> In short, merging SSO domains is difficult to impossible.

While difficult, I expect the merge is feasible if you're open to somewhat complex solutions.

ADFS can operate as a SAML Relying Party / Service Provider. There's a pretty good whitepaper on how to do this with Shibboleth. (Disclaimer: I haven't actually personally done this configuration of ADFS. In fact, I've never touched ADFS.)

http://technet.microsoft.com/en-us/library/gg317734(WS.10).aspx

As Marvin notes, you can front Shibboleth with CAS so that it's the implementation of the user experience for authentication.

So, you can achieve CAS SSO across ADFS-using applications by configuring ADFS to rely upon Shibboleth for SAML-based user authentication and then configuring Shibboleth to rely upon CAS to implement the user experience of user authentication.

It's a bit, um, involved, but it should work, with the user logging in to CAS once, and then experiencing SSO each time the request traverses the stack. This approach may be attractive to folks getting value out of CAS in other ways.

Andrew



On 01/26/2011 10:35 AM, Marvin Addison wrote:
> > We are now looking into integrating the system with ADFS (Active Directory
> > Federation Services).
>
> I'm not terribly familiar with ADFS, but it's my understanding it's
> Microsoft's proprietary answer to Shibboleth and federated identity
> management. Assuming that's correct, this will be a difficult
> integration if you want to avoid logging in again as you stated. The
> integration path with Shibboleth, in the simplest case, puts CAS in
> front of Shib by making CAS the authentication provider for Shib; see
> https://wiki.jasig.org/display/CASUM/Shibboleth-CAS+Integration for
> more information. I can imagine that if ADFS exposes a Web/Web
> service API, you could do similar, but it won't fulfill the
> requirement to avoid reauthentication. In short, merging SSO domains
> is difficult to impossible.
>
> M


