Thanks for the feedback. I agree with your observations on the mod_auth_cas configuration. I don't maintain our Shib installation but asked the admin if renew was turned on. He claimed it isn't.
-Bryan

From: [email protected] [mailto:[email protected]] On Behalf Of Eric Pierce
Sent: Wednesday, July 06, 2011 12:01 PM
To: [email protected]
Subject: Re: [cas-user] CAS and Shib question

Using CAS as the WebSSO for Shibboleth definitely works - I've used it for 2+ years (with Shib 1.3 and 2.x) and haven't had any problems. It's most likely a config problem with mod_auth_cas because the CAS ticket validation happens there. You'll probably want to set 'CASDebug On' to see if that shines any light on the issue, but my first guess is that CASRenew is turned on; that would explain the behavior you're seeing.

Here are the settings I'm using:

    CASVersion 2
    CASDebug Off
    CASValidateServer Off
    CASLoginURL https://webauth.usf.edu/login
    CASValidateURL https://webauth.usf.edu/serviceValidate
    CASCookiePath /var/www/cas-tmp/

    <Location /idp/Authn/RemoteUser>
        AuthType CAS
        require valid-user
    </Location>

On Wed, Jul 6, 2011 at 11:51 AM, Bryan Wooten <[email protected]> wrote:

We are in the process of deploying a 3rd party application that authenticates against our 1.3 Shibboleth IDP. Our Shibboleth IDP uses our CAS server for its authentication (Tomcat using mod_auth_cas).

So we were hoping a login to one of our in-house CASified applications would result in an SSO experience with the 3rd party application. But this is not the case. No matter the order the applications are accessed, the user is always prompted for credentials. The users don't like this, especially since they get the exact same CAS login screen twice.

I am not sure why we get this behavior, but I am not surprised either. What confuses me is that whether signing into our in-house application or the 3rd party application, the user's browser is redirected to the CAS login screen. I thought this would be sufficient to enable SSO. Anyway, I do understand Shib and CAS are 2 distinct SSO solutions, so it is not surprising to get this behavior.

Does anyone have any thoughts on this?

Cheers,
Bryan

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user

--
Eric Pierce
Identity Management Architect
Information Technology
University of South Florida
(813) 974-8868
[email protected]
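
One way to check the CASRenew guess raised in the thread, as an added example that is not part of either message: a small Python checker that lists the CAS* directives in an Apache config by enclosing section, reports where CASRenew is on, and tests a login redirect URL for the CAS protocol's renew=true parameter. The CASRenew line in the sample and the idp.example.edu service URL used when testing it are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the settings quoted in the thread, with a CASRenew
# line added inside the Location block to show what the check reports.
SAMPLE_CONF = """\
CASVersion 2
CASDebug Off
CASValidateServer Off
CASLoginURL https://webauth.usf.edu/login
CASValidateURL https://webauth.usf.edu/serviceValidate
CASCookiePath /var/www/cas-tmp/
<Location /idp/Authn/RemoteUser>
    AuthType CAS
    CASRenew On
    require valid-user
</Location>
"""

def cas_directives(conf_text):
    """Return (scope, directive, value) for each CAS* directive, where scope
    is the enclosing <Section ...> or "(server)" outside any section."""
    scope, found = ["(server)"], []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            if len(scope) > 1:
                scope.pop()
        elif line.startswith("<"):
            scope.append(line.strip("<>").strip())
        else:
            parts = line.split(None, 1)
            if parts[0].lower().startswith("cas"):
                found.append((scope[-1], parts[0], parts[1] if len(parts) > 1 else ""))
    return found

def renew_scopes(conf_text):
    """Scopes in which CASRenew is switched on (names are case-insensitive)."""
    return [s for s, name, value in cas_directives(conf_text)
            if name.lower() == "casrenew" and value.strip().lower() == "on"]

def login_forces_renew(url):
    """True if a redirect to the CAS login URL carries renew=true, which asks
    CAS to prompt for credentials even when an SSO session already exists."""
    query = parse_qs(urlsplit(url).query)
    return query.get("renew", [""])[0].lower() == "true"
```

An empty list from renew_scopes on every config file that covers the IdP's RemoteUser path, together with a login redirect that carries no renew parameter, rules out CASRenew as the cause of the double prompt.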
