration,authn/authn.properties,Whether the flow considers itself to be proxying and therefore enforces SP signaled restrictions on proxying,4.1,idp.authn.RemoteUserInternal,,,false,idp.authn.RemoteUserInternal.proxyScopingEnforced,BOOLEAN,,
+218,RemoteUserInternalAuthnConfiguration,authn/authn.properties,Bean ID of BiConsumer determining whether flow is usable for 
request,4.1,,,,shibboleth.Conditions.TRUE,idp.authn.SAML.activationCondition,SPRING_BEAN_ID,,
+338,SAMLAuthnConfiguration,authn/authn.properties,Bean ID of Predicate controlling result reuse for SSO,4.1,,,,shibboleth.Conditions.TRUE,idp.authn.SAML.reuseCondition,SPRING_BEAN_ID,,
+328,SAMLAuthnConfiguration,authn/authn.properties,Optional bean ID of AssertionValidator to run,4.1,,,,,idp.authn.SAML.assertionValidator,SPRING_BEAN_ID,,
+327,SAMLAuthnConfiguration,authn/authn.properties,"Optional bean ID of Function to run at the late stages of Response decoding/processing",4.1,,,,,idp.authn.SAML.inboundMessageHandlerFunction,SPRING_BEAN_ID,,
+329,SAMLAuthnConfiguration,authn/authn.properties,"Flow priority relative to other enabled login flows (lower is ""higher"" in priority)",4.1,,,,1000,idp.authn.SAML.order,INTEGER,,
+333,SAMLAuthnConfiguration,authn/authn.properties,Whether the flow enforces upstream IdP imposed restrictions on proxying,4.1,,,,%{idp.authn.enforceProxyRestrictions:true},idp.authn.SAML.proxyRestrictionsEnforced,BOOLEAN,,
+336,SAMLAuthnConfiguration,authn/authn.properties,Lifetime of results produced by this flow,4.1,,,,%{idp.authn.defaultLifetime:PT1H},idp.authn.SAML.lifetime,DURATION,,
+340,SAMLAuthnConfiguration,authn/authn.properties,Bean ID of BiConsumer to run just prior to AuthnRequest signing/encoding step",4.1,,,,,idp.authn.SAML.outboundMessageHandlerFunction,SPRING_BEAN_ID,,
+325,SAMLAuthnConfiguration,authn/authn.properties,Statically-defined entityID of IdP to use for authentication,4.1,,,,,idp.authn.SAML.proxyEntityID,STRING,,
+334,SAMLAuthnConfiguration,authn/authn.properties,Whether the flow considers itself to be proxying and therefore enforces SP signaled restrictions on proxying,4.1,,,,false,idp.authn.SAML.proxyScopingEnforced,BOOLEAN,,
+17,SecurityConfiguration,idp.properties,Default SameSite value to apply to cookies via servlet filter if no explicit rule for the named cookie is 
specified,all,,,,,idp.cookie.sameSite,SELECTION_LIST,"None,Lax,Strict",
+16,SecurityConfiguration,idp.properties,Lifetime in seconds of cookies issued by the IdP that are meant to span sessions (365 days),all,,,,31536000,idp.cookie.maxAge,INTEGER,,
+21,SecurityConfiguration,idp.properties,Time between checks for a new AES key version,all,,,,PT15M,idp.sealer.updateInterval,DURATION,,
+23,SecurityConfiguration,idp.properties,Keystore resource containing AES encryption key usually a file path,all,,,resource path,,idp.sealer.storeResource,STRING,,
+12,SecurityConfiguration,idp.properties,If true all cookies issued by the IdP (not including the container) will be limited to TLS,all,,,,false,idp.cookie.secure,BOOLEAN,,
+14,SecurityConfiguration,idp.properties,Overrides the domain of any cookies issued by the IdP (not including the container),all,,,,,idp.cookie.domain,STRING,,
