The Shibboleth IdP V3 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only. See the IDP4 wiki space for current documentation on the supported version.
CASServiceSAMLMetadata
New in IdP 3.4.0.
IdP 3.4.0 provides a new facility to register CAS services in SAML metadata. The following CAS protocol configuration points are configurable via metadata:
- One or more CAS service URLs associated with a single logical CAS service.
- CAS proxy callback URL and trusted certificates.
- CAS single logout participation.
The full specification is described in detail in the CAS metadata profile specification, but there are a few notable configuration points for creating a CAS protocol entry in SAML metadata.
CAS Protocol Support
The SPSSODescriptor is the container for all CAS protocol configuration bits. Add https://www.apereo.org/cas/protocol to the protocolSupportEnumeration attribute to identify an entity that supports the CAS protocol.
Service URLs
One or more AssertionConsumerService elements with the binding https://www.apereo.org/cas/protocol/login identify the base service URLs that will request service tickets from the IdP. "Starts with" matching is used to select a given service URL with a metadata ACS URL, but no wildcards are supported. Consider an example:
<AssertionConsumerService Binding="https://www.apereo.org/cas/protocol/login" Location="https://alpha.example.org/" index="1"/>
The entry above would match the following service URLs:
- https://alpha.example.org/users
- https://alpha.example.org/admins?grp=1
- https://alpha.example.org/secure/dashboard
In order to index ACS endpoints to support the matching process, a CAS-specific index, shibboleth.CASMetadataIndices, must be applied to metadata sources that contain CAS protocol entries. The following configuration snippet from conf/metadata-providers.xml provides an example:
<MetadataProvider id="CASMetadata" xsi:type="FileBackedHTTPMetadataProvider" backingFile="/var/run/idp/vt-metadata.xml" metadataURL="https://metadata.example.edu/cas.xml" indexesRef="shibboleth.CASMetadataIndices"> <MetadataFilter xsi:type="EntityRoleWhiteList"> <RetainedRole>samlmd:SPSSODescriptor</RetainedRole> </MetadataFilter> </MetadataProvider>
Proxy Configuration
One or more AssertionConsumerService elements with the binding https://www.apereo.org/cas/protocol/proxy identify proxy callback endpoints. The appearance of at least one ACS endpoint with the proxy binding is an implicit signal to permit proxying; conversely, if no there is no ACS element defined with the proxy binding, then the service is not authorized to proxy.
Using SAML metadata to register proxying CAS services is a best practice since it affords the most secure method of configuring TLS trust. A best practice for configuring CAS proxy callback endpoints is to generate a self-signed certificate for the HTTPS endpoint and register it in metadata as follows:
<KeyDescriptor use="signing"> <ds:KeyInfo> <ds:X509Data> <ds:X509Certificate> MIIDODCCAiCgAwIBAgIJAKpLQTw/WPXCMA0GCSqGSIb3DQEBCwUAMBwxGjAYBgNV BAMTEWFscGhhLmV4YW1wbGUub3JnMB4XDTE4MDYxODE2NDE0NVoXDTE4MDcxODE2 NDE0NVowHDEaMBgGA1UEAxMRYWxwaGEuZXhhbXBsZS5vcmcwggEiMA0GCSqGSIb3 DQEBAQUAA4IBDwAwggEKAoIBAQDHSzRUcM0WBtAjR3P1vHYkaaATjNKTxbNHn3zS 3mLnEgukOVFrr+cRByKKUQQb8MIPkuvKrz3lnoCoOwlFMRPigtChjo3UJGTYEMY9 2SQQr24U6nE/3d2qFaf2PNIW1SinSjxbE1xeT0bdLcTZHUcE2yEfHKFhcgXIJprv R1ceBJBvYYnATuPgUxMjq2ks4kXxG0nNlT13QwBfykBv6I1Wkkc06mEvkMzKNtzr ayBK1PygVBNVMUQAFn7Tv6c28BtVLFE9SIKj+5ZcpuWkujVNJF1dYdNmfAz3PiuE dPt2yl3t2r/v4CP+U8kBlQs6A83xYrA0MsHnUYOrfL3UTWtZAgMBAAGjfTB7MB0G A1UdDgQWBBT/5yBm3mXtsYDvz11kTHsPVGeRcDBMBgNVHSMERTBDgBT/5yBm3mXt sYDvz11kTHsPVGeRcKEgpB4wHDEaMBgGA1UEAxMRYWxwaGEuZXhhbXBsZS5vcmeC CQCqS0E8P1j1wjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAb/o/M mt/nSHOfcjnNJS/LpouaewkoWkQn+FaXZOOvHDYhWur+mHVDpjoszUfgrTX2npmL e8Q94bHd+cQrJpZFiYRX8l0p7dAH5Q6Ya/AnHuzGeyQ9fXiDMSWcsg2INcWi7oL9 h9+V3idcSzgAo1b7+ESSToPj7OG8tgjEp2C9jy0IKEwoApuQtRzxD1XHZFBFwwuH nIXWxgctJPU1C+1W9b4bkFSyEGz8/HM7D9feDHbn2AKuRgd99aaOY9D59topf2Zg t5sUTWWl54eaF5qoXKY/jdl84Tnmo8GeUufCrS0T6YQGI1LTpicPbqf7zHihQTao I1TQuJgghwPvPE9x </ds:X509Certificate> </ds:X509Data> ... </ds:KeyInfo> </KeyDescriptor>
Single Logout
A CAS service registers its intent to participate in single logout by adding a SingleLogoutService element as follows.
<SingleLogoutService Binding="https://www.apereo.org/cas/protocol/logout" Location="urn:mace:shibboleth:profile:CAS:logout"/>
Note that the location is a URN, which is intentional, since the CAS logout endpoint cannot be statically defined.