Hi Matt,

I just checked out the 3.4.2 code and looked at the SAML-related configs and Java
files; it doesn't seem that they are any different from 3.3.x, so it may not
support the Browser POST profile. CAS has support for the Browser Artifact profile,
where CAS receives a request with a TARGET value and responds with a
SAMLart (SAML ticket), which the SP needs to validate (by calling
/cas/samlValidate) to get the SAML response enclosed in a SOAP body. I tried that
with Salesforce and it did not work.

I also looked at SAML 2.0, which is supported for Google (which POSTs the SAML
response), and then modified the response template locally (just for
verification) and have a working setup with Salesforce. My changes
expect request parameters (which will identify this service as a
SalesforceSamlService and where the response should be posted) and generate the
response in the format which Salesforce is expecting (by modifying the
TEMPLATE_SAML_RESPONSE).

Not sure what I might need to add/change to comply with SAML 2.0
request/response format, so the next step for me is to study the protocol
and see what I am missing.

Thanks,
Mihir

On Wed, Aug 4, 2010 at 8:55 AM, Matt Brooks <m...@msbrooks.com> wrote:

> Mihir,
>
> Yes, CAS version 3.4 supports SAML.  CAS version 3.3 does not.
>
> I believe 3.4 supports POST profile, however, like I said earlier, I
> haven't had a chance to test that it is actually working. I don't have a
> production server running CAS version 3.4 up and running yet. SAML pretty
> much requires a valid domain name and SSL certificate to work properly and
> that's been my main issue right now with testing.
>
> -Matt B.
>
>
> On Wed, Aug 4, 2010 at 10:15 AM, Mihir Patel <exploremi...@gmail.com> wrote:
>
>> Thanks for the reply, Matt. When you say newest CAS, is it version 3.4?
>>
>> We are using CAS 3.3.5 in our environment and trying to integrate SSO with
>> Salesforce. First, we tried SAML 1.1 from CAS 3.3.5 but realized that CAS
>> does not support browser POST profile (
>> http://en.wikipedia.org/wiki/SAML_1.1#Browser.2FPOST_Profile), can anyone
>> confirm?
>>
>> Thanks,
>> Mihir
>>
>> On Wed, Aug 4, 2010 at 5:09 AM, Matt Brooks <m...@msbrooks.com> wrote:
>>
>>> Mihir,
>>>
>>> The newest CAS server supports SAML 1.1, which Salesforce supports. The
>>> only catch is that there needs to be an email attribute added to the SAML
>>> response from CAS. I am currently working on integrating Salesforce and CAS
>>> but have not got it working fully yet, mainly due to production server setup
>>> issues. I should be further along in a month or so, but pretty confident it
>>> will work.
>>>
>>> Thanks,
>>> -Matt B.
>>>
>>>
>>> On Aug 4, 2010, at 1:26 AM, Mihir Patel <exploremi...@gmail.com> wrote:
>>>
>>> Hi,
>>>
>>> Does CAS 3.3 (or 3.4) provide Salesforce SAML 2.0 support? If not, is CAS
>>> 3.5 going to provide the support going forward, if yes, what may be the time
>>> line?
>>>
>>> Thanks,
>>> Mihir
>>>
>>> --
>>> You are currently subscribed to cas-dev@lists.jasig.org as: m...@msbrooks.com
>>> To unsubscribe, change settings or access archives, see
>>> http://www.ja-sig.org/wiki/display/JSG/cas-dev

-- 
You are currently subscribed to cas-dev@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-dev
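
The Browser Artifact exchange described in the top message (redeeming the SAMLart ticket at /cas/samlValidate), seen from the SP side, as an added example that is not part of the original thread or of the CAS code base: it builds the SOAP request and checks the reply before trusting the identity. The SAML 1.1 namespaces are the standard ones; the function names, ticket value, `email` attribute layout and sample reply are constructed for illustration, and the reply is assumed to arrive over a TLS back channel.

```python
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "samlp": "urn:oasis:names:tc:SAML:1.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:1.0:assertion"}

def build_request(artifact, request_id, now):
    """SOAP envelope POSTed to /cas/samlValidate; ElementTree escapes the artifact text."""
    env = ET.Element("{%s}Envelope" % NS["soap"])
    body = ET.SubElement(env, "{%s}Body" % NS["soap"])
    req = ET.SubElement(body, "{%s}Request" % NS["samlp"], {
        "MajorVersion": "1", "MinorVersion": "1", "RequestID": request_id,
        "IssueInstant": now.strftime("%Y-%m-%dT%H:%M:%SZ")})
    ET.SubElement(req, "{%s}AssertionArtifact" % NS["samlp"]).text = artifact
    return ET.tostring(env, encoding="unicode")

def _ts(value):
    # Assumes UTC stamps like 2010-08-04T15:00:00.000Z; fractions are dropped.
    return dt.datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=dt.timezone.utc)

def parse_response(xml_text, request_id, now):
    """Return (user, attrs) or raise ValueError. No signature check: trust rests on TLS."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD not allowed")  # blocks entity-expansion payloads
    resp = ET.fromstring(xml_text).find("soap:Body/samlp:Response", NS)
    if resp is None or resp.get("InResponseTo") != request_id:
        raise ValueError("reply does not answer our request")
    code = resp.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value", "").split(":")[-1] != "Success":  # QName local part
        raise ValueError("ticket validation failed")
    cond = resp.find("saml:Assertion/saml:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore", "")) <= now < _ts(cond.get("NotOnOrAfter", ""))):
        raise ValueError("assertion outside its validity window")
    name = resp.find(".//saml:NameIdentifier", NS)
    if name is None or not name.text:
        raise ValueError("no subject in assertion")
    attrs = {a.get("AttributeName"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in resp.iterfind(".//saml:Attribute", NS)}
    return name.text, attrs

# Constructed sample reply (not captured from a real CAS server).
SAMPLE = """<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body>
<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
 xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" InResponseTo="_req1"><Status><StatusCode Value="samlp:Success"/></Status>
<saml:Assertion><saml:Conditions NotBefore="2010-08-04T15:00:00.000Z" NotOnOrAfter="2010-08-04T15:00:30.000Z"/>
<saml:AttributeStatement><saml:Subject><saml:NameIdentifier>jdoe</saml:NameIdentifier></saml:Subject>
<saml:Attribute AttributeName="email" AttributeNamespace="urn:example:attrs"><saml:AttributeValue>jdoe@example.org</saml:AttributeValue>
</saml:Attribute></saml:AttributeStatement></saml:Assertion></Response></SOAP-ENV:Body></SOAP-ENV:Envelope>"""
```
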
