Shib-CAS RemoteUser ticket validation

Martin, Keith KMartin at Central.UH.edu
Sat Aug 29 11:46:00 EDT 2015


I'm trying to set up the Shib-CAS RemoteUser plugin with CAS serviceValidate.
Got it all working fine for a new user with no CAS ticket: auths via CAS, all good.
I'm trying to prototype a scenario where the user comes to the Shibb SP 2.5 with a valid CAS ticket up front and therefore does not need to username/password auth at the CAS server via the Shib 2.x IdP; it should just serviceValidate the ticket via the RemoteUser Authn at the IdP. Is this possible to do? I can't figure out how to get the CAS ticket passed through the Shibb SP to the IdP to the Authn/RemoteUser.

I installed/deployed Shib-CAS Remote (essentially deployed the CAS client in the IdP war) and made the appropriate configuration changes per the instructions.
Calling the Shib-secured web resource https://sp.example.org/secure redirects to https://idp.example.org/profile/SAML2/Redirect/SSO; per the relying party info, idp/Authn/RemoteUser gets called with no ticket and no assertion, the CAS client directs to the CAS login page, the user auths and returns to the Shib-CAS client with a ticket, the Shib-CAS client validates the ticket against the CAS server, the ticket is good, the cas-user attribute value is returned, the Shib IdP is happy, resolves attributes and filters, returns to the Shibb SP, and the web resource is presented. All works well.

Now, the scenario I can't get working. It's not the norm; it's more like a proxy scenario. The CAS server has already authenticated the user. So when the Shibb SP protected web resource is called as https://sp.example.org/secure?ticket=ST-956-Lyg0BdLkgdrBO9W17bXS, a valid ticket is passed. I have control of this URL string and query string; it can be anything, including the ticket. It was hopeful thinking that the ticket would just get magically passed through the flow. It does not, and the IdP basically treats it as no ticket and no assertion; therefore, user please login/auth at the CAS server. However, if I make the URL https://idp.example.org/idp/Authn/RemoteUser?ticket=ST-956-Lyg0BdLkgdrBO9W17bX, the Shib-CAS client will construct the serviceValidate for the ticket like
https://my-cas-server.example.org:8443/cas/serviceValidate?ticket=ST-956-Lyg0BdLkgdrBO9W17bXS&service=https%3A%2F%2Fidp.example.org%2Fidp%2FAuthn%2FRemoteUser and I get an answer from the CAS server in proper XML format. Of course, I can't use /idp/Authn/RemoteUser directly since the IdP won't know what to do with me.

So is it possible to pass a valid CAS ticket through the Shibb SP to the IdP to the Shibb-CAS RemoteUser? Any help / suggestions on how to do this, if it is possible, would be greatly appreciated.

Keith Martin
Enterprise Systems / UIT
University of Houston
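The post above hinges on what the CAS server does with the serviceValidate call the Shib-CAS client builds. The following is an added example, not code from the original post or from the Shib-CAS plugin: a minimal CAS 2.0 serviceValidate URL builder and response parser, plus a toy ticket registry that models the two rules the CAS protocol specification places on service tickets (a ticket validates only against the service URL it was issued for, and it is single-use). The ticket ids, the user name and the XML responses are constructed here for illustration; the URLs are the ones from the post.

```python
"""Added example (not from the original post): a minimal CAS 2.0
serviceValidate client and a toy ticket registry that models the checks a
CAS server applies when a ticket is validated. All ticket ids, the user name
and the XML responses below are constructed for illustration."""

import urllib.parse
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}


def build_service_validate_url(cas_base: str, ticket: str, service: str) -> str:
    """Build the /serviceValidate URL a CAS client sends. The service value is
    URL-encoded, and it must equal the service the ticket was issued for."""
    query = urllib.parse.urlencode({"ticket": ticket, "service": service})
    return f"{cas_base}/serviceValidate?{query}"


def parse_service_response(xml_text: str) -> dict:
    """Parse a CAS 2.0 <cas:serviceResponse>: the validated user on success,
    or the failure code on failure (INVALID_TICKET, INVALID_SERVICE, ...)."""
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is not None:
        return {"ok": True,
                "user": success.findtext("cas:user", namespaces=CAS_NS),
                "code": None}
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        return {"ok": False, "user": None, "code": failure.get("code")}
    raise ValueError("not a CAS serviceResponse document")


def _failure(code: str, message: str) -> str:
    """Constructed failure response in the shape given by the CAS spec."""
    return ("<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
            f"<cas:authenticationFailure code='{code}'>{message}"
            "</cas:authenticationFailure></cas:serviceResponse>")


class ToyTicketRegistry:
    """Models the server side: a service ticket is bound to the service it was
    issued for, and the first validation attempt consumes it."""

    def __init__(self):
        self._tickets = {}  # ticket id -> (service it was issued for, user)

    def issue(self, ticket: str, service: str, user: str) -> None:
        self._tickets[ticket] = (service, user)

    def validate(self, ticket: str, service: str) -> str:
        """Return a constructed CAS 2.0 serviceResponse XML string."""
        entry = self._tickets.pop(ticket, None)  # single use: gone after this
        if entry is None:
            return _failure("INVALID_TICKET", f"Ticket '{ticket}' not recognized")
        issued_for, user = entry
        if issued_for != service:
            return _failure("INVALID_SERVICE",
                            f"Ticket '{ticket}' does not match supplied service")
        return ("<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
                f"<cas:authenticationSuccess><cas:user>{user}</cas:user>"
                "</cas:authenticationSuccess></cas:serviceResponse>")


def demo() -> list:
    """Walk the scenario from the post with constructed ticket ids."""
    sp = "https://sp.example.org/secure"
    idp = "https://idp.example.org/idp/Authn/RemoteUser"
    registry = ToyTicketRegistry()
    registry.issue("ST-TOY-1", sp, "kmartin")  # ticket obtained for the SP URL

    results = []
    # A ticket issued for the SP URL does not validate with the IdP's service URL.
    results.append(parse_service_response(registry.validate("ST-TOY-1", idp)))
    # A ticket issued for the IdP's RemoteUser URL validates there ...
    registry.issue("ST-TOY-2", idp, "kmartin")
    results.append(parse_service_response(registry.validate("ST-TOY-2", idp)))
    # ... but only once; presenting the same ticket again is rejected.
    results.append(parse_service_response(registry.validate("ST-TOY-2", idp)))
    return results


if __name__ == "__main__":
    print(build_service_validate_url(
        "https://my-cas-server.example.org:8443/cas", "ST-TOY-1",
        "https://idp.example.org/idp/Authn/RemoteUser"))
    for r in demo():
        print(r)
```

The point the toy registry makes is that the service parameter is part of what the CAS server checks, not just a return address: a ticket that was minted for https://sp.example.org/secure is a different credential from one minted for the IdP's /idp/Authn/RemoteUser endpoint, and each is consumed by its first validation. When debugging the pass-through scenario, the failure code in the serviceValidate response tells you which of the two rules you are hitting.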