On Thu, 19 Dec 2013, Craig St. Jean wrote:
As I understand it, I can use /samlValidate so CAS mimics a SAML 1.1
Identity Provider to provide integration with SAML Service Providers.
In my organization, we use a SAML Identity Provider for providing SSO with
external companies. For example we integrate with Office 365 via SAML
where Office 365 is the Service Provider and our internal Identity Provider
is the Identity Provider.
We now have a requirement to integrate with a company that is using CAS.
Is there any way to establish trust between CAS and a SAML Identity
Provider such that a user signed into our Identity Provider can then switch
over to this external application without logging in again? I'm thinking
as a worst case we may be able to create a SAML Service Provider
application that then uses the CAS RESTful API to log the user in with
generated usernames/passwords (since we already have established trust
against our Identity Provider). Of course the downside to this is that the
external company would have to install this application on their end and we
would have to maintain it through the versions.
Do we have any other options? Am I overthinking things?
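To make the /samlValidate path mentioned above concrete, here is an added worked example (not code from the thread, CAS, or Shibboleth) of what a SAML Service Provider acting as a CAS client sends to and receives from that endpoint. The CAS host cas.example.org, the service URL https://sp.example.org/login, the user jsmith and the attribute values are all assumptions, and the response is constructed by hand to mirror the SAML 1.1-over-SOAP shape CAS produces rather than captured from a real server. The client POSTs a samlp:Request carrying the service ticket as an AssertionArtifact to /samlValidate?TARGET=<service URL>, then checks the status, the Conditions validity window and the Audience before trusting the NameIdentifier and attributes in the assertion.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from xml.sax.saxutils import escape

# Namespaces used by the SAML 1.1 / SOAP messages CAS speaks on /samlValidate.
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SAMLP_NS = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"

# Hypothetical deployment values (assumptions, not from the thread).
SERVICE_URL = "https://sp.example.org/login"


def build_saml_validate_request(service_ticket, request_id, issue_instant):
    """Body POSTed to https://cas.example.org/cas/samlValidate?TARGET=<SERVICE_URL>.
    The CAS service ticket arrives via the user's browser, so it is escaped
    before being placed in the XML."""
    return (
        f'<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP_NS}"><SOAP-ENV:Header/><SOAP-ENV:Body>'
        f'<samlp:Request xmlns:samlp="{SAMLP_NS}" MajorVersion="1" MinorVersion="1" '
        f'RequestID="{escape(request_id)}" IssueInstant="{escape(issue_instant)}">'
        f"<samlp:AssertionArtifact>{escape(service_ticket)}</samlp:AssertionArtifact>"
        "</samlp:Request></SOAP-ENV:Body></SOAP-ENV:Envelope>"
    )


def _instant(value):
    """Parse a SAML 1.1 UTC timestamp, with or without fractional seconds."""
    value = value.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def parse_saml_validate_response(xml_text, expected_audience, now):
    """Validate a /samlValidate response and return (principal, attributes).
    Raises ValueError on anything a relying party must refuse.
    For untrusted input in production, parse with defusedxml instead."""
    root = ET.fromstring(xml_text)
    resp = root.find(f".//{{{SAMLP_NS}}}Response")
    if resp is None:
        raise ValueError("no samlp:Response in SOAP body")
    code = resp.find(f"{{{SAMLP_NS}}}Status/{{{SAMLP_NS}}}StatusCode")
    if code is None or not code.get("Value", "").endswith(":Success"):
        raise ValueError("CAS rejected the ticket: %s" % (code.get("Value") if code is not None else None))
    assertion = resp.find(f"{{{SAML_NS}}}Assertion")
    if assertion is None:
        raise ValueError("success status without an assertion")
    cond = assertion.find(f"{{{SAML_NS}}}Conditions")
    if cond is None:
        raise ValueError("assertion has no Conditions")
    # CAS issues a short validity window; a replayed response fails here.
    if not (_instant(cond.get("NotBefore")) <= now < _instant(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    # The Audience must be our own service URL (the TARGET we validated with).
    audiences = [a.text for a in cond.iter(f"{{{SAML_NS}}}Audience")]
    if expected_audience not in audiences:
        raise ValueError("assertion not addressed to us: %r" % audiences)
    name = assertion.find(
        f"{{{SAML_NS}}}AttributeStatement/{{{SAML_NS}}}Subject/{{{SAML_NS}}}NameIdentifier")
    if name is None or not name.text:
        raise ValueError("no NameIdentifier in AttributeStatement")
    attrs = {}
    for attr in assertion.iter(f"{{{SAML_NS}}}Attribute"):
        attrs[attr.get("AttributeName")] = [
            v.text for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
    return name.text, attrs


# Constructed sample response (not a real capture) in the layout CAS returns.
SAMPLE_RESPONSE = f"""<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP_NS}"><SOAP-ENV:Header/><SOAP-ENV:Body>
<Response xmlns="{SAMLP_NS}" IssueInstant="2013-12-19T15:00:05Z" MajorVersion="1" MinorVersion="1"
  Recipient="{SERVICE_URL}" ResponseID="_resp1">
  <Status><StatusCode Value="samlp:Success"/></Status>
  <Assertion xmlns="{SAML_NS}" AssertionID="_assert1" IssueInstant="2013-12-19T15:00:05Z"
    Issuer="cas.example.org" MajorVersion="1" MinorVersion="1">
    <Conditions NotBefore="2013-12-19T15:00:00Z" NotOnOrAfter="2013-12-19T15:00:30Z">
      <AudienceRestrictionCondition><Audience>{SERVICE_URL}</Audience></AudienceRestrictionCondition>
    </Conditions>
    <AttributeStatement>
      <Subject><NameIdentifier>jsmith</NameIdentifier>
        <SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</ConfirmationMethod></SubjectConfirmation>
      </Subject>
      <Attribute AttributeName="mail" AttributeNamespace="http://www.ja-sig.org/products/cas/"><AttributeValue>jsmith@example.org</AttributeValue></Attribute>
      <Attribute AttributeName="memberOf" AttributeNamespace="http://www.ja-sig.org/products/cas/"><AttributeValue>staff</AttributeValue><AttributeValue>it</AttributeValue></Attribute>
    </AttributeStatement>
    <AuthenticationStatement AuthenticationInstant="2013-12-19T15:00:05Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
      <Subject><NameIdentifier>jsmith</NameIdentifier></Subject>
    </AuthenticationStatement>
  </Assertion>
</Response></SOAP-ENV:Body></SOAP-ENV:Envelope>"""

NOW = _instant("2013-12-19T15:00:10Z")  # clock value inside the sample's window

if __name__ == "__main__":
    print(build_saml_validate_request("ST-1-abc", "_req1", "2013-12-19T15:00:05Z"))
    print(parse_saml_validate_response(SAMPLE_RESPONSE, SERVICE_URL, NOW))
```

The audience check is the one that matters for the cross-organisation case in the question: a ticket validated with a different TARGET yields an assertion whose Audience is that other service, and the relying party should refuse it rather than accept any assertion CAS is willing to issue.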
You don't say which SAML IdP software you are using, but have you looked at
the CAS-Shibboleth integration options? There is a light-weight
integration via REMOTE_USER in Shibboleth. There is a more full-featured
integration using some code developed by Unicon.
I used the simple REMOTE_USER method to have Shibboleth delegate
authentication to CAS. When our users access Google, they are redirected
through Shibboleth to CAS, then back through Shibboleth to Google. It
works quite well.
Andy
--
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user