+33,SecurityConfiguration,idp.properties,Name of Spring bean supplying the default SecurityConfiguration,all,,,Bean ID of SecurityConfiguration (net.shibboleth.idp.profile.config.SecurityConfiguration),shibboleth.DefaultSecurityConfiguration,idp.security.config,SPRING_BEAN_ID,,
+34,SecurityConfiguration,idp.properties,Name of Spring bean supplying the default SignatureSigningConfiguration,all,,,Bean ID of SignatureSigningConfiguration (org.opensaml.xmlsec),shibboleth.SigningConfiguration.SHA256,idp.signing.config,SPRING_BEAN_ID,,
+18,SecurityConfiguration,idp.properties,Predicate condition bean controlling whether SameSite filter runs,all,,,Bean ID of Predicate,shibboleth.Conditions.FALSE,idp.cookie.sameSiteCondition,SPRING_BEAN_ID,,
+15,SecurityConfiguration,idp.properties,Overrides the path of any cookies issued by the IdP (not including the container),all,,,,,idp.cookie.path,STRING,,
+20,SecurityConfiguration,idp.properties,Type of Java keystore used for IdP's internal AES encryption key,all,,,,JCEKS,idp.sealer.storeType,STRING,,
+40,SecurityConfiguration,idp.properties,Default freshness window 
for accepting timestamped messages,all,,,,PT3M,idp.policy.messageLifetime,DURATION,,
+41,SecurityConfiguration,idp.properties,Default freshness window for accepting timestamped assertions,all,,,,PT3M,idp.policy.assertionLifetime,DURATION,,
+42,SecurityConfiguration,idp.properties,Default allowance for clock differences between systems,all,,,,PT3M,idp.policy.clockSkew,DURATION,,
+24,SecurityConfiguration,idp.properties,Resource that tracks the active AES encryption key version usually a file path,all,,,,,idp.sealer.versionResource,STRING,,
+27,SecurityConfiguration,idp.properties,Resource containing private key for signing typically a file in the credentials directory,all,,,,,idp.signing.key,STRING,,
+22,SecurityConfiguration,idp.properties,Case insensitive name of keystore alias prefix used in AES keystore (the entries will be suffixed by the key version number),all,,,,secret,idp.sealer.aliasBase,STRING,,
+37,SecurityConfiguration,idp.properties,Sets the default strategy for key agreement key wrap usage for credentials from metadata if not otherwise configured on the security configuration,all,,,,Default,idp.encryption.keyagreement.metadata.defaultUseKeyWrap,STRING,,
+38,SecurityConfiguration,idp.properties,Name of Spring bean for the trust engine used to verify signatures,all,,,Bean ID of SignatureTrustEngine (org.opensaml.xmlsec.signature.support),shibboleth.ChainingSignatureTrustEngine,idp.trust.signatures,SPRING_BEAN_ID,,
+36,SecurityConfiguration,idp.properties,If true failure to locate an encryption key to use won't result in request failure,all,,,,false,idp.encryption.optional,BOOLEAN,,
+25,SecurityConfiguration,idp.properties,Keystore password unlocking AES encryption keystore typically set during installation,all,,,,,idp.sealer.storePassword,STRING,,
+28,SecurityConfiguration,idp.properties,Resource containing the public key certificate inserted into signed messages typically a file in the credentials directory,all,,,,,idp.signing.cert,STRING,,
+31,SecurityConfiguration,idp.properties,Resource containing an alternate private key for decryption generally unused except while changing decryption keys,all,,,,,idp.encryption.key.2,STRING,,
+32,SecurityConfiguration,idp.properties,Resource containing an alternate public key certificate generally unused except while changing decryption keys,all,,,,,idp.encryption.cert.2,STRING,,
