Configuration
The minimal configuration required to have the plugin running:
IdPv4
The minimum configuration requires you to define the profile configuration that lets a user access the profile pages. The USERPROFILE.SSO profile configuration has to be enabled by adding it to the shibboleth.UnverifiedRelyingParty bean.
Profile Configuration Bean | Profile Configuration URI | Activated Endpoint |
---|---|---|
USERPROFILE.SSO | http://geant.org/ns/profiles/userprofile/sso/browser | /idp/profile/userprofile |
```xml
<!-- Example of activating USERPROFILE.SSO in relying-party.xml -->
<bean id="shibboleth.UnverifiedRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
        <list>
            <bean parent="USERPROFILE.SSO"/>
        </list>
    </property>
</bean>
```
The configuration options for USERPROFILE.SSO are far fewer than those of the other SSO profiles, as there is no relying party involved. All that has to be done is to authenticate the user (and control how that is done) in order to grant access to the correct data.
Name | Type | Default | Description |
---|---|---|---|
defaultAuthenticationMethods | List<Principal> | None | Ordered list of Java Principals to be used to select appropriate login flow(s) to attempt. |
authenticationFlows | List<String> | None | List of allowed login flow(s) to attempt. |
forceAuthn | Boolean | false | Disallows use (or reuse) of authentication results and login flows that don't provide a real-time proof of user presence in the login process. |
Some third-party authentication flows require a relying party identifier value to exist. For such cases you may set a dummy value in the userprofile.properties file.

Property Name | Default | Description |
---|---|---|
userProfile.relyingPartyIdentifier | None | Dummy relying party identifier to use during the authentication phase. |
IdPv5
User Profile is an administrative flow. The behaviour of this particular administrative flow is defined in the userprofile.properties file. The default options authenticate the user accessing /idp/profile/userprofile with any available authentication flow that supports browsers.
Property Name | Default | Description |
---|---|---|
userProfile.logging | UserProfile | Set a logging ID to use when auditing this profile. |
userProfile.accessPolicy | None | Set an explicit access control policy name to apply. |
userProfile.forceAuthn | false | Set whether a fresh user presence proof should be required for this request. |
userProfile.authenticationFlows | None | Set the authentication flows to use, as a comma-separated list. |
userProfile.defaultAuthenticationMethods | None | Set the default authentication methods to use, expressed as custom principals in a comma-separated list. |
userProfile.postAuthenticationFlows | None | Set the ordered collection of post-authentication interceptor flows to enable, as a comma-separated list. |
userProfile.resolveAttributes | false | Set whether attributes should be resolved for the access control policy. |
Once the minimal configuration is done, an authenticated user is able to access the endpoint /idp/profile/userprofile and the Personal Data page.

The purpose of the Personal Data page is to show the user which of their attributes are "stored" in the IdP.

In many deployments the attributes shown on the page are a simple list of LDAP attributes, in which case the configuration is pretty straightforward. If you are running a proxy, the attributes shown may be a complex set of upstream attributes combined with locally resolved ones, and may sometimes need new attribute definitions. To solve this dilemma, the attributes that are resolved and shown to the user on the page must be listed separately in the userprofile.properties file. Note that attribute filtering is not applied to the listed attributes: every attribute in the list is shown to the user.
Property Name | Default | Description |
---|---|---|
userProfile.idpuserattributes | None | List (mandatory) of attributes that are presented to the user as Personal Data, as a comma-separated list of attribute IDs. |
userProfile.logoutUrl | None | Optional logout URL, for instance /idp/profile/Logout |

The properties file may also be used to activate an optional "Log Out" button on the profile pages.
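A complete userprofile.properties for IdPv5 that ties the two tables together, added here as an illustration rather than taken from the plugin's own distribution. The attribute IDs and the flow name MFA are assumed values that must match your own attribute resolver and authentication configuration; with IdPv4 only the idpuserattributes, logoutUrl and relyingPartyIdentifier properties apply, and the authentication options go on the USERPROFILE.SSO bean instead.

```properties
# userprofile.properties (example, not shipped with the plugin)

# Mandatory: attributes shown on the Personal Data page, comma-separated attribute IDs.
# Attribute filtering is NOT applied to this list, so only list attributes the user
# should be allowed to see about themselves. IDs below are assumed examples.
userProfile.idpuserattributes = uid, mail, displayName, eduPersonAffiliation

# Optional "Log Out" button on the profile pages (path from the table above).
userProfile.logoutUrl = /idp/profile/Logout

# The page exposes stored personal data, so require a fresh proof of presence
# instead of reusing an existing session result.
userProfile.forceAuthn = true

# Restrict the login flows that may be used to reach the page. "MFA" is an
# assumed flow name; it must exist in your idp.authn.flows configuration.
userProfile.authenticationFlows = MFA

# Only needed by some third-party authentication flows; any dummy value works.
# (IdPv4 reads this key from the same file.)
userProfile.relyingPartyIdentifier = https://userprofile.example.org/dummy-rp

# Leave at defaults unless an explicit access control policy is wanted:
# userProfile.accessPolicy =
# userProfile.resolveAttributes = false
```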