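<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:c="http://www.springframework.org/schema/c"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:util="http://www.springframework.org/schema/util"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
       default-init-method="initialize"
       default-destroy-method="destroy">

    <!--
    | The CAS service registry defines verified relying parties by endpoint URI.
    | The default implementation treats the ID of each entry as a regular expression defining a logical group of
    | services whose URIs match the expression.
    |
    | Each expression is the boundary that decides which service URLs may receive tickets, so keep it as narrow
    | as the relying party actually needs: the commented examples below accept any host under example.org, any
    | port and any path. Confirm whether the configured registry class requires the whole URL to match the
    | expression or only part of it before relying on an unanchored pattern. Prefer https:// expressions; a
    | ticket delivered to an http:// service URL travels unencrypted.
    |
    | authorizedToProxy="true" allows a service to obtain proxy-granting tickets (see the proxy settings
    | below); grant it only to the group that needs it.
    |
    | This bean is reloaded periodically according to %{idp.home}/conf/services.properties.
    -->
    <bean id="reloadableServiceRegistry"
          class="%{idp.cas.serviceRegistryClass:net.shibboleth.idp.cas.service.PatternServiceRegistry}">
        <property name="definitions">
            <list>
                <!--
                <bean class="net.shibboleth.idp.cas.service.ServiceDefinition"
                      c:regex="https://([A-Za-z0-9_-]+\.)*example\.org(:\d+)?/.*"
                      p:group="proxying-services"
                      p:authorizedToProxy="true"
                      p:singleLogoutParticipant="true" />
                <bean class="net.shibboleth.idp.cas.service.ServiceDefinition"
                      c:regex="http://([A-Za-z0-9_-]+\.)*example\.org(:\d+)?/.*"
                      p:group="non-proxying-services"
                      p:authorizedToProxy="false" />
                -->
            </list>
        </property>
    </bean>

    <!--
    | Uncomment this bean if you want to override the default list of CAS service registries.
    | The default configuration tries to find the relying party in a SAML metadata source and falls back to
    | reloadableServiceRegistry if a match is not found.
    -->
    <!--<util:list id="shibboleth.CASServiceRegistries">
        <ref bean="shibboleth.CASMetadataServiceRegistry" />
        <ref bean="shibboleth.CASServiceRegistry" />
    </util:list>-->

    <!--
    | The default ticket service as of 3.3.0 serializes ticket data into the opaque section of the ticket ID
    | for service tickets and proxy tickets. Proxy-granting tickets still require server-side storage, and
    | a StorageService defined by the idp.cas.StorageService setting is used. Thus for deployers that do not
    | require CAS proxy capabilities, no stateful storage mechanism is required; that means no memcached or
    | database is required for HA deployments that want CAS (without proxy) support. A notable limitation of
    | the new component is that the one-time use feature of service and proxy tickets is not available due to
    | the lack of a ticket-tracking mechanism. Instead, tickets expire when their expiration period is exceeded,
    | so a ticket that has already been validated stays acceptable until then. If this limitation is of concern,
    | one may consider decreasing ticketValidityPeriod on the profile configuration from the default 15000ms,
    | or switch to the storage-backed ticket service below.
    -->
    <alias name="encodingTicketService" alias="shibboleth.CASTicketService" />

    <!--
    | Uncomment the following element and comment out the above to enable the previous default ticket service
    | that uses a StorageService for ticket persistence. Use this if the one-time use limitation of
    | EncodingTicketService is problematic and can't be mitigated by decreasing ticketValidityPeriod.
    -->
    <!--<alias name="simpleTicketService" alias="shibboleth.CASTicketService" /> -->

    <!--
    | The predicate used to determine whether IdP session validation is performed during the process of granting
    | a proxy ticket. When the predicate evaluates to true, an IdP session is resolved and validated prior to
    | granting a proxy ticket. This feature prevents issuing proxy tickets when an IdP session is expired, but comes
    | at the cost of requiring server-side storage of IdP session data. If this is configured to a predicate that
    | evaluates to true under any condition, a server-side storage service must be enabled for IdP session
    | storage. The most common non-default value is "alwaysTrue".
    |
    | With the default of alwaysFalse, proxy tickets can still be granted after the user's IdP session has ended.
    -->
    <bean id="shibboleth.CASProxyValidateIdPSessionPredicate"
          class="com.google.common.base.Predicates"
          factory-method="alwaysFalse" />

    <!--
    | Uncomment the following bean if you want to ignore jsessionid artifacts in service URLs.
    | Those sorts of URLs are commonly emitted by Java servlet-based web applications.
    | Whatever the expression matches is disregarded when service URLs are compared, so keep it limited to
    | session-identifier parameters.
    -->
    <!--<bean id="shibboleth.CASServiceComparator"
          class="net.shibboleth.idp.cas.service.impl.DefaultServiceComparator"
          c:parameterNames="[a-z]+sessionid" />-->

    <!--
    | Define the list of static certificates that you trust to secure CAS proxy callback endpoints.
    | Typically these are CA certificates and apply to _all_ CAS proxy callback endpoints.
    | This facility complements the capability to supply relying-party-specific certificates in SAML metadata,
    | which is the preferred mechanism to specify CAS proxy trust material. In the case of metadata, self-signed
    | certificates are recommended.
    |
    | Because an entry here is not bound to a particular relying party, any callback endpoint presenting a
    | certificate issued by a listed CA is trusted. Prefer per-relying-party certificates in metadata where
    | possible and keep this list short.
    -->
    <util:list id="shibboleth.CASProxyTrustedCertificates" value-type="java.lang.String">
        <!--<value>%{idp.home}/credentials/your_ca.pem</value>-->
    </util:list>


    <!-- ============== Advanced CAS Configuration ============== -->

    <!--
    | Configure a third-party ticket service. When doing so, also comment out whichever
    | shibboleth.CASTicketService alias above is active so that the name is not defined twice.
    -->
    <!--
    <bean id="shibboleth.CASTicketService"
          class="org.example.idp.cas.CustomTicketService" />
    -->
</beans>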