+30,SecurityConfiguration,idp.properties,Resource containing a public key certificate given to others needing to encrypt data for the IdP typically a file in the credentials directory,all,,,resource path,,idp.encryption.cert,STRING,,
+29,SecurityConfiguration,idp.properties,Resource containing a private key for decryption typically a file in the credentials directory,all,,,resource path,,idp.encryption.key,STRING,,
+26,SecurityConfiguration,idp.properties,Key password unlocking AES encryption key typically set to the same as the previous property and set during installation,all,,,,,idp.sealer.keyPassword,STRING,,
+19,SecurityConfiguration,idp.properties,Bean ID supporting the DataSealerKeyStrategy interface to use in place of the built-in option.,all,,,Bean ID of DataSealerKeyStrategy,shibboleth.DataSealerKeyStrategy,idp.sealer.keyStrategy,SPRING_BEAN_ID,,
+44,SecurityConfiguration,idp.properties,Overrides the X509KeyInfoGeneratorFactory used by default,4.1,,,Bean ID of KeyInfoGeneratorManager (org.opensaml.xmlsec.keyinfo.KeyInfoGeneratorManager),shibboleth.X509KeyInfoGeneratorFactory,idp.security.x509KeyInfoFactory,SPRING_BEAN_ID,,
+35,SecurityConfiguration,idp.properties,Name of Spring bean supplying the default EncryptionConfiguration,all,,,Bean ID of EncryptionConfiguration (org.opensaml.xmlsec),shibboleth.EncryptionConfiguration.CBC,idp.encryption.config,SPRING_BEAN_ID,,
+43,SecurityConfiguration,idp.properties,Overrides the BasicKeyInfoGeneratorFactory used by default,4.1,,,Bean ID of KeyInfoGeneratorManager 
(org.opensaml.xmlsec.keyinfo.KeyInfoGeneratorManager),shibboleth.BasicKeyInfoGeneratorFactory,idp.security.basicKeyInfoFactory,SPRING_BEAN_ID,,
+39,SecurityConfiguration,idp.properties,Name of Spring bean for the trust engine used to verify TLS certificates,all,,,Bean ID of TrustEngine (org.opensaml.security.trust),shibboleth.ChainingX509TrustEngine,idp.trust.certificates,SPRING_BEAN_ID,,
+13,SecurityConfiguration,idp.properties,If true all cookies issued by the IdP (not including the container) will contain the HttpOnly property,all,,,,true,idp.cookie.httpOnly,BOOLEAN,,
+65,SessionConfiguration,idp.properties,Name of cookie containing IdP session ID (note this is not the same as the cookie the Java container uses to track its own sessions),4.2,,,,shib_idp_session,idp.session.cookieName,STRING,,
+67,SessionConfiguration,idp.properties,Whether to bind IdP sessions to IP addresses,all,,,,true,idp.session.consistentAddress,BOOLEAN,,
+63,SessionConfiguration,idp.properties,Whether to enable the IdP's session tracking feature,all,,,,true,idp.session.enabled,BOOLEAN,,
+74,SessionConfiguration,idp.properties,"Default length of time to maintain record of an SP session (must be non-zero), overridable by relying-party-specific setting",all,,,,PT2H,idp.session.defaultSPlifetime,DURATION,,
+71,SessionConfiguration,idp.properties,Whether to hide storage failures from users during session cache reads/writes,all,,,,false,idp.session.maskStorageFailure,BOOLEAN,,
+66,SessionConfiguration,idp.properties,Number of characters in IdP session identifiers,all,,,,32,idp.session.idSize,INTEGER,,
+69,SessionConfiguration,idp.properties,Inactivity timeout policy for IdP sessions (must be non-zero),all,,,,PT60M,idp.session.timeout,DURATION,,
