cas-protocol.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:c="http://www.springframework.org/schema/c"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:util="http://www.springframework.org/schema/util"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
       default-init-method="initialize"
       default-destroy-method="destroy">

    <!--
       | The CAS service registry defines verified relying parties by endpoint URI.
       | The default implementation treats the ID of each entry as a regular expression defining a logical group of
       | services whose URIs match the expression.
       |
       | This bean is reloaded periodically according to %{idp.home}/conf/services.properties.
       -->
    <bean id="reloadableServiceRegistry"
          class="%{idp.cas.serviceRegistryClass:net.shibboleth.idp.cas.service.PatternServiceRegistry}">
        <property name="definitions">
            <list>
                <!--
                <bean class="net.shibboleth.idp.cas.service.ServiceDefinition"
                      c:regex="https://([A-Za-z0-9_-]+\.)*example\.org(:\d+)?/.*"
                      p:group="proxying-services"
                      p:authorizedToProxy="true"
                      p:singleLogoutParticipant="true" />
                <bean class="net.shibboleth.idp.cas.service.ServiceDefinition"
                      c:regex="http://([A-Za-z0-9_-]+\.)*example\.org(:\d+)?/.*"
                      p:group="non-proxying-services"
                      p:authorizedToProxy="false" /
                -->
            </list>
        </property>
    </bean>

    <!--
       | Uncomment this bean if you want to override the default list of CAS service registries.
       | The default configuration tries to find the relying party in a SAML metadata source and falls back to
       | reloadableServiceRegistry if a match is not found.
       -->
    <!--<util:list id="shibboleth.CASServiceRegistries">
        <ref bean="shibboleth.CASMetadataServiceRegistry" />
        <ref bean="shibboleth.CASServiceRegistry" />
    </util:list>-->

    <!--
       | The default ticket service as of 3.3.0 serializes ticket data into the opaque section of the ticket ID
       | for service tickets and proxy tickets. Proxy-granting tickets still require server-side storage, and
       | a StorageService defined by the idp.cas.StorageService is used. Thus for deployers that do not require
       | CAS proxy capabilities, no stateful storage mechanism is required; that means no memcached or database
       | is required for HA deployments that want CAS (without proxy) support. A notable limitation of the new
       | component is that the one-time use feature of service and proxy tickets is not available due to the lack
       | of a ticket-tracking mechanism. Instead, tickets expire when their expiration period is exceeded.
       | If this limitation is of concern, one may consider decreasing ticketValidityPeriod on the profile
       | configuration from the default 15000ms.
       -->
    <alias name="encodingTicketService" alias="shibboleth.CASTicketService" />

    <!--
       | Uncomment the following element and comment out the above to enable the previous default ticket service
       | that uses a StorageService for ticket persistence. Use this if the one-time use limitation of
       | EncodingTicketService is problematic and can't be mitigated by decreasing ticketValidityPeriod.
       -->
    <!--<alias name="simpleTicketService" alias="shibboleth.CASTicketService" /> -->

    <!--
       | The predicate used to determine whether IdP session validation is performed during the process of granting
       | a proxy ticket. When the predicate evaluates to true, an IdP session is resolved and validated prior to
       | granting a proxy ticket. This feature prevents issuing proxy tickets when an IdP session is expired, but comes
       | at the cost of requiring server-side storage of IdP session data. If this is configured to a predicate that
       | evaluates to true under any condition, a server-side storage service must be enabled for IdP session
       | storage. The most common non-default value is "alwaysTrue."
       -->
    <bean id="shibboleth.CASProxyValidateIdPSessionPredicate"
          class="com.google.common.base.Predicates"
          factory-method="alwaysFalse" />

    <!--
       | Uncomment the following bean if you want to ignore jsessionid artifacts in service URLs.
       | Those sorts of URLs are commonly emitted by Java servlet-based web applications.
       -->
    <!--<bean id="shibboleth.CASServiceComparator"
          class="net.shibboleth.idp.cas.service.impl.DefaultServiceComparator"
          c:parameterNames="[a-z]+sessionid" />-->

    <!--
       | Define the list of static certificates that you trust to secure CAS proxy callback endpoints.
       | Typically these are CA certificates and apply to _all_ CAS proxy callback endpoints.
       | This facility complements the capability to supply relying-party-specific certificates in SAML metadata,
       | which is the preferred mechanism to specify CAS proxy trust material. In the case of metadata, self-signed
       | certificates are recommended.
       -->
    <util:list id="shibboleth.CASProxyTrustedCertificates" value-type="java.lang.String">
        <!--<value>%{idp.home}/credentials/your_ca.pem</value>-->
    </util:list>


    <!-- ============== Advanced CAS Configuration ============== -->

    <!-- Configure a third-party ticket service. -->
    <!--
    <bean id="shibboleth.CASTicketService"
          class="org.example.idp.cas.CustomTicketService" />
    -->
</beans>
	<?xml version="1.0" encoding="UTF-8"?>
	<beans xmlns="http://www.springframework.org/schema/beans"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xmlns:c="http://www.springframework.org/schema/c"
	xmlns:p="http://www.springframework.org/schema/p"
	xmlns:util="http://www.springframework.org/schema/util"
	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
	http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
	http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
	default-init-method="initialize"
	default-destroy-method="destroy">

