Integrating a SAML 2.0 IdP with CAS

5 messages

Sergio Andreozzi-2

Integrating a SAML 2.0 IdP with CAS

Dear all,

In our scenario, we have a number of Web applications which rely on a CAS server for authentication and SSO.

We are also planning the deployment of a SAML 2.0 IdP to enable federation with external domains.

The ideal scenario is that SSO will work both on internal and external/federated services. Our wish would be to preserve the CAS-ified applications and work at the CAS server level so that this can act as a gateway to a SAML 2.0 IdP, get the SAML assertion and translate it back to a CAS token for the web applications.

I found the following post, but I’m not aware of any further activity:

http://tp.its.yale.edu/pipermail/cas/2006-February/002162.html

I’d like to get in touch with people who implemented the above scenario to understand the approach and impact.

Thanks, Sergio

--

Sergio Andreozzi

CeSIA - Centro per lo Sviluppo e Gestione Servizi Informatici d’Ateneo

Alma Mater Studiorum - Università di Bologna

Viale Filopanti, 3 - 40126 Bologna - Italy

+39 051 209 5845 - http://www.cesia.unibo.it

-- 
You are currently subscribed to [hidden email] as: [hidden email]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-dev
Marvin Addison

Re: Integrating a SAML 2.0 IdP with CAS

> I found the following post, but I’m not aware of any further activity
>
> http://tp.its.yale.edu/pipermail/cas/2006-February/002162.html

This thread discusses fronting CAS with Shib, but I'm not aware of any
reasonable way to do that.  It is very straightforward, on the other
hand, to front Shib with CAS -- CAS becomes the authentication
provider for Shib.  I have written detailed instructions for this
setup at http://www.ja-sig.org/wiki/display/CASUM/Shibboleth-CAS+Integration.
 Note that the Shibbolized services are _not_ part of the CAS SSO
session in this scenario; Shib and CAS maintain parallel and
independent SSO sessions.  If you want that functionality, you are
likely to encounter substantial work customizing CAS and/or Shib.  I
would recommend against it.

M


Scott Battaglia-2

Re: Integrating a SAML 2.0 IdP with CAS

It should be possible to put an SP in front of CAS and then use the "trusted" method of authentication (i.e. getRemoteUser).  You'll need custom plugins to translate the headers that the SP sends into the CAS principal.

Cheers,
Scott


On Mon, Oct 19, 2009 at 11:14 AM, Marvin Addison <[hidden email]> wrote:
<snip />
Scott Battaglia-2

Re: Integrating a SAML 2.0 IdP with CAS

In reply to this post by Sergio Andreozzi-2
On Wed, Oct 21, 2009 at 5:14 AM, Sergio Andreozzi <[hidden email]> wrote:
<snip />

For Scott:
- you talked about CAS contacting an SP and not an IdP; this means that the suggested scenario is CAS contacting an SP which in turn retrieves security assertions from the IdP?

Yes, CAS essentially becomes an application that is fronted by an SP, which in turn can contact an IdP.
- is the getRemoteUser, the way to go for this investigation?

Assuming all you need is username, then yes.  If you need more than that you'll have to write some code to plug in.

Cheers,
Scott

Thanks, Sergio
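As an added example of the "SP in front of CAS" approach Scott describes (this is illustrative code, not code from the CAS project or from anyone in this thread): a small Java class that turns the REMOTE_USER and attribute headers a Shibboleth SP sets on a request into a CAS-style principal, which is the "custom plugin" work mentioned above. The header names (Shib-Session-ID, Shib-Identity-Provider, eppn, affiliation), the IdP entityID, the attribute map and the IncomingRequest/CasPrincipal classes are assumptions chosen for illustration; in a real deployment the resolver would be wired into CAS's trusted-authentication support rather than driven from a main method.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/**
 * Added example (not CAS project code): map the REMOTE_USER and attribute
 * headers a Shibboleth SP sets into a CAS-style principal.
 *
 * Assumptions (hypothetical, for illustration):
 *  - the SP protects CAS's login URL and populates REMOTE_USER plus headers
 *    such as Shib-Session-ID, Shib-Identity-Provider and the attribute names
 *    from the SP's attribute-map (here "eppn" and "affiliation");
 *  - multi-valued attributes arrive joined with ';', the Shibboleth SP default.
 */
public final class SpHeaderPrincipalResolver {

    /** Stand-in for the parts of HttpServletRequest the resolver reads. */
    public static final class IncomingRequest {
        private final String remoteUser;           // what getRemoteUser() would return
        private final Map<String, String> headers; // what getHeader(name) would return

        public IncomingRequest(String remoteUser, Map<String, String> headers) {
            this.remoteUser = remoteUser;
            this.headers = headers;
        }
        String remoteUser() { return remoteUser; }
        String header(String name) { return headers.get(name); }
    }

    /** Minimal CAS-like principal: an identifier plus named attributes. */
    public static final class CasPrincipal {
        public final String id;
        public final Map<String, List<String>> attributes;

        CasPrincipal(String id, Map<String, List<String>> attributes) {
            this.id = id;
            this.attributes = Collections.unmodifiableMap(attributes);
        }
        @Override public String toString() { return id + " " + attributes; }
    }

    private final Map<String, String> headerToAttribute; // SP header -> CAS attribute name
    private final String requiredIdp;                    // entityID the SP session must come from

    public SpHeaderPrincipalResolver(Map<String, String> headerToAttribute, String requiredIdp) {
        this.headerToAttribute = headerToAttribute;
        this.requiredIdp = requiredIdp;
    }

    /**
     * Returns a principal when the SP has authenticated the user, or null so
     * that CAS can fall back to its ordinary login form.
     */
    public CasPrincipal resolve(IncomingRequest req) {
        // Only REMOTE_USER as set by the container/SP is the identity; a
        // client-supplied header such as "eppn" is never promoted to the id.
        String user = req.remoteUser();
        if (user == null || user.isEmpty()) {
            return null;
        }
        // Require the SP session marker and pin the issuing IdP, so a request
        // that reached CAS without passing through the SP is rejected.
        if (req.header("Shib-Session-ID") == null
                || !requiredIdp.equals(req.header("Shib-Identity-Provider"))) {
            return null;
        }
        Map<String, List<String>> attrs = new LinkedHashMap<String, List<String>>();
        for (Map.Entry<String, String> e : headerToAttribute.entrySet()) {
            String raw = req.header(e.getKey());
            if (raw == null || raw.isEmpty()) {
                continue;
            }
            List<String> values = new ArrayList<String>();
            for (String v : raw.split(";")) {   // Shibboleth SP multi-value separator
                if (!v.isEmpty()) {
                    values.add(v);
                }
            }
            attrs.put(e.getValue(), values);
        }
        return new CasPrincipal(user, attrs);
    }

    public static void main(String[] args) {
        Map<String, String> map = new LinkedHashMap<String, String>();
        map.put("eppn", "eduPersonPrincipalName");
        map.put("affiliation", "eduPersonAffiliation");
        SpHeaderPrincipalResolver resolver =
            new SpHeaderPrincipalResolver(map, "https://idp.example.org/idp/shibboleth");

        // Constructed request, as the SP would hand it to CAS after a SAML login.
        Map<String, String> viaSp = new LinkedHashMap<String, String>();
        viaSp.put("Shib-Session-ID", "_abc123");
        viaSp.put("Shib-Identity-Provider", "https://idp.example.org/idp/shibboleth");
        viaSp.put("eppn", "alice@example.org");
        viaSp.put("affiliation", "member;staff");
        System.out.println(resolver.resolve(new IncomingRequest("alice@example.org", viaSp)));

        // Constructed request that bypassed the SP: same headers, no REMOTE_USER.
        System.out.println(resolver.resolve(new IncomingRequest(null, viaSp)));
    }
}
```

The two guards are the part worth keeping: trust these values only on the URL the SP actually protects, and prefer the SP's environment-variable/request-attribute export over HTTP headers where the container allows it, because a request that reaches CAS by some path the SP does not cover can carry client-supplied headers with the same names. Dropping the principal to null rather than throwing lets CAS fall back to its normal login flow for non-federated users.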
Brian Koehmstedt

Re: Integrating a SAML 2.0 IdP with CAS

In reply to this post by Sergio Andreozzi-2
You may be interested in CASShib (which fronts CAS with a Shibboleth
SP).  That way your existing CAS applications can become federated.

http://code.google.com/p/casshib/

Sergio Andreozzi wrote:
<snip />