Versions Compared

Old Version 14

changes.mady.by.user Scott Cantor

Saved on

compared with

New Version Current

changes.mady.by.user Scott Cantor

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Other notable features include:

  1. The XML response delivered by the /serviceValidate URI includes the <cas:attributes> extension supported by most CAS clients.

  2. CAS proxy support with SSL/TLS trust configuration provided by Shibboleth IdP trust engine.

  3. Simple metadata facility to configure verified relying parties modeled on Jasig/Apereo CAS service registry.

  4. Advanced metadata support using SAML metadata via our CASMetadataProfile.

The CAS protocol requires a server-side StorageService implementation for the CAS protocol ticket store and the IdP session store if support for proxy granting tickets is a requirement. This is relaxed in part with V4.1, with support for initial PGTs but not nested/chained PGTs.

Standard tickets can be handled using a ticket store that encodes the necessary data into the ticket, at the cost of slightly reduced ticket security due to lack of one-time-use enforcement.

CAS Quickstart

  1. (V4.1+) Enable CAS module.

  2. Configure suitable storage service.

  3. Add CAS protocol profiles to the default relying party by editing conf/relying-party.xml.

  4. Add verified CAS relying parties by editing conf/cas-protocol.xml.

  5. Configure SSL/TLS trust (optional; only required for CAS proxy support).

Enabling Module (V4.1+)

For V4.1+, configuring and using this feature requires that you first enable the "idp.profile.CAS" module if it isn't already enabled. Systems upgraded from older releases generally come pre-enabled due to the prior state of the configuration tree.

...

Relying parties that authenticate to the IdP via the CAS protocol are called "services." Two mechanisms are supported for registering services:

  1. SAML metadata

  2. Service registry

By default the IdP checks all SAML metadata sources first then proceeds to the service registry if and only if no match is found. You can adjust this configuration to include only one of these options or reverse the order if desired, per the commented section in conf/cas-protocol.xml.

Configure Proxy Trust (Optional)

When the service provides a pgtUrl protocol parameter at ticket validation time and the service is authorized to proxy, the IdP attempts an HTTPS connection to that URL. (The IdP will immediately reject a non-HTTPS proxy callback URL.) The proxy callback endpoint must present a certificate that is trusted by the IdP, which requires explicit configuration; in other words, the IdP does not use the default Java truststore for trust material since that would not provide adequate security. The IdP configuration machinery for proxy trust is designed to force deployers to consider what hosts they trust. While this approach requires more effort, it is justified on a few counts:

  1. Proxying is a substantial increase in authorization afforded to a service.

  2. The callback endpoint receives a credential, so authentication and trust are paramount.

  3. TLS authentication is the sole authentication mechanism used to authenticate proxy callback endpoints.

Since certificate trust underpins the last point, it requires adequate treatment to garner meaningful security. The IdP offers two approaches to proxy trust configuration in order of decreasing security:

  1. Registration of service-specific end-entity certificates via SAML metadata

  2. PKIX validation of end-entity certificates based on a set of CA trust anchors, via cas-protocol.xml

The second approach only provides meaningful security when you have a small number of certificate authorities that issue Web server certificates with a high degree of identity vetting. If that requirement is not met, configuring end-entity certificates via metadata is the recommended approach.

...