The Shibboleth IdP V3 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only. See the IDP4 wiki space for current documentation on the supported version.

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 4 Current »

File(s): conf/cas-protocol.xml

Format: Native Spring

This configuration method applies to IdP V3.4.2 and later. Note that the example below differs from the example shipped with the software and accounts for a bug introduced with the security patch in this version.

The issuer certificates of end-entity certificates used to secure proxy endpoints can be registered by loading the PEM-encoded certificates on the IdP filesystem using the following configuration snippet found in conf/cas-protocol.xml:

<!--
   | Define the list of static certificates that you trust to secure CAS proxy callback endpoints.
   | Typically these are CA certificates and apply to _all_ CAS proxy callback endpoints.
   | This facility complements the capability to supply relying-party-specific certificates in SAML metadata,
   | which is the preferred mechanism to specify CAS proxy trust material. In the case of metadata, self-signed
   | certificates are recommended.
   -->
<util:list id="shibboleth.CASProxyTrustedCertificates">
    <!-- <value>%{idp.home}/credentials/your_ca.pem</value> -->
</util:list>

The elements of the above list have a global scope such that if any proxy endpoint presents a certificate issued by a trusted issuer, it will be trusted.

  • No labels