File(s): conf/cas-protocol.xml

Format: Native Spring

This configuration method applies to IdP V3.4.2 and later.

The issuer certificates of end-entity certificates used to secure proxy endpoints can be registered by loading the PEM-encoded certificates on the IdP filesystem using the following configuration snippet found in conf/cas-protocol.xml:

   | Define the list of static certificates that you trust to secure CAS proxy callback endpoints.
   | Typically these are CA certificates and apply to _all_ CAS proxy callback endpoints.
   | This facility complements the capability to supply relying-party-specific certificates in SAML metadata,
   | which is the preferred mechanism to specify CAS proxy trust material. In the case of metadata, self-signed
   | certificates are recommended.
<util:list id="shibboleth.CASProxyTrustedCertificates">
    <!-- <value>%{idp.home}/credentials/your_ca.pem</value> -->

The elements of the above list have a global scope such that if any proxy endpoint presents a certificate issued by a trusted issuer, it will be trusted.