Hi,

We're replacing an old Spring/OpenSAML service provider microservice with 
an existing CAS implementation as the SP. This means we need to integrate 
our CAS 7.0 with a Shibboleth instance using SAML. The authentication 
delegation works fine: CAS sends the user to Shibboleth, which then picks 
the first defined IDP in the metadata. However, we're having a hard time 
figuring out how to use Shibboleth's remote WAYF/Discovery Service so 
that the user can choose their IDP.

How would one go about integrating such a service with CAS? As far as I can 
tell, the old SP microservice just saves the original return URL (i.e. the 
service in CAS terminology), redirects to the Discovery Service, and has a 
registered return URL in the SP metadata, described below. Returning to this 
predefined URL then starts the login process with the received IDP.

<idpdisc:DiscoveryResponse 
xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" 
Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" 
Location="<SPs return url>" index="1"/>

To me this looks like we need to do a custom server side redirect to the 
Shibboleth WAYF from CAS and save the service url to session or something 
similar. Then use the *org.apereo.cas:cas-server-support-saml-idp-discovery* 
package to handle the IDP redirect (wonder if it works with 7.0). Is this 
the correct way or is there a ready-made solution for remote DS?

Tomi
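As an added illustration (not code from the post, CAS or Shibboleth), here is the discovery-protocol round trip the post describes, modelled in Python with the checks each side should make: the SP parks the CAS service URL server-side and sends the DS the standard entityID/return/returnIDParam parameters, the DS redirects back only to a Location registered in the SP's DiscoveryResponse metadata, and the SP accepts only an IdP it knows. The DS URL, entity IDs, metadata and the in-memory STATE store are constructed for the example.

```python
from urllib.parse import urlencode, urlparse, urlunparse, parse_qs
import xml.etree.ElementTree as ET

IDPDISC = "urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
SP = "https://sp.example.org/sp"  # constructed SP entityID

# Constructed SP metadata; the DiscoveryResponse element has the same shape as the post's.
SP_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="{SP}">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <Extensions><idpdisc:DiscoveryResponse xmlns:idpdisc="{IDPDISC}"
      Binding="{IDPDISC}" Location="https://sp.example.org/sp/disco" index="1"/></Extensions>
  </SPSSODescriptor>
</EntityDescriptor>"""

KNOWN_IDPS = {"https://idp-a.example.edu/idp", "https://idp-b.example.edu/idp"}  # constructed
STATE = {}  # stand-in for a server-side session store holding the CAS service URL

def ds_locations(metadata_xml):
    """DiscoveryResponse Locations the DS may redirect back to for this SP."""
    root = ET.fromstring(metadata_xml)
    return {e.get("Location") for e in root.iter(f"{{{IDPDISC}}}DiscoveryResponse")}

def sp_start_discovery(ds_url, return_base, cas_service):
    """SP side: park the CAS service URL server-side and send the DS only an opaque key."""
    key = f"s{len(STATE) + 1}"
    STATE[key] = cas_service
    ret = return_base + "?" + urlencode({"state": key})
    return ds_url + "?" + urlencode({"entityID": SP, "return": ret, "returnIDParam": "entityID"})

def ds_handle(request_url, metadata_by_entity, chosen_idp):
    """DS side: honour 'return' only if it matches a Location registered for that entityID."""
    q = {k: v[0] for k, v in parse_qs(urlparse(request_url).query).items()}
    ret = urlparse(q["return"])
    md = metadata_by_entity.get(q.get("entityID"))
    if md is None or urlunparse(ret._replace(query="", fragment="")) not in ds_locations(md):
        raise ValueError("unknown SP or return URL not a registered DiscoveryResponse Location")
    sep = "&" if ret.query else "?"
    return q["return"] + sep + urlencode({q.get("returnIDParam", "entityID"): chosen_idp})

def sp_finish_discovery(response_url):
    """SP side: accept only a known IdP and restore the service URL from server state."""
    q = {k: v[0] for k, v in parse_qs(urlparse(response_url).query).items()}
    if q.get("entityID") not in KNOWN_IDPS:
        raise ValueError("discovery returned an IdP that is not in SP metadata")
    return q["entityID"], STATE.pop(q["state"])

if __name__ == "__main__":
    req = sp_start_discovery("https://ds.example.edu/WAYF", "https://sp.example.org/sp/disco", "https://app.example.org/")
    resp = ds_handle(req, {SP: SP_METADATA}, "https://idp-a.example.edu/idp")
    print(sp_finish_discovery(resp))
```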

You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To view this discussion visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/ae8f6d08-9998-481d-9b97-5cafdd8d6c3en%40apereo.org.