Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


  1. Registration of service-specific end-entity certificates via SAML metadata. 3.4
  2. PKIX validation of end-entity certificates based on a set of CA trust anchors.
    1. Configure via relying-party.xml 3.0,3.1,3.2,3.3
    2. Configure via cas-protocol.xml 3.4.2

The second approach only provides meaningful security when you have a small number of certificate authorities that issue Web server certificates with a high degree of identity vetting. If that requirement is not met, configuring end-entity certificates via metadata is the recommended approach.