shib-cas-authn3 supports Shib IdP v3.0

John Gasper, Software Architect, January 16, 2015


The shib-cas-authn extension, developed as part of Unicon's Open Source Support program, is used to delegate the Shibboleth IdP's user authentication to a CAS Server. Whether the client application is a CAS client or a Shibboleth/SAML SP, the integration presents the user with a single SSO experience. Today, Unicon's IAM team released the next version of the shib-cas-authn extension.

shib-cas-authn version 3, affectionately known as shib-cas-authn3, provides support for the recently released Shibboleth IdP version 3.0. Also new to this version, shib-cas-authn3 self-registers the servlet with the Java Web Container of choice, meaning that no custom edits to the web.xml file are needed to enable the functionality. It continues to support passing Shib's forceAuth request as CAS's renew request and Shib's passive request as CAS's gateway request. Besides adding support for IdP v3.0, shib-cas-authn3 fixes some issues by URL-encoding the entityId and service query string parameters being passed to CAS.
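The mapping and the encoding fix described above can be seen in a small sketch. This is an added example, not code from the shib-cas-authn3 project: the class and method names, the hostnames, the callback path, and the placement of `entityId` on the login URL are assumptions, while `service`, `renew` and `gateway` are the CAS protocol's parameter names.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

public class CasLoginUrlExample {

    // Percent-encode one query-string value (this URLEncoder overload needs Java 10+).
    static String enc(String value) {
        return URLEncoder.encode(value, StandardCharsets.UTF_8);
    }

    // Build the CAS /login redirect. forceAuthn and passive are the flags taken from
    // the SP's request; the method and its signature are hypothetical.
    static String buildLoginUrl(String casLogin, String callback, String entityId,
                                boolean forceAuthn, boolean passive) {
        StringBuilder url = new StringBuilder(casLogin)
                .append("?service=").append(enc(callback));
        if (forceAuthn) {
            url.append("&renew=true");    // re-prompt for credentials, ignore the SSO session
        } else if (passive) {
            url.append("&gateway=true");  // never show a login form
        }
        // The CAS protocol recommends ignoring gateway when renew is set, so only one is sent.
        url.append("&entityId=").append(enc(entityId));
        return url.toString();
    }

    public static void main(String[] args) {
        // Constructed values: hostnames and the callback path are placeholders.
        String casLogin = "https://cas.example.org/cas/login";
        String callback = "https://idp.example.org/idp/callback?conversation=e1s1";
        // An entityId carrying its own query string, the case that breaks without encoding.
        String entityId = "https://sp.example.org/shibboleth?tenant=a&renew=false";

        // Unencoded concatenation: the entityId's "&renew=false" becomes a separate
        // top-level parameter, so the receiver sees two conflicting renew values.
        String naive = casLogin + "?service=" + callback + "&renew=true&entityId=" + entityId;
        System.out.println("naive:   " + naive);

        System.out.println("encoded: "
                + buildLoginUrl(casLogin, callback, entityId, true, true));
        System.out.println("passive: "
                + buildLoginUrl(casLogin, callback, entityId, false, true));
    }
}
```

Comparing the `naive` and `encoded` lines shows why the encoding matters: only in the encoded form do `service` and `entityId` each arrive at CAS as a single, intact value.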

Multifactor authentication (MFA) is going to become increasingly important as attacks get more pervasive. Currently, MFA must be managed at the IdP and CAS Server individually. As it becomes clearer how IdP v3 presents an SP's request for high levels of assurance, it should be possible to pass that information to CAS Server so that the CAS-MFA solution can handle the request, allowing MFA to be managed with CAS Server.

Take a look at the extension and test it out. You'll find the project at https://github.com/unicon/shib-cas-authn3. You can likely deploy it in less than 5 minutes. Should you run into an issue or have a question, please submit an issue and we'll do our best to work through it with you.

(Shibboleth IdP v2.4.3 deployers should continue to use shib-cas-authn2.)


John Gasper

Software Architect

John Gasper is a wonderful mix of Identity and Access Management (IAM) consultant and DevOps implementer. By day, he is implementing, configuring, or advising on one of the many open source IAM applications including CAS Server, Shibboleth, Grouper, SimpleSAMLphp, 389 Directory Server, and occasionally on closed source applications like Microsoft Active Directory and Active Directory Federation Services. By night, John tries to automate the world of IT using tools such as Docker, Jenkins, and Kubernetes. He has experience with cloud providers including Amazon Web Services (AWS), Google Cloud Platform, and Microsoft Azure. Before joining Unicon in 2013, he worked in IT at Eastern Washington University covering multiple facets of IT including Banner development and administration, Active Directory administration, and pretty much everything in between. They even let him write code for Cisco IP Phone applications.