Shibboleth IdP 4.0.1 and CAS

Andrew Jason Morgan morgan at
Thu Jan 21 18:58:12 UTC 2021

A long time ago, we had /cas as our endpoint when we used Apereo CAS.  When we migrated to Shibboleth, we used these Apache rewrite rules:

        # Rewrite cas URLs to Shibboleth
        RewriteRule ^/cas/+serviceValidate$ /idp/profile/cas/serviceValidate [PT]
        RewriteRule ^/cas/+proxyValidate$ /idp/profile/cas/proxyValidate [PT]
        RewriteRule ^/cas/+samlValidate$ /idp/profile/cas/samlValidate [PT]
        RewriteRule ^/cas/+validate$ /idp/profile/cas/validate [PT]
        RewriteRule ^/cas/+(.+)$ /idp/profile/cas/$1 [R,NE,L]

We still have these in place today, working fine.


From: users <users-bounces at> on behalf of Cantor, Scott <cantor.2 at>
Sent: Thursday, January 21, 2021 9:31 AM
To: Shib Users <users at>
Subject: Re: Shibboleth IdP 4.0.1 and CAS

On 1/21/21, 11:54 AM, "users on behalf of Max via users" <users-bounces at on behalf of users at> wrote:

>    It seems that the /cas and /sCAS Context Roots are no longer present.

Neither have ever existed. CAS flows live under /idp/profile/cas and are automatically registered and logged at startup. Trying to run them at other locations is something that theoretically can be done but has never been tested to my knowledge.

>    In the file %{idp.home}/conf/services.xml the CASServiceRegistryResources is
>    enabled:

That has nothing to do with the processing of requests in the path handling sense; a 404 is a fundamentally broken container or webapp not starting up to begin with.

>    These are the entries we have in the idp-process.log file related to CAS
>    during startup:

It logs all the flow definitions and their locations at startup before that ever happens, but the literal notion of anything but /idp as a context root (or I guess anything else, doesn't literally have to be /idp), that doesn't exist. There's one context root and it usually lives at /idp.

-- Scott
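
A simplified model of the rewrite rules quoted at the top of this thread, added here as an example (it is not from either poster and is not Apache's own matching code): it shows which legacy /cas paths are handed to /idp/profile/cas internally and which receive an external redirect, including the trailing-slash and bare `/cas/` edge cases. The `rewrite` function and the sample requests are constructed for illustration.

```python
import re

# The five rules from the message above, in order: (pattern, substitution, flags).
# PT hands the rewritten path on internally (and implies L); R is an external redirect.
RULES = [
    (r"^/cas/+serviceValidate$", "/idp/profile/cas/serviceValidate", "PT"),
    (r"^/cas/+proxyValidate$", "/idp/profile/cas/proxyValidate", "PT"),
    (r"^/cas/+samlValidate$", "/idp/profile/cas/samlValidate", "PT"),
    (r"^/cas/+validate$", "/idp/profile/cas/validate", "PT"),
    (r"^/cas/+(.+)$", "/idp/profile/cas/$1", "R,NE,L"),
]


def rewrite(path, query=""):
    """Return (action, target) for a request path under this simplified model.

    action is "internal" (PT), "redirect" (R) or "unchanged" (no rule matched).
    The query string is never matched against; it is carried over unchanged.
    """
    for pattern, substitution, flags in RULES:
        m = re.search(pattern, path)
        if not m:
            continue
        target = substitution.replace("$1", m.group(1)) if m.groups() else substitution
        if query:
            target += "?" + query
        action = "redirect" if "R" in flags.split(",") else "internal"
        return action, target  # first match wins: PT implies L, last rule has L
    return "unchanged", path + ("?" + query if query else "")


# Constructed sample requests (ticket and service values are made up).
SAMPLES = [
    ("/cas/serviceValidate", "ticket=ST-1&service=https://app.example.org/"),
    ("/cas//validate", ""),            # repeated slash still matches /+
    ("/cas/login", "service=https://app.example.org/"),
    ("/cas/serviceValidate/", ""),     # trailing slash misses the PT rule
    ("/cas/", ""),                     # nothing after the slash: no rule applies
    ("/idp/profile/cas/login", ""),    # already at the real location
]

if __name__ == "__main__":
    for path, query in SAMPLES:
        action, target = rewrite(path, query)
        print(f"{path:<26} {action:<10} {target}")
```
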