+70,SessionConfiguration,idp.properties,Extra time after expiration before removing SP sessions in case a logout is invoked,all,,,,0,idp.session.slop,DURATION,,
+64,SessionConfiguration,idp.properties,Bean name of a storage implementation/configuration to 
use for IdP sessions,all,,,Bean ID of StorageService (org.opensaml.storage),shibboleth.ClientSessionStorageService,idp.session.StorageService,SPRING_BEAN_ID,,
+73,SessionConfiguration,idp.properties,"Whether to track SPs on the basis of the SAML subject ID used, for logout purposes (requires SP session tracking be on)",all,,,,false,idp.session.secondaryServiceIndex,BOOLEAN,,
+72,SessionConfiguration,idp.properties,Whether to save a record of every SP accessed during an IdP session (requires a server-side session store or HTML LocalStorage),all,,,,false,idp.session.trackSPSessions,BOOLEAN,,
+68,SessionConfiguration,idp.properties,A 2-argument predicate that compares a bound session's address to a client address,all,,,"BiPredicate",Direct string comparison,idp.session.consistentAddressCondition,STRING,,
+485,SimplePostLoginC14NConfiguration,c14n/subject-c14n.properties,Whether to uppercase the username,4.1,,,,false,idp.c14n.simple.uppercase,BOOLEAN,,
+486,SimplePostLoginC14NConfiguration,c14n/subject-c14n.properties,Whether to trim leading and trailing whitespace from the username,4.1,,,,true,idp.c14n.simple.trim,BOOLEAN,,
+484,SimplePostLoginC14NConfiguration,c14n/subject-c14n.properties,Whether to lowercase the username,4.1,,,,false,idp.c14n.simple.lowercase,BOOLEAN,,
+222,SPNEGOAuthnConfiguration,authn/authn.properties,Whether to always try to run SPNEGO independent of the user's auto-login setting,4.1,idp.authn.SPNEGO,,,false,idp.authn.SPNEGO.enforceRun,BOOLEAN,,
+221,SPNEGOAuthnConfiguration,authn/authn.properties,Servlet-relative path to the SPNEGO external authentication implementation,4.1,idp.authn.SPNEGO,,URL path,/Authn/SPNEGO,idp.authn.SPNEGO.externalAuthnPath,STRING,,
+224,SPNEGOAuthnConfiguration,authn/authn.properties,Regular expression to match username against,4.1,idp.authn.SPNEGO,,regex expected,,idp.authn.SPNEGO.matchExpression,STRING,,
+238,SPNEGOAuthnConfiguration,authn/authn.properties,Comma-delimited list of protocol-specific Principal strings 
associated with flow,4.1,idp.authn.SPNEGO,,,"saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos, saml1/urn:ietf:rfc:1510",idp.authn.SPNEGO.supportedPrincipals,STRING,,
+230,SPNEGOAuthnConfiguration,authn/authn.properties,Whether the flow enforces upstream IdP imposed restrictions on proxying,4.1,idp.authn.SPNEGO,,,%{idp.authn.enforceProxyRestrictions:true},idp.authn.SPNEGO.proxyRestrictionsEnforced,BOOLEAN,,
+225,SPNEGOAuthnConfiguration,authn/authn.properties,Name of cookie used to track auto-login state of client,4.2,idp.authn.SPNEGO,,,_idp_spnego_autologin,idp.authn.SPNEGO.cookieName,STRING,,
+226,SPNEGOAuthnConfiguration,authn/authn.properties,"Flow priority relative to other enabled login flows (lower is ""higher"" in priority)",4.1,idp.authn.SPNEGO,,,1000,idp.authn.SPNEGO.order,INTEGER,,
+237,SPNEGOAuthnConfiguration,authn/authn.properties,Bean ID of BiConsumer controlling result reuse for SSO,4.1,idp.authn.SPNEGO,,,shibboleth.Conditions.TRUE,idp.authn.SPNEGO.reuseCondition,SPRING_BEAN_ID,,
