CASMetadataProfile


SAML Metadata Profile

IdP 3.4.0 supports adding CAS protocol endpoints to SAML metadata entries. The following CAS protocol operations may be registered:

  1. Single sign-on via SPSSODescriptor with one or more AssertionConsumerService elements of binding https://www.apereo.org/cas/protocol/login
  2. Proxy via SPSSODescriptor with one or more AssertionConsumerService elements of binding https://www.apereo.org/cas/protocol/proxy
  3. Single sign-out via SPSSODescriptor with a single SingleLogoutService element of binding https://www.apereo.org/cas/protocol/logout

The following sections describe the specific metadata requirements for each type of protocol operation.

CAS Single Sign On

An entity advertises support for the CAS single sign-on protocol with an SPSSODescriptor that has the following characteristics:

  • MUST include https://www.apereo.org/cas/protocol in the protocolSupportEnumeration attribute.
  • Contains one or more AssertionConsumerService elements that MUST have the following attributes:
    • Binding attribute with value of https://www.apereo.org/cas/protocol/login.
    • Location attribute whose URL value is a prefix of some subset of the service URLs; a service URL is matched when it starts with the given value.

ACS endpoints are repeated with varying Location attributes until the full set of service URLs is covered.

CAS Proxy

An entity advertises support for the CAS proxy protocol with an SPSSODescriptor that has the following characteristics:

  • MUST include https://www.apereo.org/cas/protocol in the protocolSupportEnumeration attribute.
  • Contains one or more AssertionConsumerService elements that MUST have the following attributes:
    • Binding attribute with value of https://www.apereo.org/cas/protocol/proxy.
    • Location attribute that matches the pgtURL protocol parameter. The presented protocol parameter value will be verified against this value as part of proxy callback URL validation.
  • MAY define one or more signing certificates in the KeyDescriptor element that will be used as explicit TLS trust material when validating the certificate presented by the proxy callback endpoint.

CAS Single Sign-Out

An entity advertises support for the CAS single sign-out protocol by adding a SingleLogoutService endpoint to an SPSSODescriptor that supports CAS single sign-on. The SingleLogoutService has the following characteristics:

  • Binding attribute with value of https://www.apereo.org/cas/protocol/logout.
  • Location attribute with value of urn:mace:shibboleth:profile:CAS:logout. A URN is used to indicate that the CAS proxy URL is dynamic and varies with the service URL to which a ticket was issued for SSO.

Example Metadata

An example representing a typical CAS entity follows:

CAS Metadata Entry
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                  entityID="https://alpha.example.org/">
    <SPSSODescriptor protocolSupportEnumeration="https://www.apereo.org/cas/protocol">
        <!-- Following certs are for defining explicit CAS proxy TLS trust -->
        <KeyDescriptor use="signing">
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>
                        MIIDODCCAiCgAwIBAgIJAKpLQTw/WPXCMA0GCSqGSIb3DQEBCwUAMBwxGjAYBgNV
                        BAMTEWFscGhhLmV4YW1wbGUub3JnMB4XDTE4MDYxODE2NDE0NVoXDTE4MDcxODE2
                        NDE0NVowHDEaMBgGA1UEAxMRYWxwaGEuZXhhbXBsZS5vcmcwggEiMA0GCSqGSIb3
                        DQEBAQUAA4IBDwAwggEKAoIBAQDHSzRUcM0WBtAjR3P1vHYkaaATjNKTxbNHn3zS
                        3mLnEgukOVFrr+cRByKKUQQb8MIPkuvKrz3lnoCoOwlFMRPigtChjo3UJGTYEMY9
                        2SQQr24U6nE/3d2qFaf2PNIW1SinSjxbE1xeT0bdLcTZHUcE2yEfHKFhcgXIJprv
                        R1ceBJBvYYnATuPgUxMjq2ks4kXxG0nNlT13QwBfykBv6I1Wkkc06mEvkMzKNtzr
                        ayBK1PygVBNVMUQAFn7Tv6c28BtVLFE9SIKj+5ZcpuWkujVNJF1dYdNmfAz3PiuE
                        dPt2yl3t2r/v4CP+U8kBlQs6A83xYrA0MsHnUYOrfL3UTWtZAgMBAAGjfTB7MB0G
                        A1UdDgQWBBT/5yBm3mXtsYDvz11kTHsPVGeRcDBMBgNVHSMERTBDgBT/5yBm3mXt
                        sYDvz11kTHsPVGeRcKEgpB4wHDEaMBgGA1UEAxMRYWxwaGEuZXhhbXBsZS5vcmeC
                        CQCqS0E8P1j1wjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAb/o/M
                        mt/nSHOfcjnNJS/LpouaewkoWkQn+FaXZOOvHDYhWur+mHVDpjoszUfgrTX2npmL
                        e8Q94bHd+cQrJpZFiYRX8l0p7dAH5Q6Ya/AnHuzGeyQ9fXiDMSWcsg2INcWi7oL9
                        h9+V3idcSzgAo1b7+ESSToPj7OG8tgjEp2C9jy0IKEwoApuQtRzxD1XHZFBFwwuH
                        nIXWxgctJPU1C+1W9b4bkFSyEGz8/HM7D9feDHbn2AKuRgd99aaOY9D59topf2Zg
                        t5sUTWWl54eaF5qoXKY/jdl84Tnmo8GeUufCrS0T6YQGI1LTpicPbqf7zHihQTao
                        I1TQuJgghwPvPE9x
                    </ds:X509Certificate>
                </ds:X509Data>
                <ds:X509Data>
                    <ds:X509Certificate>
                        MIIDRTCCAi2gAwIBAgIJAJWAmqfrwZdvMA0GCSqGSIb3DQEBCwUAMCAxHjAcBgNV
                        BAMTFWFscGhhLmRldi5leGFtcGxlLm9yZzAeFw0xODA2MTgxNjUwMThaFw0xODA3
                        MTgxNjUwMThaMCAxHjAcBgNVBAMTFWFscGhhLmRldi5leGFtcGxlLm9yZzCCASIw
                        DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMdLNFRwzRYG0CNHc/W8diRpoBOM
                        0pPFs0effNLeYucSC6Q5UWuv5xEHIopRBBvwwg+S68qvPeWegKg7CUUxE+KC0KGO
                        jdQkZNgQxj3ZJBCvbhTqcT/d3aoVp/Y80hbVKKdKPFsTXF5PRt0txNkdRwTbIR8c
                        oWFyBcgmmu9HVx4EkG9hicBO4+BTEyOraSziRfEbSc2VPXdDAF/KQG/ojVaSRzTq
                        YS+QzMo23OtrIErU/KBUE1UxRAAWftO/pzbwG1UsUT1IgqP7llym5aS6NU0kXV1h
                        02Z8DPc+K4R0+3bKXe3av+/gI/5TyQGVCzoDzfFisDQywedRg6t8vdRNa1kCAwEA
                        AaOBgTB/MB0GA1UdDgQWBBT/5yBm3mXtsYDvz11kTHsPVGeRcDBQBgNVHSMESTBH
                        gBT/5yBm3mXtsYDvz11kTHsPVGeRcKEkpCIwIDEeMBwGA1UEAxMVYWxwaGEuZGV2
                        LmV4YW1wbGUub3JnggkAlYCap+vBl28wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0B
                        AQsFAAOCAQEAZJvp0luHvSlb1pSNpH1roT3R35FyZc+rLJWzmtVAdjt0eQU4q6da
                        /lQ/83ntRj82GOxZEbyJwyhXLaav2nTe7N+wQoz6maTYXMX8Q9DZVLihy1SSrCY6
                        bLi2+byxKORw9GXrVaul8yckElyvx2HxMg8iXcLmuG1pVb1bk8BlnwHNDPZYTNMY
                        iPgHtdsquziKrb08y/fjNiyeEIFlHloK+b4jggjOUbQ/jTkLkG6mkRQwu1NolvvB
                        BBr0q/P8Z86TMmdp1deZEqQMVY6uWNgVs5Ci0piyQdKJjOvaGE/XXItD8blH3d4O
                        SsADjh/HEFpp0Pu5ypQNryzdNL+6sw4XyQ==
                    </ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </KeyDescriptor>
        <AssertionConsumerService
                Binding="https://www.apereo.org/cas/protocol/login"
                Location="https://alpha.example.org/"
                index="1"/>
        <AssertionConsumerService
                Binding="https://www.apereo.org/cas/protocol/login"
                Location="https://alpha.dev.example.org/"
                index="2"/>
        <AssertionConsumerService
                Binding="https://www.apereo.org/cas/protocol/proxy"
                Location="https://alpha.example.org/proxy_receptor"
                index="3"/>
        <SingleLogoutService
                Binding="https://www.apereo.org/cas/protocol/logout"
                Location="urn:mace:shibboleth:profile:CAS:logout"/>
    </SPSSODescriptor>
</EntityDescriptor>
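As an added example (not part of this page or of the IdP code base), the following Python applies the three rules described in the sign-on, proxy and sign-out sections to a constructed metadata entry modelled on the one above: prefix matching of a service URL against login ACS Locations, exact matching of the pgtUrl parameter against the proxy ACS Location, and detection of the logout endpoint; it also collects the signing certificates that serve as explicit TLS trust for proxy callback validation. The sample entry and its placeholder certificate body are constructed; the namespace URIs are the standard SAML metadata and XML Signature namespaces.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
CAS = "https://www.apereo.org/cas/protocol"
LOGOUT_URN = "urn:mace:shibboleth:profile:CAS:logout"

# Constructed sample entry modelled on the page's example; the certificate body is a placeholder.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD_NS}" xmlns:ds="{DS_NS}" entityID="https://alpha.example.org/">
  <SPSSODescriptor protocolSupportEnumeration="{CAS}">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <AssertionConsumerService Binding="{CAS}/login" Location="https://alpha.example.org/" index="1"/>
    <AssertionConsumerService Binding="{CAS}/proxy" Location="https://alpha.example.org/proxy_receptor" index="2"/>
    <SingleLogoutService Binding="{CAS}/logout" Location="{LOGOUT_URN}"/>
  </SPSSODescriptor>
</EntityDescriptor>"""

def cas_descriptor(entity_xml):
    """Return the SPSSODescriptor whose protocolSupportEnumeration lists the CAS protocol URI, or None."""
    sps = ET.fromstring(entity_xml).iter(f"{{{MD_NS}}}SPSSODescriptor")
    return next((sp for sp in sps if CAS in sp.get("protocolSupportEnumeration", "").split()), None)

def endpoints(sp, element, binding):
    """Location values of every <element> in the descriptor that carries the given Binding."""
    return [e.get("Location") for e in sp.iter(f"{{{MD_NS}}}{element}") if e.get("Binding") == binding]

def service_allowed(entity_xml, service_url):
    """SSO rule: the service URL must start with some login ACS Location (literal prefix match)."""
    sp = cas_descriptor(entity_xml)
    return sp is not None and any(
        service_url.startswith(loc) for loc in endpoints(sp, "AssertionConsumerService", CAS + "/login"))

def pgt_url_allowed(entity_xml, pgt_url):
    """Proxy rule: the presented pgtUrl must exactly equal a proxy ACS Location."""
    sp = cas_descriptor(entity_xml)
    return sp is not None and pgt_url in endpoints(sp, "AssertionConsumerService", CAS + "/proxy")

def logout_supported(entity_xml):
    """Sign-out rule: a SingleLogoutService with the logout binding and the fixed URN Location."""
    sp = cas_descriptor(entity_xml)
    return sp is not None and LOGOUT_URN in endpoints(sp, "SingleLogoutService", CAS + "/logout")

def proxy_trust_certs(entity_xml):
    """Base64 bodies of signing certificates: the explicit TLS trust used for proxy callback validation."""
    sp = cas_descriptor(entity_xml)
    return [] if sp is None else [c.text.strip() for kd in sp.iter(f"{{{MD_NS}}}KeyDescriptor")
            if kd.get("use", "signing") == "signing" for c in kd.iter(f"{{{DS_NS}}}X509Certificate")]
```

Because the SSO rule is a literal prefix test, login Location values should end with a trailing slash or path, as in the example above; a bare host prefix would also accept any longer host name that begins with the same characters.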