The Shibboleth IdP V3 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only. See the IDP4 wiki space for current documentation on the supported version.

CASProxyPKIXTrustRelyingParty

File(s): conf/relying-party.xml

Format: Native Spring

This configuration mechanism is valid for IdP versions prior to 3.4.


PKIX-based CAS proxy trust is configured in relying-party.xml as part of the profile configuration for a particular relying party. The following excerpt configures the default relying party so that, on the proxy callback, CAS accepts any client certificate that chains to one of a handful of trusted issuers. Note what the trust engine as shown does and does not check: it performs PKIX path validation only. No name evaluator is supplied, so the certificate's presented names are not compared against any trusted-name list, and no CRLs are supplied, so certificates revoked by those issuers will not be rejected unless revocation checking is enabled by other means. The anchor file names below are example values; substitute the issuer certificates that the callback certificates of your proxying services actually chain to.

CAS Proxy Trust in relying-party.xml
     <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
        <!-- Profile configurations used for any relying party without a more specific
             override. The CAS.ValidateConfiguration.default ref is what ties the PKIX
             proxy trust engine defined further down to this relying party; the other
             refs enable the SAML profiles carried over from the stock file.
             NOTE(review): list only the profiles this IdP actually serves; each entry
             enables a protocol endpoint that would otherwise not be exposed. -->
        <property name="profileConfigurations">
            <list>
                <ref bean="Shibboleth.SSO" />
                <ref bean="SAML1.AttributeQuery" />
                <ref bean="SAML1.ArtifactResolution" />
                <ref bean="SAML2.SSO" />
                <ref bean="SAML2.ECP" />
                <ref bean="SAML2.Logout" />
                <ref bean="SAML2.AttributeQuery" />
                <ref bean="SAML2.ArtifactResolution" />
                <ref bean="CAS.LoginConfiguration" />
                <ref bean="CAS.ProxyConfiguration" />
                <!-- Overridden validate profile; see the bean of the same id below. -->
                <ref bean="CAS.ValidateConfiguration.default" />
            </list>
        </property>
    </bean>
    <bean id="CAS.ValidateConfiguration.default" parent="CAS.ValidateConfiguration">
        <!-- Ticket validation profile for the default relying party. It replaces the
             inherited security configuration so that the client TLS certificate
             presented on the proxy callback is evaluated by the PKIX trust engine
             declared in the standardProxyTLSConfig bean. -->
        <property name="securityConfiguration">
            <bean class="net.shibboleth.idp.profile.config.SecurityConfiguration">
                <!-- Clock skew tolerated when evaluating time-bounded values (5 minutes). -->
                <constructor-arg name="skew" value="PT5M" />
                <!-- Identifier generator for proxy-granting tickets: a fixed "PGT" prefix
                     followed by a random portion of length 50. -->
                <constructor-arg name="generator">
                    <bean class="net.shibboleth.idp.cas.ticket.impl.TicketIdentifierGenerationStrategy">
                        <constructor-arg name="prefix" value="PGT" />
                        <constructor-arg name="randomLength" value="50" />
                    </bean>
                </constructor-arg>
                <!-- Trust decision for the proxy callback's client certificate. -->
                <property name="clientTLSValidationConfiguration" ref="standardProxyTLSConfig" />
            </bean>
        </property>
    </bean>
    <bean id="standardProxyTLSConfig"
          class="org.opensaml.security.x509.tls.impl.BasicClientTLSValidationConfiguration">
        <!-- Client TLS validation applied to the certificate a proxying service presents
             on the proxy callback. Trust is decided solely by PKIX path validation
             against the anchors listed below. -->
        <property name="x509TrustEngine">
            <!-- nameEvaluator is null: the presented certificate's names are not compared
                 against any trusted-name set, so any end-entity certificate that chains
                 to one of the anchors is accepted. Supply a name evaluator here if
                 callbacks must be restricted to particular hosts. -->
            <bean class="org.opensaml.security.x509.impl.PKIXX509CredentialTrustEngine" c:nameEvaluator="#{null}">
                <constructor-arg name="resolver">
                    <!-- Static resolver with one fixed validation-information set. names is
                         null, consistent with there being no name evaluator above. -->
                    <bean class="org.opensaml.security.x509.impl.StaticPKIXValidationInformationResolver" c:names="#{null}">
                        <constructor-arg name="info">
                            <!-- crls is null: no CRLs are supplied, so certificates revoked by
                                 these issuers are still accepted unless revocation checking is
                                 enabled by other means. NOTE(review): CertPathPKIXTrustEvaluator
                                 is understood to skip revocation checking when no CRLs are
                                 present; confirm against the OpenSAML version in use.
                                 depth bounds the length of the certificate path accepted. -->
                            <bean class="org.opensaml.security.x509.impl.BasicPKIXValidationInformation" c:crls="#{null}" c:depth="5">
                                <constructor-arg name="anchors">
                                    <!-- Trust anchors: every certificate chaining to one of these
                                         CAs is trusted for proxy callbacks. The file names are
                                         example values; replace them with the issuers your
                                         proxying services actually use. -->
                                    <list>
                                        <bean class="net.shibboleth.ext.spring.factory.X509CertificateFactoryBean"
                                              p:resource="%{idp.home}/credentials/vtgsca.pem" />
                                        <bean class="net.shibboleth.ext.spring.factory.X509CertificateFactoryBean"
                                              p:resource="%{idp.home}/credentials/vtgqsca.pem" />
                                        <bean class="net.shibboleth.ext.spring.factory.X509CertificateFactoryBean"
                                              p:resource="%{idp.home}/credentials/vtgqsca256.pem" />
                                    </list>
                                </constructor-arg>
                            </bean>
                        </constructor-arg>
                    </bean>
                </constructor-arg>
                <!-- Evaluator that performs the actual Java CertPath validation. -->
                <constructor-arg name="pkixEvaluator">
                    <bean class="org.opensaml.security.x509.impl.CertPathPKIXTrustEvaluator" />
                </constructor-arg>
            </bean>
        </property>
    </bean>

Service Ticket Expiration (Optional)

CAS service tickets issued by the Shibboleth IdP are single-use tickets with a default validity period of 15 seconds. The validity period can be extended by overriding the ticketValidityPeriod of the CAS login profile configuration in relying-party.xml, as shown below (5 minutes in the example). Because the lifetime bounds how long an intercepted ticket remains usable before it is consumed, extend it only as far as clock skew and service latency actually require.

    <!-- Default configuration, with default settings applied for all profiles. -->
    <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
        <property name="profileConfigurations">
            <list>
                <ref bean="Shibboleth.SSO.default" />
                <!-- ... other SAML profiles ... -->
                <!-- Inline override of the CAS login profile: service ticket lifetime is
                     raised from the 15 second default to 5 minutes. NOTE(review): tickets
                     are single-use, but a longer lifetime widens the window in which an
                     intercepted ticket can be replayed; keep it as short as clock skew
                     and service latency allow. -->
                <bean parent="CAS.LoginConfiguration" p:ticketValidityPeriod="PT5M" />
                <ref bean="CAS.ProxyConfiguration" />
                <ref bean="CAS.ValidateConfiguration.default" />
            </list>
        </property>
    </bean>