...
Configure Proxy Trust (Optional)
The IdP uses the PKIX trust model to validate a service that requests a proxy ticket. When the service provides a pgtUrl protocol parameter at ticket validation time and the service is authorized to proxy, the IdP attempts an HTTP HTTPS connection to that URL. (The IdP will immediately reject a non-HTTPS proxy callback URL.) Note that the URL is not necessarily the same as that of the requesting service; they are logically separate to allow configuration of different certificate credentials (among other reasons). The The proxy callback endpoint must present a certificate that is trusted by the IdP, which requires explicit configuration. The ; in other words, the IdP does not use the default Java truststore for this purpose trust material since that would not provide adequate security. The IdP configuration machinery for proxy trust is designed to force deployers to consider what hosts they trust. While this approach requires more effort, it provides the additional security intended for proxy validation.
There are two approaches to proxy trust configuration:
- List the end-entity certificates of the hosts that are permitted to proxy.
- List the issuer certificates of hosts that are permitted to proxy.
The second approach only provides meaningful security when you have a small number of certificate authorities that issue Web server certificates with a high degree of identity vetting. If that requirement is not met, configuring end-entity certificates is the recommended approach, but it obviously comes at the cost of additional maintenance as certificates are replaced on the proxying endpoints.
CAS proxy trust is configured in relying-party.xml as part of the profile configuration for a particular relying party. The following configuration excerpt demonstrates configuring CAS to accept proxy callback certificates issued by a handful of trusted issuers for the default relying party.
| Code Block | ||||
|---|---|---|---|---|
| ||||
<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
<property name="profileConfigurations">
<list>
<ref bean="Shibboleth.SSO" />
<ref bean="SAML1.AttributeQuery" />
<ref bean="SAML1.ArtifactResolution" />
<ref bean="SAML2.SSO" />
<ref bean="SAML2.ECP" />
<ref bean="SAML2.Logout" />
<ref bean="SAML2.AttributeQuery" />
<ref bean="SAML2.ArtifactResolution" />
<ref bean="CAS.LoginConfiguration" />
<ref bean="CAS.ProxyConfiguration" />
<ref bean="CAS.ValidateConfiguration.default" />
</list>
</property>
</bean>
<bean id="CAS.ValidateConfiguration.default" parent="CAS.ValidateConfiguration">
<property name="securityConfiguration">
<bean class="net.shibboleth.idp.profile.config.SecurityConfiguration"
c:skew="PT5M"
p:clientTLSValidationConfiguration-ref="standardProxyTLSConfig">
<constructor-arg name="generator">
<bean class="net.shibboleth.idp.cas.ticket.impl.TicketIdentifierGenerationStrategy"
c:prefix="PGT"
c:randomLength="50" />
</constructor-arg>
</bean>
</property>
</bean>
<bean id="standardProxyTLSConfig"
class="org.opensaml.security.x509.tls.impl.BasicClientTLSValidationConfiguration">
<property name="x509TrustEngine">
<bean class="org.opensaml.security.x509.impl.PKIXX509CredentialTrustEngine" c:nameEvaluator="#{null}">
<constructor-arg name="resolver">
<bean class="org.opensaml.security.x509.impl.StaticPKIXValidationInformationResolver" c:names="#{null}">
<constructor-arg name="info">
<bean class="org.opensaml.security.x509.impl.BasicPKIXValidationInformation" c:crls="#{null}" c:depth="5">
<constructor-arg name="anchors">
<list>
<bean class="net.shibboleth.ext.spring.factory.X509CertificateFactoryBean"
p:resource="%{idp.home}/credentials/vtgsca.pem" />
<bean class="net.shibboleth.ext.spring.factory.X509CertificateFactoryBean"
p:resource="%{idp.home}/credentials/vtgqsca.pem" />
<bean class="net.shibboleth.ext.spring.factory.X509CertificateFactoryBean"
p:resource="%{idp.home}/credentials/vtgqsca256.pem" />
</list>
</constructor-arg>
</bean>
</constructor-arg>
</bean>
</constructor-arg>
<constructor-arg name="pkixEvaluator">
<bean class="org.opensaml.security.x509.impl.CertPathPKIXTrustEvaluator" />
</constructor-arg>
</bean>
</property>
</bean> |
Service Ticket Expiration (Optional)
CAS Service tickets issued by the Shibboleth IdP are single use tickets with a default validity period of 15 seconds. It is possible to extend the validity period by altering the profile configuration in relying-party.xml as follows:
...
| language | xml |
|---|
...
is justified on a few counts:
- Proxying is a substantial increase in authorization afforded to a service.
- The callback endpoint receives a credential, so authentication and trust are paramount.
- TLS authentication is the sole authentication mechanism used to authenticate proxy callback endpoints.
Since certificate trust underpins the last point, it requires adequate treatment to garner meaningful security. The IdP offers two approaches to proxy trust configuration in order of decreasing security:
- Registering service-specific end-entity certificates via SAML metadata.3.4
- PKIX validation of issuer certificates.
- Configure via relying-party.xml 3.0,3.1,3.2,3.3
- Configure via cas-protocol.xml 3.4
The second approach only provides meaningful security when you have a small number of certificate authorities that issue Web server certificates with a high degree of identity vetting. If that requirement is not met, configuring end-entity certificates via metadata is the recommended approach.
Alternate cas:user in the validation response (Optional)
CAS validation responses include the user's username. This is generally the normalized username the user logged in with. It is possible to substitute the username in the response with a value from another IdP attribute using the p:userAttribute attribute of CAS.ValidateConfiguration profile in a Relying Party Override.
...