File(s): conf/relying-party.xml
Format: Native Spring
This configuration mechanism is valid for IdP versions prior to 3.4. |
PKIX-based CAS proxy trust is configured in relying-party.xml as part of the profile configuration for a particular relying party. The following configuration excerpt demonstrates configuring CAS to accept proxy callback certificates issued by a handful of trusted issuers for the default relying party.
<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
<property name="profileConfigurations">
<list>
<ref bean="Shibboleth.SSO" />
<ref bean="SAML1.AttributeQuery" />
<ref bean="SAML1.ArtifactResolution" />
<ref bean="SAML2.SSO" />
<ref bean="SAML2.ECP" />
<ref bean="SAML2.Logout" />
<ref bean="SAML2.AttributeQuery" />
<ref bean="SAML2.ArtifactResolution" />
<ref bean="CAS.LoginConfiguration" />
<ref bean="CAS.ProxyConfiguration" />
<ref bean="CAS.ValidateConfiguration.default" />
</list>
</property>
</bean>
<bean id="CAS.ValidateConfiguration.default" parent="CAS.ValidateConfiguration">
<property name="securityConfiguration">
<bean class="net.shibboleth.idp.profile.config.SecurityConfiguration"
c:skew="PT5M"
p:clientTLSValidationConfiguration-ref="standardProxyTLSConfig">
<constructor-arg name="generator">
<bean class="net.shibboleth.idp.cas.ticket.impl.TicketIdentifierGenerationStrategy"
c:prefix="PGT"
c:randomLength="50" />
</constructor-arg>
</bean>
</property>
</bean>
<bean id="standardProxyTLSConfig"
class="org.opensaml.security.x509.tls.impl.BasicClientTLSValidationConfiguration">
<property name="x509TrustEngine">
<bean class="org.opensaml.security.x509.impl.PKIXX509CredentialTrustEngine" c:nameEvaluator="#{null}">
<constructor-arg name="resolver">
<bean class="org.opensaml.security.x509.impl.StaticPKIXValidationInformationResolver" c:names="#{null}">
<constructor-arg name="info">
<bean class="org.opensaml.security.x509.impl.BasicPKIXValidationInformation" c:crls="#{null}" c:depth="5">
<constructor-arg name="anchors">
<list>
<bean class="net.shibboleth.ext.spring.factory.X509CertificateFactoryBean"
p:resource="%{idp.home}/credentials/vtgsca.pem" />
<bean class="net.shibboleth.ext.spring.factory.X509CertificateFactoryBean"
p:resource="%{idp.home}/credentials/vtgqsca.pem" />
<bean class="net.shibboleth.ext.spring.factory.X509CertificateFactoryBean"
p:resource="%{idp.home}/credentials/vtgqsca256.pem" />
</list>
</constructor-arg>
</bean>
</constructor-arg>
</bean>
</constructor-arg>
<constructor-arg name="pkixEvaluator">
<bean class="org.opensaml.security.x509.impl.CertPathPKIXTrustEvaluator" />
</constructor-arg>
</bean>
</property>
</bean> |
CAS Service tickets issued by the Shibboleth IdP are single use tickets with a default validity period of 15 seconds. It is possible to extend the validity period by altering the profile configuration in relying-party.xml as follows:
<!-- Default configuration, with default settings applied for all profiles. -->
<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
<property name="profileConfigurations">
<list>
<ref bean="Shibboleth.SSO.default" />
<!-- ... other SAML profiles ... -->
<bean parent="CAS.LoginConfiguration" p:ticketValidityPeriod="PT5M" />
<ref bean="CAS.ProxyConfiguration" />
<ref bean="CAS.ValidateConfiguration.default" />
</list>
</property>
</bean> |