In our company, we have capitalized on a CAS server and it's working very well.
Recently, we had to integrate a SaaS application into our SSO system, mainly for authentication.
Unfortunately, the kinematic flow imposed by CAS was not compatible with the kinematic flow expected by the SaaS application.
Actually, the SaaS application was not fully SAML compliant. It was not able to deal correctly with the "SAMLArt" command generated by CAS.
After googling on the net, I found the plugin "shib-cas-authenticator": https://github.com/Unicon/shib-cas-authenticator
Its modules ("idp-ca-invoker" and "cas-authentication-facade") are located between Shibboleth IDP and CAS.
It delegates authentication to the CAS server.
1/ Does the user fill in his credentials on the CAS login page?
Does the SSO session validated by this plugin share the same CAS SSO session?
2/ If CAS validates the credentials against the users' datastore, then the plugin will give back the "RemoteUser" to Shibboleth IDP.
As Shibboleth IDP is driving the authentication kinematic flow, it will then push the "RemoteUser" to the SaaS application, instead of pushing a SAMLArt, as was the case with CAS.
Is it right?
3/ There is no Shibboleth-SP in the above solution; may a Shib-IDP release attributes to the SaaS application via the browser?
Or is it mandatory that Shib-IDP (Attribute Authority) releases attributes directly to Shib-SP (Attribute requester)?