...
Code block (xml): cas-protocol.xml
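<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:c="http://www.springframework.org/schema/c"
       xmlns:p="http://www.springframework.org/schema/p"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
       default-init-method="initialize"
       default-destroy-method="destroy">

    <!--
    | The CAS service registry defines verified relying parties by endpoint URI.
    | The default implementation treats the ID of each entry as a regular expression defining a logical group of
    | services whose URIs match the expression.
    |
    | This bean is reloaded periodically according to %{idp.home}/conf/services.properties.
    |
    | Each ServiceDefinition below is one registry entry: a service whose URL matches the
    | expression is treated as a verified relying party with that entry's settings, so keep
    | the expressions as narrow as the deployment allows.
    -->
    <bean id="reloadableServiceRegistry"
          class="%{idp.cas.serviceRegistryClass:net.shibboleth.idp.cas.service.PatternServiceRegistry}">
        <property name="definitions">
            <list>
                <!--
                | CAS is ok for all https services within the DNS domain example.se.
                | The value of c:regex is a Java regular expression; "\." and "\/" are literal characters,
                | and "(:\d+)?" allows an optional port.
                | authorizedToProxy is false here, so this group is not a proxying group (contrast the
                | "proxying-services" example further down).
                | Change singleLogoutParticipant to true if you have enabled SAML single logout!
                | NOTE(review): confirm whether the registry requires a full match of the service URL
                | or only a substring match; if the latter, anchor the expression with ^ and $.
                -->
                <bean class="net.shibboleth.idp.cas.service.ServiceDefinition"
                      c:regex="https:\/\/([A-Za-z0-9_-]+\.)*example\.se(:\d+)?\/.*"
                      p:group="CAS-forclients-in-example-se"
                      p:authorizedToProxy="false"
                      p:singleLogoutParticipant="false" />

                <!--
                | Default examples (commented out). The second entry matches plain http:// service
                | URLs; prefer https-only expressions in production, since the service ticket is
                | returned to the matched URL.
                <bean class="net.shibboleth.idp.cas.service.ServiceDefinition"
                      c:regex="https://([A-Za-z0-9_-]+\.)*example\.org(:\d+)?/.*"
                      p:group="proxying-services"
                      p:authorizedToProxy="true"
                      p:singleLogoutParticipant="true" />
                <bean class="net.shibboleth.idp.cas.service.ServiceDefinition"
                      c:regex="http://([A-Za-z0-9_-]+\.)*example\.org(:\d+)?/.*"
                      p:group="non-proxying-services"
                      p:authorizedToProxy="false" />
                -->
            </list>
        </property>
    </bean>

    <!--
    | Advanced CAS configuration.
    |
    | Override default CAS components by creating aliases to custom components where the alias
    | is the same as the default component bean ID.
    -->
    <!--
    <bean id="cas.CustomTicketService"
          class="org.example.idp.cas.CustomTicketService" />
    <alias name="cas.CustomTicketService" alias="cas.TicketService" />
    <bean id="cas.CustomProxyAuthenticator"
          class="org.example.idp.cas.CustomProxyAuthenticator" />
    <alias name="cas.CustomProxyAuthenticator" alias="cas.ProxyAuthenticator" />
    -->
</beans>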
...
Code block (xml): Add activationConditionRef="ReleaseEPTID" in attribute-resolver.xml
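<!--
| eduPersonTargetedID is sourced from the StoredId data connector (database-backed
| persistent IDs) and no longer from the classic computed ID.
| activationConditionRef="ReleaseEPTID" on the definition only blocks the release of the
| attribute; it does not stop the ID from being generated (see the data connector below).
-->
<resolver:AttributeDefinition xsi:type="ad:SAML2NameID"
                              id="eduPersonTargetedID"
                              nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                              sourceAttributeID="persistentId"
                              activationConditionRef="ReleaseEPTID">
    <resolver:Dependency ref="StoredId" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1XMLObject"
                               name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2XMLObject"
                               name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
                               friendlyName="eduPersonTargetedID" />
</resolver:AttributeDefinition>

<!--
| This connector relies on global.xml for the managed connection to the database.
| If you have an Active Directory data source, change sourceAttributeID to sAMAccountName.
| The salt placeholder must be replaced with a long, randomly generated value that is then
| kept secret and unchanged: it is an input to the generated persistent IDs, so changing it
| changes every ID, and disclosing it weakens their pseudonymity.
| activationConditionRef="ReleaseEPTID" is important here as well! Otherwise generation
| will still happen in the database even when the attribute is not released.
-->
<resolver:DataConnector id="StoredId"
                        xsi:type="StoredId"
                        xmlns="urn:mace:shibboleth:2.0:resolver:dc"
                        generatedAttributeID="persistentId"
                        sourceAttributeID="uid"
                        salt="your random string here"
                        activationConditionRef="ReleaseEPTID">
    <resolver:Dependency ref="uid" />
    <dc:BeanManagedConnection>MyGlobalDataSource</dc:BeanManagedConnection>
</resolver:DataConnector>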
Activate CAS protocol
...
The basic CAS server functionality is now configured.
- To activate the CAS server in Shibboleth, add two bean references to the profileConfigurations list of the shibboleth.DefaultRelyingParty bean in the file relying-party.xml.
Code block (xml): Add CAS configuration to relying-party.xml
<!--
| Registers the two CAS profile configurations with the default relying party.
| Keep the profileConfigurations entries already present (elided below) and add the
| two CAS references after them.
-->
<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
        <list>
            <!-- ... existing profile configurations ... -->
            <ref bean="CAS.LoginConfiguration" />
            <ref bean="CAS.ValidateConfiguration" />
        </list>
    </property>
</bean>
- To start the CAS server, restart Shibboleth.