Page Comparison

...

1. Registration of service-specific end-entity certificates via SAML metadata. ^3.4
2. PKIX validation of end-entity certificates based on a set of CA trust anchors.
   
   1. Configure via relying-party.xml ^{3.0,3.1,3.2,3.3}
   2. Configure via cas-protocol.xml ^3.4.2

The second approach only provides meaningful security when you have a small number of certificate authorities that issue Web server certificates with a high degree of identity vetting. If that requirement is not met, configuring end-entity certificates via metadata is the recommended approach.

...