...
In IdP versions prior to 3.4.0, the ProxyAuthenticator interface was available for advanced proxy endpoint validation. The file conf/cas-protocol.xml offered a user space configuration point to wire in a third-party component that implemented that interface.
As of IdP 3.4.0 this component is deprecated in favor of ProxyValidator which provides access to the context tree via an instance of ProfileRequestContext. This offers the ability for far more complex validation strategies based on all accumulated information about a relying party; most notably, it offers access to relying party metadata. The default implementation offers a secure and flexible method for deriving trust material to authenticate the endpoint via TLS negotiation that should be sufficient for all deployers. While third-party components that extend ProxyAuthenticator will still compile, they are not wired into the CAS proxy flows. Moreover, all user-space configuration points other than the interface itself have been removed intentionally to discourage extending proxy validation behavior.