The CAS SAML implementation can work with non-CAS SAML implementations,
namely Google Apps, JICS portal and a few others. It depends, but it's safe
to say that SAML2 support in CAS specifically is very limited. It may
receive some attention in future versions. 

In terms of (2), I think you'll find the situation with SAML
implementations almost the same if not slightly worse. Unless the vendor
is using an implementation you know of and can "trust", like the
Shibboleth SP software, all bets are off...and since the protocol is more
difficult to understand, troubleshooting would be more challenging too,
IMO. 

> -----Original Message-----
> From: Tom Poage [mailto:[email protected]]
> Sent: Thursday, August 27, 2015 7:57 AM
> To: [email protected]
> Subject: Re: [cas-user] SAML 2 metadata for CAS SP?
> 
> Ah, OK. So if I understand correctly, the CAS SAML implementation cannot
> interoperate with non-CAS SAML implementations i.e. only works with CAS.
> 
> We've tended/started to avoid using CAS for vendor integrations (1)
> because of a management wish to pursue SAML, (2) [no reflection on
> official ones] a 'bad taste' from poorly-implemented CAS clients (the
> protocol is so simple 'everyone' thinks they can write a client), and (3)
> currently not running a service registry so trying to reduce the
> dependency cf. control over clients. We still want to use CAS for SSO
> because it's very good at that, only limit what services use it directly.
> 
> Looking forward to when we can find/make time to deploy the integrated IdP
> 3.x (which might solve some of the edge cases).
> 
> Thanks.
> Tom.
> 
> > On Aug 26, 2015, at 3:47 PM, Misagh Moayyed <[email protected]> wrote:
> >
> > Yes. Your vendor has a CAS client, so it would need to talk to
> > something that understands CAS. Whether that's the CAS server or the
> > IdP's CAS support makes very little difference in terms of
> > feasibility. You don't need to fetch metadata for anything SAML-like
> > even if you went the IdP v3 route.
> >
> > Out of curiosity, why do you avoid that option?
> >
> >> -----Original Message-----
> >> From: Tom Poage [mailto:[email protected]]
> >> Sent: Wednesday, August 26, 2015 3:42 PM
> >> To: [email protected]
> >> Subject: Re: [cas-user] SAML 2 metadata for CAS SP?
> >>
> >> Unfortunately, we're still at IdP 2.x.
> >>
> >> We try to avoid this, but maybe all we can do is have the vendor use
> >> CAS directly (which provides SSO for our IdP).
> >>
> >> Tom.
> >>
> >> On 08/26/2015 01:50 PM, Misagh Moayyed wrote:
> >>> What version of the IdP is this?
> >>>
> >>> If your IdP is anything v3+, you can just turn on its CAS support,
> >>> register the client and have it talk CAS protocol to the IdP directly.
> >>
> >>
> >> --
> >> You are currently subscribed to [email protected] as:
> >> [email protected] To unsubscribe, change settings or access
> >> archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user