
Note

This configuration method applies to IdP V3.4.0 and later. Note that the example below differs from the example shipped with the software: it accounts for a bug introduced with the security patch in this version.

The issuers of the end-entity certificates presented by proxy callback endpoints can be trusted globally by placing their PEM-encoded certificates on the IdP filesystem and referencing them from the following list in conf/cas-protocol.xml:

```xml
<!--
   | Define the list of static certificates that you trust to secure CAS proxy callback endpoints.
   | Typically these are CA certificates and apply to _all_ CAS proxy callback endpoints.
   | This facility complements the capability to supply relying-party-specific certificates in SAML metadata,
   | which is the preferred mechanism to specify CAS proxy trust material. In the case of metadata, self-signed
   | certificates are recommended.
   -->
<util:list id="shibboleth.CASProxyTrustedCertificates">
    <!--
    <bean class="net.shibboleth.ext.spring.factory.X509CertificateFactoryBean">
        <property name="resource">
            <value>%{idp.home}/credentials/your_ca.pem</value>
        </property>
    </bean>
    -->
</util:list>
```

Every certificate in this list is trusted globally: any proxy callback endpoint, for any relying party, that presents a certificate issued by one of the registered issuers is trusted. Registering a public CA here therefore trusts every endpoint that holds a certificate from that CA; relying-party-specific trust belongs in SAML metadata, as the comment above notes.