IdPv3 CAS questions

Cantor, Scott cantor.2 at
Fri Aug 14 21:20:58 EDT 2015

On 8/14/15, 8:55 PM, "users on behalf of Baron Fujimoto" <users-bounces at on behalf of baron at> wrote:
>Is there anything that describes in detail Shib's implementation of the
>CAS protocol, at least in terms of its flow? Or is the Jasig CAS
>documentation considered the reference? I.e.,

I would think so if you mean the wire protocol.

>According to Shib's CAS Protocol Configuration page the IdP supports most
>of the CAS protocol v2 spec: /login, /proxy, /serviceValidate,
>/proxyValidate, and /samlValidate, with /logout potentially slated for
>v3.2.0. I assume this means that CAS protocol v1 URI /validate is not
>supported, and there are no plans to? Is there a roadmap where we can
>generally track these?

Jira for that kind of granularity. Don't know that answer specifically.

>We encountered a difference affecting older version of CAS that has been
>addressed in more recent versions where user authentication was occuring
>before verifying the CAS service URL against the service registry. Does
>the IdP implementation verify the service URL against the registry before
>proceding with the user authentication?

If I understand the issue, my read of the flow suggests it does, but if not, I would say it's a bug. The SAML flows have similar issues that I took some care to address, I tried to do as much work before login as possible so that errors would be detected earlier.

But the service registry bean is being injected early on as part of setting up the right relying party settings to use, and that's long before the login step. Marvin can verify that obviously.

-- Scott

More information about the users mailing list