If I understand the CAS-Shibboleth option, it requires you to use CAS as your central authentication. In our environment, our IdP is the central authentication and we do not have CAS anywhere. We are trying to integrate with a 3rd party who uses CAS so we need their CAS to integrate with SAML IdP Initiated SSO. This is what I am looking to accomplish.

On Thu, Dec 19, 2013 at 8:00 PM, Andrew Morgan <[email protected]> wrote:

> On Thu, 19 Dec 2013, Craig St. Jean wrote:
>
>> As I understand it, I can use /samlValidate so CAS mimics a SAML 1.1 Identity Provider to provide integration with SAML Service Providers.
>>
>> In my organization, we use a SAML Identity Provider for providing SSO with external companies. For example we integrate with Office 365 via SAML where Office 365 is the Service Provider and our internal Identity Provider is the Identity Provider.
>>
>> We now have a requirement to integrate with a company that is using CAS. Is there any way to establish trust between CAS and a SAML Identity Provider such that a user signed into our Identity Provider can then switch over to this external application without logging in again? I'm thinking as a worst case we may be able to create a SAML Service Provider application that then uses the CAS RESTful API to log the user in with generated usernames/passwords (since we already have established trust against our Identity Provider). Of course the downside to this is that the external company would have to install this application on their end and we would have to maintain it through the versions.
>>
>> Do we have any other options? Am I overthinking things?
>
> You don't say which SAML IdP software you are using, but have you looked at the CAS-Shibboleth integration options? There is a light-weight integration via REMOTE_USER in Shibboleth. There is a more full-featured integration using some code developed by Unicon.
>
> I used the simple REMOTE_USER method to have Shibboleth delegate authentication to CAS. When our users access Google, they are redirected through Shibboleth to CAS, then back through Shibboleth to Google. It works quite well.
>
> Andy

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
