Migrating CAS clients to shib idp v3 cas service

Cantor, Scott cantor.2 at osu.edu
Mon Feb 29 21:06:17 EST 2016


On 2/29/16, 8:23 PM, "users on behalf of Paul B. Henson" <users-bounces at shibboleth.net on behalf of henson at cpp.edu> wrote:


>
>Any other suggestions on how to transparently accomplish this migration while maintaining single sign-on during the cutover?

I'm not sure I followed the internal-rewrite suggestion, but the session cookies issued by the IdP can be altered to a domain other than the literal server, so if your different URLs share a domain, that might work.

If I'm not mistaken, the CAS client config is basically two different URLs, right, the login URL and the validation URL? So you could leave CAS in place indefinitely until all the clients are migrated to point to the IdP, but the IdP would forward things along to CAS for authentication to itself until they were all moved, and then you'd drop the final CAS client on the IdP out of the mix and switch it to native authentication. I would guess that kind of conversation might take years though.

-- Scott


