Unicon / shib-cas-authn

Apache License 2.0

Install process needs to be updated for new Shib IdP 4.2+ installs #7

Open jwray3-asu opened 2 years ago

jwray3-asu commented 2 years ago

The changes to the Module system mean there seem to be a few updates needed to the readme file for Shib 4.2+.

In a fresh install the External module is disabled by default and needs to be enabled by IDP_HOME/bin/module.sh -e idp.authn.External. The IDP_HOME/conf/authn/external-authn.xml and IDP_HOME/conf/authn/general-authn.xml files appear to no longer exist, and setting the context path appears to be done in the IDP_HOME/conf/authn/authn.properties file now:

#### External ####

#idp.authn.External.order = 1000
#idp.authn.External.nonBrowserSupported = false
#idp.authn.External.matchExpression =
# Unset if you plan to return full Java Subject from external source
#idp.authn.External.addDefaultPrincipals = true
# Servlet context-relative path to wherever your implementation lives
idp.authn.External.externalAuthnPath = contextRelative:external.jsp

Based on the other configurations present in the properties file, this appears to be the new config for supporting both the basic setup and a REFEDS MFA profile in the auth.properties file:

#### External ####

#idp.authn.External.order = 1000
idp.authn.External.nonBrowserSupported = false
idp.authn.External.forcedAuthenticationSupported = true
idp.authn.External.passiveAuthenticationSupported = true
#idp.authn.External.matchExpression =
# Unset if you plan to return full Java Subject from external source
#idp.authn.External.addDefaultPrincipals = true
# Servlet context-relative path to wherever your implementation lives
idp.authn.External.externalAuthnPath = contextRelative:Authn/External
idp.authn.External.supportedPrincipals = \
    saml2/https://refeds.org/profile/mfa, \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

pspaude commented 2 years ago

Awesome, thanks for the PR! We'll be looking at this shortly and, as soon as we're able, get a 4.2 version out.

jwray3-asu commented 2 years ago

The location of the idp.authn.flows line has also been moved to the authn.properties file. The IdP properties file now by default loads all values in conf/*/.properties, so all configs for shibcas might be better served by being moved to either the authn.properties file or a custom properties file like shibcas.properties in /conf/authn.
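Since the External flow settings now live in a plain Java .properties file (whether authn.properties or a separate shibcas.properties under conf/authn, as discussed above), a quick way to check a deployment is to parse that file and verify the keys the first post lists. The following is an added example written for this issue, not code from the shib-cas-authn project; the sample properties text is constructed from the block quoted above, and the check names (`check_external_flow`) are the example's own.

```python
import re

# Constructed sample of the External block from IDP_HOME/conf/authn/authn.properties,
# built from the settings quoted in this issue (not a file from the project).
SAMPLE_AUTHN_PROPERTIES = """\
#### External ####
idp.authn.External.nonBrowserSupported = false
idp.authn.External.forcedAuthenticationSupported = true
idp.authn.External.passiveAuthenticationSupported = true
idp.authn.External.externalAuthnPath = contextRelative:Authn/External
idp.authn.External.supportedPrincipals = \\
    saml2/https://refeds.org/profile/mfa, \\
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
"""
PREFIX = "idp.authn.External."
REFEDS_MFA = "saml2/https://refeds.org/profile/mfa"
PPT = "saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"


def parse_properties(text: str) -> dict[str, str]:
    """Minimal Java .properties reader: skips blank and #/! comment lines, joins
    backslash continuations, splits at the first '=' or ':' (value keeps its ':')."""
    props: dict[str, str] = {}
    pending = ""                      # partial logical line awaiting continuation
    for raw in text.splitlines():
        line = pending + raw.strip()  # leading blanks of a continuation are dropped
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def check_external_flow(props: dict[str, str]) -> list[str]:
    """Findings for the External flow of a 4.2+ IdP expected to carry REFEDS MFA."""
    findings = []
    path = props.get(PREFIX + "externalAuthnPath", "")
    if not path or path == "contextRelative:external.jsp":
        findings.append("externalAuthnPath is unset or still the fresh-install sample external.jsp")
    principals = [p.strip() for p in props.get(PREFIX + "supportedPrincipals", "").split(",")]
    for needed in (REFEDS_MFA, PPT):
        if needed not in principals:
            findings.append(f"supportedPrincipals lacks {needed}")
    if props.get(PREFIX + "forcedAuthenticationSupported") != "true":
        findings.append("forcedAuthenticationSupported is not true (the MFA setup above sets it)")
    return findings
```

Point `parse_properties` at the real file contents to get the same findings for a live install; an empty list means every key from the post is present with the expected value.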