The Shibboleth IdP V3 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only. See the IDP4 wiki space for current documentation on the supported version.

CASProxyPKIXTrustSimple

File(s): conf/cas-protocol.xml

Format: Native Spring

This configuration method applies to IdP V3.4.2 and later.

The issuer (typically CA) certificates of the end-entity certificates that secure proxy callback endpoints can be registered by placing the PEM-encoded issuer certificates on the IdP filesystem and listing their paths in the following snippet in conf/cas-protocol.xml:

<!--
   | Define the list of static certificates that you trust to secure CAS proxy callback endpoints.
   | Typically these are CA certificates and apply to _all_ CAS proxy callback endpoints.
   | This facility complements the capability to supply relying-party-specific certificates in SAML metadata,
   | which is the preferred mechanism to specify CAS proxy trust material. In the case of metadata, self-signed
   | certificates are recommended.
   -->
<util:list id="shibboleth.CASProxyTrustedCertificates">
    <!-- <value>%{idp.home}/credentials/your_ca.pem</value> -->
</util:list>

The list has global scope: any proxy callback endpoint that presents a certificate chaining to one of the listed issuers is trusted, regardless of which relying party operates that endpoint. A listed CA therefore authorizes every endpoint certificate it ever issues, so only list CAs you would trust for all CAS proxies; when trust should be limited to one service, supply that service's certificate (preferably self-signed) in its SAML metadata instead, as the comment above recommends.