We are running CAS v6.6.3 and Spring Boot v2.7.3 with two production nodes
behind an LB. Hazelcast is used for managing tickets. CAS ticket timeouts
are the default.

We are using shib-cas-authenticator v4.0.0 for external auth from our
Shibboleth IdP (v4.1.6). Most, but not all, SAML services on the IdP go to
CAS and there are numerous services that are CAS-only.

We have an implementation of Campus Cloud by Ready Education (makers of
CampusGroups) as a portal to access third-party services that are
integrated with the IdP or CAS. The Ready Education (RE) service itself
uses SAML and shib-cas for SSO. The desired behavior is a user who is
logged into RE / Campus Cloud should not be prompted to auth to a service
they access from a tile within RE. The RE session itself only ends when a
user clicks 'log out'.

There is no CAS client in front of RE. What RE does is create and pass its
own auth token that CAS checks for using custom Java code. I'm not certain
whether CAS creates tickets / sessions based on the presence of that
token. The two CAS-only services we added as tiles to RE work as expected.
The links on the tiles are in the form of $CAS_login_url?$service_url.

The one Shib-CAS service we added to RE doesn't work as desired. The
service login URL initiates a SAML transaction and the user is prompted to
authenticate. Our IdP controls SSO sessions, not CAS. Shib isn't aware of
the RE auth token, plus it wouldn't know what to do with it. The question
of how to make Shib aware of the RE token, possibly by configuring it to
receive, store, and pass back the token to CAS might be a question for the
Shib list.

Because of the shib-cas-authenticator integration, I'm starting with this
list. Is anyone using RE's Campus Cloud or another portal platform with
shib-cas-authenticator?

Though we're not particularly looking to replace the existing RE token java
code, I question whether the implementation couldn't be streamlined by
using CAS proxy tickets, particularly if they could be used in the Shib-CAS
flow to provide seamless SSO.

Alternatively, could CAS create an ST based on the presence of the RE token
to pass with the entityID of the Shib-CAS service in the assertion back to
the IdP?

Any insight is much appreciated.

     Janemarie


-- 

*Janemarie Duh*
UD Information Technologies
*Identity and Access Management Specialist*
[email protected]
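
Added example (editor's note, not part of Janemarie's post and not code from Apereo CAS, shib-cas-authenticator or Ready Education): what the proxy-ticket alternative raised above looks like at the CAS Protocol 3.0 level, so the pieces a portal and a tile service would need are concrete. The endpoint names (/login, /p3/serviceValidate, /proxy, /p3/proxyValidate), the parameter names and the XML response format are the documented CAS protocol; the CAS host, the callback URL, the user and the ticket strings are invented, and the XML responses are constructed samples, not captures from a real server. The tile link builder also shows the one detail that trips people up: /login takes the client URL in the `service` query parameter, URL-encoded.

```python
# Added example, not from the original post or from CAS/RE code.
# CAS Protocol 3.0 proxy-ticket exchange: URL construction, response parsing,
# and the proxy-chain check a target service should perform.
# Host, callback URL, user and ticket values below are invented.
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}
CAS_BASE = "https://cas.example.edu/cas"  # hypothetical CAS server


def login_url(service):
    """Tile link: CAS /login with the service URL carried, URL-encoded, in 'service'."""
    return f"{CAS_BASE}/login?{urlencode({'service': service})}"


def service_validate_url(service, ticket, pgt_url=None):
    """Portal validates its ST; 'pgtUrl' asks CAS to deliver a PGT via HTTPS callback."""
    params = {"service": service, "ticket": ticket}
    if pgt_url:
        params["pgtUrl"] = pgt_url
    return f"{CAS_BASE}/p3/serviceValidate?{urlencode(params)}"


def proxy_url(pgt, target_service):
    """Portal exchanges its PGT for a PT scoped to one target (tile) service."""
    return f"{CAS_BASE}/proxy?{urlencode({'pgt': pgt, 'targetService': target_service})}"


def parse_validate(xml_text):
    """Parse a /p3/serviceValidate or /p3/proxyValidate response.
    Returns user, attributes, PGT IOU (only when pgtUrl was sent) and the proxy
    chain (non-empty only when a proxy ticket was validated). Raises on failure."""
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        raise ValueError(f"{failure.get('code')}: {(failure.text or '').strip()}")
    ok = root.find("cas:authenticationSuccess", CAS_NS)
    if ok is None:
        raise ValueError("malformed CAS response")
    attrs = {}
    for el in ok.findall("cas:attributes/*", CAS_NS):
        attrs.setdefault(el.tag.split("}")[-1], []).append(el.text)
    return {
        "user": ok.findtext("cas:user", namespaces=CAS_NS),
        "attributes": attrs,
        # This is only an IOU; the real PGT arrives at pgtUrl as ?pgtIou=...&pgtId=...
        "pgt_iou": ok.findtext("cas:proxyGrantingTicket", namespaces=CAS_NS),
        "proxies": [p.text for p in ok.findall("cas:proxies/cas:proxy", CAS_NS)],
    }


def parse_proxy(xml_text):
    """Parse a /proxy response and return the proxy ticket, or raise on proxyFailure."""
    root = ET.fromstring(xml_text)
    failure = root.find("cas:proxyFailure", CAS_NS)
    if failure is not None:
        raise ValueError(f"{failure.get('code')}: {(failure.text or '').strip()}")
    pt = root.findtext("cas:proxySuccess/cas:proxyTicket", namespaces=CAS_NS)
    if not pt:
        raise ValueError("malformed /proxy response")
    return pt


def proxy_chain_allowed(result, allowed_proxies):
    """Target service's check: accept a PT only if every hop in the proxy chain is a
    callback URL it trusts. An empty chain means a plain ST, which is always fine."""
    return all(p in allowed_proxies for p in result["proxies"])


# Constructed sample responses in the CAS 3.0 XML format.
ST_VALIDATE_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attributes><cas:mail>jdoe@example.edu</cas:mail></cas:attributes>
    <cas:proxyGrantingTicket>PGTIOU-84678-8a9d2sfa</cas:proxyGrantingTicket>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

PROXY_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:proxySuccess><cas:proxyTicket>PT-1856392-b98xZrQN4p90ASrw96c8</cas:proxyTicket></cas:proxySuccess>
</cas:serviceResponse>"""

PT_VALIDATE_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:proxies><cas:proxy>https://portal.example.edu/cas/pgtCallback</cas:proxy></cas:proxies>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>Ticket PT-1 not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    print(login_url("https://tile.example.edu/login"))
    print(parse_validate(ST_VALIDATE_RESPONSE))
    print(parse_proxy(PROXY_RESPONSE))
    print(proxy_chain_allowed(parse_validate(PT_VALIDATE_RESPONSE),
                              {"https://portal.example.edu/cas/pgtCallback"}))
```

The flow this models: the portal (playing the role RE plays here) validates its own ST with a pgtUrl, receives the PGT at that HTTPS callback, calls /proxy once per tile to obtain a PT for that tile's service URL, and the tile service validates the PT via /p3/proxyValidate and then checks the proxy chain against the callbacks it trusts. That chain check is the part worth not skipping: without it any CAS-registered service that has been allowed to proxy can mint tickets for the tile. The block only shows the CAS side of the exchange; whether a PT can be fed into the IdP-initiated shib-cas flow is the open question in the post and is not answered by it.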

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CADt-A4_E9J%2BbNw439_sJpqiARLw-D1qd%3DALDrzK7S-224e-RTg%40mail.gmail.com.