Newbie CASShib Question

Mike Wiseman

Nov 29, 2011, 4:10:50 PM
to casshib
Hello,

I'm trying to understand how CASShib works and wanted to get
confirmation (or correction) on the following:

- From the aspect of the Shibboleth Identity Provider (IdP), the
CASShib server looks like a Shibboleth server provider, e.g. both
communicate via SAML assertions, both have metadata usable in some
sort of federation context.

- The CASShib server can be configured with one or more CAS-protected
applications. Those services are accessible by end users using a URL
that has a host component that points to the CASShib server. The
CAS-protected applications are listed in the CASShib configuration - users'
browsers get redirected to the application site on completion of
authentication/authorization.

- The same attribute names are always released by the IdP to the
CASShib server regardless of the CAS-protected application being
accessed.

Thanks for the help.

Mike Wiseman
University of Toronto

Chris J

unread,
Nov 29, 2011, 4:22:03 PM11/29/11
to cas...@googlegroups.com
Hello Mike,

Just out of curiosity, where did you find this E-mail address? I've been doing a lot of work on Shibboleth with Liferay but I was sure I was operating under my work E-mail... Is it still on my blog somewhere?

Anyway, I'll try to help out if I can. What you've written there looks good to me for the most part, but in item 2 when you say "Those services are accessible by end users using a URL that has a host component that points to the CASShib server." do you mean something integral to the URL? With Shibboleth, the service listens on a specific port for specific URL addresses and will intercept requests made to those requests without needing any kind of special format for the request URL.

What I say about CASShib should be taken with a grain of salt. Over the summer I was tasked with configuring a Liferay Portal to authenticate using CASShib, because the IdP we use here at JHU is a Shibboleth IdP, but Liferay doesn't come with Shibboleth authentication out of the box but it does have CAS. Well, long story short, I never did get it to work, but I did wind up creating an extension to Liferay that allowed it to use Shibboleth as easily as CAS.

If you haven't seen it, here's the process: blog

That may be helpful to you since most of the CASShib configuration is basically the same as Shibboleth anyway.

C


Brian Koehmstedt

Nov 29, 2011, 5:05:01 PM
to cas...@googlegroups.com
On Tue, Nov 29, 2011 at 1:10 PM, Mike Wiseman <mikejw...@gmail.com> wrote:
> Hello,
>
> I'm trying to understand how CASShib works and wanted to get
> confirmation (or correction) on the following:
>
> - From the aspect of the Shibboleth Identity Provider (IdP), the
> CASShib server looks like a Shibboleth server provider, e.g. both
> communicate via SAML assertions, both have metadata usable in some
> sort of federation context.

Yes. The CASShib server is "shibbolized" with a Shibboleth Service
Provider but the idea is you don't have to shibbolize any of your
other apps...those apps will interact with CAS instead for
authentication assertions.

CASShib is meant to simplify things for your apps. The idea is it's
easier for your application developers to CASify their apps with the
CAS client than it is to Shibbolize them with separate installations of
the Shibboleth SP. It's meant for organizations that may want to
federate a lot of their applications.

> - The CASShib server can be configured with one or more CAS-protected
> applications. Those services are accessible by end users using a URL
> that has a host component that points to the CASShib server. The
> CAS-protected applications are listed in the CASShib configuration - users'
> browsers get redirected to the application site on completion of
> authentication/authorization.

Yes, that sounds right.

> - The same attribute names are always released by the IdP to the
> CASShib server regardless of the CAS-protected application being
> accessed.

No, the idea is each application is configured as its own service
provider in the Shibboleth metadata, in which case you can configure
the identity providers to release different sets of attributes for
each application.

As an example, there is 'app1' and 'app2' in
http://code.google.com/p/casshib/wiki/Sample_casshib_demo_metadata_xml.
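
Added example, not part of the thread or of the CASShib project: a sketch of how an IdP could release a different attribute set to each CASShib-fronted application once each one appears as its own service provider in the metadata. It assumes the Shibboleth IdP 2.x attribute-filter.xml syntax. The two entityID values are constructed placeholders, and the attribute IDs are assumed to match whatever the IdP's attribute resolver defines.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example. entityID values below are constructed placeholders;
     attributeID values are assumed to exist in the IdP's attribute resolver. -->
<afp:AttributeFilterPolicyGroup id="CasshibPerAppRelease"
    xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:afp classpath:/schema/shibboleth-2.0-afp.xsd
                        urn:mace:shibboleth:2.0:afp:mf:basic classpath:/schema/shibboleth-2.0-afp-mf-basic.xsd">

    <!-- app1: pseudonymous identifier and affiliation only -->
    <afp:AttributeFilterPolicy id="releaseToCasshibApp1">
        <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
            value="https://casshib.example.edu/shibboleth/app1" />
        <afp:AttributeRule attributeID="eduPersonTargetedID">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="eduPersonScopedAffiliation">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>

    <!-- app2: needs a stable login name and a contact address -->
    <afp:AttributeFilterPolicy id="releaseToCasshibApp2">
        <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
            value="https://casshib.example.edu/shibboleth/app2" />
        <afp:AttributeRule attributeID="eduPersonPrincipalName">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="email">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>

</afp:AttributeFilterPolicyGroup>
```

Because each policy is keyed on the requesting entityID, an attribute not listed for an application is not released to it, even though both applications sit behind the same CASShib host.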
