We have one Tomcat instance with both Shibboleth and CAS. Not sure if that's 
the recommended or the best, but we only have one instance so we aren't playing 
with load balancers. Thank $DEITY for that :)

The flow for us will be:
1) Client goes to O365
2) Client gets redirected to ADFS
3) Client logs in to ADFS and gets redirected to O365.

For any service using CAS, the flow will be:
1) Client goes to $SERVICE
2) Client gets redirected to CAS, CAS redirects to ADFS
3) Client logs in to ADFS and gets sent back to CAS
4) CAS accepts ADFS' assertion, generates a token, and redirects the client 
back to $SERVICE

For a Shibboleth service, it's $SERVICE -> Shibboleth -> CAS -> ADFS, the 
client logs in, then ADFS -> CAS -> Shibboleth -> $SERVICE. In all cases, all 
clients always see the ADFS login page and never see the CAS or Shib login 
pages.

On 2013 Jun 18, at 2:05 PM, "Whittaker, Geoffrey" <[email protected]> 
wrote:

> 42.  Got it... ;)  
> 
> I appreciate the help.  I'm about to start trying to stand up the shib box 
> this afternoon.  I'll follow the stuff in the two links and see where that 
> gets me.
> 
> Do you use two separate servers in production?  I'm toying with the idea of 
> hosting two separate Tomcat instances on one box.  
> 
> If you would, give me one last sanity check...
> 
> 1. Client goes to O365 and gets directed to SHIB
> 2. SHIB gets credentials and passes them to CAS for Authentication (presume 
> success)
> 3. SHIB goes to ADFS to get the attributes and sends them via SAML 2.0 to O365
> 
> Is that how this is supposed to work?  I hope so... :)
> 
> 
> Geoff 
> 
> -----Original Message-----
> From: Joel Goguen [mailto:[email protected]] 
> Sent: Tuesday, June 18, 2013 11:41 AM
> To: [email protected]
> Subject: Re: [cas-user] Office 365, SAML2.0 and CAS
> 
> I think it would be easier to go with what you have right now and fill in the 
> gaps. Beyond the links I included, the only way to get more specific would be 
> (I think) to start posting my configuration files, which may end up being 
> more confusing if you've gotten used to your current layout and it's markedly 
> different.
> 
> What do you mean by 'how I have secured it'? Who is allowed to use it? All 
> users with a valid account in good standing. What services use CAS or Shib? 
> We prefer CAS where possible, Shibboleth for services that don't support CAS. 
> Something else? 42 is the answer to life, the universe, and everything. :)
> 
> On 2013 Jun 18, at 11:55 AM, "Whittaker, Geoffrey" <[email protected]> 
> wrote:
> 
>> Thank you for replying.  
>> 
>> I'm having to take a crash course on Shib, CAS, ADFS, and O365.  Can you 
>> explain in a little more detail how you configured this to work, and how you 
>> secured it?  I have to try to get something running here in the next few 
>> days.
>> 
>> Thanks again for your help.
>> 
>> Geoff
>> 
>> -----Original Message-----
>> From: Joel Goguen [mailto:[email protected]]
>> Sent: Monday, June 17, 2013 11:07 AM
>> To: [email protected]
>> Subject: Re: [cas-user] Office 365, SAML2.0 and CAS
>> 
>> On 2013 Jun 17, at 11:57 AM, Marvin S. Addison <[email protected]> 
>> wrote:
>> 
>>>> Is there any documentation about the configuration you described? 
>>>> I've never worked with Shibboleth, ADFS, or O365.
>>> 
>>> I'm not aware of any, but I honestly haven't looked very hard. We abandoned 
>>> the integration effort I mentioned before we got to the point of developing 
>>> a detailed implementation plan. I am aware that there are folks in the CAS 
>>> community that have done this (USF), so maybe they can speak up.
>>> 
>>> M
>> We're in the process of setting up CAS <-> ADFS <-> O365 right now. I've not 
>> yet tested the full chain, but the fact that the CAS <-> ADFS link works 
>> perfectly and the ADFS <-> O365 link works perfectly suggests to me that the 
>> whole thing should be a smooth transition. We also have Shibboleth in the 
>> mix, but for us Shibboleth delegates to CAS so a user accessing a Shibboleth 
>> service currently follows a Shib <-> CAS link, and after the switch will 
>> follow Shib <-> CAS <-> ADFS.
>> 
>> I used https://wiki.jasig.org/display/CASUM/Shibboleth-CAS+Integration to 
>> set up the Shib/CAS link, and 
>> http://sites.ewu.edu/jgasper/ws-federation-cas-user-manual/ to set up the 
>> CAS/ADFS link.
>> 
>> --
>> Joel Goguen
>> Developer / System Administrator
>> Enterprise Solutions
>> Information Technology Services
>> University of New Brunswick
>> E-mail: [email protected]
>> Phone: (506) 453-4872
>> Fax: (506) 453-3590
>> 
>> 
>> --
>> You are currently subscribed to [email protected] as: 
>> [email protected] To unsubscribe, change settings or access 
>> archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
>> 
>> 
>> 
> 
