CAS as SP using SAML?


Yan Zhou

Dec 12, 2023, 7:44:26 AM
to CAS Community
Hi there,

I have CAS delegated authN via SAML working. But I have trouble getting a much simpler flow to work.

I would like CAS to act as a SAML2 ServiceProvider: it accepts an HTTP POST with a SAML Response (the user is already authenticated by another IdP such as Okta, which POSTs the SAML Response to CAS); after validation, it gets the URL defined in RelayState or ACS, and redirects the browser to that URL.

Much like an IdP-initiated SSO flow, in this case the initiating IdP is some other app such as Okta: the user is already in the Okta portal, he sets up a SAML 2.0 integration in Okta with the SSO URL pointing to the CAS endpoint, and RelayState or ACS has the URL to be launched (e.g., points to another app protected by CAS).

I have trouble getting this to work. With CAS SSO profiles, they all assume CAS is the IdP, and therefore accept only an AuthnRequest. This sounds a lot simpler than delegated AuthN, but I cannot get it to work.

Here is what I am thinking, 

CAS is a Spring Boot app, which can act as a SAML2 SP; that requires the Spring dependency spring-security-saml2-service-provider, which is not included in CAS by default. Is this something I need to do to get what I want to work? In other words, CAS is always intended to be an IdP; to be an SP like an app, we need to do something different.

An alternative is to have Okta point the SSO URL to the App, but that is not what I am looking for in this flow. The App does not understand SAML; it uses CAS for authN. I want CAS to be the SP, and then some mechanism to redirect to the App after the CAS session is created.

Thanks,
Yan

Ray Bon

Dec 12, 2023, 2:40:35 PM
to cas-...@apereo.org
Yan,

Cas is not an application that you 'log in to', but an application that 'logs you in'.

If you want to build this capability, pac4j, which is part of cas, can act as a service provider. Though I do not know if it can be configured to handle more than one service. (If you do this once, you will be tempted to do it again.)

But this would mean that cas is an IdP (with proxy to okta) and an SP to the application at the same time.

The simplest approach would be to send the user from okta to the target application login flow, which would redirect to cas just like the simple case of accessing the application first. Or okta could redirect to cas/login?service=... 
My experience with okta is using it as a service provider for our IdP, so I do not know what kind of capability it has.

Ray

On Mon, 2023-12-11 at 10:50 -0800, Yan Zhou wrote: