So, after reading the various documentation sources, this is my
current understanding of how I could pass a CAS authenticated user
through a SAML 1.1 enabled service. The below high-level walkthrough
describes our intended setup (uPortal, CAS, a CAS-enabled web service
for SAML assertions, and the Juniper VPN appliance). Does this sound
right?
1) User navigates to uPortal, gets redirected to CAS.
2) User authenticates to CAS, is granted a ticket, is redirected to
uPortal.
3) User clicks a link in some channel to the VPN, or a resource behind
the VPN.
4) The VPN redirects to a CAS-ified web service that validates the
ticket, generates a SAML response package with artifact and other
useful things, posts back to the VPN device.
5) The VPN receives the response, and if it's good, logs the user into
the VPN and presents them with the requested resource.
So, for step 4, we'd need to build a web service using a CAS client
that supports SAML responses, yes? Discussion on the phpCAS list seems
to indicate that 1.1.0RC1 supports that, and I'd guess some of the
other clients do as well.
-Aaron
---------------------------------
Aaron Fuleki
Web Services Manager
Denison University
740.587.5752
---------------------------------
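An added example, not code from this thread, from CAS or from any of the clients mentioned: the consumer-side checks a service should make on a CAS 3 samlValidate response before trusting the user-ID attribute an appliance like the IVE is configured to read. The SOAP/SAML sample, the hostnames, timestamps and the `uid` attribute name are constructed, and `extract_user` and `parse_time` are hypothetical helpers.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "samlp": "urn:oasis:names:tc:SAML:1.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:1.0:assertion"}

# Constructed sample in the shape of a CAS 3 samlValidate reply; host, times and user are made up.
AUDIENCE = "https://vpn.example.edu/saml-consumer"
SAMPLE_RESPONSE = """<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body>
<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol" MajorVersion="1" MinorVersion="1" Recipient="%s">
<Status><StatusCode Value="samlp:Success"/></Status>
<Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1" Issuer="cas.example.edu">
<Conditions NotBefore="2009-06-16T20:26:00Z" NotOnOrAfter="2009-06-16T20:27:00Z">
<AudienceRestrictionCondition><Audience>%s</Audience></AudienceRestrictionCondition></Conditions>
<AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
<Subject><NameIdentifier>afuleki</NameIdentifier></Subject></AuthenticationStatement>
<AttributeStatement><Subject><NameIdentifier>afuleki</NameIdentifier></Subject>
<Attribute AttributeName="uid" AttributeNamespace="http://www.ja-sig.org/products/cas/">
<AttributeValue>afuleki</AttributeValue></Attribute></AttributeStatement>
</Assertion></Response></SOAP-ENV:Body></SOAP-ENV:Envelope>""" % (AUDIENCE, AUDIENCE)

def parse_time(s):
    """SAML 1.1 timestamps are UTC in the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def extract_user(xml_text, expected_audience, uid_attribute, now):
    """Return the user ID from a samlValidate response after checking success status,
    validity window, audience, and that the user-ID attribute agrees with the subject.
    Trust rests on having fetched this over TLS straight from CAS; an unsigned SAML 1.1
    response relayed by the browser must not be accepted this way."""
    root = ET.fromstring(xml_text)
    resp = root.find("soap:Body/samlp:Response", NS)
    if resp is None:
        raise ValueError("no SAML Response in SOAP body")
    status = resp.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or not status.get("Value", "").endswith("Success"):
        raise ValueError("CAS did not report success")
    assertion = resp.find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS)
    if not parse_time(cond.get("NotBefore")) <= now < parse_time(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestrictionCondition/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion not issued for this service")
    subject = assertion.findtext("saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier", namespaces=NS)
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("AttributeName") == uid_attribute:
            value = attr.findtext("saml:AttributeValue", namespaces=NS)
            if not value or value != subject:
                raise ValueError("user-ID attribute does not match the assertion subject")
            return value
    raise ValueError("attribute %r not present in assertion" % uid_attribute)
```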
On Jun 16, 2009, at 4:26 PM, Rich wrote:
I'm using SOAP UI ... I have combined and followed the instructions
on these 2 pages.
http://sysbible.org/x/2009/03/06/how-to-test-cas-saml-using-soapui/
https://sp.princeton.edu/oit/sdp/CAS/Wiki%20Pages/CAS%20samlValidate%20walkthrough.aspx
On Tue, Jun 16, 2009 at 4:17 PM, Aaron Fuleki <[email protected]> wrote:
What exactly is the browser interaction? Does a special service
need to be set up or configured?
I'm more than happy to start backfilling this stuff into the wiki as
I figure it out.
-Aaron
On Jun 16, 2009, at 2:11 PM, Scott Battaglia wrote:
As of right now we merely support the web artifact profile which
requires interaction with the web browser. CAS4 will have a more
complete implementation of the SAML2 spec.
On Mon, Jun 15, 2009 at 1:45 PM, Aaron Fuleki <[email protected]> wrote:
Hey folks,
What does it take to get a CAS 3 server to provide SAML 1.1
responses to non-CAS services? Is that supported out of the box, or
is there configuration to be done? We're currently demo'ing a VPN/
remote access appliance (IVE from Juniper Systems), which claims to
support SAML 1.1. After digging through their docs, it seems like
it can be configured to accept SAML "artifacts" and "assertions" to
achieve SSO using an external auth system (like CAS). The user
interface wants the address of where to find the SAML server, and
the name of the attribute in the response that will contain the user
ID for the current session.
The SAML 1.1 page of the CAS 3 manual is completely blank
(http://www.ja-sig.org/wiki/display/CASUM/SAML+1.1), and my mailing
list searches for SAML topics seem to pertain to client development.
-Aaron
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user