Skip to content

OIDC.SSO

Jump to bottom
Janne Lauros edited this page Jan 4, 2019 · 40 revisions

Overview

The OIDC.SSO profile configuration bean enables support for oidc authorization and token endpoints.

File(s): conf/relying-party.xml

Common Configuration

  • securityConfiguration of type SecurityConfiguration defaulting to a bean shibboleth.oidc.DefaultSecurityConfiguration.

  • postAuthenticationFlows of type List<String>. Ordered list of profile interceptor flows to run after successful authentication.

  • defaultAuthenticationMethods of type List<Principal>. Ordered list of Java Principals to be used to select appropriate login flow(s) to attempt, in the event that a relying party does not signal a preference. Not supported yet.

Common OIDC Configuration

  • tokenEndpointAuthMethods of type Collection<String>: The comma-separated list of supported token_endpoint_auth_method_s for this profile. Default: client_secret_basic,client_secret_post,client_secret_jwt,private_key_jwt. Can be configured with idp.oidc.tokenEndpointAuthMethods -propertiy in conf/idp.properties.

  • acrRequestAlwaysEssential of type Predicate<ProfileRequestContext> defaulting to false. Whether to treat all acr claim requests as essential requests.

Eventhough the following options are not (yet) supported by OIDC.SSO the registration data is respected i.e. by limitig options for response or grant types enabled in registration also limits the available options for running successfullu OIDC.SSO.

  • authorizationCodeFlowEnabled of type Predicate<ProfileRequestContext> defaulting to true. Whether to enable authorization code flow. Not supported yet.

  • hybridFlowEnabled of type Predicate<ProfileRequestContext> defaulting to true. Whether to enable hybrid flow. Not supported yet.

  • implicitFlowEnabled of type Predicate<ProfileRequestContext> defaulting to true. Whether to enable implicit flow. Not supported yet.

  • refreshTokensEnabled of type Predicate<ProfileRequestContext>: defaulting to true. Whether to enable refresh tokens support. Not supported yet.

OIDC.SSO Configuration

  • authorizeCodeLifetime of type Duration. Defaults to PT5M.

  • accessTokenLifetime of type Duration. Defaults to PT10M.

  • iDTokenLifetime of type Duration. Defaults to PT1H.

  • refreshTokenLifetime of type Duration. Defaults to PT2H.

  • additionalAudiencesForIdToken of type Collection<String>: The comma-separated list of strings. Empty by default.

Clone this wiki locally