Shibboleth IdP v3.X plugin for authentication via an external CAS Server

Mathew, Sunil smathew at
Tue Jun 23 08:07:34 UTC 2020

Hi Michael,

We were using RemoteUser authentication with the MOD_AUTH_CAS client. Instead, I am trying to use the CAS plugin.

Here are my changes:


idp.authn.flows = External

# CAS Client properties (usage loosely matches that of the Java CAS Client)
## CAS Server Properties
shibcas.casServerUrlPrefix =
shibcas.casServerLoginUrl = ${shibcas.casServerUrlPrefix}/login

## Shibboleth Server Properties
shibcas.serverName =

# By default you always get the AuthenticatedNameTranslator, add additional code to cover your custom needs.
# Takes a comma separated list of fully qualified class names
# shibcas.casToShibTranslators = com.your.institution.MyCustomNamedTranslatorClass
# shibcas.parameterBuilders = com.your.institution.MyParameterBuilderClass

# Specify CAS validator to use - either 'cas10', 'cas20' or 'cas30' (default)
shibcas.ticketValidatorName = cas20

Here is the general-authn.xml file:
        <!-- <bean id="authn/External" parent="shibboleth.AuthenticationFlow"
            p:nonBrowserSupported="false" /> -->

        <bean id="authn/External" parent="shibboleth.AuthenticationFlow"
            <property name="supportedPrincipals">
                    <bean parent="shibboleth.SAML2AuthnContextClassRef"
                        c:classRef="" />
                    <bean parent="shibboleth.SAML2AuthnContextClassRef"
                        c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />

Here is the edit-webapp/WEB-INF/web.xml change:
    <!-- Servlet for receiving a callback from an external CAS Server and continues the IdP login flow -->
        <servlet-name>ShibCas Auth Servlet</servlet-name>
        <servlet-name>ShibCas Auth Servlet</servlet-name>

I added the no-conversation-state.jsp file to the edit-webapp folder. I also added the cas-client-core-3.6.0.jar and shib-cas-authenticator-3.3.0.jar files to the edit-webapp/WEB-INF/lib folder.

I confirmed that the changes are reflected inside the docker container.


From: users <users-bounces at> on behalf of Michael A Grady <mgrady at>
Reply-To: Shib Users <users at>
Date: Monday, June 22, 2020 at 10:19 AM
To: Shib Users <users at>
Subject: Re: Shibboleth IdP v3.X plugin for authentication via an external CAS Server

On Jun 21, 2020, at 6:00 AM, Mathew, Sunil <smathew at> wrote:

Thanks, I am not using MFA (only CAS). I should have mentioned that I am using Shibboleth docker image

As Peter indicated, how you are deploying the IdP does not matter. And whether you are using MFA does not matter. You still need to update the IdP to tell it what types of authentication the authn/External flow is intended to support. So just list the Password context if you aren't also using MFA,

Have you used the Shib-CAS-Authn3 plugin in the past, back when it required you to add a new flow, the authn/Shibcas one?

And what flow(s) do you have listed in your as being active?

Michael A. Grady
IAM Architect, Unicon, Inc.
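
The following is an added example, not part of the original thread and not code from the shib-cas-authn3 project. It is a pre-deployment check for the two settings discussed above: that idp.authn.flows enables External, and that the authn/External bean in general-authn.xml is well-formed and lists supportedPrincipals with non-empty c:classRef values. The function names and sample inputs are constructed, and splitting idp.authn.flows on '|' is a simplifying assumption.

```python
import xml.etree.ElementTree as ET

NS = {"b": "http://www.springframework.org/schema/beans"}
BEAN = "{http://www.springframework.org/schema/beans}bean"
C_CLASSREF = "{http://www.springframework.org/schema/c}classRef"

def flows_from_properties(text):
    """Return the flow names in idp.authn.flows (assumes a '|'-separated list)."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue  # skip comments and non-property lines
        key, value = line.split("=", 1)
        if key.strip() == "idp.authn.flows":
            return [f.strip() for f in value.split("|") if f.strip()]
    return []

def check_external_flow(props_text, authn_xml):
    """Return a list of problems found with the authn/External flow definition."""
    problems = []
    if "External" not in flows_from_properties(props_text):
        problems.append("idp.authn.flows does not enable External")
    try:
        root = ET.fromstring(authn_xml)  # commented-out beans are ignored by the parser
    except ET.ParseError as exc:
        return problems + [f"general-authn.xml is not well-formed: {exc}"]
    beans = [b for b in root.iter(BEAN) if b.get("id") == "authn/External"]
    if len(beans) != 1:
        return problems + [f"expected one authn/External bean, found {len(beans)}"]
    prop = beans[0].find("b:property[@name='supportedPrincipals']", NS)
    refs = [] if prop is None else [e.get(C_CLASSREF) for e in prop.iter(BEAN)]
    if not refs:
        problems.append("authn/External declares no supportedPrincipals")
    if any(not r for r in refs):
        problems.append("supportedPrincipals entry has an empty or missing c:classRef")
    return problems

# Constructed sample inputs (not the poster's files).
SAMPLE_PROPS = "idp.authn.flows = External\n"
GOOD_XML = """<beans xmlns="http://www.springframework.org/schema/beans"
  xmlns:p="http://www.springframework.org/schema/p" xmlns:c="http://www.springframework.org/schema/c">
<bean id="authn/External" parent="shibboleth.AuthenticationFlow" p:nonBrowserSupported="false">
  <property name="supportedPrincipals"><list>
    <bean parent="shibboleth.SAML2AuthnContextClassRef"
          c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
  </list></property>
</bean></beans>"""

if __name__ == "__main__":
    print(check_external_flow(SAMPLE_PROPS, GOOD_XML) or "authn/External looks consistent")
```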
