CAS 5.0.0 - SAML and Shibboleth


Elendrys Yagami

Dec 6, 2016, 6:08:02 AM
to CAS Community
Hi there,

We use CAS here to have a centralized login service for our applications. We also have a Shibboleth Identity Provider that provides login services to remote federated applications onto our user database.

We are currently upgrading both authentication systems and I'd like to have some feedback about the best strategy (as people here may know about these two pieces of software).

First, it is not clear to me, after reading the documentation, whether the SAML implementation in CAS v5 may fully replace the Shibboleth IdP or whether it is tied to the software introduced in the documentation pages (Google, etc.)?

Then, what's your opinion about doing Shibboleth authentication through CAS? It seems to have been non-functional in the past, but things have evolved a lot since.
For me, it also makes Shibboleth apps dependent on the CAS service too.

Any feedback appreciated.

Thanks


William G. Thompson, Jr.

Dec 9, 2016, 11:13:01 AM
to CAS Community
Hi Elendrys,

It's a great question and of course a lot depends on your specific
situation. Here's my personal take...

CAS has proven itself over the years to be a fantastic and flexible
WebSSO platform, and with Misagh's leadership and help of the
community it has taken another huge leap with CAS5.0. The combination
of CAS and Shib has also been highly effective for many organizations,
especially when Shib is delegating to CAS for authentication.

CAS has for a long time had limited support for SAML and the 5.0
release takes this to a new level. Likewise Shib recently introduced
some level of support for CAS protocol. My personal take is that the
protocol support is the least interesting part of the story, and that
it's the features and quality of the system that make the difference.

At Lafayette we are running the latest Shib IdP for InCommon
Federation services and a few bilateral arrangements, and CAS for
everything else. Shib delegates to CAS for authN, and CAS anchors the
SSO session and the user experience. We will be upgrading to CAS 5.0
soon and will be piloting MFA (DUO) with CAS. After that we will
likely start experimenting moving our bilateral SAML clients to CAS.

It looks like we will also likely get ADFS (with an o365 deployment).
The current plan is to have both Shib and ADFS delegate to CAS for
authentication so that we have a consistent SSO experience, and can
keep MFA and account/password policy/behavior mostly in one place.

Hope this helps.

Best,
Bill