...

Since certificate trust underpins the last point, it needs careful treatment to provide meaningful security. The IdP offers two approaches to proxy trust configuration, listed in order of decreasing security:

  1. Registration of service-specific end-entity certificates via SAML metadata (3.4).
  2. PKIX validation of end-entity certificates based on a set of CA trust anchors.
    1. Configured via relying-party.xml (3.0 through 3.3).
    2. Configured via cas-protocol.xml (3.4.2).

The second approach only provides meaningful security when the trust anchors are a small number of certificate authorities that issue Web server certificates with a high degree of identity vetting, because any end-entity certificate that chains to one of those anchors is accepted, regardless of which service it belongs to. If that requirement is not met, registering end-entity certificates via metadata is the recommended approach.

...