+236,SPNEGOAuthnConfiguration,authn/authn.properties,Bean ID of Predicate determining whether flow is usable for request,4.1,idp.authn.SPNEGO,,,shibboleth.Conditions.TRUE,idp.authn.SPNEGO.activationCondition,SPRING_BEAN_ID,,
+234,SPNEGOAuthnConfiguration,authn/authn.properties,Inactivity timeout of results produced by this flow,4.1,idp.authn.SPNEGO,,,%{idp.authn.defaultTimeout:PT30M},idp.authn.SPNEGO.inactivityTimeout,DURATION,,
+239,SPNEGOAuthnConfiguration,authn/authn.properties,Whether to auto-attach the preceding set of Principal objects to each Subject produced by this flow,4.1,idp.authn.SPNEGO,,,true,idp.authn.SPNEGO.addDefaultPrincipals,BOOLEAN,,
+233,SPNEGOAuthnConfiguration,authn/authn.properties,Lifetime of results produced by this flow,4.1,idp.authn.SPNEGO,,,%{idp.authn.defaultLifetime:PT1H},idp.authn.SPNEGO.lifetime,DURATION,,
+223,SPNEGOAuthnConfiguration,authn/authn.properties,Whether to reload the underlying Kerberos configuration (generally in 
/etc/krb5.conf) on every login attempt,4.1,idp.authn.SPNEGO,,,false,idp.authn.SPNEGO.refreshKrbConfig,BOOLEAN,,
+227,SPNEGOAuthnConfiguration,authn/authn.properties,"Whether the flow should handle non-browser request profiles (e.g., ECP)",4.1,idp.authn.SPNEGO,,,false,idp.authn.SPNEGO.nonBrowserSupported,BOOLEAN,,
+228,SPNEGOAuthnConfiguration,authn/authn.properties,Whether the flow allows for passive authentication,4.1,idp.authn.SPNEGO,,,false,idp.authn.SPNEGO.passiveAuthenticationSupported,BOOLEAN,,
+229,SPNEGOAuthnConfiguration,authn/authn.properties,Whether the flow supports forced authentication,4.1,idp.authn.SPNEGO,,,false,idp.authn.SPNEGO.forcedAuthenticationSupported,BOOLEAN,,
+231,SPNEGOAuthnConfiguration,authn/authn.properties,Whether the flow considers itself to be proxying and therefore enforces SP signaled restrictions on proxying,4.1,idp.authn.SPNEGO,,,false,idp.authn.SPNEGO.proxyScopingEnforced,BOOLEAN,,
+232,SPNEGOAuthnConfiguration,authn/authn.properties,Whether to invoke IdP discovery prior to running flow,4.1,idp.authn.SPNEGO,,,false,idp.authn.SPNEGO.discoveryRequired,BOOLEAN,,
+430,Status,admin/admin.properties,?,4.1,,,,,idp.status.postAuthenticationFlows,STRING,,
+428,Status,admin/admin.properties,?,4.1,,,,,idp.status.defaultAuthenticationMethods,STRING,,
+426,Status,admin/admin.properties,Whether authentication should be performed prior to access control evaluation,4.1,,,,false,idp.status.authenticated,BOOLEAN,,
+425,Status,admin/admin.properties,Name of access control policy for request authorization,4.1,,,,AccessByIPAddress,idp.status.accessPolicy,STRING,,
+429,Status,admin/admin.properties,Whether attributes should be resolved prior to access control evaluation,4.1,,,,false,idp.status.resolveAttributes,BOOLEAN,,
+427,Status,admin/admin.properties,Whether the flow should allow for non-browser clients during authentication,4.1,,,,false,idp.status.nonBrowserSupported,BOOLEAN,,
+424,Status,admin/admin.properties,Audit log identifier for 
flow,4.1,,,,Status,idp.status.logging,STRING,,
+57,StorageConfiguration,idp.properties,Interval of background thread sweeping server-side storage for expired records,all,,,,PT10M,idp.storage.cleanupInterval,DURATION,,
+8,StorageConfiguration,idp.properties,Storage back-end to use for short-lived SAML Artifact mappings (must be server-side),all,,,Bean ID of a StorageService (org.opensaml.storage),shibboleth.StorageService,idp.artifact.StorageService,SPRING_BEAN_ID,,
