...

Code block (xml): cas-protocol.xml
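<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:c="http://www.springframework.org/schema/c"
       xmlns:p="http://www.springframework.org/schema/p"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
       default-init-method="initialize"
       default-destroy-method="destroy">
    <!--
       | The CAS service registry defines verified relying parties by endpoint URI.
       | The default implementation treats the ID of each entry as a regular expression defining a logical group of
       | services whose URIs match the expression.
       |
       | This bean is reloaded periodically according to %{idp.home}/conf/services.properties.
       |
       | Security note: every service URL that matches one of these patterns is trusted to receive
       | tickets (and thereby attributes) for the authenticated user, so keep the patterns as narrow
       | as the deployment allows, e.g. explicit hostnames rather than a whole DNS domain.
       -->
    <bean id="reloadableServiceRegistry"
          class="%{idp.cas.serviceRegistryClass:net.shibboleth.idp.cas.service.PatternServiceRegistry}">
        <property name="definitions">
            <list>
               <!--
                  | CAS is allowed for every https service within the DNS domain example.se.
                  | The expression requires the host to end in "example.se" followed directly by an
                  | optional port and a "/", so hosts such as "notexample.se", "example.se.evil.test"
                  | or "example.se@evil.test" do not match.
                  | NOTE(review): this relies on the registry matching the whole service URL (the
                  | shipped default examples below are written the same way); anchoring with ^ and $
                  | is a harmless extra safeguard if unsure. Confirm against the IdP version in use.
                  |
                  | authorizedToProxy="false": services in this group may not obtain proxy-granting tickets.
                  | singleLogoutParticipant: change to true only if SAML single logout has been enabled.
                  |
                  | (The comments were moved out of the start tag: a comment between attributes is not
                  | well-formed XML and prevents this file from being loaded at all.)
                  -->
               <bean class="net.shibboleth.idp.cas.service.ServiceDefinition"
                     c:regex="https:\/\/([A-Za-z0-9_-]+\.)*example\.se(:\d+)?\/.*"
                     p:group="CAS-forclients-in-example-se"
                     p:authorizedToProxy="false"
                     p:singleLogoutParticipant="false" />
                <!-- Default examples (disabled). Note that the second one admits plain http:// service
                     URLs, which would hand service tickets to an unencrypted endpoint; do not enable it as is.
                <bean class="net.shibboleth.idp.cas.service.ServiceDefinition"
                      c:regex="https://([A-Za-z0-9_-]+\.)*example\.org(:\d+)?/.*"
                      p:group="proxying-services"
                      p:authorizedToProxy="true"
                      p:singleLogoutParticipant="true" />
                <bean class="net.shibboleth.idp.cas.service.ServiceDefinition"
                      c:regex="http://([A-Za-z0-9_-]+\.)*example\.org(:\d+)?/.*"
                      p:group="non-proxying-services"
                      p:authorizedToProxy="false" />
                -->
            </list>
        </property>
    </bean>
    <!--
       | Advanced CAS configuration.
       |
       | Override default CAS components by creating aliases to custom components where the alias
       | is the same as the default component bean ID.
       -->
    <!--
    <bean id="cas.CustomTicketService"
          class="org.example.idp.cas.CustomTicketService" />
    <alias name="cas.CustomTicketService" alias="cas.TicketService" />
    <bean id="cas.CustomProxyAuthenticator"
          class="org.example.idp.cas.CustomProxyAuthenticator" />
    <alias name="cas.CustomProxyAuthenticator" alias="cas.ProxyAuthenticator" />
    -->
</beans>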

...

Code block (xml): add activationConditionRef="ReleaseEPTID" in attribute-resolver.xml
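<!--
    eduPersonTargetedID is built from the persistent identifier produced by the database-backed
    StoredId data connector, no longer from the classic ComputedId connector.

    activationConditionRef="ReleaseEPTID" on this definition only gates whether the attribute is
    resolved and released; it does not stop the StoredId connector from generating and storing
    a value. The same condition therefore has to be set on the connector as well.

    (The comment was moved out of the start tag: a comment between attributes is not well-formed
    XML and makes the whole attribute-resolver.xml fail to load.)
-->
<resolver:AttributeDefinition xsi:type="ad:SAML2NameID"
                              id="eduPersonTargetedID"
                              nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                              sourceAttributeID="persistentId"
                              activationConditionRef="ReleaseEPTID">
    <resolver:Dependency ref="StoredId" />
    <!-- Encoded under the same eduPerson OID for both SAML 1 and SAML 2. -->
    <resolver:AttributeEncoder xsi:type="enc:SAML1XMLObject"
                               name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2XMLObject"
                               name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
                               friendlyName="eduPersonTargetedID" />
</resolver:AttributeDefinition>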


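<!--
    Database-backed persistent identifier. The JDBC connection is the bean "MyGlobalDataSource"
    defined in global.xml (BeanManagedConnection below).
    If the user source is Active Directory, change sourceAttributeID to sAMAccountName
    (and most likely the Dependency ref as well, since it supplies that attribute).

    salt: replace the placeholder with a long value from a CSPRNG (e.g. "openssl rand -base64 32").
    Treat it as a secret: keep it out of version control and world-readable files, and do not
    change it on a production system without first checking the IdP StoredId documentation for
    the effect on already-issued identifiers. NOTE(review): consider referencing a property from a
    restricted-permission properties file (e.g. salt="%{idp.persistentId.salt}") instead of an
    inline literal; verify the property name for the IdP version in use.

    activationConditionRef="ReleaseEPTID" is required here too: without it the connector still
    generates and stores a persistent ID in the database on every resolution, even when the
    attribute itself is never released.

    (The comment was moved out of the start tag: a comment between attributes is not well-formed
    XML and makes the whole attribute-resolver.xml fail to load.)
-->
<resolver:DataConnector id="StoredId"
                        xsi:type="StoredId"
                        xmlns="urn:mace:shibboleth:2.0:resolver:dc"
                        generatedAttributeID="persistentId"
                        sourceAttributeID="uid"
                        salt="your random string here"
                        activationConditionRef="ReleaseEPTID">
    <resolver:Dependency ref="uid" />
    <dc:BeanManagedConnection>MyGlobalDataSource</dc:BeanManagedConnection>
</resolver:DataConnector>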

Activate CAS protocol

...

The basic CAS server functionality is now configured.

  • To activate the CAS server in Shibboleth, add references to two beans (CAS.LoginConfiguration and CAS.ValidateConfiguration) to the profileConfigurations list of the shibboleth.DefaultRelyingParty bean in relying-party.xml.
Code block (xml): add the CAS profile configurations to relying-party.xml
<!--
    Enable the CAS login and ticket-validation profiles for the default relying party.
    Only these two profiles are referenced; no CAS proxy profile is enabled, which is
    consistent with authorizedToProxy="false" in cas-protocol.xml.
-->
<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
        <list>
            <!-- ... existing profile configuration refs stay here ... -->
            <ref bean="CAS.LoginConfiguration"/>
            <ref bean="CAS.ValidateConfiguration"/>
        </list>
    </property>
</bean>

  • To start the CAS server, restart the Shibboleth IdP after saving the changes above.