Shibboleth IdP 4.0 and Shibcas Plugin

Cantor, Scott cantor.2 at osu.edu
Tue Sep 29 17:27:56 UTC 2020


On 9/29/20, 12:55 PM, "users on behalf of Matt Elson" <users-bounces at shibboleth.net on behalf of mailing_lists.shibboleth_users at melson.fastmail.net> wrote:

> (Doesn't seem like the initial SP's entityID is even passed up to CAS.)

I believe that's a bug, could you file it please? We should be populating Scoping with the RequesterID, at least optionally, and I can't find any sign I included it right now. I have Scoping populated based on ProxyCount and constraining the proxied IdPs, but not that element.

If you want to override the IdP's own identity that's possible with a dynamic strategy injected into the relying party configuration to derive the responderId (which in this case is the requester ID, but that's the setting).

I'm not sure I buy the idea that it's appropriate to impersonate the SP, but insofar as it's a desirable feature it could be implemented. But the "right" place is Scoping and I think I just forgot to do it.

> While it's easy enough for me to set up authn/SAML to
> pass relevant profile and even have CAS trigger Duo accordingly, CAS's
> IDP doesn't return the proper AuthnContext (looking at CAS config
> options, there doesn't seem to be a way to have it do so dynamically).

That doesn't leave much. If you have nothing to base the decision on, I'm not sure how you'd know when to do it or not...

> I'm leaning towards handling this in Shibboleth directly, but it seems
> like another option could be to configure Shibboleth in some fashion so
> that it reads/parses the assertion returned from CAS and updates the
> AuthnContext when appropriate.

You can control the outbound AuthnContext but the default code is to support mappings between the two sets of AuthnContext classes using some simple maps. It's possible to do more with custom code, but I'm not sure how you can do it if there's nothing in the response to base it on.

I guess people like doing this with attributes, which is really not appropriate, but given that, it's possible to code up some additional wiring we could ship out of the box to do something like apply a SimpleAttributePredicate and map that to an outbound context...

-- Scott
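Added example (not from the thread and not Shibboleth or Shibcas code): what "populating Scoping with the RequesterID" looks like on the wire for the AuthnRequest a proxying IdP sends upstream, and how the upstream side reads it back. The Issuer stays the proxy's own entityID; the original SP is carried in Scoping/RequesterID, the permitted upstream IdPs in Scoping/IDPList, and ProxyCount bounds further proxying. All entityIDs are constructed.

```python
# Added example, not from the thread or the Shibboleth project. Entity IDs are made up.
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_proxied_authn_request(proxy_entity_id, original_requester_id,
                                allowed_idps, proxy_count=0):
    """AuthnRequest a proxying IdP sends upstream: Issuer is the proxy itself
    (no SP impersonation); the original SP goes into Scoping/RequesterID."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = proxy_entity_id
    scoping = ET.SubElement(req, f"{{{SAMLP}}}Scoping",
                            {"ProxyCount": str(proxy_count)})
    if allowed_idps:  # constrain which upstream IdPs may answer
        idp_list = ET.SubElement(scoping, f"{{{SAMLP}}}IDPList")
        for idp in allowed_idps:
            ET.SubElement(idp_list, f"{{{SAMLP}}}IDPEntry", {"ProviderID": idp})
    # Schema order inside Scoping: IDPList first, then RequesterID (0..n).
    ET.SubElement(scoping, f"{{{SAMLP}}}RequesterID").text = original_requester_id
    return ET.tostring(req, encoding="unicode")


def read_scoping(authn_request_xml):
    """Upstream side: pull Issuer, RequesterIDs, ProxyCount and IDPList."""
    root = ET.fromstring(authn_request_xml)
    scoping = root.find(f"{{{SAMLP}}}Scoping")
    info = {"issuer": root.findtext(f"{{{SAML}}}Issuer"),
            "requester_ids": [], "proxy_count": None, "idp_list": []}
    if scoping is None:  # no Scoping at all is legal; nothing to derive from
        return info
    info["requester_ids"] = [e.text for e in scoping.findall(f"{{{SAMLP}}}RequesterID")]
    if scoping.get("ProxyCount") is not None:
        info["proxy_count"] = int(scoping.get("ProxyCount"))
    info["idp_list"] = [e.get("ProviderID") for e in
                        scoping.findall(f"{{{SAMLP}}}IDPList/{{{SAMLP}}}IDPEntry")]
    return info
```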
