Integrating with Okta SAML IDP


Soumya Tripathy

Jul 17, 2017, 1:15:45 AM7/17/17
to CAS Community
Hi all,
I was going through the https://apereo.github.io/2017/05/26/cas-shibsp-samlidp/ blog and implemented up to step 5, where the /login endpoint is intercepted by the Apache Shibboleth SP, and was successfully redirected to the Okta IdP. I'm using CAS 5.1.0.

Following is my Okta configuration:

Recipient URL: https://cas.sample-app/Shibboleth.sso/SAML2/POST
Destination URL: https://cas.sample-app/Shibboleth.sso/SAML2/POST
Audience Restriction: https://cas.sample-app/sp/shibboleth (My SP entityId)
Default Relay State: https://cas.sample-app:8443/cas/login

ATTRIBUTE STATEMENTS
Name      Name Format      Value
Email     Unspecified      ${user.email}

And in CAS I have turned on the trusted authentication with the following configuration: 

cas.authn.trusted.principalAttribute=Email

The issue is that, though I have provided the Default Relay State in my IdP configuration, post-authentication the SP is not redirecting the response to my CAS server. Rather, it is redirected to http://localhost/cas/login

Any help will be appreciated.

Thanks
Soumya 
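The RelayState carried in the SAML POST is untrusted input: whoever controls that POST picks where the SP sends the browser after login, so an SP that honours it blindly is an open redirect, and an SP that finds it missing or unacceptable needs a safe default landing page. The following is an added illustration of that check, not code from the thread, the CAS blog or the Shibboleth SP (which has its own RelayState handling). It assumes the CAS login URL from the post above is the only acceptable landing page; the allowlist and the POST bodies are constructed for the example.

```python
"""Validate a SAML RelayState before redirecting to it (added example)."""
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist: only the CAS server named in the thread may
# receive the post-authentication redirect. (scheme, host, port)
ALLOWED_ORIGINS = {("https", "cas.sample-app", 8443)}
# Fallback when RelayState is absent or fails validation.
DEFAULT_LANDING = "https://cas.sample-app:8443/cas/login"


def _origin(url):
    """Return (scheme, host, port) for an absolute http(s) URL, else None.

    urlsplit().hostname ignores any userinfo, so a value such as
    https://cas.sample-app:8443@attacker.example/ resolves to attacker.example
    rather than to the allowed host.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("https", "http") or not parts.hostname:
        return None
    try:
        port = parts.port  # ValueError on a malformed port
    except ValueError:
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return (parts.scheme, parts.hostname, port)


def safe_relay_state(relay_state, allowed=ALLOWED_ORIGINS, default=DEFAULT_LANDING):
    """Return relay_state if its origin is allow-listed, otherwise the default.

    Relative paths, non-http schemes (javascript:, data:), plain http to an
    unlisted host and host/port mismatches all fall back to the default.
    """
    if not relay_state:
        return default
    origin = _origin(relay_state)
    if origin is None or origin not in allowed:
        return default
    return relay_state


def landing_url_from_post(body, **kw):
    """Pick the landing URL from a form-encoded SAML POST body."""
    fields = parse_qs(body, keep_blank_values=True)
    relay = fields.get("RelayState", [""])[0]
    return safe_relay_state(relay, **kw)


if __name__ == "__main__":
    # Constructed POST bodies; the SAMLResponse value is a placeholder.
    for body in (
        "SAMLResponse=PHNhbWxwOlJlc3BvbnNl&RelayState=https%3A%2F%2Fcas.sample-app%3A8443%2Fcas%2Flogin",
        "SAMLResponse=PHNhbWxwOlJlc3BvbnNl&RelayState=http%3A%2F%2Flocalhost%2Fcas%2Flogin",
        "SAMLResponse=PHNhbWxwOlJlc3BvbnNl&RelayState=https%3A%2F%2Fcas.sample-app%3A8443%40attacker.example%2F",
        "SAMLResponse=PHNhbWxwOlJlc3BvbnNl",
    ):
        print(landing_url_from_post(body))
```

The comparison is on the full origin (scheme, host and port), not on a string prefix, which is why the userinfo trick and a same-host http URL are both sent to the default rather than honoured.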

Song, Doe-Hyun

Jul 20, 2017, 3:19:12 PM7/20/17
to cas-...@apereo.org

Hello,

I am trying to understand use cases for Shibbolizing Apereo CAS.

https://apereo.github.io/2017/05/26/cas-shibsp-samlidp/

My use case:

CAS supports multiple clients with the CAS protocol.

CAS supports one client with its own security domain. CAS is working as an SP federated server while the client's authentication system becomes the IdP. CAS delegates authentication to the IdP through SAML2. For this we need to provide SP-initiated SSO.

Current setting:

Mod_auth_cas is installed at Apache.

CAS Server is running on a standalone Tomcat 8.5 (not embedded).

Many clients use our CAS to access applications protected through Mod_Auth_CAS.

One client wants to use their own security domain. The client's security domain will have the IdP and our CAS server is the SP federated server.

Questions from the blog:

Per the blog, "Step 2. Requests to CAS /login endpoint are intercepted by the SP and Apache."

Does it mean all requests will be intercepted by the SP and Apache?

My use case is that, except for users at one client, every user should be authenticated through the normal CAS login screen.

Per the blog, "Ensure CAS could easily lend itself to be intercepted by Apache when running in embedded mode."

Does it mean the patch is not applied when CAS is running in standalone Tomcat mode?

Does Shibbolizing CAS support my use case?

--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/d8a62619-cfc9-4f18-9381-cce14f2b5ce2%40apereo.org.