Class OidcCoreProperties

java.lang.Object
org.apereo.cas.configuration.model.support.oidc.OidcCoreProperties
All Implemented Interfaces:
Serializable

@RequiresModule(name="cas-server-support-oidc") public class OidcCoreProperties extends Object implements Serializable
Since:
5.0.0
  • Constructor Details

    • OidcCoreProperties

      public OidcCoreProperties()
  • Method Details

    • getIssuer

      public String getIssuer()
      OIDC issuer. All OpenID Connect servers such as CAS are uniquely identified by a URL known as the issuer. This URL serves as the prefix of the service discovery endpoint (the issuer followed by /.well-known/openid-configuration) as specified in the OpenID Connect Discovery standard.

      This URL must use the https scheme and contain no query or fragment component; it is the Issuer Identifier that the identity provider (CAS) asserts. It MUST also be identical to the iss claim value in ID Tokens issued from this issuer: relying parties reject tokens whose iss does not exactly match the issuer they discovered, so override this only in very special circumstances as a last resort.

      CAS primarily supports a single issuer per deployment/host.

    • getAcceptedIssuersPattern

      public String getAcceptedIssuersPattern()
      Defines the regular expression pattern that is matched against the issuer calculated from the incoming request URL. If that issuer does not match the issuer defined in the CAS configuration, this pattern acts as a secondary rule that lets the request through when the match succeeds. By default the pattern is designed to never match anything, so only requests addressed to the configured issuer are accepted. Any pattern you do supply should be anchored and as narrow as possible: a loose pattern admits requests arriving under a host or scheme CAS does not own, which undoes the issuer check that discovery and iss validation depend on.
    • getSkew

      public String getSkew()
      Clock skew, expressed as a duration (for example PT5M), applied to the authentication issue instant when token timestamps are computed, so that small clock differences between CAS and relying parties do not cause freshly issued tokens to be rejected.
    • getUserDefinedScopes

      public Map<String,String> getUserDefinedScopes()
      Mapping of user-defined scopes. Key is the new scope name and value is a comma-separated list of claims released for that scope. User-defined scopes can also override the definition of system scopes. Every user-defined scope, and every custom claim mapped to one, must also be listed among the scopes and claims CAS advertises in its OpenID Connect discovery document (cas.authn.oidc.discovery.scopes and cas.authn.oidc.discovery.claims); otherwise they are not advertised to, and cannot be requested by, relying parties.
    • getClaimsMap

      public Map<String,String> getClaimsMap()
      Map fixed claims to CAS attributes. Key is the standard claim name (for example given_name, which belongs to the profile scope) and value is the CAS attribute whose value should populate that claim. The claims associated with each standard scope are fixed by the OpenID Connect specification, so when an arbitrary attribute must feed one of them, a mapping here links the CAS-defined attribute to the fixed claim. For instance, the attribute sys_given_name can be mapped to the claim given_name without touching attribute resolution or any other CAS-enabled application. If no mapping is defined, CAS attributes are expected to carry the same names as the claims.
    • getAuthenticationContextReferenceMappings

      public List<String> getAuthenticationContextReferenceMappings()
      A mapping of authentication context class reference (ACR) values. This is where specific authentication context classes are referenced and mapped to the providers CAS supports, mainly for multifactor authentication.

      Example: acr-value->mfa-duo.

      Support for authentication context class references is implemented in the form of acr_values sent as part of the original authorization request, which is mostly taken into account by the multifactor authentication features of CAS. Once authentication succeeds, acr and amr values are passed back to the relying party as part of the ID token.

    • setIssuer

      public OidcCoreProperties setIssuer(String issuer)
      OIDC issuer. All OpenID Connect servers such as CAS are uniquely identified by a URL known as the issuer. This URL serves as the prefix of the service discovery endpoint (the issuer followed by /.well-known/openid-configuration) as specified in the OpenID Connect Discovery standard.

      This URL must use the https scheme and contain no query or fragment component; it is the Issuer Identifier that the identity provider (CAS) asserts. It MUST also be identical to the iss claim value in ID Tokens issued from this issuer: relying parties reject tokens whose iss does not exactly match the issuer they discovered, so override this only in very special circumstances as a last resort.

      CAS primarily supports a single issuer per deployment/host.

      Returns:
      this.
    • setAcceptedIssuersPattern

      public OidcCoreProperties setAcceptedIssuersPattern(String acceptedIssuersPattern)
      Defines the regular expression pattern that is matched against the issuer calculated from the incoming request URL. If that issuer does not match the issuer defined in the CAS configuration, this pattern acts as a secondary rule that lets the request through when the match succeeds. By default the pattern is designed to never match anything, so only requests addressed to the configured issuer are accepted. Any pattern you do supply should be anchored and as narrow as possible: a loose pattern admits requests arriving under a host or scheme CAS does not own, which undoes the issuer check that discovery and iss validation depend on.
      Returns:
      this.
    • setSkew

      public OidcCoreProperties setSkew(String skew)
      Clock skew, expressed as a duration (for example PT5M), applied to the authentication issue instant when token timestamps are computed, so that small clock differences between CAS and relying parties do not cause freshly issued tokens to be rejected.
      Returns:
      this.
    • setUserDefinedScopes

      public OidcCoreProperties setUserDefinedScopes(Map<String,String> userDefinedScopes)
      Mapping of user-defined scopes. Key is the new scope name and value is a comma-separated list of claims released for that scope. User-defined scopes can also override the definition of system scopes. Every user-defined scope, and every custom claim mapped to one, must also be listed among the scopes and claims CAS advertises in its OpenID Connect discovery document (cas.authn.oidc.discovery.scopes and cas.authn.oidc.discovery.claims); otherwise they are not advertised to, and cannot be requested by, relying parties.
      Returns:
      this.
    • setClaimsMap

      public OidcCoreProperties setClaimsMap(Map<String,String> claimsMap)
      Map fixed claims to CAS attributes. Key is the standard claim name (for example given_name, which belongs to the profile scope) and value is the CAS attribute whose value should populate that claim. The claims associated with each standard scope are fixed by the OpenID Connect specification, so when an arbitrary attribute must feed one of them, a mapping here links the CAS-defined attribute to the fixed claim. For instance, the attribute sys_given_name can be mapped to the claim given_name without touching attribute resolution or any other CAS-enabled application. If no mapping is defined, CAS attributes are expected to carry the same names as the claims.
      Returns:
      this.
    • setAuthenticationContextReferenceMappings

      public OidcCoreProperties setAuthenticationContextReferenceMappings(List<String> authenticationContextReferenceMappings)
      A mapping of authentication context class reference (ACR) values. This is where specific authentication context classes are referenced and mapped to the providers CAS supports, mainly for multifactor authentication.

      Example: acr-value->mfa-duo.

      Support for authentication context class references is implemented in the form of acr_values sent as part of the original authorization request, which is mostly taken into account by the multifactor authentication features of CAS. Once authentication succeeds, acr and amr values are passed back to the relying party as part of the ID token.

      Returns:
      this.
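The settings documented on this page (issuer, accepted-issuers pattern, skew, user-defined scopes, claims map and ACR mappings) bind to the cas.authn.oidc.core.* property keys, and the scopes and claims they must be advertised under bind to cas.authn.oidc.discovery.scopes and cas.authn.oidc.discovery.claims. The following is an added example, not CAS code: a pre-deployment lint that reads a constructed cas.properties fragment and checks the rules stated above (https issuer with no query or fragment, a never-matching or tightly scoped accepted-issuers pattern, user-defined scopes and claims present in discovery, well-formed acr->provider entries). SAMPLE_PROPERTIES, PROBE_ISSUERS, parse_properties, issuer_accepted and lint are this example's own names; whether CAS applies the pattern as a full or partial match is not stated on this page, so the lint assumes the more permissive substring search.

```python
"""Lint for cas.authn.oidc.core.* settings. Added example, not part of CAS."""
import re
from urllib.parse import urlsplit

# Constructed sample configuration; values are illustrative, not a real deployment.
SAMPLE_PROPERTIES = """
cas.authn.oidc.core.issuer=https://sso.example.org/cas/oidc
cas.authn.oidc.core.accepted-issuers-pattern=a^
cas.authn.oidc.core.skew=PT5M
cas.authn.oidc.core.user-defined-scopes.eduPerson=eduPersonAffiliation,eduPersonPrincipalName
cas.authn.oidc.core.claims-map.given_name=sys_given_name
cas.authn.oidc.core.authentication-context-reference-mappings=acr-value->mfa-duo,phr->mfa-gauth
cas.authn.oidc.discovery.scopes=openid,profile,email,eduPerson
cas.authn.oidc.discovery.claims=sub,name,given_name,family_name,email,eduPersonAffiliation,eduPersonPrincipalName
"""

CORE = "cas.authn.oidc.core."
DISCOVERY = "cas.authn.oidc.discovery."

# Issuers an attacker could cause CAS to calculate from a request; the pattern must admit none.
PROBE_ISSUERS = (
    "http://sso.example.org/cas/oidc",                 # scheme downgrade
    "https://sso.example.org.attacker.test/cas/oidc",  # host suffix spoof
    "https://attacker.test/cas/oidc",                  # foreign host
)


def parse_properties(text):
    """Minimal Java-properties parser: key=value lines, comments and blanks skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def prefixed(props, prefix):
    """Entries of a map-valued property, e.g. user-defined-scopes.<scope> -> claims."""
    return {k[len(prefix):]: v for k, v in props.items() if k.startswith(prefix)}


def issuer_accepted(props, request_issuer):
    """Model of the two-level rule on this page: exact match, then the secondary pattern.
    Uses a substring search (assumption) so unanchored patterns are treated pessimistically."""
    if request_issuer == props.get(CORE + "issuer"):
        return True
    pattern = props.get(CORE + "accepted-issuers-pattern", "a^")
    return re.search(pattern, request_issuer) is not None


def lint(props):
    """Return a list of findings; an empty list means the fragment passed every check."""
    findings = []

    issuer = props.get(CORE + "issuer", "")
    u = urlsplit(issuer)
    if u.scheme != "https" or not u.netloc or u.query or u.fragment:
        findings.append(f"issuer must be an https URL with no query or fragment: {issuer!r}")

    pattern = props.get(CORE + "accepted-issuers-pattern", "a^")
    try:
        compiled = re.compile(pattern)
    except re.error as exc:
        findings.append(f"accepted-issuers-pattern does not compile: {exc}")
    else:
        admitted = [p for p in PROBE_ISSUERS if compiled.search(p)]
        if admitted:
            findings.append(f"accepted-issuers-pattern admits foreign issuers: {admitted}")

    # The lint accepts ISO-8601 time durations such as PT5M (assumption about the accepted syntax).
    skew = props.get(CORE + "skew", "")
    if not re.fullmatch(r"PT(?:\d+H)?(?:\d+M)?(?:\d+S)?", skew) or skew == "PT":
        findings.append(f"skew is not a duration such as PT5M: {skew!r}")

    disc_scopes = set(csv(props.get(DISCOVERY + "scopes", "")))
    disc_claims = set(csv(props.get(DISCOVERY + "claims", "")))
    for scope, claims in prefixed(props, CORE + "user-defined-scopes.").items():
        if scope not in disc_scopes:
            findings.append(f"user-defined scope {scope!r} is not in discovery scopes")
        for claim in csv(claims):
            if claim not in disc_claims:
                findings.append(f"claim {claim!r} of scope {scope!r} is not in discovery claims")

    for claim, attr in prefixed(props, CORE + "claims-map.").items():
        if claim not in disc_claims:
            findings.append(f"claims-map targets claim {claim!r} not advertised in discovery")
        if not attr:
            findings.append(f"claims-map entry {claim!r} names no source attribute")

    for entry in csv(props.get(CORE + "authentication-context-reference-mappings", "")):
        acr, sep, provider = entry.partition("->")
        if not sep or not acr or not provider:
            findings.append(f"ACR mapping must be acr->provider, got {entry!r}")

    return findings


if __name__ == "__main__":
    for finding in lint(parse_properties(SAMPLE_PROPERTIES)) or ["no findings"]:
        print(finding)
```

Run it against your own properties file before enabling a non-default accepted-issuers pattern; swapping the sample's a^ for .* and the issuer's https for http produces findings for both, which is the weak configuration the pattern caveat above warns about.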