cas proxy auth - SAML equivalent?
Cantor, Scott
cantor.2 at osu.edu
Thu Mar 19 08:44:36 EDT 2020
> * is anything available for SAML delegated/proxy authentication yet that
> provides similar functionality as CAS proxy auth, and if so, would it also
> require server-side storage?
Similar functionality, yes, but it requires complex client code to use, and you wouldn't have any of it in the applications you need to support. We formally deprecated it in V4, but haven't officially decided whether to remove it yet. No, it does not require server state.
CAS proxy tickets are just weak bearer credentials doing impersonation, as is 90% of OAuth usage. We implemented actual delegation with SAML tokens that have to be attached to new requests and signed by the proxying service's key and turned back in to the IdP using an ECP-like flow. OAuth has similar capabilities, but not ones that are used in common practice.
There's very outdated Java code for doing the client half of it, but I don't think any other language support exists, much as there are very few ECP clients in general.
I am interested in trying to fix the dependency on server-side storage for CAS proxying. I don't see any reason it needs to be there. The tickets should ideally be able to carry the information needed, and recursion shouldn't change that.
-- Scott