CAS as IDP w/ CAS REST v1 API and SAML 2.0 SP

Curtis Ruck

Jul 26, 2019, 1:19:38 AM
to CAS Community
So, is there a way to get a SAMLResponse (given a SAMLRequest) if the user's session is established through the CAS v1 REST API?

We have a legacy desktop application that has used the CAS v1 REST API for years to authenticate users, but we have a new Service Provider that only supports SAML 2.0 (vice our historical usage of CAS 2.0/SAML 1.1 protocols).

Ideally, it looks like I'd need to turn the TGT into a properly signed TGC so it could be shoved into a cookie, and follow the 302 redirects on some requests to mimic one of the Web Browser SSO Profiles, or a REST v1 request to something like /cas/v1/tickets/TGT-123?SAMLRequest=.......

Just trying to brainstorm what changes/extensions I'll need to make to support this.  I recognize the "right" answer long term is to replace the legacy authentication that uses the REST API and switch to an embedded browser, that goes through the standard browser authentication process, but that would be a much larger undertaking.

Curtis Ruck

Jul 26, 2019, 12:55:05 PM
to CAS Community
On further investigation, it appears the SAML 2.0 SOAP/ECP profile almost works, except it requires reauthentication (slow) and only supports username/password (not X509).

I'm leaning towards creating a custom ECP implementation that consumes the REST-provided TGT in the Basic Authorization header; any thoughts? Downside is the ECPProfileHandlerController is not designed for extension, so I'll have to copy+paste and modify it.

Thoughts?