CasProtocolConfiguration

File(s): conf/idp.properties, conf/relying-party.xml, conf/cas-protocol.xml
Format: Native Spring

Overview

Shibboleth supports most of the CAS protocol v2 specification including attribute release and CAS proxy support.

Other notable features include:

The XML response delivered by the /serviceValidate URI includes the <cas:attributes> extension supported by most CAS clients.
CAS proxy support with SSL/TLS trust configuration provided by Shibboleth IdP trust engine.
Simple metadata facility to configure verified relying parties modeled on Jasig/Apereo CAS service registry.
Advanced metadata support using SAML metadata via our CASMetadataProfile.

The CAS protocol requires a server-side StorageService implementation for the CAS protocol ticket store and the IdP session store if support for proxy granting tickets is a requirement. This is relaxed in part with V4.1, with support for initial PGTs but not nested/chained PGTs.

Standard tickets can be handled using a ticket store that encodes the necessary data into the ticket, at the cost of slightly reduced ticket security due to lack of one-time-use enforcement.

CAS Quickstart

(V4.1+) Enable CAS module.
Configure suitable storage service.
Add CAS protocol profiles to the default relying party by editing conf/relying-party.xml.
Add verified CAS relying parties by editing conf/cas-protocol.xml.
Configure SSL/TLS trust (optional; only required for CAS proxy support).

Enabling Module (V4.1+)

For V4.1+, configuring and using this feature requires that you first enable the "idp.profile.CAS" module if it isn't already enabled. Systems upgraded from older releases generally come pre-enabled due to the prior state of the configuration tree.

(Windows)
C:\opt\shibboleth-idp> bin\module.bat -t idp.profile.CAS || bin\module.bat -e idp.profile.CAS
 
(Other)
$ bin/module.sh -t idp.profile.CAS || bin/module.sh -e idp.profile.CAS

Configure Storage Service

The following properties define the storage service used for IdP sessions and CAS tickets, respectively:

idp.session.StorageService
idp.cas.StorageService

The former is global to all session use, and the latter is used for proxy-granting ticket management and/or if the SimpleTicketService component is used (it is not the default).

Modify conf/idp.properties accordingly to define suitable storage service beans for each subsystem.

Sample idp.properties excerpt for CAS

idp.session.StorageService=shibboleth.StorageService
idp.cas.StorageService=shibboleth.StorageService

Enable CAS Protocol

The CAS protocol support is represented with a set of profile configuration beans, one for each of the primary CAS protocol URIs:

Profile Bean Name	URI Path

Profile Bean Name	URI Path
CAS.LoginConfiguration	/login
CAS.ProxyConfiguration	/proxy
CAS.ValidateConfiguration	/serviceValidate, /proxyValidate, /samlValidate

Each deals with configuration concerns around the related URI. The profiles are enabled as a function of relying party or relying party group as described in Profiles and Per-RelyingParty Behavior. While each profile may be enabled individually, the only configuration that provides meaningful behavior is one that includes at least CAS.LoginConfiguration and CAS.ValidateConfiguration. The CAS.ProxyConfiguration profile bean is truly optional since omitting it disables proxy support for the relying party, which is a meaningful configuration capability. The following configuration example demonstrates how to enable all CAS protocols for the default relying party.

CAS enabled for default relying party

<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
        <list>
            <ref bean="Shibboleth.SSO" />
            <ref bean="SAML1.AttributeQuery" />
            <ref bean="SAML1.ArtifactResolution" />
            <ref bean="SAML2.SSO" />
            <ref bean="SAML2.ECP" />
            <ref bean="SAML2.Logout" />
            <ref bean="SAML2.AttributeQuery" />
            <ref bean="SAML2.ArtifactResolution" />
            <ref bean="CAS.LoginConfiguration" />
            <ref bean="CAS.ProxyConfiguration" />
            <ref bean="CAS.ValidateConfiguration" />
        </list>
    </property>
</bean>

Define Relying Party Metadata

Relying parties that authenticate to the IdP via the CAS protocol are called "services." Two mechanisms are supported for registering services:

By default the IdP checks all SAML metadata sources first then proceeds to the service registry if and only if no match is found. You can adjust this configuration to include only one of these options or reverse the order if desired, per the commented section in conf/cas-protocol.xml.

Configure Proxy Trust (Optional)

When the service provides a pgtUrl protocol parameter at ticket validation time and the service is authorized to proxy, the IdP attempts an HTTPS connection to that URL. (The IdP will immediately reject a non-HTTPS proxy callback URL.) The proxy callback endpoint must present a certificate that is trusted by the IdP, which requires explicit configuration; in other words, the IdP does not use the default Java truststore for trust material since that would not provide adequate security. The IdP configuration machinery for proxy trust is designed to force deployers to consider what hosts they trust. While this approach requires more effort, it is justified on a few counts:

Proxying is a substantial increase in authorization afforded to a service.
The callback endpoint receives a credential, so authentication and trust are paramount.
TLS authentication is the sole authentication mechanism used to authenticate proxy callback endpoints.

