Hi Tomi,
you may want to have a look at the
https://github.com/mvocu/cas-server-cuni/tree/cuni-6.x-devel/src/main/java/cz/cuni/cas/opensaml
I have implemented some flow changes there to use an external WAYF service
for the CAS 6.5 version, but it may give you some guidance on how to do it
in CAS 7. There are also modifications to use eIDAS, but they should be
easily identified and do not mix or depend on the WAYF code.
Regards,
Michal V.
On 4/10/25 13:27, Tomi Karlstedt wrote:
Hi,
We're replacing an old Spring/OpenSAML service provider microservice
with an existing CAS implementation as the SP. This means we need to
integrate our CAS 7.0 with a Shibboleth instance using SAML. The
authentication delegation works fine. CAS sends user to the Shibboleth
which then picks the first defined IDP in the metadata. However we're
having a hard time figuring out how to use the Shibboleth's remote
WAYF/Discovery Service so that the user can choose their IDP.
How would one go about integrating such a service with CAS? As far as
I can tell, the old SP microservice just saves the original return URL
(i.e. service in CAS terminology), redirects to the Discovery Service,
and has a registered return URL in the SP metadata described below.
Returning to this predefined URL then starts the login process with
the received IDP.
<idpdisc:DiscoveryResponse
xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
Location="<SPs return url>" index="1"/>
To me this looks like we need to do a custom server side redirect to
the Shibboleth WAYF from CAS and save the service url to session or
something similar. Then use the
*org.apereo.cas:cas-server-support-saml-idp-discovery* package to
handle the IDP redirect (wonder if it works with 7.0). Is this the
correct way or is there a ready-made solution for remote DS?
Tomi
--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google
Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to cas-user+unsubscr...@apereo.org.
To view this discussion visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/ae8f6d08-9998-481d-9b97-5cafdd8d6c3en%40apereo.org.
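The round trip described in the question (save the service, redirect to the discovery service, come back on the registered return URL, start login with the chosen IdP), as an added example that is not from this thread, the CAS code base or the linked repository. It uses only the JDK; `entityID`, `return` and `returnIDParam` are the query parameters of the SAML IdP Discovery Protocol, while the `state` parameter, the class name and the server-side map are assumptions made for the illustration.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

// SP side of the discovery round trip (hypothetical helper, not a CAS API).
public class DiscoveryFlow {
    private static final SecureRandom RNG = new SecureRandom();
    // state -> original service URL; a real deployment would use the user's session and an expiry
    private final Map<String, String> pending = new ConcurrentHashMap<>();
    private final Set<String> trustedIdps; // entityIDs from the metadata the SP already trusts
    private final String spEntityId, dsUrl, returnUrl; // returnUrl = DiscoveryResponse Location

    DiscoveryFlow(String spEntityId, String dsUrl, String returnUrl, Set<String> trustedIdps) {
        this.spEntityId = spEntityId; this.dsUrl = dsUrl;
        this.returnUrl = returnUrl; this.trustedIdps = trustedIdps;
    }

    // Step 1: keep the service server-side and build the redirect to the discovery service.
    String buildRequest(String service) {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        String state = HexFormat.of().formatHex(raw);
        pending.put(state, service);
        return dsUrl + "?entityID=" + enc(spEntityId)
                + "&return=" + enc(returnUrl + "?state=" + state) + "&returnIDParam=entityID";
    }

    // Step 2: on the registered return URL, resolve the state and check the chosen IdP.
    // Returns {service, idpEntityId}; the caller then starts delegated login to that IdP.
    String[] handleResponse(String query) {
        Map<String, String> p = new HashMap<>();
        for (String kv : query.split("&")) {
            String[] a = kv.split("=", 2);
            p.put(dec(a[0]), a.length > 1 ? dec(a[1]) : "");
        }
        String service = pending.remove(p.getOrDefault("state", "")); // single use
        if (service == null) throw new IllegalStateException("unknown or replayed state");
        String idp = p.get("entityID");
        if (idp == null || !trustedIdps.contains(idp))
            throw new IllegalArgumentException("IdP not in trusted metadata");
        return new String[] {service, idp};
    }

    private static String enc(String s) { return URLEncoder.encode(s, StandardCharsets.UTF_8); }
    private static String dec(String s) { return URLDecoder.decode(s, StandardCharsets.UTF_8); }
}
```

Keeping the service URL on the server and accepting only an `entityID` that is already in trusted metadata means the return endpoint cannot be used as an open redirect or pointed at an arbitrary IdP by editing the query string.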