Hi,
We are transitioning to an external identity provider. Today we have CAS and Shibboleth IDP in our organization.
Shibboleth IDP is used for federation, whereas CAS is used for other applications. We CASified the Shibboleth IDP so that all the logins are done using CAS. Our CAS is connected to AD for delegating auth requests.
Now we want to transition to an external identity provider. Until we move everything, we want to use casshib and integrate it with my external IDP. Basically, the idea is that we want users to go to one portal, which is our external IDP. So I am looking for a flow where, when auth requests are sent to CAS, CAS redirects them back to my external IDP, and once people have authenticated with my external IDP, they get redirected to CAS and get the token, so that all the applications work as usual.
I also installed an Apache server in the front end and protected it with Shibboleth SP. I also protected the Shibboleth SP to talk with the external identity provider. Now the real question is: how can I protect the CAS apps? Should we still have
https://localhost:8443/cas or do all the applications need to move to
https://localhost:8443/casshib? How can I configure this? How can I generate the CAS ticket in this model so that the end applications do not need to change anything?
Thanks,
Krish.