[cas-user] SAML 2.0 /Federated Identity


Hardik J Sheth

Oct 16, 2013, 2:46:17 AM
to cas-...@lists.jasig.org
Does Jasig CAS 3.5.2 support SAML 2.0, Federated Identity?

What is the release plan for CAS 4.0. When will it get released?

Does the Jasig CAS latest version support OAuth 2.0 and Open ID 2.0?
--
You are currently subscribed to cas-...@lists.jasig.org as: jasig-cas-user...@googlegroups.com
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user

Jérôme LELEU

Oct 16, 2013, 4:23:58 AM
to cas-...@lists.jasig.org
Hi,

2013/10/16 Hardik J Sheth <h.s...@tcs.com>
> Does Jasig CAS 3.5.2 support SAML 2.0, Federated Identity?

No, CAS 3.5.2 has very basic SAML support: basic login request, Google SAML 2.0, returned attributes through service ticket validation.

> What is the release plan for CAS 4.0. When will it get released?

The 4.0.0 RC2 will be released next week, one month more for the GA, some weeks later for the final release...

> Does the Jasig CAS latest version support OAuth 2.0 and Open ID 2.0?

CAS server 3.5.2 can behave like an OAuth server with protocol version 2.0: it only supports the authorization code grant type. A module also exists to support OpenID and I think it works for version 2.0.

Best,
Jérôme

 

Hardik J Sheth

Oct 16, 2013, 5:26:22 AM
to cas-...@lists.jasig.org
Thanks Jerome for your reply.

Will CAS 4.0 release have full SAML 2.0 capability?

Will it be possible to do Federated SSO using CAS 4.0?

Marvin S. Addison

Oct 16, 2013, 9:21:25 AM
to cas-...@lists.jasig.org
> Will CAS 4.0 release have full SAML 2.0 capability?

No. CAS-Shibboleth integration is the recommended strategy if you want
both CAS and SAML support.

> Will it be possible to do Federated SSO using CAS 4.0?

Not using CAS by itself; it can be used as the authentication provider
for a federated SSO product like Shib.

M

William G. Thompson, Jr.

Oct 22, 2013, 12:34:30 PM
to cas-...@lists.jasig.org
On Wed, Oct 16, 2013 at 5:26 AM, Hardik J Sheth <h.s...@tcs.com> wrote:
> Thanks Jerome for your reply.
>
> Will CAS 4.0 release have full SAML 2.0 capability?

What do you mean by "full SAML2.0 capability"?

If you mean complete coverage of the SAML2 specification, then that
answer is a definite no.

If you mean ability to do SAML2 Web Browser SSO Profile, then the
answer is at least enough to interop with Google Apps and some others.

I should point out that it is unclear if there is any complete
implementation of the "full" SAML2 spec, as even Shibboleth skips some
of it.

>
> Will it be possible to do Federated SSO using CAS 4.0?

What do you mean by "Federated SSO"?

If you mean WebSSO across domains, then the answer is yes. CAS has
always been able to do WebSSO across domains and CAS4 doesn't change
that.

If you mean WebSSO across domains via SAML, see above about limited
SAML2 Web Browser SSO Profile support.

If you mean consuming aggregated SAML metadata in order to participate
in a federation like InCommon, the answer is no. You are better off
with Shibboleth or better yet CAS/Shibboleth.

Best,
Bill




Maxime BOSSARD

Oct 22, 2013, 2:38:55 PM
to cas-...@lists.jasig.org
Hi, 

In fact we developed a plugin for CAS to integrate a SAML SP in it to be able to plug it in a SAML federation.
The plugin allows the CAS server to be seen like a simple SP and grant access to all services protected by the CAS server.
We implemented it with OpenSaml 2.
The plugin is able to deal with SAML 2.0 Authn and SLO protocols with Redirect and POST binding.
We are able to retrieve SAML attributes in AuthnResponses to propagate the authentication on the CAS server.

The plugin is available here https://github.com/GIP-RECIA/cas/tree/feature-saml2/cas-server-support-saml2 with little documentation.
If Jasig is interested in it, we could help to integrate it in the project.





--
Regards,

Maxime BOSSARD.

Kevin P. Foote

Oct 22, 2013, 3:17:23 PM
to cas-...@lists.jasig.org

On Tue, 22 Oct 2013, Maxime BOSSARD wrote:

> In fact we developed a plugin for CAS to integrate a SAML SP in it to be
> able to plug it in a SAML federation.
> The plugin allows the CAS server to be seen like a simple SP and grant
> access to all services protected by the CAS server.
> We implemented it with OpenSaml 2.
> The plugin is able to deal with SAML 2.0 Authn and SLO protocols with
> Redirect and POST binding.
> We are able to retrieve SAML attributes in AuthnResponses to propagate the
> authentication on the CAS server.
>
> The plugin is available here
> https://github.com/GIP-RECIA/cas/tree/feature-saml2/cas-server-support-saml2
> with little documentation.

Interesting..

On step 3 is the "local" CAS-Server then just a choice on the WAYF service
page / option list? And follow up to that, the user is always
presented with the WAYF page.. correct?

I like the fact that there is always more than one way to get something
done with these products .. :-) We simply let the Shib-SP do the SAML
thing..


------
thanks
kevin.foote

Maxime BOSSARD

Oct 22, 2013, 6:07:24 PM
to cas-...@lists.jasig.org

2013/10/22 Kevin P. Foote <kpf...@iup.edu>

> On Tue, 22 Oct 2013, Maxime BOSSARD wrote:
>
> > In fact we developed a plugin for CAS to integrate a SAML SP in it to be
> > able to plug it in a SAML federation.
> > The plugin allows the CAS server to be seen like a simple SP and grant
> > access to all services protected by the CAS server.
> > We implemented it with OpenSaml 2.
> > The plugin is able to deal with SAML 2.0 Authn and SLO protocols with
> > Redirect and POST binding.
> > We are able to retrieve SAML attributes in AuthnResponses to propagate the
> > authentication on the CAS server.
> >
> > The plugin is available here
> > https://github.com/GIP-RECIA/cas/tree/feature-saml2/cas-server-support-saml2
> > with little documentation.
>
> Interesting..
>
> On step 3 is the "local" CAS-Server then just a choice on the WAYF service
> page / option list? And follow up to that, the user is always
> presented with the WAYF page.. correct?

The WAYF page is a JSP presented first before the login page in CAS login webflow.
The CAS login is always presented as an option in the WAYF like another IdP. The user can choose to authenticate "locally" on the CAS or "remotely" on another IdP.

> I like the fact that there is always more than one way to get something
> done with these products .. :-) We simply let the Shib-SP do the SAML
> thing..
>
> ------
> thanks
>  kevin.foote


--
Regards, Maxime BOSSARD.

Jaroslav Kačer

Jun 23, 2014, 12:01:58 PM
to jasig-c...@googlegroups.com, cas-...@lists.jasig.org, mxbo...@gmail.com
Hello Maxime!

I am currently trying to integrate your plugin into CAS 3.4.12.1 but I'm experiencing some issues. Could you please help?

I have merged the provided sample XML configuration files with those of CAS, also the two properties files, JSPs and web.xml. Now I am getting errors from the plugin complaining about SP metadata. Obviously it expects some SAML2 endpoints with various bindings that are not in my SP metadata.

Could you please provide a list of all expected endpoints with their bindings and URLs that should be enumerated in the SP metadata file?
Or, an example SP metadata file would be even better :-)

I would also like to ask about the IdP side. I assume you used the plugin against Shibboleth. Have you tested it against other IdP servers? I'd like to use MS ADFS.

It would be great if the documentation for the plugin could be more elaborated, mainly the section "Plugin Configuration". I've already spent 2 days putting CAS and the plugin together :-)

Thank you in advance for your answer!

Best regards,
   Jarda
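
For the SP metadata problem raised in the message above, a quick way to see which endpoint and binding pairs a metadata file actually declares. This is an added example, not part of the thread and not the plugin's code. The `EXPECTED` checklist is an assumption read off the earlier "Authn and SLO protocols with Redirect and POST binding" description, and the sample metadata and its URLs are constructed.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# ASSUMED checklist, read off the thread's "Authn and SLO protocols with
# Redirect and POST binding"; it is not the plugin's documented requirement.
# The Web Browser SSO profile forbids HTTP-Redirect for the response, so the
# assertion consumer endpoint is only expected over HTTP-POST.
EXPECTED = {
    ("AssertionConsumerService", POST),
    ("SingleLogoutService", REDIRECT),
    ("SingleLogoutService", POST),
}

# Constructed sample SP metadata; entityID and URLs are placeholders.
SAMPLE = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://cas.example.org/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="{REDIRECT}" Location="https://cas.example.org/cas/slo"/>
    <md:AssertionConsumerService index="0" Binding="{POST}" Location="http://cas.example.org/cas/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def declared_endpoints(metadata_xml):
    """Return (element, binding, location) for each endpoint of every SPSSODescriptor."""
    # For metadata fetched from an untrusted source, parse with defusedxml instead.
    root = ET.fromstring(metadata_xml)
    found = []
    for sp in root.iter(f"{{{MD}}}SPSSODescriptor"):
        for el in sp:
            if "Binding" in el.attrib and "Location" in el.attrib:
                name = el.tag.rsplit("}", 1)[-1]
                found.append((name, el.get("Binding"), el.get("Location")))
    return found


def audit(metadata_xml, expected=frozenset(EXPECTED)):
    """Return (missing (element, binding) pairs, endpoint URLs not served over HTTPS)."""
    endpoints = declared_endpoints(metadata_xml)
    missing = sorted(expected - {(n, b) for n, b, _ in endpoints})
    insecure = sorted(loc for _, _, loc in endpoints if not loc.lower().startswith("https://"))
    return missing, insecure


if __name__ == "__main__":
    missing, insecure = audit(SAMPLE)
    print("missing endpoint/binding pairs:", missing)
    print("endpoints not on https:", insecure)
```
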
