...
- Single sign-on via SPSSODescriptor with one or more AssertionConsumerService elements of binding https://www.apereo.org/cas/protocol/login
- Proxy via SPSSODescriptor with one or more AssertionConsumerService elements of binding https://www.apereo.org/cas/protocol/proxy
- Single sign-out via SPSSODescriptor with a single SingleLogoutService element of binding https://www.apereo.org/cas/protocol/logout

The following sections describe the specific metadata requirements for each type of protocol operation.
...
- Contains one or more AssertionConsumerService elements that MUST have the following attributes:
  - Binding attribute with value of https://www.apereo.org/cas/protocol/login.
  - Location attribute with a URL such that some subset of service URLs start with the given value. ACS endpoints are repeated with varying Location attributes until the full set of service URLs is covered. Because the comparison is a plain string prefix match, end each Location with a path separator (https://alpha.example.org/ rather than https://alpha.example.org) so that it cannot also match a service URL on a host whose name merely begins with the same characters.
CAS Proxy
An entity advertises support for the CAS proxy protocol with an SPSSODescriptor that has the following characteristics:
- MUST include https://www.apereo.org/cas/protocol in the protocolSupportEnumeration attribute.
- Contains one or more AssertionConsumerService elements that MUST have the following attributes:
  - Binding attribute with value of https://www.apereo.org/cas/protocol/proxy.
  - Location attribute that matches the pgtURL protocol parameter. The presented protocol parameter value will be verified against this value as part of proxy callback URL validation, so the Location must be the callback URL the service actually sends rather than a prefix of it.
- MAY define one or more signing certificates in the KeyDescriptor element that will be used as explicit TLS trust material when validating the certificate presented by the proxy callback endpoint. Because this trust is explicit, the metadata must be updated whenever the callback endpoint's certificate is rotated, or proxy callbacks will fail validation.
...
An entity advertises support for the CAS single sign-out protocol by adding a SingleLogoutService endpoint to an SPSSODescriptor that supports CAS single sign-on. The SingleLogoutService has the following characteristics:
- Binding attribute with value of https://www.apereo.org/cas/protocol/logout.
- Location attribute with value of urn:mace:shibboleth:profile:CAS:logout. The attribute is required by the schema, but its value is not used as a destination: the protocol sends the logout message to the same service URL to which the service ticket was delivered. A URN is used to indicate that the logout URL is dynamic and varies with the service URL to which a ticket was issued for SSO.
Example Metadata
An example representing a typical CAS entity follows:
```xml
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                  entityID="https://alpha.example.org/">
  <SPSSODescriptor protocolSupportEnumeration="https://www.apereo.org/cas/protocol">
    <!-- Following certs are for defining explicit CAS proxy TLS trust -->
    <KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>
MIIDODCCAiCgAwIBAgIJAKpLQTw/WPXCMA0GCSqGSIb3DQEBCwUAMBwxGjAYBgNV
BAMTEWFscGhhLmV4YW1wbGUub3JnMB4XDTE4MDYxODE2NDE0NVoXDTE4MDcxODE2
NDE0NVowHDEaMBgGA1UEAxMRYWxwaGEuZXhhbXBsZS5vcmcwggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQDHSzRUcM0WBtAjR3P1vHYkaaATjNKTxbNHn3zS
3mLnEgukOVFrr+cRByKKUQQb8MIPkuvKrz3lnoCoOwlFMRPigtChjo3UJGTYEMY9
2SQQr24U6nE/3d2qFaf2PNIW1SinSjxbE1xeT0bdLcTZHUcE2yEfHKFhcgXIJprv
R1ceBJBvYYnATuPgUxMjq2ks4kXxG0nNlT13QwBfykBv6I1Wkkc06mEvkMzKNtzr
ayBK1PygVBNVMUQAFn7Tv6c28BtVLFE9SIKj+5ZcpuWkujVNJF1dYdNmfAz3PiuE
dPt2yl3t2r/v4CP+U8kBlQs6A83xYrA0MsHnUYOrfL3UTWtZAgMBAAGjfTB7MB0G
A1UdDgQWBBT/5yBm3mXtsYDvz11kTHsPVGeRcDBMBgNVHSMERTBDgBT/5yBm3mXt
sYDvz11kTHsPVGeRcKEgpB4wHDEaMBgGA1UEAxMRYWxwaGEuZXhhbXBsZS5vcmeC
CQCqS0E8P1j1wjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAb/o/M
mt/nSHOfcjnNJS/LpouaewkoWkQn+FaXZOOvHDYhWur+mHVDpjoszUfgrTX2npmL
e8Q94bHd+cQrJpZFiYRX8l0p7dAH5Q6Ya/AnHuzGeyQ9fXiDMSWcsg2INcWi7oL9
h9+V3idcSzgAo1b7+ESSToPj7OG8tgjEp2C9jy0IKEwoApuQtRzxD1XHZFBFwwuH
nIXWxgctJPU1C+1W9b4bkFSyEGz8/HM7D9feDHbn2AKuRgd99aaOY9D59topf2Zg
t5sUTWWl54eaF5qoXKY/jdl84Tnmo8GeUufCrS0T6YQGI1LTpicPbqf7zHihQTao
I1TQuJgghwPvPE9x
          </ds:X509Certificate>
        </ds:X509Data>
        <ds:X509Data>
          <ds:X509Certificate>
MIIDRTCCAi2gAwIBAgIJAJWAmqfrwZdvMA0GCSqGSIb3DQEBCwUAMCAxHjAcBgNV
BAMTFWFscGhhLmRldi5leGFtcGxlLm9yZzAeFw0xODA2MTgxNjUwMThaFw0xODA3
MTgxNjUwMThaMCAxHjAcBgNVBAMTFWFscGhhLmRldi5leGFtcGxlLm9yZzCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMdLNFRwzRYG0CNHc/W8diRpoBOM
0pPFs0effNLeYucSC6Q5UWuv5xEHIopRBBvwwg+S68qvPeWegKg7CUUxE+KC0KGO
jdQkZNgQxj3ZJBCvbhTqcT/d3aoVp/Y80hbVKKdKPFsTXF5PRt0txNkdRwTbIR8c
oWFyBcgmmu9HVx4EkG9hicBO4+BTEyOraSziRfEbSc2VPXdDAF/KQG/ojVaSRzTq
YS+QzMo23OtrIErU/KBUE1UxRAAWftO/pzbwG1UsUT1IgqP7llym5aS6NU0kXV1h
02Z8DPc+K4R0+3bKXe3av+/gI/5TyQGVCzoDzfFisDQywedRg6t8vdRNa1kCAwEA
AaOBgTB/MB0GA1UdDgQWBBT/5yBm3mXtsYDvz11kTHsPVGeRcDBQBgNVHSMESTBH
gBT/5yBm3mXtsYDvz11kTHsPVGeRcKEkpCIwIDEeMBwGA1UEAxMVYWxwaGEuZGV2
LmV4YW1wbGUub3JnggkAlYCap+vBl28wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0B
AQsFAAOCAQEAZJvp0luHvSlb1pSNpH1roT3R35FyZc+rLJWzmtVAdjt0eQU4q6da
/lQ/83ntRj82GOxZEbyJwyhXLaav2nTe7N+wQoz6maTYXMX8Q9DZVLihy1SSrCY6
bLi2+byxKORw9GXrVaul8yckElyvx2HxMg8iXcLmuG1pVb1bk8BlnwHNDPZYTNMY
iPgHtdsquziKrb08y/fjNiyeEIFlHloK+b4jggjOUbQ/jTkLkG6mkRQwu1NolvvB
BBr0q/P8Z86TMmdp1deZEqQMVY6uWNgVs5Ci0piyQdKJjOvaGE/XXItD8blH3d4O
SsADjh/HEFpp0Pu5ypQNryzdNL+6sw4XyQ==
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <AssertionConsumerService Binding="https://www.apereo.org/cas/protocol/login"
                              Location="https://alpha.example.org/" index="1"/>
    <AssertionConsumerService Binding="https://www.apereo.org/cas/protocol/login"
                              Location="https://alpha.dev.example.org/" index="2"/>
    <AssertionConsumerService Binding="https://www.apereo.org/cas/protocol/proxy"
                              Location="https://alpha.example.org/proxy_receptor" index="3"/>
    <SingleLogoutService Binding="https://www.apereo.org/cas/protocol/logout"
                         Location="urn:mace:shibboleth:profile:CAS:logout"/>
  </SPSSODescriptor>
</EntityDescriptor>
```
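The three matching rules from the single sign-on, proxy and single sign-out sections above (prefix match of the service URL against login ACS Locations, matching pgtURL against the proxy-binding ACS Location, and sending the logout message to the service URL rather than to the SLO Location) applied to a constructed metadata document. This is an added example written for this page, not Shibboleth IdP code: the namespace declarations, the placeholder certificate value, the function names and the use of an exact string comparison for pgtURL (the page says only that the parameter is verified against the Location) are this example's assumptions.

```python
"""Resolving CAS endpoints from SAML metadata.

Added example, not Shibboleth IdP code. It applies the matching rules the
metadata sections describe to a constructed document; the namespaces, URLs,
placeholder certificate and exact-match semantics for pgtURL are assumptions.
"""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
CAS_PROTOCOL = "https://www.apereo.org/cas/protocol"
LOGIN_BINDING = CAS_PROTOCOL + "/login"
PROXY_BINDING = CAS_PROTOCOL + "/proxy"
LOGOUT_BINDING = CAS_PROTOCOL + "/logout"

# Constructed metadata for this example; the X509Certificate content is a
# placeholder string, not a real certificate.
METADATA = f"""<EntityDescriptor xmlns="{MD}" xmlns:ds="{DS}" entityID="https://alpha.example.org/">
  <SPSSODescriptor protocolSupportEnumeration="{CAS_PROTOCOL}">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        UExBQ0VIT0xERVI=
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <AssertionConsumerService Binding="{LOGIN_BINDING}" Location="https://alpha.example.org/" index="1"/>
    <AssertionConsumerService Binding="{LOGIN_BINDING}" Location="https://alpha.dev.example.org/" index="2"/>
    <AssertionConsumerService Binding="{PROXY_BINDING}" Location="https://alpha.example.org/proxy_receptor" index="3"/>
    <SingleLogoutService Binding="{LOGOUT_BINDING}" Location="urn:mace:shibboleth:profile:CAS:logout"/>
  </SPSSODescriptor>
</EntityDescriptor>"""

ROOT = ET.fromstring(METADATA)


def cas_descriptors(root, entity_id=None):
    """Yield (entityID, SPSSODescriptor) pairs whose descriptor advertises the CAS protocol."""
    for ed in root.iter(f"{{{MD}}}EntityDescriptor"):
        if entity_id is not None and ed.get("entityID") != entity_id:
            continue
        for sp in ed.findall(f"{{{MD}}}SPSSODescriptor"):
            if CAS_PROTOCOL in sp.get("protocolSupportEnumeration", "").split():
                yield ed.get("entityID"), sp


def locations(sp, tag, binding):
    """Location values of one endpoint type, restricted to a single CAS binding."""
    return [e.get("Location") for e in sp.findall(f"{{{MD}}}{tag}") if e.get("Binding") == binding]


def match_service(root, service_url):
    """CAS SSO: the service URL must start with a login-binding ACS Location.

    Returns the entityID of the matching entity, or None. The comparison is a
    plain string prefix, so a Location ending in "/" does not match a service
    URL on a host such as alpha.example.org.attacker.example.
    """
    for entity_id, sp in cas_descriptors(root):
        for loc in locations(sp, "AssertionConsumerService", LOGIN_BINDING):
            if service_url.startswith(loc):
                return entity_id
    return None


def proxy_callback_allowed(root, entity_id, pgt_url):
    """CAS proxy: pgtURL must equal a proxy-binding ACS Location (exact match assumed here)."""
    for _, sp in cas_descriptors(root, entity_id):
        if pgt_url in locations(sp, "AssertionConsumerService", PROXY_BINDING):
            return True
    return False


def proxy_trust_anchors(root, entity_id):
    """Signing certificates from KeyDescriptor, re-wrapped as PEM for use as explicit TLS trust."""
    pems = []
    for _, sp in cas_descriptors(root, entity_id):
        for kd in sp.findall(f"{{{MD}}}KeyDescriptor"):
            if kd.get("use", "signing") != "signing":   # no "use" means any use
                continue
            for cert in kd.iter(f"{{{DS}}}X509Certificate"):
                b64 = "".join((cert.text or "").split())
                body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
                pems.append(f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n")
    return pems


def logout_destination(root, entity_id, service_url):
    """CAS single sign-out: with a logout-binding SLO endpoint present, the logout
    message goes to the service URL the ticket was issued to, not to the SLO Location."""
    for _, sp in cas_descriptors(root, entity_id):
        if locations(sp, "SingleLogoutService", LOGOUT_BINDING):
            return service_url
    return None


if __name__ == "__main__":
    print(match_service(ROOT, "https://alpha.example.org/app/login"))
    print(match_service(ROOT, "https://alpha.example.org.attacker.example/app"))
    print(proxy_callback_allowed(ROOT, "https://alpha.example.org/", "https://alpha.example.org/proxy_receptor"))
```

The second print shows why the trailing slash on a login ACS Location matters: the attacker-controlled host name is not matched because the prefix ends at the path separator. Dropping the slash from the Location would make that call return the entityID.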