CAS protocol questions

Paul B. Henson henson at cpp.edu
Thu Feb 18 22:29:21 EST 2016


I finished getting the basic SAML functionality going on my dev idpv3 instance and am starting to look at the CAS setup, and had a few questions I hope someone might be able to answer.

The first one is pretty simple, I think I saw the answer somewhere, but it's not on the CAS wiki page. As far as the URL you configure into a CAS client, it's just "https://idp.cpp.edu/idp/profile/cas/login" etc, right?

Second, I'm not clear as to the state of the CAS /logout functionality. The wiki page talks about IdP-initiated SLO in 3.2, but I'm not sure if that means to use that instead of CAS logout functionality, or if CAS logout functionality would be layered on top of it. I see there is a new CAS parameter singleLogoutParticipant in the config. If a CAS client wants a CAS logout URL, should you point them at /idp/profile/Logout? I'm not really looking for a full-fledged logout of every application you've accessed, I really only want the basic functionality the CAS logout itself used to provide, destroying the CAS/idp login session itself and preventing any future application logins, not impacting any existing application level sessions that already had been created. I don't really want to show a user a screen listing their established application sessions and giving them the option to try and destroy them, I just want to show them a "Logout successful" type of screen like you get when you go to /cas/logout on an actual CAS server. Is there any way to do that?

Third, step four of the quickstart says to "Configure SSL/TLS trust (optional; only required for CAS proxy support)" but then it's never mentioned again in the rest of the document 8-/. Our application group runs uportal against our current CAS servers, it uses proxy support. Exactly what trust needs to be configured where? Am I configuring the clients to trust the idp? Or the IDP to trust the clients? Other than using commercially signed certificates whose root CAs were in the default Java keystore, I don't recall having to do anything special on our CAS servers for proxy support.

Fourth, if a CAS client is configured in cas-protocol.xml but has no attribute release policy matching it, does it get the username when it authenticates? Or do you always need a release policy even if it only needs the authenticated user name?

Finally, the section at the bottom of the cas-protocol.xml file labeled "Advanced CAS configuration", is that referring to writing your own actual Java code to replace the code that comes with the idp?

Thanks much...

--
Paul B. Henson  |  (909) 979-6361  |  http://www.cpp.edu/~henson/
Operating Systems and Network Analyst  |  henson at cpp.edu
California State Polytechnic University  |  Pomona CA 91768