Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 3 Next »

Yale CAS Discussion

Present: Howard Gilbert, Drew Mazurek, Andrew Petro

The main topic of this meeting was how to integrate Shibboleth into CAS. After some discussion, Howard convinced us that CAS will, in effect, become a WAYF (Where Are You From?). An application that chooses to accept credentials from Yale and other Shibboleth entities would convey this information to CAS upon the login redirect. CAS would then allow the user to somehow specify they are a remote user, and where they are from. This could be done either with a pulldown or with some namespace distinction such as "@harvard.edu" appended to the username. If the user is remote, they will be redirected to their own sign-on system to present credentials which will be forwarded through Shibboleth to the "Local Shib Authority." Remote users will not provide their password to Yale CAS directly. They provide their username only for the purpose of helping determine what Handle Server they ultimately end up at.

CAS and Shibboleth game
Yale application

Some application that accepts authentication of both Yale users and users that are not Yale users but are remote users – users who can authenticate to some other Shibboleth-hosting institution within the Federation.

(redirects to, specifying on redirect URL that remote users are acceptable)

Yale CAS

Provides local user login UI and provides some WAYF mechanism whereby non-Yale users can specify at which institution they can authenticate.

(redirects to Handle Server of institution user selects. Let's say the user is a Rutgers student(smile)

Rutgers Handle Server

Itself provides or is fronted by local authentication UI. In Rutgers' case, this is likely CAS. User authenticates to Handle Server (e.g., by authenticating to a local CAS instance and passing through the CAS Java Servlet Filter in accessing the Handle Server).

The "Local Shib Authority" will do three things: translate attributes from eduPerson to local (e.g. "phone" to "phoneNumber"); filter the attributes, passing through only those that we are willing to accept; and manage the federation – what other schools do we trust?

The discussion then turned to the specific attributes that will be passed on login and validation. Below is a transcription of the whiteboard:

Login:
    what authn is okay?
    gateway? renew? remote user? auth types (cert, kerb, etc.)?
    "service"

Validate: "opt into same"
    /samlValidate
        POST
    SAML Request:
        ticket
        what attributes are desired?
        [access control] rule
    SAML Response:
        netid, renew, "service",
        how, attribs, perms (boolean) [access control rule satisfied?],
        PGT

The discussion then turned to a local "strong" PKI database. For a PKI to be secure and useful, certificates must be issued by a trusted source that actually verifies recipients and does not hand out certificates carelessly.

  • No labels