Yale CAS Discussion
Present: Howard Gilbert, Drew Mazurek, Andrew Petro
The main topic of this meeting was how to integrate Shibboleth into CAS. After some discussion, Howard convinced us that CAS will, in effect, become a WAYF (Where Are You From?). An application that chooses to accept credentials from Yale and other Shibboleth entities would convey this information to CAS upon the login redirect. CAS would then allow the user to somehow specify they are a remote user, and where they are from. This could be done either with a pulldown or with some namespace distinction such as "@harvard.edu" appended to the username. If the user is remote, they will be redirected to their own sign-on system to present credentials which will be forwarded through Shibboleth to the "Local Shib Authority." Remote users will not provide their password to Yale CAS directly. They provide their username only for the purpose of helping determine what Handle Server they ultimately end up at.
Some application that accepts authentication of both Yale users and users that are not Yale users but are remote users – users who can authenticate to some other Shibboleth-hosting institution within the Federation.
(redirects to, specifying on redirect URL that remote users are acceptable)
Provides local user login UI and provides some WAYF mechanism whereby non-Yale users can specify at which institution they can authenticate.
(redirects to Handle Server of institution user selects. Let's say the user is a Rutgers student
Itself provides or is fronted by local authentication UI. In Rutgers' case, this is likely CAS. User authenticates to Handle Server (e.g., by authenticating to a local CAS instance and passing through the CAS Java Servlet Filter in accessing the Handle Server).
The "Local Shib Authority" will do three things: translate attributes from eduPerson to local (e.g. "phone" to "phoneNumber"); filter the attributes, passing through only those that we are willing to accept; and manage the federation – what other schools do we trust?
The discussion then turned to the specific attributes that will be passed on login and validation. Below is a transcription of the whiteboard:
Login: what authn is okay? gateway? renew? remote user? auth types (cert, kerb, etc.)? "service" Validate: "opt into same" /samlValidate POST SAML Request: ticket what attributes are desired? [access control] rule SAML Response: netid, renew, "service", how, attribs, perms (boolean) [access control rule satisfied?], PGT
The discussion then turned to a local "strong" PKI database. For a PKI to be secure and useful, certificates must be issued by a trusted source that actually verifies recipients and does not hand out certificates carelessly.