This is a DRAFT in progress reflecting unreleased code.
SAML Metadata Profile
IdP 3.4.0 supports adding CAS protocol endpoints to SAML metadata entries. The following CAS protocol operations may be registered:
- Single sign-on via SPSSODescriptor with one or more AssertionConsumerService elements
- Proxy via AttributeAuthorityDescriptor with one or more AttributeService elements
- Single sign-out via SPSSODescriptor with a single SingleLogoutService element
The following sections describe the specific metadata requirements for each type of protocol operation.
CAS Single Sign On
An entity advertises support for the CAS single sign-on protocol with an SPSSODescriptor that has the following characteristics:
- MUST include https://www.apereo.org/cas/protocol in the protocolSupportEnumeration attribute.
- Contains one or more AssertionConsumerService elements that MUST have the following attributes:
  - Binding attribute with value of https://www.apereo.org/cas/protocol/login.
  - Location attribute with a URL such that some subset of service URLs start with the given value. ACS endpoints are repeated with varying Location attributes until the full set of service URLs is covered.
CAS Proxy
An entity advertises support for the CAS proxy protocol with an AttributeAuthorityDescriptor that has the following characteristics:
- MUST include https://www.apereo.org/cas/protocol in the protocolSupportEnumeration attribute.
- Contains one or more AttributeService elements that MUST have the following attributes:
  - Binding attribute with value of https://www.apereo.org/cas/protocol/proxy.
  - Location attribute that matches the pgtURL protocol parameter. The presented protocol parameter value will be verified against this value as part of proxy callback URL validation.
- MAY define one or more signing certificates in the KeyDescriptor element; these will be used as explicit TLS trust material when validating the certificate presented by the proxy callback endpoint.
CAS Single Sign-Out
An entity advertises support for the CAS single sign-out protocol by adding a SingleLogoutService endpoint to an SPSSODescriptor that supports CAS single sign-on. The SingleLogoutService has the following characteristics:
- Binding attribute with value of https://www.apereo.org/cas/protocol/logout
- Location attribute is required to be defined but is not used since the protocol sends the logout message to the same endpoint to which the service ticket was delivered. To clarify that the location is not used, it is recommended to use a URL with an RFC 6761 reserved domain name such as https://not.used.invalid/.
Example Metadata
An example representing a typical CAS entity follows:
```xml
<!-- Namespace declarations for SAML metadata and XML Signature added so the document is well-formed XML -->
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                  entityID="https://alpha.example.org/">
  <SPSSODescriptor protocolSupportEnumeration="https://www.apereo.org/cas/protocol">
    <!-- CAS login: each Location is a prefix covering a subset of the service URLs -->
    <AssertionConsumerService Binding="https://www.apereo.org/cas/protocol/login"
                              Location="https://alpha.example.org/" index="1"/>
    <AssertionConsumerService Binding="https://www.apereo.org/cas/protocol/login"
                              Location="https://alpha.dev.example.org/" index="2"/>
    <AssertionConsumerService Binding="https://www.apereo.org/cas/protocol/login"
                              Location="https://alpha.test.example.org/" index="3"/>
    <!-- CAS logout: Location is required by the schema but not used by the protocol -->
    <SingleLogoutService Binding="https://www.apereo.org/cas/protocol/logout"
                         Location="https://not.used.invalid/"/>
  </SPSSODescriptor>
  <AttributeAuthorityDescriptor protocolSupportEnumeration="https://www.apereo.org/cas/protocol">
    <!-- Explicit TLS trust material for the proxy callback endpoint -->
    <KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>
MIIDODCCAiCgAwIBAgIJAKpLQTw/WPXCMA0GCSqGSIb3DQEBCwUAMBwxGjAYBgNV
BAMTEWFscGhhLmV4YW1wbGUub3JnMB4XDTE4MDYxODE2NDE0NVoXDTE4MDcxODE2
NDE0NVowHDEaMBgGA1UEAxMRYWxwaGEuZXhhbXBsZS5vcmcwggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQDHSzRUcM0WBtAjR3P1vHYkaaATjNKTxbNHn3zS
3mLnEgukOVFrr+cRByKKUQQb8MIPkuvKrz3lnoCoOwlFMRPigtChjo3UJGTYEMY9
2SQQr24U6nE/3d2qFaf2PNIW1SinSjxbE1xeT0bdLcTZHUcE2yEfHKFhcgXIJprv
R1ceBJBvYYnATuPgUxMjq2ks4kXxG0nNlT13QwBfykBv6I1Wkkc06mEvkMzKNtzr
ayBK1PygVBNVMUQAFn7Tv6c28BtVLFE9SIKj+5ZcpuWkujVNJF1dYdNmfAz3PiuE
dPt2yl3t2r/v4CP+U8kBlQs6A83xYrA0MsHnUYOrfL3UTWtZAgMBAAGjfTB7MB0G
A1UdDgQWBBT/5yBm3mXtsYDvz11kTHsPVGeRcDBMBgNVHSMERTBDgBT/5yBm3mXt
sYDvz11kTHsPVGeRcKEgpB4wHDEaMBgGA1UEAxMRYWxwaGEuZXhhbXBsZS5vcmeC
CQCqS0E8P1j1wjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAb/o/M
mt/nSHOfcjnNJS/LpouaewkoWkQn+FaXZOOvHDYhWur+mHVDpjoszUfgrTX2npmL
e8Q94bHd+cQrJpZFiYRX8l0p7dAH5Q6Ya/AnHuzGeyQ9fXiDMSWcsg2INcWi7oL9
h9+V3idcSzgAo1b7+ESSToPj7OG8tgjEp2C9jy0IKEwoApuQtRzxD1XHZFBFwwuH
nIXWxgctJPU1C+1W9b4bkFSyEGz8/HM7D9feDHbn2AKuRgd99aaOY9D59topf2Zg
t5sUTWWl54eaF5qoXKY/jdl84Tnmo8GeUufCrS0T6YQGI1LTpicPbqf7zHihQTao
I1TQuJgghwPvPE9x
          </ds:X509Certificate>
        </ds:X509Data>
        <ds:X509Data>
          <ds:X509Certificate>
MIIDRTCCAi2gAwIBAgIJAJWAmqfrwZdvMA0GCSqGSIb3DQEBCwUAMCAxHjAcBgNV
BAMTFWFscGhhLmRldi5leGFtcGxlLm9yZzAeFw0xODA2MTgxNjUwMThaFw0xODA3
MTgxNjUwMThaMCAxHjAcBgNVBAMTFWFscGhhLmRldi5leGFtcGxlLm9yZzCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMdLNFRwzRYG0CNHc/W8diRpoBOM
0pPFs0effNLeYucSC6Q5UWuv5xEHIopRBBvwwg+S68qvPeWegKg7CUUxE+KC0KGO
jdQkZNgQxj3ZJBCvbhTqcT/d3aoVp/Y80hbVKKdKPFsTXF5PRt0txNkdRwTbIR8c
oWFyBcgmmu9HVx4EkG9hicBO4+BTEyOraSziRfEbSc2VPXdDAF/KQG/ojVaSRzTq
YS+QzMo23OtrIErU/KBUE1UxRAAWftO/pzbwG1UsUT1IgqP7llym5aS6NU0kXV1h
02Z8DPc+K4R0+3bKXe3av+/gI/5TyQGVCzoDzfFisDQywedRg6t8vdRNa1kCAwEA
AaOBgTB/MB0GA1UdDgQWBBT/5yBm3mXtsYDvz11kTHsPVGeRcDBQBgNVHSMESTBH
gBT/5yBm3mXtsYDvz11kTHsPVGeRcKEkpCIwIDEeMBwGA1UEAxMVYWxwaGEuZGV2
LmV4YW1wbGUub3JnggkAlYCap+vBl28wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0B
AQsFAAOCAQEAZJvp0luHvSlb1pSNpH1roT3R35FyZc+rLJWzmtVAdjt0eQU4q6da
/lQ/83ntRj82GOxZEbyJwyhXLaav2nTe7N+wQoz6maTYXMX8Q9DZVLihy1SSrCY6
bLi2+byxKORw9GXrVaul8yckElyvx2HxMg8iXcLmuG1pVb1bk8BlnwHNDPZYTNMY
iPgHtdsquziKrb08y/fjNiyeEIFlHloK+b4jggjOUbQ/jTkLkG6mkRQwu1NolvvB
BBr0q/P8Z86TMmdp1deZEqQMVY6uWNgVs5Ci0piyQdKJjOvaGE/XXItD8blH3d4O
SsADjh/HEFpp0Pu5ypQNryzdNL+6sw4XyQ==
          </ds:X509Certificate>
        </ds:X509Data>
        <ds:X509Data>
          <ds:X509Certificate>
MIIDSTCCAjGgAwIBAgIJAI01q+m9qC5gMA0GCSqGSIb3DQEBCwUAMCExHzAdBgNV
BAMTFmFscGhhLnRlc3QuZXhhbXBsZS5vcmcwHhcNMTgwNjE4MTY1MDQzWhcNMTgw
NzE4MTY1MDQzWjAhMR8wHQYDVQQDExZhbHBoYS50ZXN0LmV4YW1wbGUub3JnMIIB
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx0s0VHDNFgbQI0dz9bx2JGmg
E4zSk8WzR5980t5i5xILpDlRa6/nEQciilEEG/DCD5Lryq895Z6AqDsJRTET4oLQ
oY6N1CRk2BDGPdkkEK9uFOpxP93dqhWn9jzSFtUop0o8WxNcXk9G3S3E2R1HBNsh
HxyhYXIFyCaa70dXHgSQb2GJwE7j4FMTI6tpLOJF8RtJzZU9d0MAX8pAb+iNVpJH
NOphL5DMyjbc62sgStT8oFQTVTFEABZ+07+nNvAbVSxRPUiCo/uWXKblpLo1TSRd
XWHTZnwM9z4rhHT7dspd7dq/7+Aj/lPJAZULOgPN8WKwNDLB51GDq3y91E1rWQID
AQABo4GDMIGAMB0GA1UdDgQWBBT/5yBm3mXtsYDvz11kTHsPVGeRcDBRBgNVHSME
SjBIgBT/5yBm3mXtsYDvz11kTHsPVGeRcKElpCMwITEfMB0GA1UEAxMWYWxwaGEu
dGVzdC5leGFtcGxlLm9yZ4IJAI01q+m9qC5gMAwGA1UdEwQFMAMBAf8wDQYJKoZI
hvcNAQELBQADggEBAFL7Xe5jaIE/f6KbQweDTLEGLZ6CpYFwgjCCI6Kgik2H6+XI
daX5FI8IZ9VThfsbCbr55lIKlmmcR32O9xpLuQ792IJY9D2/I6ltW2iKnTKmaZSE
/S4p7hYu9EKkxkg8MFCRvfVonf9oOUGzoPvfzt9teXG2xzjetgCoY3taaH5UyEHK
pNynStKB0kzfoFOn4pdQWKX5UEZa0fLqzWTfrrikW4PitWrTE5zrn5vsxfBVNPnH
LlCxgWwWYeVi5XgpPoKy+So0dri7caGeNXjXW2ND0waHvp/LSmO8cfXbVX+1VqIw
L65ZJv2FIAm9LMIFVnEkD7sk1LsYdglvXBDz4BA=
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <!-- CAS proxy: Location must match the pgtURL presented by the service -->
    <AttributeService Binding="https://www.apereo.org/cas/protocol/proxy"
                      Location="https://alpha.example.org/proxy_receptor"/>
  </AttributeAuthorityDescriptor>
</EntityDescriptor>
```
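The following is an added example (not IdP code) that reads metadata of the shape described in the three sections above and applies their endpoint rules: a service URL is accepted for login when it starts with some CAS-bound AssertionConsumerService Location, and a pgtURL is accepted for proxy when it matches a CAS-bound AttributeService Location. It assumes an exact string comparison for the pgtURL match and an HTTPS-only pgtURL as the CAS protocol requires; the IdP's own comparison logic may differ. The metadata document is constructed, modelled on the page's example with the certificates omitted.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
CAS = "https://www.apereo.org/cas/protocol"
LOGIN, PROXY, LOGOUT = CAS + "/login", CAS + "/proxy", CAS + "/logout"

# Constructed sample metadata modelled on the page's example (certificates omitted).
METADATA = f"""<EntityDescriptor xmlns="{MD}" entityID="https://alpha.example.org/">
  <SPSSODescriptor protocolSupportEnumeration="{CAS}">
    <AssertionConsumerService Binding="{LOGIN}" Location="https://alpha.example.org/" index="1"/>
    <AssertionConsumerService Binding="{LOGIN}" Location="https://alpha.dev.example.org/" index="2"/>
    <SingleLogoutService Binding="{LOGOUT}" Location="https://not.used.invalid/"/>
  </SPSSODescriptor>
  <AttributeAuthorityDescriptor protocolSupportEnumeration="{CAS}">
    <AttributeService Binding="{PROXY}" Location="https://alpha.example.org/proxy_receptor"/>
  </AttributeAuthorityDescriptor>
</EntityDescriptor>"""


def endpoints(xml_text, role, element, binding):
    """Location values of `element` children of `role` descriptors that advertise CAS support."""
    root = ET.fromstring(xml_text)
    locations = []
    for desc in root.iter(f"{{{MD}}}{role}"):
        if CAS not in desc.get("protocolSupportEnumeration", "").split():
            continue  # role does not advertise the CAS protocol; its endpoints do not count
        for ep in desc.findall(f"{{{MD}}}{element}"):
            if ep.get("Binding") == binding:
                locations.append(ep.get("Location"))
    return locations


def login_allowed(xml_text, service_url):
    """CAS login rule from the page: the service URL must start with some ACS Location.
    Locations should end with "/" so the prefix cannot stop in the middle of a host name."""
    acs = endpoints(xml_text, "SPSSODescriptor", "AssertionConsumerService", LOGIN)
    return any(service_url.startswith(loc) for loc in acs)


def proxy_callback_allowed(xml_text, pgt_url):
    """CAS proxy rule: pgtURL must match an AttributeService Location (assumed exact match)."""
    if urlsplit(pgt_url).scheme != "https":  # CAS requires an HTTPS pgtURL
        return False
    return pgt_url in endpoints(xml_text, "AttributeAuthorityDescriptor", "AttributeService", PROXY)


def logout_advertised(xml_text):
    """True when the CAS-enabled SPSSODescriptor carries a CAS-bound SingleLogoutService."""
    return bool(endpoints(xml_text, "SPSSODescriptor", "SingleLogoutService", LOGOUT))
```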