
List:       shibboleth-users
Subject:    Re: CAS Shib plugin, how to have shib release CAS released attributes
From:       Pablo Vidaurri via users <users () shibboleth ! net>
Date:       2023-05-31 4:13:39
Message-ID: CAOe-DO9G3gG7N==WVEgYj6cxj3QHTi3h_O8g72-MvseygwsxcA () mail ! gmail ! com

Thanks for the feedback. We were running an old version of CAS and upgraded
within the last 18 months. We also had intentions of consolidating
platforms and using CAS with its out-of-the-box Shibboleth. The problem was
getting SAML2 applications to migrate to the new IdP for CAS and having to
publish new IdP metadata. I recall we even had issues with doing redirects
as a workaround from the old Shib URL to the new Shib URL.

I will add a consolidation task to my backlog.

Thanks.
-psv

On Tue, May 30, 2023 at 7:35 PM Michael Grady <mgrady@unicon.net> wrote:

>
> > On May 30, 2023, at 7:10 PM, Cantor, Scott via users <
> users@shibboleth.net> wrote:
> >
> >> Sorry, to clarify, CAS is releasing attributes. I see them when using a
> CAS client.
> >> In Shib I can resolve attributes from db, ldap, webservice, etc. and
> set up filters to
> >> send back to the application. I'm trying to figure out how to resolve
> the
> >> attributes that are sent back from CAS after a successful login via the
> Shib/CAS
> >> plugin.
> >
> > Don't know what the plugin does. I know what it's meant to be doing if
> it's using the API properly, which would be to surface them so they're
> added into the Java Subject, and we have a connector and definition for
> accessing the Subject.
> >
> > -- Scott
> >
>
> As the README for that plugin states:  "Also, please do note that the
> Shibboleth IdP v3x+ has support for the CAS protocol and Apereo CAS server
> v5+ also has support for the SAML2 protocol. Unless justified otherwise, a
> better approach long-term would be to consolidate down to one platform
> removing the need to deploy and configure this plugin."
>
> If you, for whatever reasons, want to continue to run both, you can
> delegate authentication to the CAS Server using the SAMLv2 protocol; there
> is no advantage to still doing it with the CAS protocol. And if the CAS
> Server is "old enough" that it doesn't support the SAMLv2 protocol, then
> that is a CAS Server version that you really don't want to still be running.
>
> Because both products support both protocols (for quite some time now),
> and because one can still delegate to a CAS Server but use the SAMLv2
> protocol instead, Unicon has not extended the Shib-CAS-Authn plugin to
> support pulling attributes out of the CAS response and making them
> available to the Shib IdP. It is not work that seemed to make sense to do.
>
> --
> Michael A. Grady
> IAM Architect, Unicon, Inc.
>
>
>
> --
> For Consortium Member technical support, see
> https://shibboleth.atlassian.net/wiki/x/ZYEpPw
> To unsubscribe from this list send an email to
> users-unsubscribe@shibboleth.net
>
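The IdP-side half that Scott alludes to ("a connector and definition for accessing the Subject"), as an added illustration that is not from this thread, the Shib-CAS-Authn plugin or the Shibboleth project: an attribute-resolver.xml fragment in what is assumed to be Shibboleth IdP v4 syntax, reading attributes that an authentication flow has placed into the Java Subject. The connector id and attribute names are constructed, and, as Michael states, it produces nothing unless the login flow actually populates the Subject, which the plugin does not do.

```xml
<!-- Constructed example; assumes IdP v4 resolver syntax, not the plugin's config. -->

<!-- Subject data connector: surfaces IdPAttribute objects that the
     authentication flow attached to the authenticated Java Subject.
     exportAttributes publishes the named ones directly as resolved
     attributes without a separate AttributeDefinition. -->
<DataConnector id="subjectAttributes" xsi:type="Subject"
               exportAttributes="displayName"
               noResultIsError="false" />

<!-- A definition that reads a second Subject-supplied attribute through the
     connector, so it can be renamed or transformed before release. -->
<AttributeDefinition id="mail" xsi:type="Simple">
    <InputDataConnector ref="subjectAttributes" attributeNames="mail" />
</AttributeDefinition>
```

Resolved attributes still need a matching attribute-filter policy before any SP sees them; with noResultIsError="false" a Subject that carries no attributes simply resolves to nothing instead of failing the request.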
