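<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:c="http://www.springframework.org/schema/c"
       xmlns:p="http://www.springframework.org/schema/p"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
       default-init-method="initialize"
       default-destroy-method="destroy">

    <!--
       | The CAS service registry defines verified relying parties by endpoint URI.
       | The default implementation treats the ID of each entry as a regular expression defining a logical group of
       | services whose URIs match the expression.
       |
       | Security note: this list is the access control deciding which service URLs may receive CAS tickets.
       | Keep each pattern as narrow as possible and escape literal dots. In the examples below the host is
       | followed by an optional port and a mandatory "/", so a URL such as https://example.org.attacker.net/
       | does not match. Confirm whether the configured registry class matches the whole service URL or merely
       | searches within it; if it searches, anchor patterns with ^ and $ so that a matching string embedded in a
       | query parameter cannot satisfy them. A plain-http service URI receives its ticket over cleartext, so
       | prefer https entries (the http example is illustrative only).
       |
       | This bean is reloaded periodically according to %{idp.home}/conf/services.properties.
       -->
    <bean id="reloadableServiceRegistry"
          class="%{idp.cas.serviceRegistryClass:net.shibboleth.idp.cas.service.PatternServiceRegistry}">
        <property name="definitions">
            <list>
                <!--
                <bean class="net.shibboleth.idp.cas.service.ServiceDefinition"
                      c:regex="https://([A-Za-z0-9_-]+\.)*example\.org(:\d+)?/.*"
                      p:group="proxying-services"
                      p:authorizedToProxy="true"
                      p:singleLogoutParticipant="true" />
                <bean class="net.shibboleth.idp.cas.service.ServiceDefinition"
                      c:regex="http://([A-Za-z0-9_-]+\.)*example\.org(:\d+)?/.*"
                      p:group="non-proxying-services"
                      p:authorizedToProxy="false" />
                -->
            </list>
        </property>
    </bean>

    <!--
       | The default ticket service as of 3.3.0 serializes ticket data into the opaque section of the ticket ID
       | for service tickets and proxy tickets. Proxy-granting tickets still require server-side storage, and
       | the StorageService named by the idp.cas.StorageService property is used for them. Thus for deployers
       | that do not require CAS proxy capabilities, no stateful storage mechanism is required; that means no
       | memcached or database is required for HA deployments that want CAS (without proxy) support.
       |
       | Security note: because this component has no ticket-tracking mechanism, service and proxy tickets are
       | NOT one-time use. A ticket that leaks (e.g. via logs or Referer headers) can be presented to the
       | validation endpoint again until it expires; tickets are only rejected once their expiration period is
       | exceeded. If this replay window is of concern, decrease ticketValidityPeriod on the profile
       | configuration from the default 15000ms, or switch to simpleTicketService below.
       -->
    <alias name="encodingTicketService" alias="shibboleth.CASTicketService" />

    <!--
       | Uncomment the following element and comment out the above to enable the previous default ticket service
       | that uses a StorageService for ticket persistence (and therefore enforces one-time ticket use). Use this
       | if the replay limitation of EncodingTicketService is problematic and cannot be mitigated by decreasing
       | ticketValidityPeriod.
       -->
    <!--<alias name="simpleTicketService" alias="shibboleth.CASTicketService" /> -->

    <!--
       | The predicate used to determine whether IdP session validation is performed during the process of granting
       | a proxy ticket. When the predicate evaluates to true, an IdP session is resolved and validated prior to
       | granting a proxy ticket. This feature prevents issuing proxy tickets when an IdP session is expired, but comes
       | at the cost of requiring server-side storage of IdP session data. If this is configured to a predicate that
       | evaluates to true under any condition, a server-side storage service must be enabled for IdP session
       | storage. The most common non-default value is "alwaysTrue".
       |
       | Security note: with the default alwaysFalse, a proxy ticket can be issued from a proxy-granting ticket
       | even after the user's IdP session has ended.
       -->
    <bean id="shibboleth.CASProxyValidateIdPSessionPredicate"
          class="com.google.common.base.Predicates"
          factory-method="alwaysFalse" />


    <!-- ============== Advanced CAS Configuration ============== -->

    <!-- Configure a third-party ticket service. -->
    <!--
    <bean id="shibboleth.CASTicketService"
          class="org.example.idp.cas.CustomTicketService" />
    -->

    <!-- Configure a third-party proxy authenticator. -->
    <!--
    <bean id="shibboleth.CASProxyAuthenticator"
          class="org.example.idp.cas.CustomProxyAuthenticator" />
    -->
</beans>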