+60,StorageConfiguration,idp.properties,Name of cookie or HTML storage key used by the default persistent instance of the client storage service,all,,,,shib_idp_persistent_ss,idp.storage.clientPersistentStorageName,STRING,,
+61,StorageConfiguration,idp.properties,Storage back-end to use for message replay checking (must be server-side),all,,,Bean ID of a StorageService (org.opensaml.storage),shibboleth.StorageService,idp.replayCache.StorageService,SPRING_BEAN_ID,,
+58,StorageConfiguration,idp.properties,Whether to use HTML Local Storage (if available) instead of cookies,all,,,,false,idp.storage.htmlLocalStorage,BOOLEAN,,
+59,StorageConfiguration,idp.properties,Name of cookie or HTML storage key used by the default per-session instance of the client storage service,all,,,,shib_idp_session_ss,idp.storage.clientSessionStorageName,STRING,,
+62,StorageConfiguration,idp.properties,Whether storage errors during replay checks should be treated as a replay,all,,,,true,idp.replayCache.strict,BOOLEAN,,
+622,TOTP,authn/authn.properties,Name of HTML form field to use for locating browser-submitted token codes,4.1,idp.authn.TOTP,1,,tokencode,idp.authn.TOTP.fieldName,STRING,,
+627,TOTP,authn/authn.properties,Whether the flow supports forced authentication,4.1,idp.authn.TOTP,1,,true,idp.authn.TOTP.forcedAuthenticationSupported,BOOLEAN,,
+636,TOTP,authn/authn.properties,Comma-delimited list of protocol-specific Principalstrings associated with 
flow,4.1,idp.authn.TOTP,1,,"saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken, saml1/urn:oasis:names:tc:SAML:1.0:am:HardwareToken",idp.authn.TOTP.supportedPrincipals,STRING,,
+623,TOTP,authn/authn.properties,Name of IdPAttribute to resolve to obtain token seeds for users,4.1,idp.authn.TOTP,1,,tokenSeeds,idp.authn.TOTP.tokenSeedAttribute,STRING,,
+621,TOTP,authn/authn.properties,Name of request header to use for extracting non-browser submitted token codes,4.1,idp.authn.TOTP,1,,X-Shibboleth-TOTP,idp.authn.TOTP.headerName,STRING,,
+624,TOTP,authn/authn.properties,"Flow priority relative to other enabled login flows (lower is ""higher"" in priority)",4.1,idp.authn.TOTP,1,,1000,idp.authn.TOTP.order,INTEGER,,
+626,TOTP,authn/authn.properties,Whether the flow allows for passive authentication,4.1,idp.authn.TOTP,1,,false,idp.authn.TOTP.passiveAuthenticationSupported,BOOLEAN,,
+625,TOTP,authn/authn.properties,"Whether the flow should handle non-browser request profiles (e.g., ECP)",4.1,idp.authn.TOTP,1,,false,idp.authn.TOTP.nonBrowserSupported,BOOLEAN,,
+628,TOTP,authn/authn.properties,Whether the flow enforces upstream IdP-imposed restrictions on proxying,4.1,idp.authn.TOTP,1,,%{idp.authn.enforceProxyRestrictions:true},idp.authn.TOTP.proxyRestrictionsEnforced,BOOLEAN,,
+634,TOTP,authn/authn.properties,Bean ID ofPredicate determining whether flow is usable for request,4.1,idp.authn.TOTP,1,,shibboleth.Conditions.TRUE,idp.authn.TOTP.activationCondition,SPRING_BEAN_ID,,
+632,TOTP,authn/authn.properties,Inactivity timeout of results produced by this flow,4.1,idp.authn.TOTP,1,,%{idp.authn.defaultTimeout:PT30M},idp.authn.TOTP.inactivityTimeout,DURATION,,
+631,TOTP,authn/authn.properties,Lifetime of results produced by this flow,4.1,idp.authn.TOTP,1,,%{idp.authn.defaultLifetime:PT1H},idp.authn.TOTP.lifetime,DURATION,,
