SAML Metadata Profile

IdP 3.4.0 supports adding CAS protocol endpoints to SAML metadata entries. CAS protocol endpoints are naturally SP elements and define <SPSSODescriptor> elements accordingly. An SP entity advertising CAS support has the following characteristics:

  • The <SPSSODescriptor> element MUST include https://www.apereo.org/cas/protocol in its protocolSupportEnumeration attribute.
  • The <SPSSODescriptor> contains one or more <AssertionConsumerService> elements that MUST have the following attributes:
    • Binding attribute with the value https://www.apereo.org/cas/protocol/login.
    • Location attribute whose value is a URL prefix: a service URL is covered when it starts with that value. <AssertionConsumerService> elements are repeated with different Location values until the full set of service URLs is covered.
  • A <SingleLogoutService> endpoint MAY be included to signal the intent to participate in single logout; the Binding URI for a CAS logout endpoint is https://www.apereo.org/cas/protocol/logout.
  • The presence of one or more signing certificates in the <EntityDescriptor> element is an implicit signal to grant authorization for the service to request CAS proxy-granting tickets.

Example Metadata

An example representing a typical CAS entity follows:

CAS Metadata Entry
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://alpha.example.org/">
    <SPSSODescriptor protocolSupportEnumeration="https://www.apereo.org/cas/protocol">
        <KeyDescriptor use="signing">
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>
                        MIIDODCCAiCgAwIBAgIJAKpLQTw/WPXCMA0GCSqGSIb3DQEBCwUAMBwxGjAYBgNV
                        BAMTEWFscGhhLmV4YW1wbGUub3JnMB4XDTE4MDYxODE2NDE0NVoXDTE4MDcxODE2
                        NDE0NVowHDEaMBgGA1UEAxMRYWxwaGEuZXhhbXBsZS5vcmcwggEiMA0GCSqGSIb3
                        DQEBAQUAA4IBDwAwggEKAoIBAQDHSzRUcM0WBtAjR3P1vHYkaaATjNKTxbNHn3zS
                        3mLnEgukOVFrr+cRByKKUQQb8MIPkuvKrz3lnoCoOwlFMRPigtChjo3UJGTYEMY9
                        2SQQr24U6nE/3d2qFaf2PNIW1SinSjxbE1xeT0bdLcTZHUcE2yEfHKFhcgXIJprv
                        R1ceBJBvYYnATuPgUxMjq2ks4kXxG0nNlT13QwBfykBv6I1Wkkc06mEvkMzKNtzr
                        ayBK1PygVBNVMUQAFn7Tv6c28BtVLFE9SIKj+5ZcpuWkujVNJF1dYdNmfAz3PiuE
                        dPt2yl3t2r/v4CP+U8kBlQs6A83xYrA0MsHnUYOrfL3UTWtZAgMBAAGjfTB7MB0G
                        A1UdDgQWBBT/5yBm3mXtsYDvz11kTHsPVGeRcDBMBgNVHSMERTBDgBT/5yBm3mXt
                        sYDvz11kTHsPVGeRcKEgpB4wHDEaMBgGA1UEAxMRYWxwaGEuZXhhbXBsZS5vcmeC
                        CQCqS0E8P1j1wjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAb/o/M
                        mt/nSHOfcjnNJS/LpouaewkoWkQn+FaXZOOvHDYhWur+mHVDpjoszUfgrTX2npmL
                        e8Q94bHd+cQrJpZFiYRX8l0p7dAH5Q6Ya/AnHuzGeyQ9fXiDMSWcsg2INcWi7oL9
                        h9+V3idcSzgAo1b7+ESSToPj7OG8tgjEp2C9jy0IKEwoApuQtRzxD1XHZFBFwwuH
                        nIXWxgctJPU1C+1W9b4bkFSyEGz8/HM7D9feDHbn2AKuRgd99aaOY9D59topf2Zg
                        t5sUTWWl54eaF5qoXKY/jdl84Tnmo8GeUufCrS0T6YQGI1LTpicPbqf7zHihQTao
                        I1TQuJgghwPvPE9x
                    </ds:X509Certificate>
                </ds:X509Data>
                <ds:X509Data>
                    <ds:X509Certificate>
                        MIIDRTCCAi2gAwIBAgIJAJWAmqfrwZdvMA0GCSqGSIb3DQEBCwUAMCAxHjAcBgNV
                        BAMTFWFscGhhLmRldi5leGFtcGxlLm9yZzAeFw0xODA2MTgxNjUwMThaFw0xODA3
                        MTgxNjUwMThaMCAxHjAcBgNVBAMTFWFscGhhLmRldi5leGFtcGxlLm9yZzCCASIw
                        DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMdLNFRwzRYG0CNHc/W8diRpoBOM
                        0pPFs0effNLeYucSC6Q5UWuv5xEHIopRBBvwwg+S68qvPeWegKg7CUUxE+KC0KGO
                        jdQkZNgQxj3ZJBCvbhTqcT/d3aoVp/Y80hbVKKdKPFsTXF5PRt0txNkdRwTbIR8c
                        oWFyBcgmmu9HVx4EkG9hicBO4+BTEyOraSziRfEbSc2VPXdDAF/KQG/ojVaSRzTq
                        YS+QzMo23OtrIErU/KBUE1UxRAAWftO/pzbwG1UsUT1IgqP7llym5aS6NU0kXV1h
                        02Z8DPc+K4R0+3bKXe3av+/gI/5TyQGVCzoDzfFisDQywedRg6t8vdRNa1kCAwEA
                        AaOBgTB/MB0GA1UdDgQWBBT/5yBm3mXtsYDvz11kTHsPVGeRcDBQBgNVHSMESTBH
                        gBT/5yBm3mXtsYDvz11kTHsPVGeRcKEkpCIwIDEeMBwGA1UEAxMVYWxwaGEuZGV2
                        LmV4YW1wbGUub3JnggkAlYCap+vBl28wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0B
                        AQsFAAOCAQEAZJvp0luHvSlb1pSNpH1roT3R35FyZc+rLJWzmtVAdjt0eQU4q6da
                        /lQ/83ntRj82GOxZEbyJwyhXLaav2nTe7N+wQoz6maTYXMX8Q9DZVLihy1SSrCY6
                        bLi2+byxKORw9GXrVaul8yckElyvx2HxMg8iXcLmuG1pVb1bk8BlnwHNDPZYTNMY
                        iPgHtdsquziKrb08y/fjNiyeEIFlHloK+b4jggjOUbQ/jTkLkG6mkRQwu1NolvvB
                        BBr0q/P8Z86TMmdp1deZEqQMVY6uWNgVs5Ci0piyQdKJjOvaGE/XXItD8blH3d4O
                        SsADjh/HEFpp0Pu5ypQNryzdNL+6sw4XyQ==
                    </ds:X509Certificate>
                </ds:X509Data>
                <ds:X509Data>
                    <ds:X509Certificate>
                        MIIDSTCCAjGgAwIBAgIJAI01q+m9qC5gMA0GCSqGSIb3DQEBCwUAMCExHzAdBgNV
                        BAMTFmFscGhhLnRlc3QuZXhhbXBsZS5vcmcwHhcNMTgwNjE4MTY1MDQzWhcNMTgw
                        NzE4MTY1MDQzWjAhMR8wHQYDVQQDExZhbHBoYS50ZXN0LmV4YW1wbGUub3JnMIIB
                        IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx0s0VHDNFgbQI0dz9bx2JGmg
                        E4zSk8WzR5980t5i5xILpDlRa6/nEQciilEEG/DCD5Lryq895Z6AqDsJRTET4oLQ
                        oY6N1CRk2BDGPdkkEK9uFOpxP93dqhWn9jzSFtUop0o8WxNcXk9G3S3E2R1HBNsh
                        HxyhYXIFyCaa70dXHgSQb2GJwE7j4FMTI6tpLOJF8RtJzZU9d0MAX8pAb+iNVpJH
                        NOphL5DMyjbc62sgStT8oFQTVTFEABZ+07+nNvAbVSxRPUiCo/uWXKblpLo1TSRd
                        XWHTZnwM9z4rhHT7dspd7dq/7+Aj/lPJAZULOgPN8WKwNDLB51GDq3y91E1rWQID
                        AQABo4GDMIGAMB0GA1UdDgQWBBT/5yBm3mXtsYDvz11kTHsPVGeRcDBRBgNVHSME
                        SjBIgBT/5yBm3mXtsYDvz11kTHsPVGeRcKElpCMwITEfMB0GA1UEAxMWYWxwaGEu
                        dGVzdC5leGFtcGxlLm9yZ4IJAI01q+m9qC5gMAwGA1UdEwQFMAMBAf8wDQYJKoZI
                        hvcNAQELBQADggEBAFL7Xe5jaIE/f6KbQweDTLEGLZ6CpYFwgjCCI6Kgik2H6+XI
                        daX5FI8IZ9VThfsbCbr55lIKlmmcR32O9xpLuQ792IJY9D2/I6ltW2iKnTKmaZSE
                        /S4p7hYu9EKkxkg8MFCRvfVonf9oOUGzoPvfzt9teXG2xzjetgCoY3taaH5UyEHK
                        pNynStKB0kzfoFOn4pdQWKX5UEZa0fLqzWTfrrikW4PitWrTE5zrn5vsxfBVNPnH
                        LlCxgWwWYeVi5XgpPoKy+So0dri7caGeNXjXW2ND0waHvp/LSmO8cfXbVX+1VqIw
                        L65ZJv2FIAm9LMIFVnEkD7sk1LsYdglvXBDz4BA=
                    </ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </KeyDescriptor>
        <AssertionConsumerService
                Binding="https://www.apereo.org/cas/protocol/login"
                Location="https://alpha.example.org/"
                index="1"/>
        <AssertionConsumerService
                Binding="https://www.apereo.org/cas/protocol/login"
                Location="https://alpha.dev.example.org/"
                index="2"/>
        <AssertionConsumerService
                Binding="https://www.apereo.org/cas/protocol/login"
                Location="https://alpha.test.example.org/"
                index="3"/>
        <SingleLogoutService
                Binding="https://www.apereo.org/cas/protocol/logout"
                Location="https://not.used.invalid/"/>
    </SPSSODescriptor>
</EntityDescriptor>
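As an added illustration of how the profile rules above are applied (this is example code written for this page, not IdP code), the following Python script parses metadata in this form, keeps only SPs that advertise CAS support, and resolves a CAS service URL to the entity whose ACS Location prefixes it. The sample metadata is constructed inline and modelled on the entry above with placeholder certificate bodies; the longest-prefix matching rule and the function names are assumptions of this example, not a statement of how the IdP itself resolves services.

```python
"""Resolve CAS service URLs against SAML metadata that follows the CAS
metadata profile (example code, not part of the IdP; sample data is constructed)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
CAS_PROTOCOL = "https://www.apereo.org/cas/protocol"
CAS_LOGIN_BINDING = "https://www.apereo.org/cas/protocol/login"
CAS_LOGOUT_BINDING = "https://www.apereo.org/cas/protocol/logout"

# Constructed sample: one CAS entity with signing key and SLO, one CAS entity
# without either, and one SAML-only entity that must be ignored.
SAMPLE_METADATA = f"""<EntitiesDescriptor xmlns="{MD_NS}" xmlns:ds="{DS_NS}">
  <EntityDescriptor entityID="https://alpha.example.org/">
    <SPSSODescriptor protocolSupportEnumeration="{CAS_PROTOCOL}">
      <KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </KeyDescriptor>
      <AssertionConsumerService Binding="{CAS_LOGIN_BINDING}" Location="https://alpha.example.org/" index="1"/>
      <AssertionConsumerService Binding="{CAS_LOGIN_BINDING}" Location="https://alpha.dev.example.org/" index="2"/>
      <SingleLogoutService Binding="{CAS_LOGOUT_BINDING}" Location="https://not.used.invalid/"/>
    </SPSSODescriptor>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://beta.example.org/">
    <SPSSODescriptor protocolSupportEnumeration="{CAS_PROTOCOL}">
      <AssertionConsumerService Binding="{CAS_LOGIN_BINDING}" Location="https://beta.example.org/app/" index="1"/>
    </SPSSODescriptor>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://saml-only.example.org/">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://saml-only.example.org/acs" index="1"/>
    </SPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>
"""


@dataclass
class CasService:
    entity_id: str
    location_prefixes: List[str]   # ACS Location values with the CAS login binding
    slo_enabled: bool              # a <SingleLogoutService> with the CAS logout binding exists
    proxy_authorized: bool         # at least one signing certificate is present


def parse_cas_services(metadata_xml: str) -> List[CasService]:
    """Extract every SP entity that advertises CAS support per the profile rules."""
    root = ET.fromstring(metadata_xml)
    services = []
    for ed in root.iter(f"{{{MD_NS}}}EntityDescriptor"):
        entity_id = ed.get("entityID")
        for sp in ed.findall(f"{{{MD_NS}}}SPSSODescriptor"):
            # Rule 1: protocolSupportEnumeration is a space-separated list that must contain CAS.
            if CAS_PROTOCOL not in sp.get("protocolSupportEnumeration", "").split():
                continue
            # Rule 2: ACS elements with the CAS login binding supply the service URL prefixes.
            prefixes = [acs.get("Location")
                        for acs in sp.findall(f"{{{MD_NS}}}AssertionConsumerService")
                        if acs.get("Binding") == CAS_LOGIN_BINDING and acs.get("Location")]
            if not prefixes:
                continue   # the profile requires at least one CAS login ACS
            # Rule 3: optional SLO participation.
            slo = any(s.get("Binding") == CAS_LOGOUT_BINDING
                      for s in sp.findall(f"{{{MD_NS}}}SingleLogoutService"))
            # Rule 4: a signing certificate anywhere in the EntityDescriptor implies
            # proxy authorization. A KeyDescriptor without a use attribute is usable for signing.
            proxy = any(kd.get("use") in (None, "signing")
                        and kd.find(f".//{{{DS_NS}}}X509Certificate") is not None
                        for kd in ed.iter(f"{{{MD_NS}}}KeyDescriptor"))
            services.append(CasService(entity_id, prefixes, slo, proxy))
    return services


def resolve_service(service_url: str, services: List[CasService]) -> Optional[CasService]:
    """Match a CAS 'service' URL to the entity whose ACS Location prefixes it.
    Longest matching prefix wins (an assumption of this example) so that a more
    specific Location beats a broad one. Returns None when no entity covers the URL."""
    best, best_len = None, -1
    for svc in services:
        for prefix in svc.location_prefixes:
            if service_url.startswith(prefix) and len(prefix) > best_len:
                best, best_len = svc, len(prefix)
    return best


if __name__ == "__main__":
    registry = parse_cas_services(SAMPLE_METADATA)
    for url in ("https://alpha.dev.example.org/login?ticket=x",
                "https://beta.example.org/app/callback",
                "https://alpha.example.org.attacker.invalid/"):
        hit = resolve_service(url, registry)
        print(url, "->", hit.entity_id if hit else "no matching CAS service")
```

Because matching is a plain string prefix, the trailing slash on each Location value matters: `https://alpha.example.org/` does not cover `https://alpha.example.org.attacker.invalid/`, whereas a Location of `https://alpha.example.org` (no slash) would. When registering services this way, give every Location a trailing slash or path component so that the prefix cannot extend into a different host name.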