Using remote discovery service with delegated SAML authentication (CAS 7)

[Tomi Karlstedt]

Hi,

We're replacing an old Spring/OpenSAML service provider microservice with an existing CAS implementation as the SP. This means we need to integrate our CAS 7.0 with a Shibboleth instance using SAML. The authentication delegation works fine. CAS sends user to the Shibboleth which then picks the first defined IDP in the metadata. However we're having a hard time figuring out how to use the Shibboleth's remote WAYF/Discovery Service so that the user can choose their IDP.

How would one go about integrating such a service with CAS? As far as I can tell, the old SP microservice just saves the original return URL (i.e. service in CAS terminology), redirects to the Discovery Service, and has a registered return URL in the SP metadata describet below. Returning to this predefined URL then starts the login process with the received IDP.

<idpdisc:DiscoveryResponse xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="<SPs return url>" index="1"/>

To me this looks like we need to do a custom server side redirect to the Shibboleth WAYF from CAS and save the service url to session or something similar. Then use the org.apereo.cas:cas-server-support-saml-idp-discovery package to handle the IDP redirect (wonder if it works with 7.0). Is this the correct way or is there a ready-made solution for remote DS?

Tomi

[Michal Voců]

Hi Tomi,

   

   you may want to have a look at the https://github.com/mvocu/cas-server-cuni/tree/cuni-6.x-devel/src/main/java/cz/cuni/cas/opensaml

I have implemented there some flow changes to use external WAYF service for the CAS 6.5 version, but it may give you some guidance how to do it in CAS 7. There are also modifications to use eIDAS, but they should be easily identified and do not mix or depend on the WAYF code.

Regards,

Michal V.

--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/ae8f6d08-9998-481d-9b97-5cafdd8d6c3en%40apereo.org.

[Tomi Karlstedt]

Hi Michal,

Thank you! This seems to be working. It is a bit unfortunate that this requires webflow customization as it will again make future CAS overlay version upgrades more complex. Hopefully a better support for external DS will be added later.

Tomi

[Ray Bon]

Tomi,

Do you mean to say that you are using the cas server (IdP) as a service provider, or a cas client?

The shibboleth SP can be configured for WAYF and IdP discovery.

Ray

---

From: cas-...@apereo.org <cas-...@apereo.org> on behalf of Tomi Karlstedt <tok...@reaktor.fi>
Sent: April 10, 2025 04:27
To: CAS Community <cas-...@apereo.org>
Subject: [cas-user] Using remote discovery service with delegated SAML authentication (CAS 7)

 

You don't often get email from tok...@reaktor.fi. Learn why this is important

--