+633,TOTP,authn/authn.properties,Bean ID ofPredicate controlling result reuse for 
SSO,4.1,idp.authn.TOTP,1,,shibboleth.Conditions.TRUE,idp.authn.TOTP.reuseCondition,SPRING_BEAN_ID,,
+635,TOTP,authn/authn.properties,"Bean ID ofBiConsumer for subject customization",4.1,idp.authn.TOTP,1,,,idp.authn.TOTP.subjectDecorator,SPRING_BEAN_ID,,
+629,TOTP,authn/authn.properties,Whether the flow considers itself to be proxying,4.1,idp.authn.TOTP,1,and therefore enforces SP-signaled restrictions on proxying,false,idp.authn.TOTP.proxyScopingEnforced,BOOLEAN,,
+630,TOTP,authn/authn.properties,Whether to invoke IdP-discovery prior to running flow,4.1,idp.authn.TOTP,1,,false,idp.authn.TOTP.discoveryRequired,BOOLEAN,,
+637,TOTP,authn/authn.properties,Whether to auto-attach the preceding set ofPrincipalobjects to eachSubjectproduced by this flow,4.1,idp.authn.TOTP,1,,false,idp.authn.TOTP.addDefaultPrincipals,BOOLEAN,,
+496,X500PostLoginC14NConfiguration,c14n/subject-c14n.properties,Whether to trim leading and trailing whitespace from the username,4.1,,,,true,idp.c14n.x500.trim,BOOLEAN,,
+498,X500PostLoginC14NConfiguration,c14n/subject-c14n.properties,Comma-delimited list of attribute OIDs to search for in the subject DN,4.1,,,Comma seperated list of integer values,"2,5,4,3",idp.c14n.x500.objectIDs,STRING,,
+495,X500PostLoginC14NConfiguration,c14n/subject-c14n.properties,Whether to uppercase the username,4.1,,,,false,idp.c14n.x500.uppercase,BOOLEAN,,
+494,X500PostLoginC14NConfiguration,c14n/subject-c14n.properties,Whether to lowercase the username,4.1,,,,false,idp.c14n.x500.lowercase,BOOLEAN,,
+497,X500PostLoginC14NConfiguration,c14n/subject-c14n.properties,Comma-delimited list of subjectAltName extension types to look for,4.1,,,Comma seperated list of integer values,,idp.c14n.x500.subjectAltNameTypes,STRING,,
+241,X509AuthnConfiguration,authn/authn.properties,"Flow priority relative to other enabled login flows (lower is ""higher"" in priority)",4.1,idp.authn.X509,,,1000,idp.authn.X509.order,INTEGER,,
+245,X509AuthnConfiguration,authn/authn.properties,Whether the 
flow enforces upstream IdP imposed restrictions on proxying,4.1,idp.authn.X509,,,%{idp.authn.enforceProxyRestrictions:true},idp.authn.X509.proxyRestrictionsEnforced,BOOLEAN,, +252,X509AuthnConfiguration,authn/authn.properties,Bean ID of BiConsumer determining whether flow is usable for request,4.1,idp.authn.X509,,,shibboleth.Conditions.TRUE,idp.authn.X509.activationCondition,SPRING_BEAN_ID,, +250,X509AuthnConfiguration,authn/authn.properties,Bean ID of Predicate controlling result reuse for SSO,4.1,idp.authn.X509,,,shibboleth.Conditions.TRUE,idp.authn.X509.reuseCondition,SPRING_BEAN_ID,, +253,X509AuthnConfiguration,authn/authn.properties,Comma-delimited list of protocol-specific Principal strings associated with flow,4.1,idp.authn.X509,,,"saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:X509, saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient, saml1/urn:ietf:rfc:2246",idp.authn.X509.supportedPrincipals,STRING,, +247,X509AuthnConfiguration,authn/authn.properties,Whether to invoke IdP discovery prior to running flow,4.1,idp.authn.X509,,,false,idp.authn.X509.discoveryRequired,BOOLEAN,, +246,X509AuthnConfiguration,authn/authn.properties,Whether the flow considers itself to