Since certificate trust underpins the last point, it requires adequate treatment to garner meaningful security. The IdP offers two approaches to proxy trust configuration in order of decreasing security:

Registration of service-specific end-entity certificates via SAML metadata
PKIX validation of end-entity certificates based on a set of CA trust anchors, via cas-protocol.xml

The second approach only provides meaningful security when you have a small number of certificate authorities that issue Web server certificates with a high degree of identity vetting. If that requirement is not met, configuring end-entity certificates via metadata is the recommended approach.

Alternate cas:user in the validation response (Optional)

CAS validation responses include the user's username. This is generally the normalized username the user logged in with. It is possible to substitute the username in the response with a value from another IdP attribute using the p:userAttribute attribute of CAS.ValidateConfiguration profile in a Relying Party Override.

In this example, 3 services will get the value of the studentId attribute instead of the standard username. Note that these services are identified by Regex strings instead of standard literal strings.

<util:list id="shibboleth.RelyingPartyOverrides">
		<bean id="shibboleth.regexRelyingParty" parent="RelyingParty" >
			<property name="activationCondition" >
				<bean class="net.shibboleth.idp.profile.logic.RelyingPartyIdPredicate" >
					<constructor-arg name="pred" >
						<bean class="com.google.common.base.Predicates" factory-method="or" >
							<constructor-arg>
								<util:list>
									<bean class="com.google.common.base.Predicates" factory-method="containsPattern"
										c:_0="https://example1\.org\/service1\/.*" />
									<bean class="com.google.common.base.Predicates" factory-method="containsPattern"
										c:_0="https://example2\.org\/service2\/.*" />
									<bean class="com.google.common.base.Predicates" factory-method="containsPattern"
										c:_0="https://example3\.org\/service3\/.*" />
								</util:list>
							</constructor-arg>
						</bean>
					</constructor-arg>
				</bean>
			</property>
			<property name="profileConfigurations">
				<list>
					<ref bean="CAS.LoginConfiguration" />
					<ref bean="CAS.ProxyConfiguration" />
					<bean parent="CAS.ValidateConfiguration" p:userAttribute="studentId" />
				</list>
    		</property>	
	    </bean>
	</util:list>

External client configuration

As CAS is configured as a new profile for the default relying party, CAS clients should be configured with these values

Property	Value

Property	Value
$cas_host	idp.example.org
$cas_context	/idp/profile/cas

This example is based on PHP CAS Client from Jasig.

Ticket Service

A stateless ticket service component, EncodingTicketService, is the default ticket producer and consumer. This component stores ticket metadata in the random part of the ticket identifier using a DataSealer component. This component has a couple advantages:

No dependency on a StorageService component
Back-channel limitations are removed such that there is no requirement for shared storage between IdP nodes

This component should be used where possible. Note that deployers that need CAS proxy support still require stateful ticket storage, so the advantages of EncodingTicketService are diminished in that case and the original component SimpleTicketService is recommended.

It should be noted that some CAS clients cannot accommodate the long identifiers produced by EncodingTicketService; phpCAS and mod_auth_cas are notable clients that can't support the identifiers as of this writing.

The choice of ticket service is controlled by configuration in conf/cas-protocol.xml. Simply comment/uncomment the appropriate configuration for the ticket service you want to use. The default configuration is shown below:

Ticket Service Configuration in cas-protocol.xml

<!--
   | The default ticket service as of 3.3.0 serializes ticket data into the opaque section of the ticket ID
   | for service tickets and proxy tickets. Proxy-granting tickets still require server-side storage, and
   | a StorageService defined by the idp.cas.StorageService is used. Thus for deployers that do not require
   | CAS proxy capabilities, no stateful storage mechanism is required; that means no memcached or database
   | is required for HA deployments that want CAS (without proxy) support. A notable limitation of the new
   | component is that the one-time use feature of service and proxy tickets is not available due to the lack
   | of a ticket-tracking mechanism. Instead, tickets expire when their expiration period is exceeded.
   | If this limitation is of concern, one may consider decreasing ticketValidityPeriod on the profile
   | configuration from the default 15000ms.
   -->
<alias name="encodingTicketService" alias="shibboleth.CASTicketService" />

<!--
   | Uncomment the following element and comment out the above to enable the previous default ticket service
   | that uses a StorageService for ticket persistence. Use this if the one-time use limitation of
   | EncodingTicketService is problematic and can't be mitigated by decreasing ticketValidityPeriod.
   -->
<!--<alias name="simpleTicketService" alias="shibboleth.CASTicketService" /> -->