Comment: Update protocol.

...

  1. Single sign-on via SPSSODescriptor with one or more AssertionConsumerService elements of binding https://www.apereo.org/cas/protocol/login
  2. Proxy via AttributeAuthorityDescriptor with one or more AttributeService elements of binding https://www.apereo.org/cas/protocol/proxy
  3. Single sign-out via SPSSODescriptor with a single SingleLogoutService element of binding https://www.apereo.org/cas/protocol/logout

The following sections describe the specific metadata requirements for each type of protocol operation.

...

  • Contains one or more AssertionConsumerService elements that MUST have the following attributes:
    • Binding attribute with value of https://www.apereo.org/cas/protocol/login.
    • Location attribute whose value is a URL prefix; a service URL is covered by the endpoint when it starts with that value.

ACS endpoints are repeated with varying Location attributes until the full set of service URLs is covered.

CAS Proxy

An entity advertises support for the CAS proxy protocol with an AttributeAuthorityDescriptor that has the following characteristics:

  • MUST include https://www.apereo.org/cas/protocol in the protocolSupportEnumeration attribute.
  • Contains one or more AttributeService elements that MUST have the following attributes:
    • Binding attribute with value of https://www.apereo.org/cas/protocol/proxy.
    • Location attribute that matches the pgtURL protocol parameter. The presented protocol parameter value will be verified against this value as part of proxy callback URL validation.
  • MAY define one or more signing certificates in the KeyDescriptor element that will be used as explicit TLS trust material when validating the certificate presented by the proxy callback endpoint.

...

An entity advertises support for the CAS single sign-out protocol by adding a SingleLogoutService endpoint to a SPSSODescriptor that supports CAS single sign-on. The SingleLogoutService has the following characteristics:

  • Binding attribute with value of https://www.apereo.org/cas/protocol/logout.
  • Location attribute is required to be defined but is not used, since the protocol sends the logout message to the same endpoint to which the service ticket was delivered. To make clear that the location is not used, it is recommended to use a URL with an RFC 6761 reserved domain name such as https://not.used.invalid/.

Example Metadata

An example representing a typical CAS entity follows:

CAS Metadata Entry (XML):

<EntityDescriptor entityID="https://alpha.example.org/">
    <SPSSODescriptor protocolSupportEnumeration="https://www.apereo.org/cas/protocol">
        <AssertionConsumerService
                Binding="https://www.apereo.org/cas/protocol/login"
                Location="https://alpha.example.org/"
                index="1"/>
        <AssertionConsumerService
                Binding="https://www.apereo.org/cas/protocol/login"
                Location="https://alpha.dev.example.org/"
                index="2"/>
        <AssertionConsumerService
                Binding="https://www.apereo.org/cas/protocol/login"
                Location="https://alpha.test.example.org/"
                index="3"/>
        <SingleLogoutService
                Binding="https://www.apereo.org/cas/protocol/logout"
                Location="https://not.used.invalid/"/>
    </SPSSODescriptor>
    <AttributeAuthorityDescriptor protocolSupportEnumeration="https://www.apereo.org/cas/protocol">
        <!-- The certificates below are explicit TLS trust material for the proxy callback endpoint -->
        <KeyDescriptor use="signing">
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>
                        MIIDODCCAiCgAwIBAgIJAKpLQTw/WPXCMA0GCSqGSIb3DQEBCwUAMBwxGjAYBgNV
                        BAMTEWFscGhhLmV4YW1wbGUub3JnMB4XDTE4MDYxODE2NDE0NVoXDTE4MDcxODE2
                        NDE0NVowHDEaMBgGA1UEAxMRYWxwaGEuZXhhbXBsZS5vcmcwggEiMA0GCSqGSIb3
                        DQEBAQUAA4IBDwAwggEKAoIBAQDHSzRUcM0WBtAjR3P1vHYkaaATjNKTxbNHn3zS
                        3mLnEgukOVFrr+cRByKKUQQb8MIPkuvKrz3lnoCoOwlFMRPigtChjo3UJGTYEMY9
                        2SQQr24U6nE/3d2qFaf2PNIW1SinSjxbE1xeT0bdLcTZHUcE2yEfHKFhcgXIJprv
                        R1ceBJBvYYnATuPgUxMjq2ks4kXxG0nNlT13QwBfykBv6I1Wkkc06mEvkMzKNtzr
                        ayBK1PygVBNVMUQAFn7Tv6c28BtVLFE9SIKj+5ZcpuWkujVNJF1dYdNmfAz3PiuE
                        dPt2yl3t2r/v4CP+U8kBlQs6A83xYrA0MsHnUYOrfL3UTWtZAgMBAAGjfTB7MB0G
                        A1UdDgQWBBT/5yBm3mXtsYDvz11kTHsPVGeRcDBMBgNVHSMERTBDgBT/5yBm3mXt
                        sYDvz11kTHsPVGeRcKEgpB4wHDEaMBgGA1UEAxMRYWxwaGEuZXhhbXBsZS5vcmeC
                        CQCqS0E8P1j1wjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAb/o/M
                        mt/nSHOfcjnNJS/LpouaewkoWkQn+FaXZOOvHDYhWur+mHVDpjoszUfgrTX2npmL
                        e8Q94bHd+cQrJpZFiYRX8l0p7dAH5Q6Ya/AnHuzGeyQ9fXiDMSWcsg2INcWi7oL9
                        h9+V3idcSzgAo1b7+ESSToPj7OG8tgjEp2C9jy0IKEwoApuQtRzxD1XHZFBFwwuH
                        nIXWxgctJPU1C+1W9b4bkFSyEGz8/HM7D9feDHbn2AKuRgd99aaOY9D59topf2Zg
                        t5sUTWWl54eaF5qoXKY/jdl84Tnmo8GeUufCrS0T6YQGI1LTpicPbqf7zHihQTao
                        I1TQuJgghwPvPE9x
                    </ds:X509Certificate>
                </ds:X509Data>
                <ds:X509Data>
                    <ds:X509Certificate>
                        MIIDRTCCAi2gAwIBAgIJAJWAmqfrwZdvMA0GCSqGSIb3DQEBCwUAMCAxHjAcBgNV
                        BAMTFWFscGhhLmRldi5leGFtcGxlLm9yZzAeFw0xODA2MTgxNjUwMThaFw0xODA3
                        MTgxNjUwMThaMCAxHjAcBgNVBAMTFWFscGhhLmRldi5leGFtcGxlLm9yZzCCASIw
                        DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMdLNFRwzRYG0CNHc/W8diRpoBOM
                        0pPFs0effNLeYucSC6Q5UWuv5xEHIopRBBvwwg+S68qvPeWegKg7CUUxE+KC0KGO
                        jdQkZNgQxj3ZJBCvbhTqcT/d3aoVp/Y80hbVKKdKPFsTXF5PRt0txNkdRwTbIR8c
                        oWFyBcgmmu9HVx4EkG9hicBO4+BTEyOraSziRfEbSc2VPXdDAF/KQG/ojVaSRzTq
                        YS+QzMo23OtrIErU/KBUE1UxRAAWftO/pzbwG1UsUT1IgqP7llym5aS6NU0kXV1h
                        02Z8DPc+K4R0+3bKXe3av+/gI/5TyQGVCzoDzfFisDQywedRg6t8vdRNa1kCAwEA
                        AaOBgTB/MB0GA1UdDgQWBBT/5yBm3mXtsYDvz11kTHsPVGeRcDBQBgNVHSMESTBH
                        gBT/5yBm3mXtsYDvz11kTHsPVGeRcKEkpCIwIDEeMBwGA1UEAxMVYWxwaGEuZGV2
                        LmV4YW1wbGUub3JnggkAlYCap+vBl28wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0B
                        AQsFAAOCAQEAZJvp0luHvSlb1pSNpH1roT3R35FyZc+rLJWzmtVAdjt0eQU4q6da
                        /lQ/83ntRj82GOxZEbyJwyhXLaav2nTe7N+wQoz6maTYXMX8Q9DZVLihy1SSrCY6
                        bLi2+byxKORw9GXrVaul8yckElyvx2HxMg8iXcLmuG1pVb1bk8BlnwHNDPZYTNMY
                        iPgHtdsquziKrb08y/fjNiyeEIFlHloK+b4jggjOUbQ/jTkLkG6mkRQwu1NolvvB
                        BBr0q/P8Z86TMmdp1deZEqQMVY6uWNgVs5Ci0piyQdKJjOvaGE/XXItD8blH3d4O
                        SsADjh/HEFpp0Pu5ypQNryzdNL+6sw4XyQ==
                    </ds:X509Certificate>
                </ds:X509Data>
                <ds:X509Data>
                    <ds:X509Certificate>
                        MIIDSTCCAjGgAwIBAgIJAI01q+m9qC5gMA0GCSqGSIb3DQEBCwUAMCExHzAdBgNV
                        BAMTFmFscGhhLnRlc3QuZXhhbXBsZS5vcmcwHhcNMTgwNjE4MTY1MDQzWhcNMTgw
                        NzE4MTY1MDQzWjAhMR8wHQYDVQQDExZhbHBoYS50ZXN0LmV4YW1wbGUub3JnMIIB
                        IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx0s0VHDNFgbQI0dz9bx2JGmg
                        E4zSk8WzR5980t5i5xILpDlRa6/nEQciilEEG/DCD5Lryq895Z6AqDsJRTET4oLQ
                        oY6N1CRk2BDGPdkkEK9uFOpxP93dqhWn9jzSFtUop0o8WxNcXk9G3S3E2R1HBNsh
                        HxyhYXIFyCaa70dXHgSQb2GJwE7j4FMTI6tpLOJF8RtJzZU9d0MAX8pAb+iNVpJH
                        NOphL5DMyjbc62sgStT8oFQTVTFEABZ+07+nNvAbVSxRPUiCo/uWXKblpLo1TSRd
                        XWHTZnwM9z4rhHT7dspd7dq/7+Aj/lPJAZULOgPN8WKwNDLB51GDq3y91E1rWQID
                        AQABo4GDMIGAMB0GA1UdDgQWBBT/5yBm3mXtsYDvz11kTHsPVGeRcDBRBgNVHSME
                        SjBIgBT/5yBm3mXtsYDvz11kTHsPVGeRcKElpCMwITEfMB0GA1UEAxMWYWxwaGEu
                        dGVzdC5leGFtcGxlLm9yZ4IJAI01q+m9qC5gMAwGA1UdEwQFMAMBAf8wDQYJKoZI
                        hvcNAQELBQADggEBAFL7Xe5jaIE/f6KbQweDTLEGLZ6CpYFwgjCCI6Kgik2H6+XI
                        daX5FI8IZ9VThfsbCbr55lIKlmmcR32O9xpLuQ792IJY9D2/I6ltW2iKnTKmaZSE
                        /S4p7hYu9EKkxkg8MFCRvfVonf9oOUGzoPvfzt9teXG2xzjetgCoY3taaH5UyEHK
                        pNynStKB0kzfoFOn4pdQWKX5UEZa0fLqzWTfrrikW4PitWrTE5zrn5vsxfBVNPnH
                        LlCxgWwWYeVi5XgpPoKy+So0dri7caGeNXjXW2ND0waHvp/LSmO8cfXbVX+1VqIw
                        L65ZJv2FIAm9LMIFVnEkD7sk1LsYdglvXBDz4BA=
                    </ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </KeyDescriptor>
        <AttributeService
                Binding="https://www.apereo.org/cas/protocol/proxy"
                Location="https://alpha.example.org/proxy_receptor"/>
    </AttributeAuthorityDescriptor>
</EntityDescriptor>
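The metadata rules described above can be checked mechanically: a service URL is covered when it starts with the Location of a login-binding AssertionConsumerService, a pgtURL is accepted when it matches the Location of a proxy-binding AttributeService, and the KeyDescriptor certificates under the AttributeAuthorityDescriptor are the explicit TLS trust material for the proxy callback. The Python below is an added example, not code from the Shibboleth project or the page: it parses a constructed metadata snippet modelled on the entry above (with a placeholder string in place of a real certificate) and answers whether a given service URL or proxy callback URL is covered. It assumes plain string-prefix comparison for service URLs and exact string comparison for pgtURL, and it accepts both unqualified elements (as in the entry above) and elements in the SAML 2.0 metadata namespace.

```python
from dataclasses import dataclass, field
import xml.etree.ElementTree as ET

CAS_PROTOCOL = "https://www.apereo.org/cas/protocol"
LOGIN_BINDING = CAS_PROTOCOL + "/login"
PROXY_BINDING = CAS_PROTOCOL + "/proxy"
LOGOUT_BINDING = CAS_PROTOCOL + "/logout"
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample modelled on the metadata entry above (not taken from the
# page); the certificate text is a placeholder, not a real certificate.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD_NS}" xmlns:ds="{DS_NS}"
    entityID="https://alpha.example.org/">
  <SPSSODescriptor protocolSupportEnumeration="{CAS_PROTOCOL}">
    <AssertionConsumerService Binding="{LOGIN_BINDING}"
        Location="https://alpha.example.org/" index="1"/>
    <AssertionConsumerService Binding="{LOGIN_BINDING}"
        Location="https://alpha.dev.example.org/" index="2"/>
    <SingleLogoutService Binding="{LOGOUT_BINDING}"
        Location="https://not.used.invalid/"/>
  </SPSSODescriptor>
  <AttributeAuthorityDescriptor protocolSupportEnumeration="{CAS_PROTOCOL}">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-CERT-BASE64</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <AttributeService Binding="{PROXY_BINDING}"
        Location="https://alpha.example.org/proxy_receptor"/>
  </AttributeAuthorityDescriptor>
</EntityDescriptor>"""


@dataclass
class CasServiceDefinition:
    """What the IdP learns about one CAS service from its metadata entry."""
    entity_id: str
    login_prefixes: list = field(default_factory=list)   # ACS Locations, login binding
    proxy_callbacks: list = field(default_factory=list)  # AttributeService Locations, proxy binding
    proxy_tls_certs: list = field(default_factory=list)  # base64 certs from the KeyDescriptor
    logout_supported: bool = False


def _local(tag: str) -> str:
    """Local element name with any {namespace} prefix removed."""
    return tag.rsplit("}", 1)[-1]


def _supports_cas(role) -> bool:
    """protocolSupportEnumeration is space-separated; it MUST list the CAS protocol URI."""
    return CAS_PROTOCOL in role.get("protocolSupportEnumeration", "").split()


def parse_cas_service(metadata_xml: str) -> CasServiceDefinition:
    """Extract the CAS-relevant endpoints and trust material from an EntityDescriptor."""
    root = ET.fromstring(metadata_xml)
    defn = CasServiceDefinition(entity_id=root.get("entityID"))
    for role in root:
        if not _supports_cas(role):
            continue  # role descriptors for other protocols are ignored
        if _local(role.tag) == "SPSSODescriptor":
            for ep in role:
                name, binding = _local(ep.tag), ep.get("Binding")
                if name == "AssertionConsumerService" and binding == LOGIN_BINDING:
                    defn.login_prefixes.append(ep.get("Location"))
                elif name == "SingleLogoutService" and binding == LOGOUT_BINDING:
                    defn.logout_supported = True  # Location is deliberately not used
        elif _local(role.tag) == "AttributeAuthorityDescriptor":
            for ep in role:
                if _local(ep.tag) == "AttributeService" and ep.get("Binding") == PROXY_BINDING:
                    defn.proxy_callbacks.append(ep.get("Location"))
            # Every certificate under this role's KeyDescriptor is explicit TLS trust
            # for validating the proxy callback endpoint's server certificate.
            for elem in role.iter():
                if _local(elem.tag) == "X509Certificate" and elem.text:
                    defn.proxy_tls_certs.append("".join(elem.text.split()))
    return defn


def is_authorized_service(defn: CasServiceDefinition, service_url: str) -> bool:
    """Service URL is covered when it starts with some login ACS Location (prefix rule)."""
    return any(prefix and service_url.startswith(prefix) for prefix in defn.login_prefixes)


def is_valid_proxy_callback(defn: CasServiceDefinition, pgt_url: str) -> bool:
    """pgtURL must match an advertised proxy AttributeService Location (assumed exact match)."""
    return pgt_url in defn.proxy_callbacks


if __name__ == "__main__":
    d = parse_cas_service(SAMPLE_METADATA)
    print(d.entity_id, d.login_prefixes, d.proxy_callbacks, d.logout_supported)
    print(is_authorized_service(d, "https://alpha.example.org/app/?ticket=x"))
    print(is_valid_proxy_callback(d, "https://alpha.example.org/proxy_receptor"))
```

The trailing slash on each Location matters under the prefix rule: https://alpha.example.org/ covers https://alpha.example.org/app/ but not a host whose name merely begins with alpha.example.org, whereas a Location without the slash would cover both; the assertions below exercise that boundary.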