be proxying and therefore enforces SP signaled restrictions on proxying,4.1,idp.authn.X509,,,false,idp.authn.X509.proxyScopingEnforced,BOOLEAN,, +254,X509AuthnConfiguration,authn/authn.properties,Whether to auto-attach the preceding set of Principal objects to each Subject produced by this flow,4.1,idp.authn.X509,,,true,idp.authn.X509.addDefaultPrincipals,BOOLEAN,, +244,X509AuthnConfiguration,authn/authn.properties,Whether the flow supports forced authentication,4.1,idp.authn.X509,,,false,idp.authn.X509.forcedAuthenticationSupported,BOOLEAN,, +243,X509AuthnConfiguration,authn/authn.properties,Whether the flow allows for passive authentication,4.1,idp.authn.X509,,,false,idp.authn.X509.passiveAuthenticationSupported,BOOLEAN,, +261,X509InternalAuthnConfiguration,authn/authn.properties,Whether the flow 
considers itself to be proxying and therefore enforces SP signaled restrictions on proxying,4.1,,,,false,idp.authn.X509Internal.proxyScopingEnforced,BOOLEAN,, +259,X509InternalAuthnConfiguration,authn/authn.properties,Whether the flow supports forced authentication,4.1,,,,false,idp.authn.X509Internal.forcedAuthenticationSupported,BOOLEAN,, +258,X509InternalAuthnConfiguration,authn/authn.properties,Whether the flow allows for passive authentication,4.1,,,,false,idp.authn.X509Internal.passiveAuthenticationSupported,BOOLEAN,, +257,X509InternalAuthnConfiguration,authn/authn.properties,"Whether the flow should handle non-browser request profiles (e.g., ECP)",4.1,,,,false,idp.authn.X509Internal.nonBrowserSupported,BOOLEAN,, +255,X509InternalAuthnConfiguration,authn/authn.properties,Whether to save the certificate into the Subject's public credential set. Disable to reduce the size if not relying on the certificate for subject c14n.,4.1,,,,true,idp.authn.X509Internal.saveCertificateToCredentialSet,BOOLEAN,, +269,X509InternalAuthnConfiguration,authn/authn.properties,Whether to auto-attach the preceding set of Principal objects to each Subject produced by this flow,4.1,,,,true,idp.authn.X509Internal.addDefaultPrincipals,BOOLEAN,, +260,X509InternalAuthnConfiguration,authn/authn.properties,Whether the flow enforces upstream IdP imposed restrictions on proxying,4.1,,,,%{idp.authn.enforceProxyRestrictions:true},idp.authn.X509Internal.proxyRestrictionsEnforced,BOOLEAN,, +256,X509InternalAuthnConfiguration,authn/authn.properties,"Flow priority relative to other enabled login flows (lower is ""higher"" in priority)",4.1,,,,1000,idp.authn.X509Internal.order,INTEGER,, +264,X509InternalAuthnConfiguration,authn/authn.properties,Inactivity timeout of results produced by this flow,4.1,,,,%{idp.authn.defaultTimeout:PT30M},idp.authn.X509Internal.inactivityTimeout,DURATION,, +267,X509InternalAuthnConfiguration,authn/authn.properties,Bean ID of BiConsumer determining whether flow is usable 
for request,4.1,,,,shibboleth.Conditions.TRUE,idp.authn.X509Internal.activationCondition,SPRING_BEAN_ID,, +265,X509InternalAuthnConfiguration,authn/authn.properties,Bean ID of Predicate controlling result reuse for SSO,4.1,,,,shibboleth.Conditions.TRUE,idp.authn.X509Internal.reuseCondition,SPRING_BEAN_ID,, +262,X509InternalAuthnConfiguration,authn/authn.properties,Whether to invoke IdP discovery prior to running flow,4.1,,,,false,idp.authn.X509Internal.discoveryRequired,BOOLEAN,, \ No newline at end of file