2008/12/17 RL 'Bob' Morgan <rlmor...@washington.edu>
>
> ...
> SAML is indeed a complete web signon protocol. The Shibboleth package
> includes a full-featured identity provider component. Shib is also often
> used to extend an existing web signon deployment such as CAS.

That's interesting. So you're saying that CAS is being used as an authentication service only that protects the Shibboleth instance. Shibboleth is then used as an IdP to implement federated SSO protocols, e.g. SAML?

I did a quick drawing on this and attached it to this post. In the drawing, the numbers mean:

1: A user selects an application URL
2: The "IdP filter" at the application URL redirects the user to the identity provider
3: As the IdP is protected by a CAS client filter, the filter redirects the user to CAS
4: CAS provides the authentication (login form, Kerberos, etc.)
5: The CAS redirects to the IdP, the CAS client filter now lets the request pass to the IdP. The IdP now issues the requested artifact and redirects to the application
6: The IdP filter at the application validates the artifact and lets the request pass to the application

Correct?

Regards,
Bernd

<<attachment: cas_shibboleth_combination.png>>
_______________________________________________
Yale CAS mailing list
cas@tp.its.yale.edu
http://tp.its.yale.edu/mailman/listinfo/cas