The Shibboleth IdP V3 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only. See the IDP4 wiki space for current documentation on the supported version.


The <StartTLSTrustCredential> element specifies X.509 trust information to use when connecting to a directory over LDAPS or startTLS. This is a targeted alternative to the more typical strategy of loading trust anchors into the global JVM cacert keystore.

Schema Name and Location

This element is defined by the urn:mace:shibboleth:2.0:resolver schema, which is located at

The xsi:type of the credential referenced is usually defined by the urn:mace:shibboleth:2.0:security schema, which is located at

Note that this namespace has not been collapsed into the urn:mace:shibboleth:2.0:resolver one.


Attributes may only be provided if required by the specific credential type.

Child Elements

Child elements may only be provided if required by the specific credential type.

Credential Types

Credential types are distinguished by their xsi:type. Some of the typical types used with this element are:

  • sec:X509Filesystem
  • sec:X509ResourceBacked
  • sec:X509Inline

See the Credentials topic for details on configuring credentials of various types.


A certificate loaded from a file specified in a property.
<dc:StartTLSTrustCredential id="LDAPtoIdPCredential" xsi:type="sec:X509ResourceBacked">