Adding Shibboleth to CAS

Joel Goguen joel.goguen at
Wed Feb 27 10:42:32 EST 2013

We have CAS for our primary authentication source. Using directions found on the CAS wiki at we configured Shibboleth to delegate authentication to CAS. Works great for the services we interface with that require Shibboleth or SAML2, everything in Shibboleth for attribute release is configured exactly as standard Shibboleth documentation dictates but CAS is trusted to handle the authentication.

Joel Goguen
Developer / System Administrator
Enterprise Solutions
Information Technology Services
University of New Brunswick
E-mail: joel.goguen at
Phone: (506) 453-4872
Fax: (506) 453-3590

From: Mike Flynn <shibbolethlynda at<mailto:shibbolethlynda at>>
Reply-To: Shibboleth Users <users at<mailto:users at>>
Date: Wednesday, 27 February 2013 11:33 AM
To: Shibboleth Users <users at<mailto:users at>>
Subject: Re: Adding Shibboleth to CAS

FWIW, I have an academic IdP that runs CAS and connects to my Shib SP via SAML.  Works fine.

From: "Cantor, Scott" <cantor.2 at<mailto:cantor.2 at>>
To: Shib Users <users at<mailto:users at>>
Sent: Tuesday, February 26, 2013 4:22 PM
Subject: Re: Adding Shibboleth to CAS

On 2/26/13 3:59 PM, "Stein, Eric" <steine at<mailto:steine at>> wrote:

>  My organization is currently using CAS as our SSO application, based
>off of authentication information in a database. We'd like to support a
>client who has their own SSO solution and wants to connect to our
>CAS-protected applications using SAML 2.0. We are not interested in
>moving away from CAS or our database authentication store.

Shibboleth is not one product, and it isn't really that clear which part
you're evaluating. At the end of the day, you can bridge the systems in
either direction, with some significant impact on what's involved.

Shibboleth isn't necessarily the best option for bridging but there are
various options like:

- protect a CAS login server with a Shibboleth SP, and point your customer
at that SP as the integration point

- protect the application with a Shibboleth SP, and then protect a
Shibboleth IdP with CAS as Mike described or in other ways

- possibly look at the new SP feature for plugging in external
authentication so that you can deploy the SP and support CAS at the same
time at the application end

> Is this
>something that Shibboleth can support? I know there's a plug-in for CAS.
>I just want to make sure we can leverage Shibboleth without making us
>migrate our user/password info from the database to Shibboleth.

Neither Shibboleth nor CAS store user data inside themselves, that part is
outside both.

-- Scott

To unsubscribe from this list send an email to users-unsubscribe at<mailto:users-unsubscribe at>

-------------- next part --------------
An HTML attachment was scrubbed...

More information about the users mailing list