Janemarie,
Re proxy tickets. The user would not interact with service 2, just with service
1. Service 1 can make calls to service 2 for data, etc.; or service 1
could screen scrape service 2, or some other mechanism, to make it look like
the user is accessing service 2. But the user only

Ray,
Thank you for your response.
Yes, your understanding is correct. For the one SAML service - there will
be more - Shib hands off authn to CAS but Shibboleth controls the SSO
session.
A barrier to Shib handling authn rather than CAS is that CAS logins are
protected by 2FA. We don't have a

Janemarie,
Proxy tickets are for backend service communication. The user does not interact
with the other service. It is not the same thing as proxied/delegated
authentication.
If I understand correctly, Shibboleth is handling the username/password and
therefore the SSO session.
Does the one

We are running CAS v6.6.3 and Spring Boot v2.7.3 with two production nodes
behind an LB. Hazelcast is used for managing tickets. CAS ticket timeouts
are the default.
We are using shib-cas-authenticator v4.0.0 for external auth from our
Shibboleth IdP (v4.1.6). Most, but not all, SAML services on