Just to make sure your terminology is right:

- The Service Provider is the service that you, as a user, want to use. For example, here at The New School we have Adobe Creative Cloud, Tableau, Workday, Zoom, etc. as SPs.
- The Identity Provider (IdP) is the system that the user authenticates against. The IdP is connected to our Active Directory, and prompts users for their usernames and passwords (and, perhaps, Duo MFA). It returns success/failure to the SP that called it, along with (perhaps) user attributes like name, email address, etc.
So if I go to https://newschool.workday.com (for example), that's the SP. Workday redirects me to our CAS server (sso.newschool.edu -- the IdP), where I enter my username and password, and then perform a Duo authentication. CAS then sends "success" and some attributes back to Workday, and I'm logged in.

So if the vendor you're trying to connect with is really the Identity Provider, then I assume what you're wanting to happen is, when a user gets redirected to your CAS server to authenticate, you want the CAS server to consult with the vendor IdP instead of with your local LDAP (or whatever) to authenticate the user. In that case, you don't want CAS to be an IdP, you want to configure it for delegated authentication. That's described here: https://apereo.github.io/cas/development/integration/Delegate-Authentication.html

If, on the other hand, what you're expecting to happen is that when the user is talking to the vendor's IdP you want the user to be sent to your CAS server to authenticate instead of authenticating against whatever local user database the IdP has, you need to configure the IdP to redirect to CAS (usually as a CAS service). This is what we used to do with Shibboleth in the CAS 3.x days, for example, to let CAS "support" SAML2 SPs. But how you do that is IdP-dependent, and you'll probably need to talk to your vendor for help.

Does that clarify anything for you?

--
DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY
71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu

On Tue, May 8, 2018 at 2:29 PM, John D Giotta <jdgio...@gmail.com> wrote:
> Ok, this is just a guess here, but the vendor I'm trying to implement CAS SAML to is for Identity Provider. Is it possible we've got this confused, because our metadata.xml is set up for SPSSODescriptor.
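A small check for the question the thread turns on, namely which side a given metadata.xml describes. This is an added example, not code from the thread or from the CAS project; the two metadata documents and the vendor URLs in it are constructed placeholders. An entity that declares `SPSSODescriptor` consumes assertions (it is an SP), one that declares `IDPSSODescriptor` issues them (it is an IdP), and that decides whether CAS must act as the IdP or be configured for delegated authentication.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample metadata (placeholder entityIDs, not a real vendor):
# an SP document like the one the original poster describes ...
VENDOR_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://vendor.example.com/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://vendor.example.com/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# ... and an IdP document, which declares IDPSSODescriptor instead
# (default namespace here, to show that the prefix style does not matter).
VENDOR_IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.vendor.example.com/saml">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.vendor.example.com/saml/sso"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

ROLE_TAGS = {
    f"{{{MD_NS}}}SPSSODescriptor": "SP",
    f"{{{MD_NS}}}IDPSSODescriptor": "IdP",
}


def saml_roles(metadata_xml: str) -> dict:
    """Return the entityID and the SSO roles a SAML 2.0 metadata document declares."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError(f"not a SAML 2.0 EntityDescriptor: {root.tag}")
    roles = [ROLE_TAGS[child.tag] for child in root if child.tag in ROLE_TAGS]
    return {"entityID": root.get("entityID"), "roles": roles}


def cas_mode_for_vendor(vendor_roles: list) -> str:
    """Map the vendor's declared role to how CAS has to be set up against it."""
    if vendor_roles == ["SP"]:
        return "cas-as-saml-idp"   # vendor consumes assertions; CAS must issue them
    if vendor_roles == ["IdP"]:
        return "delegated-authn"   # CAS sends users to the vendor IdP to log in
    return "ask-vendor"            # both roles or none: metadata alone can't decide
```

Run `saml_roles()` over both your own metadata and the vendor's; if the vendor's file is the one with `SPSSODescriptor`, the vendor is the SP and CAS is the IdP, and the delegated-authentication page does not apply.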