{"type":"doc","content":[{"type":"paragraph","content":[{"text":"IdP 3.4.0 provides a new facility to register CAS services in SAML metadata. The following CAS protocol configuration points are configurable via metadata:","type":"text"}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"One or more CAS service URLs associated with a single logical CAS service.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"CAS proxy callback URL and trusted certificates.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"CAS single logout participation.","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"The full specification is described in detail in the ","type":"text"},{"text":"CAS metadata profile","type":"text","marks":[{"type":"link","attrs":{"href":"/wiki/spaces/SC/pages/1879344655"}}]},{"text":" specification, but there are a few notable configuration points for creating a CAS protocol entry in SAML metadata.","type":"text"}]},{"type":"paragraph","content":[{"text":"Additionally, note that the resulting relying party \"identifier\" used throughout the IdP as a policy tool is now configurable. By default, it matches previous behavior and will be the CAS server URL, but the ","type":"text"},{"text":"idp.cas.relyingPartyIdFromMetadata","type":"text","marks":[{"type":"strong"}]},{"text":" property can be enabled to allow the entityID from the SAML metadata instance to be exposed in its place. The use of this property is recommended and seems to be more intutive to most deployers.","type":"text"}]},{"type":"heading","attrs":{"level":1},"content":[{"text":"CAS Protocol Support","type":"text"}]},{"type":"paragraph","content":[{"text":"The ","type":"text"},{"text":"SPSSODescriptor","type":"text","marks":[{"type":"em"}]},{"text":" is the container for all CAS protocol configuration bits. Add ","type":"text"},{"text":"https://www.apereo.org/cas/protocol","type":"text","marks":[{"type":"em"}]},{"text":" to the ","type":"text"},{"text":"protocolSupportEnumeration","type":"text","marks":[{"type":"em"}]},{"text":" attribute to identify an entity that supports the CAS protocol.","type":"text"}]},{"type":"heading","attrs":{"level":1},"content":[{"text":"Service URLs","type":"text"}]},{"type":"paragraph","content":[{"text":"One or more ","type":"text"},{"text":"AssertionConsumerService","type":"text","marks":[{"type":"em"}]},{"text":" elements with the binding ","type":"text"},{"text":"https://www.apereo.org/cas/protocol/login","type":"text","marks":[{"type":"em"}]},{"text":" identify the base service URLs that will request service tickets from the IdP. \"Starts with\" matching is used to select a given service URL with a metadata ACS URL, but no wildcards are supported. Consider an example:","type":"text"}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"","type":"text"}]},{"type":"paragraph","content":[{"text":"The entry above would match the following service URLs:","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"https://alpha.example.org/users","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"https://alpha.example.org/admins?grp=1","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"https://alpha.example.org/secure/dashboard","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"In order to index ACS endpoints to support the matching process, a CAS-specific index, ","type":"text"},{"text":"shibboleth.CASMetadataIndices, ","type":"text","marks":[{"type":"em"}]},{"text":"must be applied to metadata sources that contain CAS protocol entries. The following configuration snippet from ","type":"text"},{"text":"conf/metadata-providers.xml","type":"text","marks":[{"type":"em"}]},{"text":" provides an example:","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"CAS Metadata Example","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":" \n\n \n samlmd:SPSSODescriptor\n \n ","type":"text"}]},{"type":"heading","attrs":{"level":1},"content":[{"text":"Proxy Configuration","type":"text"}]},{"type":"paragraph","content":[{"text":"One or more ","type":"text"},{"text":"AssertionConsumerService","type":"text","marks":[{"type":"em"}]},{"text":" elements with the binding ","type":"text"},{"text":"https://www.apereo.org/cas/protocol/proxy","type":"text","marks":[{"type":"em"}]},{"text":" identify proxy callback endpoints. The appearance of at least one ACS endpoint with the proxy binding is an implicit signal to permit proxying; conversely, if no there is no ACS element defined with the proxy binding, then the service is not authorized to proxy.","type":"text"}]},{"type":"paragraph","content":[{"text":"Using SAML metadata to register proxying CAS services is a best practice since it affords the most secure method of configuring TLS trust. A best practice for configuring CAS proxy callback endpoints is to generate a self-signed certificate for the HTTPS endpoint and register it in metadata as follows:","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"Per-service TLS trust configuration","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"\n \n \n \n MIIDODCCAiCgAwIBAgIJAKpLQTw/WPXCMA0GCSqGSIb3DQEBCwUAMBwxGjAYBgNV\n BAMTEWFscGhhLmV4YW1wbGUub3JnMB4XDTE4MDYxODE2NDE0NVoXDTE4MDcxODE2\n NDE0NVowHDEaMBgGA1UEAxMRYWxwaGEuZXhhbXBsZS5vcmcwggEiMA0GCSqGSIb3\n DQEBAQUAA4IBDwAwggEKAoIBAQDHSzRUcM0WBtAjR3P1vHYkaaATjNKTxbNHn3zS\n 3mLnEgukOVFrr+cRByKKUQQb8MIPkuvKrz3lnoCoOwlFMRPigtChjo3UJGTYEMY9\n 2SQQr24U6nE/3d2qFaf2PNIW1SinSjxbE1xeT0bdLcTZHUcE2yEfHKFhcgXIJprv\n R1ceBJBvYYnATuPgUxMjq2ks4kXxG0nNlT13QwBfykBv6I1Wkkc06mEvkMzKNtzr\n ayBK1PygVBNVMUQAFn7Tv6c28BtVLFE9SIKj+5ZcpuWkujVNJF1dYdNmfAz3PiuE\n dPt2yl3t2r/v4CP+U8kBlQs6A83xYrA0MsHnUYOrfL3UTWtZAgMBAAGjfTB7MB0G\n A1UdDgQWBBT/5yBm3mXtsYDvz11kTHsPVGeRcDBMBgNVHSMERTBDgBT/5yBm3mXt\n sYDvz11kTHsPVGeRcKEgpB4wHDEaMBgGA1UEAxMRYWxwaGEuZXhhbXBsZS5vcmeC\n CQCqS0E8P1j1wjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAb/o/M\n mt/nSHOfcjnNJS/LpouaewkoWkQn+FaXZOOvHDYhWur+mHVDpjoszUfgrTX2npmL\n e8Q94bHd+cQrJpZFiYRX8l0p7dAH5Q6Ya/AnHuzGeyQ9fXiDMSWcsg2INcWi7oL9\n h9+V3idcSzgAo1b7+ESSToPj7OG8tgjEp2C9jy0IKEwoApuQtRzxD1XHZFBFwwuH\n nIXWxgctJPU1C+1W9b4bkFSyEGz8/HM7D9feDHbn2AKuRgd99aaOY9D59topf2Zg\n t5sUTWWl54eaF5qoXKY/jdl84Tnmo8GeUufCrS0T6YQGI1LTpicPbqf7zHihQTao\n I1TQuJgghwPvPE9x\n \n \n ...\n \n","type":"text"}]},{"type":"heading","attrs":{"level":1},"content":[{"text":"Single Logout","type":"text"}]},{"type":"paragraph","content":[{"text":"A CAS service registers its intent to participate in single logout by adding a ","type":"text"},{"text":"SingleLogoutService","type":"text","marks":[{"type":"em"}]},{"text":" element as follows.","type":"text"}]},{"type":"codeBlock","content":[{"text":"","type":"text"}]},{"type":"paragraph","content":[{"text":"Note that the location is a URN, which is intentional, since the CAS logout endpoint cannot be statically defined.","type":"text"}]}],"version":1}

Browser not supported