New CAS metadata support in 3.4

Paul B. Henson henson at
Wed Nov 28 14:35:30 EST 2018

> From: Marvin Addison
> Sent: Wednesday, November 28, 2018 4:16 AM
> To: Shib Users <users at>
> I'm eager to get your feedback on this feature.

I definitely like the concept; per-service certificates rather than global and embedded in an existing configuration file rather than requiring separate files. I will probably also like the implementation once I get it working :).

> I believe your problem is here. You need to use the KeyInfo and
> children from the namespace, not
> the SAML metadata namespace. I was burned by that myself recently.

Hmm. So just add the "ds:" prefix to the tags? Sometimes XML is a mysterious black box to me; the only sure sign that it is broken is when it fails to parse :). I don't feel so bad about having trouble getting it working when the guy that wrote it sometimes has the same issues ;).

> This line is troubling. A certificate validation error _should_ cause
> the proxy callback check to fail and prevent issuing a PGT. Could you
> please file a Jira issue and attach the logs above and your redacted
> cas-protocol.xml and relying-party.xml files?

Sure, I'll try to put together a minimal failure case.


Paul B. Henson  |  (909) 979-6361  |
Operating Systems and Network Analyst  |  henson at
California State Polytechnic University  |  Pomona CA 91768
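
Added example, not part of the original message or of the Shibboleth code base: a small Python check for the namespace mix-up discussed above. A namespace-aware parser matches elements on (namespace, local name), so a KeyInfo that inherits the metadata default namespace parses cleanly but is not the XML Signature element; the prefix itself is irrelevant, only the binding counts. The sample metadata, entityID, protocolSupportEnumeration value and certificate body are constructed placeholders.

```python
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"    # XML Signature namespace
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"  # SAML metadata namespace
# Elements that XML Signature defines for carrying a certificate.
DS_LOCAL_NAMES = {"KeyInfo", "X509Data", "X509Certificate"}


def misplaced_key_elements(xml_text):
    """Return (local_name, bound_namespace) for key elements not bound to DS_NS."""
    found = []
    for elem in ET.fromstring(xml_text).iter():
        # ElementTree spells qualified names as '{namespace}local'.
        ns, _, local = elem.tag.rpartition("}")
        ns = ns.lstrip("{")
        if local in DS_LOCAL_NAMES and ns != DS_NS:
            found.append((local, ns))
    return found


CERT = "Q09OU1RSVUNURUQ="  # constructed placeholder, not a real certificate


def sample(key_info):
    """Wrap a KeyInfo fragment in constructed SAML metadata (hypothetical entity)."""
    return (
        f'<EntityDescriptor xmlns="{MD_NS}" xmlns:ds="{DS_NS}" '
        'entityID="https://service.example.org/">'
        '<SPSSODescriptor protocolSupportEnumeration="urn:example:placeholder">'
        f'<KeyDescriptor use="signing">{key_info}</KeyDescriptor>'
        "</SPSSODescriptor></EntityDescriptor>"
    )


# No prefix: the elements silently inherit the metadata default namespace.
UNPREFIXED = sample(
    f"<KeyInfo><X509Data><X509Certificate>{CERT}</X509Certificate></X509Data></KeyInfo>")
# "ds:" prefix bound to the XML Signature namespace.
PREFIXED = sample(
    f"<ds:KeyInfo><ds:X509Data><ds:X509Certificate>{CERT}"
    "</ds:X509Certificate></ds:X509Data></ds:KeyInfo>")
# No prefix, but the default namespace is redeclared on KeyInfo: equally correct.
REBOUND = sample(
    f'<KeyInfo xmlns="{DS_NS}"><X509Data><X509Certificate>{CERT}'
    "</X509Certificate></X509Data></KeyInfo>")

if __name__ == "__main__":
    for name, doc in [("unprefixed", UNPREFIXED), ("prefixed", PREFIXED), ("rebound", REBOUND)]:
        print(name, misplaced_key_elements(doc))
```

All three documents parse without error; only the first one reports elements bound to the wrong namespace.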
