CAS and Shibboleth BoF

Before the BoF started:

Joke: Marvin will start a company with an open source hardware load balancer, since it seems there's good demand in the load balancer market.

BoF started

We sort of went around the room, introducing ourselves and our initial interest in the subject:

Mark Steddom, NAU

  • CAS in front of Shib doing federations, library services
  • Using Google Apps integration
  • Pretty happy

Jim Vales, Unicon

Bob Lewis, TAMU

  • Both CAS + Shib
  • Question: Shib service provider in front of N services
    • Eric Dalquist speaks up: Wisconsin is virtual hosting portal instances
      • One portal instance, one SP, multiple domains, multiple IdPs.
    • ???? Toronto: multiple web services behind one SP. SP is treated by IdP as one service, one attribute release policy, etc.

Konstantin Makarov, Saint Cloud State University

  • Before conference was set on CAS, now considering Shibb
  • U Chicago is doing cool stuff with Shibb

Marvin Addison, VTech

  • CAS and Shib
  • documentation

Pat Masson, U Mass

  • 5 uMass campuses, +10
  • online learning, libraries
  • interested in providing central services, maybe CAS per-campus with centralized Shib for federation?

Ames, AegisUSA

  • (ACAMP)

Bryan Wooten, U Utah

  • Shibboleth installed.
  • Employee recruiting SaaS application consumes SAML; need to get this working.
  • Canvas (Blackboard product) uses CAS.
  • Central IT not making software purchase decisions but has to make them integrate.

David Lipari, Unicon

Eric Christenson, North Dakota State U

  • CAS installed

Jeremy, Clemson

  • (ACAMP)

Olson, Clemson

  • Simplify authentication, authorization

Dalquist, Madison

  • New Shib install, transitioning from PubCookie to Shib
  • Main gripe: SP is in C and is a pain to compile and deploy on Solaris
  • Dreams of a Java CAS Client that operates as a Shibboleth SP

Mike Wiseman, U Toronto

  • Looking to transition PubCookie --> Shib for internal SSO
  • Currently uses Shib for federated SSO
  • "CAS seems to be the premier legacy SSO product."

Andrew Petro, Unicon

  • cas-steer

Bill Thompson, Unicon

  • Prev Princeton, Rutgers

Peishu Li (MetLife Bank)

===============================================

How does CAS fit with Shib:
Marvin: CAS for internal SSO, Shib for federation

CAS as lighter weight than Shib (or SiteMinder)

  • SP learning curve steep. CAS clients felt to be easier.
  • Registration of service as barrier

CAS Services Registry is still optional

Shib getting easier

  • Drupal, WordPress SAML authentication modules available

Ignorance of Shibboleth on part of CAS deployers, ignorance of CAS on part of Shibboleth deployers...

n-tier authentication (proxy tickets) nice in CAS, does this exist in Shib?

  • Yes, Enhanced Client Profile and delegated SAML assertions

Why the concern about the quantity of SPs?

Attribute mapping as important, useful Shibboleth feature.

Madison:

  • Centrally running IdPs for some of the campuses
  • Other campuses have taken their IdPs in house

Single sign out?

  • Log out of how much?

Single sign on domains?

Tension between browser-based configuration, storing services registry e.g. into RDBMS, vs file-based configuration, versionable.

Shib and CAS so happy together

  • What integration points need to be there?
  • What would lead to increased happiness?

User demand for universal SSO?

  • Fronting Shib with CAS does accomplish transparent SSO.

"I would never want to see our university abandon CAS"

"If you guys put SAML support into CAS, we're not going to use it." If you want SAML, use Shibboleth.

ClearPass