18

I understand that CAS and SAML are different protocols used for Single-sign on purposes but, what confuses me is articles that say "CAS has an SAML implementation".

Aren't CAS and SAML different ways of how Single Sign-on can be implemented ?

Lets say, the client's enterprise has a SAML Server but, a 3rd party website says they support CAS based SSO. In this case, the end-user would have initially logged into the enterprise system. When accessing the 3rd party website will it connect to the Enterprise SAML Server looking for a SAML assertion ?

  1. What exactly is the relation between CAS and SAML ?

  2. Where exactly would CAS come in the above said set-up ?
BryKKan
  • 438
  • 3
  • 16
yathirigan
  • 5,619
  • 22
  • 66
  • 104

2 Answers2

22

There is CAS, the protocol. Then there is CAS, the software implementing that protocol and many many others.

The software is located here: https://github.com/apereo/cas

Note the README: "CAS is an open and well-documented authentication protocol. The primary implementation of the protocol is an open-source Java server component by the same name, hosted here."

Many software products, like the Apereo CAS server, support more than one protocol at the same time. So the Apereo CAS software can support CAS, SAML2 and OAuth, etc protocols at the same time. The Shibboleth IdP for instance can support SAML2, SAML1 and CAS at the same time.

So your question of:

Aren't CAS and SAML different ways of how Single Sign-on can be implemented ?

Yes, they are different protocols in many ways providing or achieving the same thing.

Where exactly would CAS come in the above said set-up ?

The SAML server needs to also support the CAS protocol for that 3rd party website, or you need a separate CAS deployment that delegates authentication to the SAML server...or it's not happening.

BryKKan
  • 438
  • 3
  • 16
Misagh Moayyed
  • 4,154
  • 2
  • 15
  • 25
  • 1
    >>CAS software can support CAS, SAML2 and OAuth<< So,if the 3rd party website has a CAS Server implementation that could support SAML, then my client enterprise wouldn't need any additional set-up (other than existing SAML set-up). Is that understanding correct ? – yathirigan Apr 29 '17 at 07:49
  • Correct. If the CAS server does SAML, you might as well use that too. It's "one ring to rule them all" sort of thing. – Misagh Moayyed May 01 '17 at 15:43
5

While the accepted answer is accurate, it is incomplete. The CAS 3.0 (protocol) specification incorporates SAML 1.1 messages directly. They are used for interacting with the /SAMLvalidate endpoint as described here: https://apereo.github.io/cas/5.0.x/protocol/CAS-Protocol-Specification.html#42-samlvalidate-cas-30

BryKKan
  • 438
  • 3
  • 16