Tomi,

Do you mean to say that you are using the CAS server (IdP) as a service 
provider, or a CAS client?

The Shibboleth SP can be configured for WAYF and IdP discovery.



Ray
________________________________
From: cas-user@apereo.org <cas-user@apereo.org> on behalf of Tomi Karlstedt 
<toka...@reaktor.fi>
Sent: April 10, 2025 04:27
To: CAS Community <cas-user@apereo.org>
Subject: [cas-user] Using remote discovery service with delegated SAML 
authentication (CAS 7)

Hi,

We're replacing an old Spring/OpenSAML service provider microservice with an 
existing CAS implementation as the SP. This means we need to integrate our CAS 
7.0 with a Shibboleth instance using SAML. The authentication delegation works 
fine. CAS sends the user to Shibboleth, which then picks the first defined IDP 
in the metadata. However, we're having a hard time figuring out how to use 
Shibboleth's remote WAYF/Discovery Service so that the user can choose their 
IDP.

How would one go about integrating such a service with CAS? As far as I can 
tell, the old SP microservice just saves the original return URL (i.e. service 
in CAS terminology), redirects to the Discovery Service, and has a registered 
return URL in the SP metadata described below. Returning to this predefined URL 
then starts the login process with the received IDP.

<idpdisc:DiscoveryResponse 
xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" 
Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" 
Location="<SPs return url>" index="1"/>

To me this looks like we need to do a custom server-side redirect to the 
Shibboleth WAYF from CAS and save the service URL to the session or something 
similar. Then use the org.apereo.cas:cas-server-support-saml-idp-discovery 
package to handle the IDP redirect (wonder if it works with 7.0). Is this the 
correct way or is there a ready-made solution for remote DS?

Tomi

--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/ae8f6d08-9998-481d-9b97-5cafdd8d6c3en%40apereo.org.
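
The discovery round trip described in the question above, as an added sketch that is not part of the thread and is not CAS or Shibboleth code: it keeps the original service URL in the server-side session, builds the Discovery Service request with the protocol's entityID, return and returnIDParam parameters, and accepts the returned IdP only if it is in trusted metadata. All URLs, entityIDs and function names are constructed assumptions.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed values for illustration only.
SP_ENTITY_ID = "https://cas.example.org/sp"
DS_URL = "https://ds.example.org/DS"  # remote WAYF/Discovery Service
# Must equal the Location of the DiscoveryResponse element in the SP metadata.
DISCOVERY_RETURN = "https://cas.example.org/cas/discovery/return"
# entityIDs loaded from trusted federation metadata.
KNOWN_IDPS = {"https://idp-a.example.edu/idp", "https://idp-b.example.edu/idp"}
# Service URL prefixes allowed to start a login (trailing slash matters).
ALLOWED_SERVICES = ("https://app.example.org/",)


def start_discovery(session, service):
    """Remember the original service URL and return the redirect to the DS."""
    if not service.startswith(ALLOWED_SERVICES):
        raise ValueError("service URL is not registered")
    # Stored server-side, never passed through the DS, so the DS response
    # cannot change where the user ends up after login.
    session["pending_service"] = service
    query = urlencode({
        "entityID": SP_ENTITY_ID,      # the SP asking for discovery
        "return": DISCOVERY_RETURN,    # fixed, registered return URL
        "returnIDParam": "entityID",   # parameter the DS fills with the IdP
    })
    return DS_URL + "?" + query


def finish_discovery(session, callback_url):
    """Validate the DS response; return (idp_entity_id, original_service)."""
    service = session.pop("pending_service", None)  # one-time use
    if service is None:
        raise ValueError("no discovery in progress for this session")
    params = parse_qs(urlsplit(callback_url).query)
    idp = params.get("entityID", [""])[0]
    # The returned value is attacker-reachable input: only accept IdPs
    # that are already present in trusted metadata.
    if idp not in KNOWN_IDPS:
        raise ValueError("IdP is not in trusted metadata")
    return idp, service
```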
