<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:c="http://www.springframework.org/schema/c"
       xmlns:p="http://www.springframework.org/schema/p"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
       default-init-method="initialize"
       default-destroy-method="destroy">

    <!--
    | The CAS service registry defines verified relying parties by endpoint URI.
    | The default implementation (PatternServiceRegistry, overridable through the idp.cas.serviceRegistryClass
    | property) treats the ID of each entry as a regular expression defining a logical group of services
    | whose URIs match the expression. A service URI matching no definition is therefore not a verified
    | relying party.
    |
    | Security notes for the patterns:
    |   * Escape literal dots (example\.org) and keep the host part tight. An unescaped dot or a wildcard in
    |     the host position lets an attacker-controlled hostname be treated as a verified service, inheriting
    |     the group's proxy authorization and whatever else the deployment keys on group membership.
    |   * Reserve authorizedToProxy="true" for the smallest possible group: a proxying service can obtain
    |     proxy tickets and act toward other services as the authenticated user.
    |   * A plain http:// definition (as in the second example) means the ticket is delivered to the service
    |     in cleartext; prefer https:// definitions.
    |   NOTE(review): the notes above assume the registry requires the whole URI to match the pattern
    |   (no explicit ^...$ anchors appear in the examples); confirm against PatternServiceRegistry.
    |
    | This bean is reloaded periodically according to %{idp.home}/conf/services.properties.
    -->
    <bean id="reloadableServiceRegistry"
          class="%{idp.cas.serviceRegistryClass:net.shibboleth.idp.cas.service.PatternServiceRegistry}">
        <property name="definitions">
            <list>
                <!--
                <bean class="net.shibboleth.idp.cas.service.ServiceDefinition"
                      c:regex="https://([A-Za-z0-9_-]+\.)*example\.org(:\d+)?/.*"
                      p:group="proxying-services"
                      p:authorizedToProxy="true"
                      p:singleLogoutParticipant="true" />
                <bean class="net.shibboleth.idp.cas.service.ServiceDefinition"
                      c:regex="http://([A-Za-z0-9_-]+\.)*example\.org(:\d+)?/.*"
                      p:group="non-proxying-services"
                      p:authorizedToProxy="false" />
                -->
            </list>
        </property>
    </bean>

    <!--
    | The default ticket service as of 3.3.0 serializes ticket data into the opaque section of the ticket ID
    | for service tickets and proxy tickets. Proxy-granting tickets still require server-side storage, and
    | the StorageService named by the idp.cas.StorageService property is used for them. Thus for deployers
    | that do not require CAS proxy capabilities, no stateful storage mechanism is required; that means no
    | memcached or database is required for HA deployments that want CAS (without proxy) support.
    |
    | A notable limitation of the new component is that the one-time use feature of service and proxy
    | tickets is not available, because there is no ticket-tracking mechanism. Instead, tickets expire when
    | their expiration period is exceeded. Security consequence: a service or proxy ticket captured in
    | transit (for example via a plain-HTTP service URL or a logged redirect) can be validated again by an
    | attacker until ticketValidityPeriod elapses, rather than being rejected after the legitimate first
    | validation. If this is of concern, decrease ticketValidityPeriod on the profile configuration from
    | the default 15000ms, and/or switch to simpleTicketService below, which does not have this limitation.
    -->
    <alias name="encodingTicketService" alias="shibboleth.CASTicketService" />

    <!--
    | Uncomment the following element and comment out the above to enable the previous default ticket service
    | that uses a StorageService for ticket persistence. Use this if the one-time use limitation of
    | EncodingTicketService is problematic and can't be mitigated by decreasing ticketValidityPeriod.
    | Keep exactly one of the two shibboleth.CASTicketService declarations active.
    -->
    <!--<alias name="simpleTicketService" alias="shibboleth.CASTicketService" /> -->

    <!--
    | The predicate used to determine whether IdP session validation is performed during the process of granting
    | a proxy ticket. When the predicate evaluates to true, an IdP session is resolved and validated prior to
    | granting a proxy ticket. This feature prevents issuing proxy tickets when an IdP session is expired, but comes
    | at the cost of requiring server-side storage of IdP session data.
    |
    | With the default below (alwaysFalse) no session check is made: a holder of a valid proxy-granting ticket
    | can keep obtaining proxy tickets after the user's IdP session has expired. NOTE(review): presumably the
    | proxy-granting ticket's own expiration is then the only bound on that capability; confirm before relying
    | on it. If this is configured to a predicate that evaluates to true under any condition, a server-side
    | storage service must be enabled for IdP session storage. The most common non-default value is "alwaysTrue."
    -->
    <bean id="shibboleth.CASProxyValidateIdPSessionPredicate"
          class="com.google.common.base.Predicates"
          factory-method="alwaysFalse" />

    <!-- ============== Advanced CAS Configuration ============== -->

    <!--
    | Configure a third-party ticket service. A replacement takes over ticket generation and validation
    | entirely, including whatever replay protection the chosen default provides, so review it as
    | security-critical code. Comment out the shibboleth.CASTicketService alias above when enabling this.
    -->
    <!--
    <bean id="shibboleth.CASTicketService"
          class="org.example.idp.cas.CustomTicketService" />
    -->

    <!--
    | Configure a third-party proxy authenticator. NOTE(review): the checks the default implementation
    | performs are not visible in this file; a replacement presumably decides whether a requesting service
    | may receive a proxy-granting ticket, so a permissive implementation would hand proxy capability to
    | unauthorized services. Review any replacement with that in mind.
    -->
    <!--
    <bean id="shibboleth.CASProxyAuthenticator"
          class="org.example.idp.cas.CustomProxyAuthenticator" />
    -->
</beans>