CASMetadataProfile
SAML Metadata Profile
IdP 3.4.0 supports adding CAS protocol endpoints to SAML metadata entries. The following CAS protocol operations may be registered:
- Single sign-on via SPSSODescriptor with one or more AssertionConsumerService elements of binding https://www.apereo.org/cas/protocol/login
- Proxy via SPSSODescriptor with one or more AssertionConsumerService elements of binding https://www.apereo.org/cas/protocol/proxy
- Single sign-out via SPSSODescriptor with a single SingleLogoutService element of binding https://www.apereo.org/cas/protocol/logout
The following sections describe the specific metadata requirements for each type of protocol operation.
CAS Single Sign On
An entity advertises support for the CAS single sign-on protocol with an SPSSODescriptor that has the following characteristics:
- MUST include https://www.apereo.org/cas/protocol in the protocolSupportEnumeration attribute.
- Contains one or more AssertionConsumerService elements that MUST have the following attributes:
  - Binding attribute with value of https://www.apereo.org/cas/protocol/login.
  - Location attribute with a URL such that some subset of service URLs start with the given value (a string prefix match).
ACS endpoints are repeated with varying Location attributes until the full set of service URLs is covered.
CAS Proxy
An entity advertises support for the CAS proxy protocol with an SPSSODescriptor that has the following characteristics:
- MUST include https://www.apereo.org/cas/protocol in the protocolSupportEnumeration attribute.
- Contains one or more AssertionConsumerService elements that MUST have the following attributes:
  - Binding attribute with value of https://www.apereo.org/cas/protocol/proxy.
  - Location attribute that matches the pgtUrl protocol parameter exactly. The presented protocol parameter value will be verified against this value as part of proxy callback URL validation.
- MAY define one or more signing certificates in the KeyDescriptor element; these are used as explicit TLS trust material when validating the certificate presented by the proxy callback endpoint.
CAS Single Sign-Out
An entity advertises support for the CAS single sign-out protocol by adding a SingleLogoutService endpoint to a SPSSODescriptor that supports CAS single sign-on. The SingleLogoutService has the following characteristics:
- Binding attribute with value of https://www.apereo.org/cas/protocol/logout.
- Location attribute with value of urn:mace:shibboleth:profile:CAS:logout. A URN is used to indicate that the CAS logout URL is dynamic and varies with the service URL to which a ticket was issued for SSO.
Example Metadata
An example representing a typical CAS entity follows:
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://alpha.example.org/">
  <SPSSODescriptor protocolSupportEnumeration="https://www.apereo.org/cas/protocol">
    <!-- Following certs are for defining explicit CAS proxy TLS trust -->
    <KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>
MIIDODCCAiCgAwIBAgIJAKpLQTw/WPXCMA0GCSqGSIb3DQEBCwUAMBwxGjAYBgNV
BAMTEWFscGhhLmV4YW1wbGUub3JnMB4XDTE4MDYxODE2NDE0NVoXDTE4MDcxODE2
NDE0NVowHDEaMBgGA1UEAxMRYWxwaGEuZXhhbXBsZS5vcmcwggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQDHSzRUcM0WBtAjR3P1vHYkaaATjNKTxbNHn3zS
3mLnEgukOVFrr+cRByKKUQQb8MIPkuvKrz3lnoCoOwlFMRPigtChjo3UJGTYEMY9
2SQQr24U6nE/3d2qFaf2PNIW1SinSjxbE1xeT0bdLcTZHUcE2yEfHKFhcgXIJprv
R1ceBJBvYYnATuPgUxMjq2ks4kXxG0nNlT13QwBfykBv6I1Wkkc06mEvkMzKNtzr
ayBK1PygVBNVMUQAFn7Tv6c28BtVLFE9SIKj+5ZcpuWkujVNJF1dYdNmfAz3PiuE
dPt2yl3t2r/v4CP+U8kBlQs6A83xYrA0MsHnUYOrfL3UTWtZAgMBAAGjfTB7MB0G
A1UdDgQWBBT/5yBm3mXtsYDvz11kTHsPVGeRcDBMBgNVHSMERTBDgBT/5yBm3mXt
sYDvz11kTHsPVGeRcKEgpB4wHDEaMBgGA1UEAxMRYWxwaGEuZXhhbXBsZS5vcmeC
CQCqS0E8P1j1wjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAb/o/M
mt/nSHOfcjnNJS/LpouaewkoWkQn+FaXZOOvHDYhWur+mHVDpjoszUfgrTX2npmL
e8Q94bHd+cQrJpZFiYRX8l0p7dAH5Q6Ya/AnHuzGeyQ9fXiDMSWcsg2INcWi7oL9
h9+V3idcSzgAo1b7+ESSToPj7OG8tgjEp2C9jy0IKEwoApuQtRzxD1XHZFBFwwuH
nIXWxgctJPU1C+1W9b4bkFSyEGz8/HM7D9feDHbn2AKuRgd99aaOY9D59topf2Zg
t5sUTWWl54eaF5qoXKY/jdl84Tnmo8GeUufCrS0T6YQGI1LTpicPbqf7zHihQTao
I1TQuJgghwPvPE9x
          </ds:X509Certificate>
        </ds:X509Data>
        <ds:X509Data>
          <ds:X509Certificate><!-- second certificate elided --></ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <AssertionConsumerService
        Binding="https://www.apereo.org/cas/protocol/login"
        Location="https://alpha.example.org/"
        index="1"/>
    <AssertionConsumerService
        Binding="https://www.apereo.org/cas/protocol/login"
        Location="https://alpha.dev.example.org/"
        index="2"/>
    <AssertionConsumerService
        Binding="https://www.apereo.org/cas/protocol/proxy"
        Location="https://alpha.example.org/proxy_receptor"
        index="3"/>
    <SingleLogoutService
        Binding="https://www.apereo.org/cas/protocol/logout"
        Location="urn:mace:shibboleth:profile:CAS:logout"/>
  </SPSSODescriptor>
</EntityDescriptor>
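The following Python script is an added example, not Shibboleth IdP code, that applies the three rules from the sections above to metadata of this shape: it resolves a service URL to an entity by string-prefix match on the login ACS Locations, checks a pgtUrl against the proxy ACS Location, reports whether the entity participates in single sign-out, and collects the KeyDescriptor certificates meant as proxy TLS trust. The embedded metadata is a constructed sample (alpha mirrors the example entity above with a placeholder in place of the certificate text; beta and gamma are hypothetical). Longest-prefix tie-breaking and the lint check for path-less Locations are this example's own additions, not behaviour the profile text specifies.

```python
"""Resolve CAS service URLs against SAML metadata per the CAS Metadata Profile:
login ACS Locations are string prefixes of service URLs, the proxy ACS Location
must equal pgtUrl, and a CAS-binding SingleLogoutService marks SLO participation.
Added example for this page, not Shibboleth IdP code; metadata is constructed."""
from dataclasses import dataclass
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
CAS_PROTOCOL = "https://www.apereo.org/cas/protocol"
CAS_LOGIN = CAS_PROTOCOL + "/login"
CAS_PROXY = CAS_PROTOCOL + "/proxy"
CAS_LOGOUT = CAS_PROTOCOL + "/logout"
CAS_SLO_LOCATION = "urn:mace:shibboleth:profile:CAS:logout"

# Constructed sample: alpha mirrors the page's example (certificate text replaced by a
# placeholder), beta registers one path, gamma (hypothetical) has no path in its Location.
SAMPLE_METADATA = f"""<EntitiesDescriptor xmlns="{MD_NS}" xmlns:ds="{DS_NS}">
  <EntityDescriptor entityID="https://alpha.example.org/">
    <SPSSODescriptor protocolSupportEnumeration="{CAS_PROTOCOL}">
      <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER-CERT-1</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
      <AssertionConsumerService Binding="{CAS_LOGIN}" Location="https://alpha.example.org/" index="1"/>
      <AssertionConsumerService Binding="{CAS_LOGIN}" Location="https://alpha.dev.example.org/" index="2"/>
      <AssertionConsumerService Binding="{CAS_PROXY}" Location="https://alpha.example.org/proxy_receptor" index="3"/>
      <SingleLogoutService Binding="{CAS_LOGOUT}" Location="{CAS_SLO_LOCATION}"/>
    </SPSSODescriptor>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://beta.example.org/">
    <SPSSODescriptor protocolSupportEnumeration="{CAS_PROTOCOL}">
      <AssertionConsumerService Binding="{CAS_LOGIN}" Location="https://beta.example.org/app/" index="1"/>
    </SPSSODescriptor>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://gamma.example.org/">
    <SPSSODescriptor protocolSupportEnumeration="{CAS_PROTOCOL}">
      <AssertionConsumerService Binding="{CAS_LOGIN}" Location="https://gamma.example.org" index="1"/>
    </SPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>"""


@dataclass
class CasService:
    entity_id: str
    login_prefixes: list
    proxy_locations: list
    single_logout: bool
    proxy_trust_certs: list


def parse_cas_services(xml_text):
    """Collect every SPSSODescriptor that advertises the CAS protocol URI."""
    root = ET.fromstring(xml_text)
    services = []
    for ed in root.iter(f"{{{MD_NS}}}EntityDescriptor"):
        for sp in ed.findall(f"{{{MD_NS}}}SPSSODescriptor"):
            if CAS_PROTOCOL not in sp.get("protocolSupportEnumeration", "").split():
                continue  # profile requires the CAS protocol URI here
            logins, proxies = [], []
            for acs in sp.findall(f"{{{MD_NS}}}AssertionConsumerService"):
                if acs.get("Binding") == CAS_LOGIN:
                    logins.append(acs.get("Location"))
                elif acs.get("Binding") == CAS_PROXY:
                    proxies.append(acs.get("Location"))
            slo = any(s.get("Binding") == CAS_LOGOUT and s.get("Location") == CAS_SLO_LOCATION
                      for s in sp.findall(f"{{{MD_NS}}}SingleLogoutService"))
            certs = [c.text.strip() for c in sp.iter(f"{{{DS_NS}}}X509Certificate") if c.text]
            if logins:  # no login ACS means no CAS service is registered
                services.append(CasService(ed.get("entityID"), logins, proxies, slo, certs))
    return services


def lookup_service(services, service_url):
    """Entity whose login Location is a string prefix of service_url, else None.
    Longest prefix wins; that tie-break is this example's choice, not the profile's."""
    best, best_len = None, -1
    for svc in services:
        for prefix in svc.login_prefixes:
            if service_url.startswith(prefix) and len(prefix) > best_len:
                best, best_len = svc, len(prefix)
    return best


def validate_pgt_url(svc, pgt_url):
    """pgtUrl must equal a registered proxy Location exactly."""
    return pgt_url in svc.proxy_locations


def lint_login_locations(svc):
    """Login Locations with no path component also prefix-match service URLs on any
    longer host name beginning with the same string (see gamma in the sample)."""
    return [p for p in svc.login_prefixes if urlsplit(p).path == ""]


if __name__ == "__main__":
    svcs = parse_cas_services(SAMPLE_METADATA)
    for url in ("https://alpha.example.org/cas/callback", "https://gamma.example.org.attacker.test/x"):
        hit = lookup_service(svcs, url)
        print(url, "->", hit.entity_id if hit else "no CAS service registered")
    for svc in svcs:
        for bad in lint_login_locations(svc):
            print("WARNING:", svc.entity_id, "login Location has no path:", bad)
```

The trailing slash in the example's Location values is what keeps the prefix match anchored to one host: with `https://alpha.example.org/` a service URL on `alpha.example.org.attacker.test` resolves to no entity, whereas gamma's path-less Location is matched by any host name that merely begins with `gamma.example.org`.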