MCB CAS Shibboleth from Unicon

Michael A Grady mgrady at
Sat May 9 22:10:27 EDT 2015

On May 9, 2015, at 2:35 PM, Rhian Resnick <rresnick at> wrote:

> Has anyone investigated porting the Unicon CAS plugin to the MCB?
> Rhian

Assuming you mean the Shib-CAS-Authenticator2, that leverages the External Authn handler in Shib IdPv2. We briefly discussed the possibility in the past, but there hadn't really been a call for that by anyone to date. For those who used the RemoteUser recipe for having CAS behind the IdP, the MCB would already support that.

Of course, if you just defer all authentication to CAS, you could just incorporate MFA into CAS, and not try to go to CAS for the username/password, but then come back to Shib to do any additional factors. The biggest missing piece if you defer all authn factors to CAS is that the Shib-CAS-Authn2 does not yet provide a way to return which authn context actually happened, If the SP is a typical one that doesn't actually ask for anything special, that's ok, but otherwise wouldn't do what you need.

Right now we are focused on flexible incorporation of MCB-type functionality in Shib IdPv3.

Michael A. Grady
IAM Architect, Unicon, Inc.

More information about the users mailing list