Adding Shibboleth to CAS

Michael A Grady mgrady at
Wed Feb 27 11:32:14 EST 2013

On Feb 27, 2013, at 9:42 AM, Joel Goguen wrote:

> We have CAS for our primary authentication source. Using directions found on the CAS wiki at we configured Shibboleth to delegate authentication to CAS. Works great for the services we interface with that require Shibboleth or SAML2, everything in Shibboleth for attribute release is configured exactly as standard Shibboleth documentation dictates but CAS is trusted to handle the authentication.

There is one key exception to following "standard Shib documentation" recommendations (well, more an exception to the default settings) that is worth highlighting. And that is giving strong consideration to *not* using the PreviousSession handler in the Shib IdP, so that session management goes back to the CAS Server, and you don't need to log the user out of both the IdP and the CAS server to disable new SSO sessions being created without a new authentication event.

One, of course, wants to give careful thought to session management times no matter what, but one complicates the picture a bit more when you have one WebSSO system "underneath" another. Minimizing the use of sessions in the Shib IdP, and leaving that to CAS on the actual "SSO part", can make it easier to understand and manage what is happening vis-a-vis SSO sessions.

Michael A. Grady
Senior IAM Consultant, Unicon, Inc.
