Shibboleth IdP v3.X plugin for authentication via an external CAS Server

Michael A Grady mgrady at
Sat Jun 20 21:20:56 UTC 2020

I thought that someone had fixed the documentation to be clearer, but it doesn't appear that they have. You need to be be sure that in the IdPs' conf/authn/gneeral-authn.xml file that you add any and all needed principal names to the authn/External bean. E.g. (if you wanted the usual Password class and also wanted it to handle REFEDS MFA. You might need to add other password-type principals depending on what any services you are integrated with might be sending as a requested authn context. You will need whateve principals you had previously listed on the authn./Shibcas bean in that same file, if you were using an older version of this plugin.)

<bean id="authn/External" parent="shibboleth.AuthenticationFlow"
    <property name="supportedPrincipals">
            <bean parent="shibboleth.SAML2AuthnContextClassRef"
                  c:classRef="" />
              <bean parent="shibboleth.SAML2AuthnContextClassRef"
                  c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />

> On Jun 20, 2020, at 5:55 AM, Mathew, Sunil <smathew at> wrote:
> Hi,
> We have CAS as the external server and Shibboleth (3.1.1) used to authenticate with Remote User. Instead I am trying to use CAS plugin for Shibboleth (3.4.6) authentication: <>
> But I am getting the following error:
> 2020-06-20T10:47:25.099968500Z shib-idp;idp-process.log;dev;nothing;2020-06-20 10:47:25,099 - - WARN [net.shibboleth.idp.authn.impl.PopulateAuthenticationContext:219] - Profile Action PopulateAuthenticationContext: No authentication flows are active for this request
> 2020-06-20T10:47:25.100032900Z shib-idp;idp-warn.log;dev;nothing;2020-06-20 10:47:25,099 - - WARN [net.shibboleth.idp.authn.impl.PopulateAuthenticationContext:219] - Profile Action PopulateAuthenticationContext: No authentication flows are active for this request
> 2020-06-20T10:47:25.199464800Z shib-idp;idp-process.log;dev;nothing;2020-06-20 10:47:25,197 - - INFO [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:313] - Profile Action SelectAuthenticationFlow: No potential flows left to choose from, authentication failed
> Has anyone been able to use the CAS plugin for Shibboleth authentication?
> Regards,
> Sunil
> This email has been scanned for spam and viruses by Proofpoint Essentials. Click here <> to report this email as spam.
> -- 
> For Consortium Member technical support, see <>
> To unsubscribe from this list send an email to users-unsubscribe at <mailto:users-unsubscribe at>
Michael A. Grady
IAM Architect, Unicon, Inc.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list