LoginConfigStrategy example?

Cantor, Scott cantor.2 at osu.edu
Wed May 19 15:56:00 UTC 2021


On 5/19/21, 10:12 AM, "users on behalf of Phil Chapman" <users-bounces at shibboleth.net on behalf of phil.chapman at adept.co.uk> wrote:

>    I believe this should be possible by writing a shibboleth.authn.JAAS.LoginConfigStrategy Function bean, but
> can't get the syntax right and can't find any appropriate examples online. Does anyone have a sample that they
> can share which would meet my needs?

Doesn't require a function, though I probably would argue it's easier syntax.

"If the information the function would return is static, a bean named shibboleth.authn.JAAS.LoginConfigurations can be defined."

This is static (you're just associating each JAAS config with one or more principals).

Bean type is Collection<Pair<String,Subject>>

<util:list id="shibboleth.authn.JAAS.LoginConfigurations">
    <!-- one config: JAAS config name paired with the principal(s) it satisfies -->
    <bean parent="shibboleth.Pair">
        <constructor-arg value="config1" />
        <constructor-arg>
            <bean class="javax.security.auth.Subject">
                <!-- readOnly -->
                <constructor-arg value="false" />
                <!-- principals -->
                <constructor-arg>
                    <util:set>
                        <bean parent="shibboleth.SAML2AuthnContextClassRef"
                            c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
                    </util:set>
                </constructor-arg>
                <!-- public and private credentials: Subject's constructor rejects null sets, so pass empty ones -->
                <constructor-arg><util:set /></constructor-arg>
                <constructor-arg><util:set /></constructor-arg>
            </bean>
        </constructor-arg>
    </bean>
    <!-- etc. -->
</util:list>

It's something like that, but I doubt it's exact.

FWIW, the historical advice to use JAAS is also largely out of date; that was needed when it was impractical to chain LDAPs or LDAP with other options. The IdP does this natively now, and JAAS is slower comparatively speaking.

-- Scott



