4.x SAML documentation


David Curry

Apr 21, 2016, 12:12:33 PM
to CAS Community
Hopefully this isn't too dumb a question; I haven't been able to find a definitive answer anywhere.

Right now we're using CAS 3.5.x (we're waiting for summer and 4.3.x with MFA) as our primary authentication/single sign-on. We also have Shibboleth 2.4.x for those few services that don't support CAS; it's configured with shib-cas-authn2 to redirect to CAS to perform the authentication, which makes everything transparent to the users. All in all, this has been working really well.

Is the improved SAML support in CAS 4.x going to let us achieve the same end result of users only having to authenticate once and then be able to access both CAS-based and SAML-based services? In other words, is the intention that we'll be able to get rid of Shibboleth, since we're not using it for anything special, and just do it all with CAS 4.x?

As a follow-up, is the improved SAML support and CAS/SAML interaction documented yet? The only stuff I can find on the web site appears to be the same "we support SAML1 and SAML2 only as much as Google Apps needs" stuff that's been there since forever. Should I be looking somewhere else?

Thanks,
Dave Curry
The New School

Misagh Moayyed

Apr 21, 2016, 12:25:05 PM
to CAS Community

http://jasig.github.io/cas/development/installation/Configuring-SAML2-Authentication.html

 

Whether this works for your needs or not is something you should of course seriously evaluate prior to making the jump. There are overlays and such available for enthusiasts to try out this functionality and report feedback, and of course if/when you do and find missing pieces, we’d love to work with you and collaborate to add what might be missing.

 

The changes are in the master branch, which is a functional but fairly moving target at this point. If you know what you’re doing and are comfortable merging changes back and forth, you’d be fine. But just as equally, you may want to give it one or two weeks before grabbing the latest snapshot.

 

--
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To post to this group, send email to cas-...@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/425abc37-f273-41cb-9322-741ef508c025%40apereo.org.
For more options, visit https://groups.google.com/a/apereo.org/d/optout.

David Curry

Apr 21, 2016, 1:18:26 PM
to CAS Community
Thanks for the link, that gives me a better understanding.  But just to confirm (I'm being a little dense), if I have a mix of CAS-style and SAML-style services listed in the services registry, a user should generally only have to enter his or her username and password one time to access all those services, correct? (I realize we'd have to test it all, I'm just looking for a "yeah, that's the idea" or "no, not at all" sort of confirmation.)

I've been holding off on trying the snapshots so far, due mostly to other things on my plate, but also because I'm waiting for 4.3.x and MFA to get a little closer, as we want that, too. I sorta kinda get the overlays and stuff, and even some coding, in that I managed to figure out how to build an MFA module for our two-factor solution (Swivel PINsafe) using CAS 3.6 and the Unicon plug-in. But there was a lot of trial and error and Googling involved, so I'm not sure so much that I know what I'm doing, it's more like I know how to bash it all into some sort of working order. :-)

My current plan, since we can't change anything until after the semester ends anyway, is to pay very close attention in your CAS 4.x workshop and talks at Open Apereo next month and THEN dive into it.

Thanks,
--Dave

Misagh Moayyed

Apr 21, 2016, 7:42:36 PM
to CAS Community

Thanks for the link, that gives me a better understanding.  But just to confirm (I'm being a little dense), if I have a mix of CAS-style and SAML-style services listed in the services registry, a user should generally only have to enter his or her username and password one time to access all those services, correct? (I realize we'd have to test it all, I'm just looking for a "yeah, that's the idea" or "no, not at all" sort of confirmation.)


[>] Yes that is the premise of SSO, regardless of protocol. Works the same for OAuth, OpenID, etc.

 

I've been holding off on trying the snapshots so far, due mostly to other things on my plate, but also because I'm waiting for 4.3.x and MFA to get a little closer, as we want that, too. I sorta kinda get the overlays and stuff, and even some coding, in that I managed to figure out how to build an MFA module for our two-factor solution (Swivel PINsafe) using CAS 3.6 and the Unicon plug-in.


[>] Is that something you could share with us? Is the code/config up on Github somewhere? Wondering if that’s something we could include in CAS as an MFA option, but I don’t know how popular it is. Admittedly, first time I hear about them :)

But there was a lot of trial and error and Googling involved, so I'm not sure so much that I know what I'm doing, it's more like I know how to bash it all into some sort of working order. :-)

My current plan, since we can't change anything until after the semester ends anyway, is to pay very close attention in your CAS 4.x workshop and talks at Open Apereo next month and THEN dive into it.


[>] Great! Bring a laptop and lots of questions.

 

Thanks,

--Dave
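
The "authenticate once, regardless of protocol" premise in the reply above, shown as an added toy model. This is not CAS code and not from this thread: it models one SSO session (a CAS-style ticket-granting ticket) that issues a single-use service ticket to a CAS-protocol service and a short-lived, audience-bound assertion to a SAML2-protocol service, while only one password check ever happens. Service URLs, lifetimes, the `CREDENTIALS` table and the class and function names are all constructed for the demo.

```python
# Added example (not CAS code): toy model of one SSO session serving both
# CAS-protocol and SAML2-protocol services from a mixed services registry.
# Names, lifetimes and credentials are constructed for the demo.
import secrets
from dataclasses import dataclass

CREDENTIALS = {"dcurry": "correct horse battery staple"}  # constructed user database
TGT_LIFETIME_SECONDS = 8 * 60 * 60   # assumed SSO session lifetime
TICKET_LIFETIME_SECONDS = 10         # assumed service-ticket / assertion validity


@dataclass
class SsoSession:
    user: str
    created: float


class ToyIdp:
    """Single sign-on server holding one session per login (a CAS-style TGT)."""

    def __init__(self, registry):
        self.registry = registry          # service id -> "cas" | "saml2"
        self.sessions = {}                # TGT id -> SsoSession
        self.service_tickets = {}         # ST id -> (user, service id, issued at)
        self.primary_auths = 0            # how often a password was actually checked

    def login(self, user, password, now):
        """Primary authentication: the only step that consumes a password."""
        self.primary_auths += 1
        if CREDENTIALS.get(user) != password:
            raise PermissionError("bad credentials")
        tgt = "TGT-" + secrets.token_urlsafe(16)
        self.sessions[tgt] = SsoSession(user, now)
        return tgt

    def access(self, tgt, service_id, now):
        """Issue a protocol-specific token for a registered service from the existing session."""
        session = self.sessions.get(tgt)
        if session is None or now - session.created > TGT_LIFETIME_SECONDS:
            raise LookupError("no valid SSO session: primary authentication required")
        protocol = self.registry.get(service_id)
        if protocol is None:
            raise LookupError("service not in registry: %s" % service_id)
        if protocol == "cas":
            st = "ST-" + secrets.token_urlsafe(16)
            self.service_tickets[st] = (session.user, service_id, now)
            return {"protocol": "cas", "ticket": st}
        # SAML2-style: a bearer assertion bound to one audience and a short window
        return {"protocol": "saml2", "assertion": {
            "subject": session.user,
            "audience": service_id,
            "not_on_or_after": now + TICKET_LIFETIME_SECONDS}}

    def validate_service_ticket(self, st, service_id, now):
        """CAS back-channel validation: tickets are single-use and service-bound."""
        entry = self.service_tickets.pop(st, None)   # pop, so a replay finds nothing
        if entry is None:
            return None
        user, issued_for, issued_at = entry
        if issued_for != service_id or now - issued_at > TICKET_LIFETIME_SECONDS:
            return None
        return user


def saml_sp_accepts(assertion, audience, now):
    """What a SAML SP must check before trusting a bearer assertion."""
    return assertion["audience"] == audience and now < assertion["not_on_or_after"]


def demo():
    idp = ToyIdp({"https://wiki.example.edu/": "cas",
                  "https://lms.example.edu/shibboleth": "saml2"})
    now = 1_000_000.0
    tgt = idp.login("dcurry", "correct horse battery staple", now)

    # First service (CAS): ticket issued from the session, valid exactly once.
    cas = idp.access(tgt, "https://wiki.example.edu/", now + 1)
    cas_user = idp.validate_service_ticket(cas["ticket"], "https://wiki.example.edu/", now + 2)
    replay = idp.validate_service_ticket(cas["ticket"], "https://wiki.example.edu/", now + 3)

    # Second service (SAML2): same session, no second password prompt.
    saml = idp.access(tgt, "https://lms.example.edu/shibboleth", now + 4)
    assertion = saml["assertion"]
    accepted = saml_sp_accepts(assertion, "https://lms.example.edu/shibboleth", now + 5)
    wrong_audience = saml_sp_accepts(assertion, "https://wiki.example.edu/", now + 5)
    stale = saml_sp_accepts(assertion, "https://lms.example.edu/shibboleth", now + 60)

    # Once the SSO session has expired, the next service access needs a fresh login.
    try:
        idp.access(tgt, "https://wiki.example.edu/", now + TGT_LIFETIME_SECONDS + 1)
        expired_rejected = False
    except LookupError:
        expired_rejected = True

    return {"primary_auths": idp.primary_auths, "cas_user": cas_user,
            "replay_rejected": replay is None, "saml_subject": assertion["subject"],
            "saml_accepted": accepted, "wrong_audience_rejected": not wrong_audience,
            "stale_rejected": not stale, "expired_session_rejected": expired_rejected}


if __name__ == "__main__":
    print(demo())
```

The point worth keeping from the model is the security shape behind the convenience: the password is checked once per SSO session, every downstream token is short-lived and bound to one service, a CAS service ticket cannot be validated twice, and a SAML assertion presented to the wrong audience or after its window is refused. Those are the properties to test when a real CAS 4.x deployment replaces a separate Shibboleth IdP.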

 

David Curry

Apr 22, 2016, 8:10:51 AM
to CAS Community, mmoa...@unicon.net

I've been holding off on trying the snapshots so far, due mostly to other things on my plate, but also because I'm waiting for 4.3.x and MFA to get a little closer, as we want that, too. I sorta kinda get the overlays and stuff, and even some coding, in that I managed to figure out how to build an MFA module for our two-factor solution (Swivel PINsafe) using CAS 3.6 and the Unicon plug-in.


[>] Is that something you could share with us? Is the code/config up on Github somewhere? Wondering if that’s something we could include in CAS as an MFA option, but I don’t know how popular it is. Admittedly, first time I hear about them :)


Unfortunately it's not in Github. But give me a few days to clean it up and I can send you a tarball or something. It's not one of the most popular systems, although the company has been around for quite some time. We like it because it has a variety of implementation options all with the same product, to provide different levels of trade-off between security and ease-of-use.

--Dave

Misagh Moayyed

Apr 22, 2016, 1:21:37 PM
to CAS Community

Great. Look forward to it.

 

Speaking for myself, my only semi-obvious requirements for considering this sort of change are that the dependencies/libraries your extension depends on must be available in some sort of central repository, preferably maven central, and that we should have access to individual test accounts under a demo/test subscription level so we can in some reasonable form maintain it. Otherwise, as awesome as it may be, we can’t quite accept it.

 

I’d still love to review it nonetheless.

 

From: cas-...@apereo.org [mailto:cas-...@apereo.org] On Behalf Of David Curry


Sent: Friday, April 22, 2016 5:11 AM
To: CAS Community <cas-...@apereo.org>

