
Code block (xml): CAS Proxy Trust in relying-party.xml
     <!-- Profile set for the default relying party. The CAS validate profile referenced at the end of the
          list is the locally defined CAS.ValidateConfiguration.default bean (declared further down), whose
          securityConfiguration carries the TLS trust used for CAS proxy callbacks. -->
     <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
        <property name="profileConfigurations">
            <list>
                <ref bean="Shibboleth.SSO" />
                <ref bean="SAML1.AttributeQuery" />
                <ref bean="SAML1.ArtifactResolution" />
                <ref bean="SAML2.SSO" />
                <ref bean="SAML2.ECP" />
                <ref bean="SAML2.Logout" />
                <ref bean="SAML2.AttributeQuery" />
                <ref bean="SAML2.ArtifactResolution" />
                <ref bean="CAS.LoginConfiguration" />
                <ref bean="CAS.ProxyConfiguration" />
                <!-- Stands in for the stock CAS.ValidateConfiguration bean (its parent) so that proxy-callback
                     TLS validation can be configured explicitly. -->
                <ref bean="CAS.ValidateConfiguration.default" />
            </list>
        </property>
    </bean>
    <!-- CAS validate profile with a custom SecurityConfiguration. The clientTLSValidationConfiguration
         property wires in standardProxyTLSConfig (defined below), which decides whether the certificate
         presented by a CAS proxy callback endpoint is trusted. -->
    <bean id="CAS.ValidateConfiguration.default" parent="CAS.ValidateConfiguration">
        <property name="securityConfiguration">
            <!-- skew: ISO 8601 duration (5 minutes); presumably the tolerated clock skew, confirm against
                 SecurityConfiguration before changing it. -->
            <bean class="net.shibboleth.idp.profile.config.SecurityConfiguration"
                  c:skew="PT5M"
                  p:clientTLSValidationConfiguration-ref="standardProxyTLSConfig">
                <!-- Ticket identifier generator: fixed "PGT" prefix plus a random portion of length 50
                     (units as defined by TicketIdentifierGenerationStrategy). Ticket unguessability rests on
                     this random portion, so do not shorten randomLength. -->
                <constructor-arg name="generator">
                    <bean class="net.shibboleth.idp.cas.ticket.impl.TicketIdentifierGenerationStrategy"
                          c:prefix="PGT"
                          c:randomLength="50" />
                </constructor-arg>
            </bean>
        </property>
    </bean>
    <!-- Client TLS validation for CAS proxy callbacks: the peer's certificate must chain, via PKIX path
         validation, to one of the trust anchors listed below. -->
    <bean id="standardProxyTLSConfig"
          class="org.opensaml.security.x509.tls.impl.BasicClientTLSValidationConfiguration">
        <property name="x509TrustEngine">
            <!-- nameEvaluator is null: no subject/SAN name evaluation is configured, so the trust decision
                 does not compare the certificate's name with the callback host. NOTE(review): this is only
                 appropriate when the anchors below are private CAs that issue solely to trusted proxy hosts. -->
            <bean class="org.opensaml.security.x509.impl.PKIXX509CredentialTrustEngine" c:nameEvaluator="#{null}">
                <constructor-arg name="resolver">
                    <!-- names is null: no trusted-name constraints are supplied to the resolver, consistent with
                         the null nameEvaluator above. -->
                    <bean class="org.opensaml.security.x509.impl.StaticPKIXValidationInformationResolver" c:names="#{null}">
                        <constructor-arg name="info">
                            <!-- crls is null: no CRLs are supplied, so revocation is not checked against a CRL
                                 here. depth caps the accepted certificate chain length at 5. -->
                            <bean class="org.opensaml.security.x509.impl.BasicPKIXValidationInformation" c:crls="#{null}" c:depth="5">
                                <!-- Trust anchors: only certificates chaining to these CA files under
                                     %{idp.home}/credentials are accepted. The file names are site-specific;
                                     point them at the CA(s) that issue your proxy callback certificates. -->
                                <constructor-arg name="anchors">
                                    <list>
                                        <bean class="net.shibboleth.ext.spring.factory.X509CertificateFactoryBean"
                                              p:resource="%{idp.home}/credentials/vtgsca.pem" />
                                        <bean class="net.shibboleth.ext.spring.factory.X509CertificateFactoryBean"
                                              p:resource="%{idp.home}/credentials/vtgqsca.pem" />
                                        <bean class="net.shibboleth.ext.spring.factory.X509CertificateFactoryBean"
                                              p:resource="%{idp.home}/credentials/vtgqsca256.pem" />
                                    </list>
                                </constructor-arg>
                            </bean>
                        </constructor-arg>
                    </bean>
                </constructor-arg>
                <!-- PKIX path evaluator (CertPath based, per the class name) that performs the chain check
                     against the information resolved above. -->
                <constructor-arg name="pkixEvaluator">
                    <bean class="org.opensaml.security.x509.impl.CertPathPKIXTrustEvaluator" />
                </constructor-arg>
            </bean>
        </property>
    </bean>

Service Ticket Expiration (Optional)

CAS service tickets issued by the Shibboleth IdP are single-use tickets with a default validity period of 15 seconds. The validity period can be extended by altering the profile configuration in relying-party.xml as follows:
