CAS protocol questions

Marvin Addison marvin.addison at
Fri May 19 06:38:35 EDT 2017

On Thu, May 18, 2017 at 12:21 PM Martin Haase <Martin.Haase at> wrote:

> what is the state of the CAS server implementation in the current IdP?
> The Wiki page seems to be outdated wrt. logout, for example.

It's current with respect to the capabilities that have been implemented.
If we identify gaps I will fill them.

> Is CAS protocol 2 or 3 implemented? Mainly, will user attributes be
> released?

>From the top of the page:
Shibboleth IdP 3.0 supports most of the CAS protocol v2 specification
including attribute release and CAS proxy support.

While attribute release support is not formally defined in the protocol
specification, many clients and even the Jasig CAS server as far back as
3.0 supported a <cas:attributes> element that contains attributes. That is
what is meant by attribute release support in v2.

There are no plans to support CAS protocol v3, but I'm happy to consider it
if someone were to request it and justify the work.

> I understand logout for CAS services works via /idp/Logout, as with SAML
> SPs. But how can the CAS services's SLO URLs be configured? And is there
> something like SLO for proxy tickets?

There is no capability defined in any version of the CAS protocol for
registering protocol endpoint URIs like SAML. The IdP simply sends a CAS
logout message to the URL of the service that successfully validated a
ticket; it's up to the requesting party to have some means of processing
that message. The Java CAS client provides a servlet filter for this
purpose, for example.

As for proxy tickets, I would have to review code to say for certain, but
I'm fairly sure that whenever the proxying service successfully validates a
ticket, it is added to the scope of services that will receive logout
messages. The complicating factor is that the value of the CAS protocol
service parameter for proxy tickets is poorly defined, which is probably at
least part of the reason that proxied services tend to be considered
outside the scope of logout. However, there's nothing preventing you from
configuring your proxying and proxied services from using service
parameters that are resolvable URLs that can receive logout messages from
the IdP. In short, I bet you could get it to work.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list