Install process needs to be updated for new Shib IdP 4.2+ installs
jwray3-asu opened this issue · 2 comments
The changes to the Module system make it so there seem to be a few updates needed to the readme file for Shib 4.2+.
In a fresh install the External module is disabled by default and needs to be enabled by IDP_HOME/bin/module.sh -e idp.authn.External. The IDP_HOME/conf/authn/external-authn.xml and IDP_HOME/conf/authn/general-authn.xml files appear to no longer exist and setting the context path appears to be done in the IDP_HOME/conf/authn/authn.properties file now:
```properties
#### External ####
#idp.authn.External.order = 1000
#idp.authn.External.nonBrowserSupported = false
#idp.authn.External.matchExpression =
# Unset if you plan to return full Java Subject from external source
#idp.authn.External.addDefaultPrincipals = true
# Servlet context-relative path to wherever your implementation lives
idp.authn.External.externalAuthnPath = contextRelative:external.jsp
```
Based on the other configurations present in the properties file, this appears to be the new config for supporting both the basic setup and a REFEDS MFA profile in the auth.properties file:
```properties
#### External ####
#idp.authn.External.order = 1000
idp.authn.External.nonBrowserSupported = false
idp.authn.External.forcedAuthenticationSupported = true
idp.authn.External.passiveAuthenticationSupported = true
#idp.authn.External.matchExpression =
# Unset if you plan to return full Java Subject from external source
#idp.authn.External.addDefaultPrincipals = true
# Servlet context-relative path to wherever your implementation lives
idp.authn.External.externalAuthnPath = contextRelative:Authn/External
idp.authn.External.supportedPrincipals = \
    saml2/https://refeds.org/profile/mfa, \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
```
Awesome, thanks for the PR! We'll be looking at this shortly and, as soon as we're able, get a 4.2 version out.
The location of the idp.authn.flows line has also been moved to the authn.properties file as well. The IdP properties file now by default loads all values in conf/**/*.properties, so all configs for shibcas might be better served by being moved to either the authn.properties file or a custom properties file like shibcas.properties in /conf/authn.
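
Added example, not part of this thread or the project's own code: a small checker that reads an authn.properties-style file (including the backslash continuations used for supportedPrincipals) and reports whether the External settings discussed above are in effect. The sample text is constructed from the issue's second snippet; the `idp.authn.flows = External` value, its `|`-separated form and the function names are assumptions.

```python
import re

# Constructed sample: the issue's second snippet plus an idp.authn.flows line
# (the value "External" is an assumption; the thread only says where the key lives).
SAMPLE = r"""
#### External ####
#idp.authn.External.order = 1000
idp.authn.External.nonBrowserSupported = false
idp.authn.External.externalAuthnPath = contextRelative:Authn/External
idp.authn.External.supportedPrincipals = \
    saml2/https://refeds.org/profile/mfa, \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
idp.authn.flows = External
"""
MFA = "saml2/https://refeds.org/profile/mfa"

def parse_properties(text):
    """Minimal .properties reader: '=' separator, #/! comments, backslash continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue  # commented-out keys are not set by this file
        if line.endswith("\\"):
            pending += line[:-1]  # keep collecting the logical line
            continue
        key, _, value = (pending + line).partition("=")
        props[key.strip()] = value.strip()
        pending = ""
    return props

def check_external(props, require_mfa=True):
    """Return findings for the External flow settings discussed in the thread."""
    findings = []
    if props.get("idp.authn.External.externalAuthnPath") != "contextRelative:Authn/External":
        findings.append("externalAuthnPath is not contextRelative:Authn/External")
    # idp.authn.flows is treated here as a '|'-separated list of flow names (assumption).
    if "External" not in re.split(r"\s*\|\s*", props.get("idp.authn.flows", "")):
        findings.append("idp.authn.flows does not select External")
    listed = [p.strip() for p in props.get("idp.authn.External.supportedPrincipals", "").split(",")]
    if require_mfa and MFA not in listed:
        findings.append("REFEDS MFA principal missing from supportedPrincipals")
    return findings

if __name__ == "__main__":
    for finding in check_external(parse_properties(SAMPLE)) or ["External flow settings look consistent"]:
        print(finding)
```

Because the IdP loads every file under conf/**/*.properties, run the check over the merged contents of all of them rather than authn.properties alone if the settings are split across files.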