...
- Registration of service-specific end-entity certificates via SAML metadata (version 3.4).
- PKIX validation of end-entity certificates based on a set of CA trust anchors:
  - Configure via relying-party.xml (versions 3.0, 3.1, 3.2, 3.3).
  - Configure via cas-protocol.xml (version 3.4.2).
The second approach (PKIX validation) only provides meaningful security when the trust anchors are a small number of certificate authorities that issue Web server certificates with a high degree of identity vetting. If that requirement is not met, registering service-specific end-entity certificates via SAML metadata is the recommended approach.
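The following metadata fragment is an added illustration of the recommended approach (not taken from the original page or from the product's own documentation): the service's end-entity certificate is bound to its entityID in a KeyDescriptor, so only that exact certificate is accepted for that service, independent of which CA issued it. The entityID, the certificate placeholder and the CAS protocol/binding URIs are assumptions for illustration.

```xml
<!-- Added example: registering one service's own certificate in SAML metadata. -->
<!-- entityID and Location values are constructed for illustration. -->
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                     entityID="https://service.example.org/">
  <!-- Assumed: the CAS service role is expressed as an SPSSODescriptor with this protocol URI. -->
  <md:SPSSODescriptor protocolSupportEnumeration="https://www.apereo.org/cas/protocol">
    <!-- The certificate is pinned to this entity; CA trust anchors play no part in the decision. -->
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <!-- PLACEHOLDER: base64 DER of the service's end-entity certificate, not a real certificate. -->
          <ds:X509Certificate>MIIC...SERVICE_CERTIFICATE_PLACEHOLDER...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <!-- Assumed binding URI for the service's CAS login endpoint. -->
    <md:AssertionConsumerService index="1"
        Binding="https://www.apereo.org/cas/protocol/login"
        Location="https://service.example.org/login"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
```

When the service rotates its certificate, the metadata entry (not a CA trust list) is what must be updated, which keeps the set of accepted certificates explicit and auditable per service.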
...