	<!--
	\| The CAS service registry defines verified relying parties by endpoint URI.
	\| The default implementation treats the ID of each entry as a regular expression defining a logical group of
	\| services whose URIs match the expression.
	\|
	\| This bean is reloaded periodically according to %{idp.home}/conf/services.properties.
	-->
	<bean id="reloadableServiceRegistry"
	class="%{idp.cas.serviceRegistryClass:net.shibboleth.idp.cas.service.PatternServiceRegistry}">
	<property name="definitions">
	<list>
	<!--
	<bean class="net.shibboleth.idp.cas.service.ServiceDefinition"
	c:regex="https://([A-Za-z0-9_-]+\.)example\.org(:\d+)?/."
	p:group="proxying-services"
	p:authorizedToProxy="true"
	p:singleLogoutParticipant="true" />
	<bean class="net.shibboleth.idp.cas.service.ServiceDefinition"
	c:regex="http://([A-Za-z0-9_-]+\.)example\.org(:\d+)?/."
	p:group="non-proxying-services"
	p:authorizedToProxy="false" /
	-->
	</list>
	</property>
	</bean>

	<!--
	\| Uncomment this bean if you want to override the default list of CAS service registries.
	\| The default configuration tries to find the relying party in a SAML metadata source and falls back to
	\| reloadableServiceRegistry if a match is not found.
	-->
	<!--<util:list id="shibboleth.CASServiceRegistries">
	<ref bean="shibboleth.CASMetadataServiceRegistry" />
	<ref bean="shibboleth.CASServiceRegistry" />
	</util:list>-->

	<!--
	\| The default ticket service as of 3.3.0 serializes ticket data into the opaque section of the ticket ID
	\| for service tickets and proxy tickets. Proxy-granting tickets still require server-side storage, and
	\| a StorageService defined by the idp.cas.StorageService is used. Thus for deployers that do not require
	\| CAS proxy capabilities, no stateful storage mechanism is required; that means no memcached or database
	\| is required for HA deployments that want CAS (without proxy) support. A notable limitation of the new
	\| component is that the one-time use feature of service and proxy tickets is not available due to the lack
	\| of a ticket-tracking mechanism. Instead, tickets expire when their expiration period is exceeded.
	\| If this limitation is of concern, one may consider decreasing ticketValidityPeriod on the profile
	\| configuration from the default 15000ms.
	-->
	<alias name="encodingTicketService" alias="shibboleth.CASTicketService" />

	<!--
	\| Uncomment the following element and comment out the above to enable the previous default ticket service
	\| that uses a StorageService for ticket persistence. Use this if the one-time use limitation of
	\| EncodingTicketService is problematic and can't be mitigated by decreasing ticketValidityPeriod.
	-->
	<!--<alias name="simpleTicketService" alias="shibboleth.CASTicketService" /> -->

	<!--
	\| The predicate used to determine whether IdP session validation is performed during the process of granting
	\| a proxy ticket. When the predicate evaluates to true, an IdP session is resolved and validated prior to
	\| granting a proxy ticket. This feature prevents issuing proxy tickets when an IdP session is expired, but comes
	\| at the cost of requiring server-side storage of IdP session data. If this is configured to a predicate that
	\| evaluates to true under any condition, a server-side storage service must be enabled for IdP session
	\| storage. The most common non-default value is "alwaysTrue."
	-->
	<bean id="shibboleth.CASProxyValidateIdPSessionPredicate"
	class="com.google.common.base.Predicates"
	factory-method="alwaysFalse" />

	<!--
	\| Uncomment the following bean if you want to ignore jsessionid artifacts in service URLs.
	\| Those sorts of URLs are commonly emitted by Java servlet-based web applications.
	-->
	<!--<bean id="shibboleth.CASServiceComparator"
	class="net.shibboleth.idp.cas.service.impl.DefaultServiceComparator"
	c:parameterNames="[a-z]+sessionid" />-->

	<!--
	\| Define the list of static certificates that you trust to secure CAS proxy callback endpoints.
	\| Typically these are CA certificates and apply to _all_ CAS proxy callback endpoints.
	\| This facility complements the capability to supply relying-party-specific certificates in SAML metadata,
	\| which is the preferred mechanism to specify CAS proxy trust material. In the case of metadata, self-signed
	\| certificates are recommended.
	-->
	<util:list id="shibboleth.CASProxyTrustedCertificates" value-type="java.lang.String">
	<!--<value>%{idp.home}/credentials/your_ca.pem</value>-->
	</util:list>


	<!-- ============== Advanced CAS Configuration ============== -->

	<!-- Configure a third-party ticket service. -->
	<!--
	<bean id="shibboleth.CASTicketService"
	class="org.example.idp.cas.CustomTicketService" />
	-->
	</beans>