CASProxyPKIXTrustRelyingParty

File(s): conf/relying-party.xml

Format: Native Spring

This configuration mechanism is valid for IdP versions prior to 3.4.


PKIX-based CAS proxy trust is configured in relying-party.xml as part of the profile configuration for a particular relying party. The following configuration excerpt demonstrates configuring CAS to accept proxy callback certificates issued by a handful of trusted issuers for the default relying party.

CAS Proxy Trust in relying-party.xml
     <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
        <property name="profileConfigurations">
            <list>
                <ref bean="Shibboleth.SSO" />
                <ref bean="SAML1.AttributeQuery" />
                <ref bean="SAML1.ArtifactResolution" />
                <ref bean="SAML2.SSO" />
                <ref bean="SAML2.ECP" />
                <ref bean="SAML2.Logout" />
                <ref bean="SAML2.AttributeQuery" />
                <ref bean="SAML2.ArtifactResolution" />
                <ref bean="CAS.LoginConfiguration" />
                <ref bean="CAS.ProxyConfiguration" />
                <ref bean="CAS.ValidateConfiguration.default" />
            </list>
        </property>
    </bean>
    <bean id="CAS.ValidateConfiguration.default" parent="CAS.ValidateConfiguration">
        <property name="securityConfiguration">
            <bean class="net.shibboleth.idp.profile.config.SecurityConfiguration"
                  c:skew="PT5M"
                  p:clientTLSValidationConfiguration-ref="standardProxyTLSConfig">
                <constructor-arg name="generator">
                    <bean class="net.shibboleth.idp.cas.ticket.impl.TicketIdentifierGenerationStrategy"
                          c:prefix="PGT"
                          c:randomLength="50" />
                </constructor-arg>
            </bean>
        </property>
    </bean>
    <bean id="standardProxyTLSConfig"
          class="org.opensaml.security.x509.tls.impl.BasicClientTLSValidationConfiguration">
        <property name="x509TrustEngine">
            <bean class="org.opensaml.security.x509.impl.PKIXX509CredentialTrustEngine" c:nameEvaluator="#{null}">
                <constructor-arg name="resolver">
                    <bean class="org.opensaml.security.x509.impl.StaticPKIXValidationInformationResolver" c:names="#{null}">
                        <constructor-arg name="info">
                            <bean class="org.opensaml.security.x509.impl.BasicPKIXValidationInformation" c:crls="#{null}" c:depth="5">
                                <constructor-arg name="anchors">
                                    <list>
                                        <bean class="net.shibboleth.ext.spring.factory.X509CertificateFactoryBean"
                                              p:resource="%{idp.home}/credentials/vtgsca.pem" />
                                        <bean class="net.shibboleth.ext.spring.factory.X509CertificateFactoryBean"
                                              p:resource="%{idp.home}/credentials/vtgqsca.pem" />
                                        <bean class="net.shibboleth.ext.spring.factory.X509CertificateFactoryBean"
                                              p:resource="%{idp.home}/credentials/vtgqsca256.pem" />
                                    </list>
                                </constructor-arg>
                            </bean>
                        </constructor-arg>
                    </bean>
                </constructor-arg>
                <constructor-arg name="pkixEvaluator">
                    <bean class="org.opensaml.security.x509.impl.CertPathPKIXTrustEvaluator" />
                </constructor-arg>
            </bean>
        </property>
    </bean>

Service Ticket Expiration (Optional)

CAS Service tickets issued by the Shibboleth IdP are single use tickets with a default validity period of 15 seconds. It is possible to extend the validity period by altering the profile configuration in relying-party.xml as follows:

    <!-- Default configuration, with default settings applied for all profiles. -->
    <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
        <property name="profileConfigurations">
            <list>
                <ref bean="Shibboleth.SSO.default" />
                <!-- ... other SAML profiles ... -->
                <bean parent="CAS.LoginConfiguration" p:ticketValidityPeriod="PT5M" />
                <ref bean="CAS.ProxyConfiguration" />
                <ref bean="CAS.ValidateConfiguration.default" />
            </list>
        </property>
    </bean>