<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:c="http://www.springframework.org/schema/c"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:util="http://www.springframework.org/schema/util"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
       default-init-method="initialize"
       default-destroy-method="destroy">

    <!--
       | The CAS service registry defines verified relying parties by endpoint URI.
       | The default implementation treats the ID of each entry as a regular expression defining a logical group of
       | services whose URIs match the expression.
       |
       | This bean is reloaded periodically according to %{idp.home}/conf/services.properties.
       -->
    <bean id="reloadableServiceRegistry"
          class="%{idp.cas.serviceRegistryClass:net.shibboleth.idp.cas.service.PatternServiceRegistry}">
        <property name="definitions">
            <list>
                <!--
                <bean class="net.shibboleth.idp.cas.service.ServiceDefinition"
                      c:regex="https://([A-Za-z0-9_-]+\.)*example\.org(:\d+)?/.*"
                      p:group="proxying-services"
                      p:authorizedToProxy="true"
                      p:singleLogoutParticipant="true" />
                <bean class="net.shibboleth.idp.cas.service.ServiceDefinition"
                      c:regex="http://([A-Za-z0-9_-]+\.)*example\.org(:\d+)?/.*"
                      p:group="non-proxying-services"
                      p:authorizedToProxy="false" /
                -->
            </list>
        </property>
    </bean>

    <!--
       | Uncomment this bean if you want to override the default list of CAS service registries.
       | The default configuration tries to find the relying party in a SAML metadata source and falls back to
       | reloadableServiceRegistry if a match is not found.
       -->
    <!--<util:list id="shibboleth.CASServiceRegistries">
        <ref bean="shibboleth.CASMetadataServiceRegistry" />
        <ref bean="shibboleth.CASServiceRegistry" />
    </util:list>-->

    <!--
       | The default ticket service as of 3.3.0 serializes ticket data into the opaque section of the ticket ID
       | for service tickets and proxy tickets. Proxy-granting tickets still require server-side storage, and
       | a StorageService defined by the idp.cas.StorageService is used. Thus for deployers that do not require
       | CAS proxy capabilities, no stateful storage mechanism is required; that means no memcached or database
       | is required for HA deployments that want CAS (without proxy) support. A notable limitation of the new
       | component is that the one-time use feature of service and proxy tickets is not available due to the lack
       | of a ticket-tracking mechanism. Instead, tickets expire when their expiration period is exceeded.
       | If this limitation is of concern, one may consider decreasing ticketValidityPeriod on the profile
       | configuration from the default 15000ms.
       -->
    <alias name="encodingTicketService" alias="shibboleth.CASTicketService" />

    <!--
       | Uncomment the following element and comment out the above to enable the previous default ticket service
       | that uses a StorageService for ticket persistence. Use this if the one-time use limitation of
       | EncodingTicketService is problematic and can't be mitigated by decreasing ticketValidityPeriod.
       -->
    <!--<alias name="simpleTicketService" alias="shibboleth.CASTicketService" /> -->

    <!--
       | The predicate used to determine whether IdP session validation is performed during the process of granting
       | a proxy ticket. When the predicate evaluates to true, an IdP session is resolved and validated prior to
       | granting a proxy ticket. This feature prevents issuing proxy tickets when an IdP session is expired, but comes
       | at the cost of requiring server-side storage of IdP session data. If this is configured to a predicate that
       | evaluates to true under any condition, a server-side storage service must be enabled for IdP session
       | storage. The most common non-default value is "alwaysTrue."
       -->
    <bean id="shibboleth.CASProxyValidateIdPSessionPredicate"
          class="com.google.common.base.Predicates"
          factory-method="alwaysFalse" />

    <!--
       | Uncomment the following bean if you want to ignore jsessionid artifacts in service URLs.
       | Those sorts of URLs are commonly emitted by Java servlet-based web applications.
       -->
    <!--<bean id="shibboleth.CASServiceComparator"
          class="net.shibboleth.idp.cas.service.impl.DefaultServiceComparator"
          c:parameterNames="[a-z]+sessionid" />-->

    <!--
       | Define the list of static certificates that you trust to secure CAS proxy callback endpoints.
       | Typically these are CA certificates and apply to _all_ CAS proxy callback endpoints.
       | This facility complements the capability to supply relying-party-specific certificates in SAML metadata,
       | which is the preferred mechanism to specify CAS proxy trust material. In the case of metadata, self-signed
       | certificates are recommended.
       -->
    <util:list id="shibboleth.CASProxyTrustedCertificates" value-type="java.lang.String">
        <!--<value>%{idp.home}/credentials/your_ca.pem</value>-->
    </util:list>


    <!-- ============== Advanced CAS Configuration ============== -->

    <!-- Configure a third-party ticket service. -->
    <!--
    <bean id="shibboleth.CASTicketService"
          class="org.example.idp.cas.CustomTicketService" />
    -->
</beans>