Enterprise Single Sign-On for All

View on GitHub

WORKERS AHEAD!

You are viewing the development documentation for the Apereo CAS server. The functionality presented here is not officially released yet. This is a work in progress and will be continually updated as development moves forward. You are most encouraged to test the changes presented.

To view the documentation for a specific Apereo CAS server release, please choose an appropriate version. The release schedule is available here.

SAML2 Metadata Management

The following CAS endpoints handle the generation of SAML2 metadata:

/idp/metadata

This endpoint will display the CAS IdP SAML2 metadata upon receiving a GET request. If metadata is already available and generated, it will be displayed. If metadata is absent, one will be generated automatically. CAS configuration below dictates where metadata files/keys will be generated and stored.

Note that the endpoint can accept a service parameter either by entity id or numeric identifier. This parameter is matched against the CAS service registry allowing the endpoint to calculate and combine any identity provider metadata overrides that may have been specified.

The following settings and properties are available from the CAS configuration catalog:

_{The configuration settings listed below are tagged as Required in the CAS configuration metadata. This flag indicates that the presence of the setting may be needed to activate or affect the behavior of the CAS feature and generally should be reviewed, possibly owned and adjusted. If the setting is assigned a default value, you do not need to strictly put the setting in your copy of the configuration, but should review it nonetheless to make sure it matches your deployment expectations.}

_{The configuration settings listed below are tagged as Optional in the CAS configuration metadata. This flag indicates that the presence of the setting is not immediately necessary in the end-user CAS configuration, because a default value is assigned or the activation of the feature is not conditionally controlled by the setting value.}

cas.authn.saml-idp.metadata.core.cache-expiration=PT24H

How long should metadata be cached.

This settings supports the java.time.Duration syntax ^[?].

org.apereo.cas.configuration.model.support.saml.idp.metadata.CoreSamlMetadataProperties.

cas.authn.saml-idp.metadata.core.fail-fast=true

Whether invalid metadata should eagerly fail quickly on startup once the resource is parsed.

org.apereo.cas.configuration.model.support.saml.idp.metadata.CoreSamlMetadataProperties.

cas.authn.saml-idp.metadata.core.require-valid-metadata=true

Whether valid metadata is required.

org.apereo.cas.configuration.model.support.saml.idp.metadata.CoreSamlMetadataProperties.

cas.authn.saml-idp.metadata.core.slo-service-post-binding-enabled=true

Whether metadata generation process should support SLO service POST binding.

org.apereo.cas.configuration.model.support.saml.idp.metadata.CoreSamlMetadataProperties.

cas.authn.saml-idp.metadata.core.slo-service-redirect-binding-enabled=true

Whether metadata generation process should support SLO service REDIRECT binding.

org.apereo.cas.configuration.model.support.saml.idp.metadata.CoreSamlMetadataProperties.

cas.authn.saml-idp.metadata.core.sso-service-post-binding-enabled=true

Whether metadata generation process should support SSO service POST binding.

org.apereo.cas.configuration.model.support.saml.idp.metadata.CoreSamlMetadataProperties.

cas.authn.saml-idp.metadata.core.sso-service-post-simple-sign-binding-enabled=true

Whether metadata generation process should support SSO service POST SimpleSign binding.

org.apereo.cas.configuration.model.support.saml.idp.metadata.CoreSamlMetadataProperties.

cas.authn.saml-idp.metadata.core.sso-service-redirect-binding-enabled=true

Whether metadata generation process should support SSO service REDIRECT binding.

org.apereo.cas.configuration.model.support.saml.idp.metadata.CoreSamlMetadataProperties.

cas.authn.saml-idp.metadata.core.sso-service-soap-binding-enabled=true

Whether metadata generation process should support SSO service SOAP binding.

org.apereo.cas.configuration.model.support.saml.idp.metadata.CoreSamlMetadataProperties.

# How long should metadata be cached.
# cas.authn.saml-idp.metadata.core.cache-expiration=PT24H

# Whether invalid metadata should eagerly fail quickly on startup once the resource is parsed.
# cas.authn.saml-idp.metadata.core.fail-fast=true

# Whether valid metadata is required.
# cas.authn.saml-idp.metadata.core.require-valid-metadata=true

# Whether metadata generation process should support SLO service POST binding.
# cas.authn.saml-idp.metadata.core.slo-service-post-binding-enabled=true

# Whether metadata generation process should support SLO service REDIRECT binding.
# cas.authn.saml-idp.metadata.core.slo-service-redirect-binding-enabled=true

# Whether metadata generation process should support SSO service POST binding.
# cas.authn.saml-idp.metadata.core.sso-service-post-binding-enabled=true

# Whether metadata generation process should support SSO service POST SimpleSign binding.
# cas.authn.saml-idp.metadata.core.sso-service-post-simple-sign-binding-enabled=true

# Whether metadata generation process should support SSO service REDIRECT binding.
# cas.authn.saml-idp.metadata.core.sso-service-redirect-binding-enabled=true

# Whether metadata generation process should support SSO service SOAP binding.
# cas.authn.saml-idp.metadata.core.sso-service-soap-binding-enabled=true

Configuration Metadata

The collection of configuration properties listed in this section are automatically generated from the CAS source and components that contain the actual field definitions, types, descriptions, modules, etc. This metadata may not always be 100% accurate, or could be lacking details and sufficient explanations.

Be Selective

This section is me