[cas-user] CAS + Shibboleth Integration Best Practices
All,

I currently have about 3 projects that may require us to implement some form of CAS+Shibboleth integration. Our projects are RemedyForce (SalesForce Platform), Office 365, and Alma (Ex-Libris Voyager replacement).

I've been reading the Shibboleth Wiki as well as the CAS+Shibboleth Integration documentation and I'm not sure which direction I should be going. The Shibboleth Wiki has something about "Shibbolizing" a CAS server whereas the JASIG CAS Wiki recommends the Unicon CAS+Shibboleth. I guess my question is, do both of these methods achieve the same goal? And for those of you who have implemented these services with some form of CAS+Shibboleth integration, which method did you use?

Ben Branch
UNIX/Linux Administrator
University of Central Oklahoma

RE: [cas-user] CAS + Shibboleth Integration Best Practices
It really depends on which part of the CAS/Shibboleth duo you currently have in place. If you're already using CAS and need to add Shibboleth, Unicon's module (or using mod_auth_cas in Apache) is the way to go. On the other hand, if you're comfortable with Shib, use that as the main authentication and just use CAS where it is needed.

I find CAS much easier to work with, so that's what we use as the main authentication point. Shibboleth is protected by mod_auth_cas and as long as there are no problems, users never see anything mentioning Shibboleth at all. The CAS login/logout pages are the only thing they ever interact with.

--
Eric Pierce
Identity Management Architect
Information Technology
University of South Florida

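The arrangement Eric describes, with Apache's mod_auth_cas in front of the Shibboleth IdP, might look like the following. This is an added example, not configuration from the thread or from USF; the hostnames, file paths and the use of the Shibboleth IdP 2.x RemoteUser login handler are assumptions.

```apache
# Added illustration, not taken from the thread. cas.example.edu is a
# placeholder host and the file paths are typical defaults (assumptions).
# Assumes a Shibboleth IdP 2.x with its RemoteUser login handler enabled,
# deployed in a servlet container behind the IdP's TLS virtual host.

LoadModule auth_cas_module modules/mod_auth_cas.so

# Where mod_auth_cas sends users to log in and where it validates tickets.
CASLoginURL        https://cas.example.edu/cas/login
CASValidateURL     https://cas.example.edu/cas/serviceValidate
# CA bundle used to verify the CAS server's TLS certificate during validation.
CASCertificatePath /etc/pki/tls/certs/ca-bundle.crt
# Session cache directory; keep it readable and writable by Apache only.
CASCookiePath      /var/cache/httpd/mod_auth_cas/

# Only the IdP's RemoteUser endpoint is CAS-protected. The IdP accepts
# whatever REMOTE_USER it is handed here, so nothing except this Apache
# instance should be able to reach the container directly.
<Location /idp/Authn/RemoteUser>
    AuthType CAS
    Require valid-user
</Location>

# Forward the IdP over AJP on loopback so the REMOTE_USER set by
# mod_auth_cas is passed to the container. With Tomcat, the AJP connector
# needs tomcatAuthentication="false" to accept it.
ProxyPass /idp/ ajp://127.0.0.1:8009/idp/
```

Because the IdP trusts the username Apache supplies, the check to make after deployment is that the container's HTTP and AJP listeners are not reachable from anywhere but the Apache host.
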
RE: [cas-user] CAS + Shibboleth Integration Best Practices
Eric,

The situation that we are in is that we have CAS and are needing to add Shibboleth. I've bookmarked one of your posts where you go into some detail about your Office 365 integration with your CAS/Shib integration and it's been very helpful. Are you currently on the latest release of CAS? We are currently on 3.4.10 and I'm looking at moving to 3.5.2.

Ben Branch
UNIX/Linux Administrator
University of Central Oklahoma

Re: [cas-user] CAS + Shibboleth Integration Best Practices
On May 5, 2014, at 8:12 AM, Ben Branch bbra...@uco.edu wrote:

> The situation that we are in is that we have CAS and are needing to add Shibboleth. I’ve bookmarked one of your posts where you go into some detail about your Office 365 integration with your CAS/Shib integration and it’s been very helpful. Are you currently on the latest release of CAS? We are currently on 3.4.10 and I’m looking at moving to 3.5.2.

Ben,

The “Shibbolizing a CAS server” option is basically going the other way around. Where: You currently have an Enterprise web SSO system based on Shibboleth (usually with username/password) and now someone has purchased an application that is deeply embedded with CAS as its SSO option. It’s basically a method of making the CAS server invisible to the end user without moving the actual user facing interaction to the CAS server.

From your latest post sounds like you already have CAS in place for other apps so you’ll probably not want to reverse engineer things :-)

thanks
kevin.foote

RE: [cas-user] CAS + Shibboleth Integration Best Practices
Yes, we've been running 3.5.2 (with a bunch of USF-specific changes) since January.

--
Eric Pierce
Identity Management Architect
Information Technology
University of South Florida

RE: [cas-user] CAS + Shibboleth Integration Best Practices
Kevin,

> From your latest post sounds like you already have CAS in place for other apps so you'll probably not want to reverse engineer things :-)

Yeah, I definitely don't feel like doing that! Thank you for the clarification on how the 2 integration solutions differ.

Ben Branch
UNIX/Linux Administrator
University of Central Oklahoma

Re: [cas-user] CAS + Shibboleth Integration Best Practices
On Mon, May 05, 2014 at 06:33:32AM -0700, Ben Branch wrote:

> I currently have about 3 projects that may require us to implement some form of CAS+Shibboleth integration.

We've been running Shibboleth for years, and recently deployed CAS. Our management decided they want to use CAS as the authoritative authentication system on campus, so we configured our existing Shibboleth deployment to delegate authentication to CAS. Out of all the various options, at least for our purposes, the Shibboleth IdP External Authentication via CAS plugin framework from Unicon seemed to be the best:

https://github.com/Unicon/shib-cas-authn2

This is an updated version of a previous implementation; it hasn't been out very long, but we're currently running it in production (the current 2.0 release has a couple of minor bugs, so we're actually running 2.0.1-SNAPSHOT at commit 3e0fa2aebfe6ca9da430687caee0125636118bdf). So far we haven't had any issues with it.

--
Paul B. Henson
Operating Systems and Network Analyst
California State Polytechnic University, Pomona