The Shibboleth IdP V4 software will leave support on September 1, 2024.

StartTLSTrustCredential

Namespace: urn:mace:shibboleth:2.0:resolver
Schema: http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd

This element has been DEPRECATED and should be avoided.
The replacement is the trustFile attribute.

Overview

The <StartTLSTrustCredential> element specifies X.509 trust information to use when connecting to a directory over LDAPS or StartTLS. This is a targeted alternative to the unsupported strategy of loading trust anchors into the global JVM cacert keystore.

The xsi:type of the credential referenced is usually defined in the urn:mace:shibboleth:2.0:security namespace, the schema for which is located at http://shibboleth.net/schema/idp/shibboleth-security.xsd

This namespace must be declared in the file (it was not collapsed into the urn:mace:shibboleth:2.0:resolver namespace due to the fact that it has use in the MetadataConfiguration in rare cases).

Reference

The XML Attributes and Elements supported will vary based on the specific credential type.

Credential Types

Credential types are distinguished by their xsi:type. Some of the typical types used with this element are:

  • sec:X509ResourceBacked

  • sec:X509Inline

See the Credentials topic for details on configuring credentials of various types.

Example

A certificate loaded from a file specified in a property.
<resolver:StartTLSTrustCredential id="LDAPtoIdPCredential" xsi:type="sec:X509ResourceBacked"> <sec:Certificate>%{idp.attribute.resolver.LDAP.trustCertificates}</sec:Certificate> </resolver:StartTLSTrustCredential>