I think the original question was about using CAS without Shibboleth, and without ADFS -- i.e. go straight to CAS from O365. Which won't work well. You can go straight to Shib from O365, but only if you are willing to deal with adding ECP support to your IdP and also having several Microsoft clients (e.g. Lync) not work. You really are best off, at the moment, having ADFS in between, to handle the TRUST (active) protocol, while it defers the web passive to the IdP.
But Microsoft has introduced yet another wrinkle into the mix, in that some of their latest O365 mobile clients are now requesting a "non-industry standard" authentication context of 'http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password', and you have to "teach" your IdP to handle that. See the following for more on that: https://wiki.shibboleth.net/confluence/display/SHIB2/MicrosoftInterop

Now, theoretically, Microsoft is in the midst of rolling out new versions of everything that will eventually result in being able to use SAMLv2/web passive for all authentications regardless of Microsoft client. But we aren't there yet today; one still has to worry about the special case of the Trust/active protocol using clients, and now, also, the special case of requested authentication methods that the "out of the box" Shib IdP isn't configured to handle.

On Jun 25, 2015, at 1:58 PM, Christopher Myers <[email protected]> wrote:

> I think you should be able to...
>
> Our O365 instance has accounts provisioned and synced through a PowerShell
> script.
>
> We did a conference call with an O365 specialist at M$ a few months ago, and
> we were told this about Shib:
>
> There are two different types of applications in the O365 suite:
> WS-TRUST: Active protocols, which includes the physical Office clients
> WS-Federation: Passive protocols, which are the web-based apps
>
> The TRUST protocol apps are not able to be shib'd at this point, but the
> Federation protocol apps are.
>
> So as long as you're provisioning the accounts into the O365 environment, you
> should be able to have the web apps shib-enabled.
>
> Chris
>
> >>> <[email protected]> 06/25/15 1:43 PM >>>
> Ok,
> Thank you very much.
>
> On 2015-06-25 02:21, Misagh Moayyed wrote:
> > At this point, I don't think it's possible. Your other option would be to
> > have ADFS <-> Shib <-> Shib/CAS Authn <-> CAS. 4.1.SNAPSHOT presents no such
> > feature that I am aware of. If ADFS support gets added, it would only be to
> > make CAS an ADFS client and not the other way around.
> >
> >> -----Original Message-----
> >> From: [email protected] [mailto:[email protected]]
> >> Sent: Wednesday, June 24, 2015 1:58 PM
> >> To: [email protected]
> >> Subject: [cas-user] CAS 4.0 & AD & ADFS & OFFICE 365
> >>
> >> Hello,
> >>
> >> I ask myself a question. Could you give me your opinion?
> >>
> >> A person from Microsoft presented the Office 365 solution to us at our
> >> university.
> >>
> >> To connect to Office 365, they advise us to install an AD server with a
> >> frontal ADFS server that connects to our Shibboleth authentication server
> >> (I understand that only CAS version 4.1 SNAPSHOT allows SAML2.0 with ADFS.
> >> Maybe I'm wrong...)
> >>
> >> But I wonder: is it possible to simply connect the AD server with the CAS
> >> 4.0 and so not use the ADFS server?
> >>
> >> The Web client goes through the CAS server and the AD server that integrates
> >> the connection and sends the profile to the AD server AZURE Office 365...
> >> is it possible?
> >>
> >> Thank you for your help
> >>
> >> Daniel CHARLOT
> >> Université de Nice.

--
Michael A. Grady
IAM Architect, Unicon, Inc.
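As an added illustration of the "teach your IdP" step Michael describes above (not configuration taken from the thread, from Unicon, or from the Shibboleth project's own documentation), here is a Shibboleth IdP 2.x `conf/handler.xml` login-handler fragment showing the stock setting beside the corrected one. The file path, the JAAS configuration location and the surrounding handler group are assumptions; the two URIs are the ones named in the message.

```xml
<!-- Constructed example: excerpt of a Shibboleth IdP 2.x conf/handler.xml.
     Paths and the surrounding handler group are assumptions, not taken from the thread. -->
<ph:ProfileHandlerGroup xmlns:ph="urn:mace:shibboleth:2.0:idp:profile-handler"
                        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <!-- Before: the stock UsernamePassword login handler only advertises the
         standard SAML 2 class. A client that sends a RequestedAuthnContext
         naming the Microsoft password URI finds no handler able to satisfy it,
         so the IdP rejects the request and the sign-in fails. -->
    <!--
    <ph:LoginHandler xsi:type="ph:UsernamePassword"
                     jaasConfigurationLocation="file:///opt/shibboleth-idp/conf/login.config">
        <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ph:AuthenticationMethod>
    </ph:LoginHandler>
    -->

    <!-- After: the same handler also declares the Microsoft-specific method, so the
         IdP can satisfy either requested context with the same password login. -->
    <ph:LoginHandler xsi:type="ph:UsernamePassword"
                     jaasConfigurationLocation="file:///opt/shibboleth-idp/conf/login.config">
        <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ph:AuthenticationMethod>
        <ph:AuthenticationMethod>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</ph:AuthenticationMethod>
    </ph:LoginHandler>

</ph:ProfileHandlerGroup>
```

The IdP reads `handler.xml` at startup, so the change takes effect after a restart. Declaring the extra method only affects the web passive flow the IdP handles; the WS-Trust/active clients still go through ADFS exactly as described above, and an IdP that fails to satisfy a requested context typically logs the unmatched URI, which is the quickest way to confirm that this is the problem before editing the handler list.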
