Hi Elendrys,

It's a great question and of course a lot depends on your specific situation. Here's my personal take...

CAS has proven itself over the years to be a fantastic and flexible WebSSO platform, and with Misagh's leadership and the help of the community it has taken another huge leap with CAS 5.0. The combination of CAS and Shib has also been highly effective for many organizations, especially when Shib is delegating to CAS for authentication. CAS has for a long time had limited support for SAML and the 5.0 release takes this to a new level. Likewise Shib recently introduced some level of support for CAS protocol. My personal take is that the protocol support is the least interesting part of the story, and that it's the features and quality of the system that make the difference.

At Lafayette we are running the latest Shib IdP for InCommon Federation services and a few bilateral arrangements, and CAS for everything else. Shib delegates to CAS for authN, and CAS anchors the SSO session and the user experience. We will be upgrading to CAS 5.0 soon and will be piloting MFA (DUO) with CAS. After that we will likely start experimenting with moving our bilateral SAML clients to CAS.

It looks like we will also likely get ADFS (with an o365 deployment). The current plan is to have both Shib and ADFS delegate to CAS for authentication so that we have a consistent SSO experience, and can keep MFA and account/password policy/behavior mostly in one place.

Hope this helps.

Best,
Bill

On Tue, Dec 6, 2016 at 6:08 AM, Elendrys Yagami <[email protected]> wrote:
> Hi there,
>
> We here use CAS to have a centralized login service for our applications. We
> also have a Shibboleth Identity Provider that provides login services to
> remote federated applications onto our user database.
>
> We are currently upgrading both authentication systems and I'd like to have
> some feedback about the best strategy (as people here may know about these
> two pieces of software).
>
> First, it is not clear to me, after reading the documentation, if the SAML
> implementation in CAS v5 may fully replace the Shibboleth IDP or if it is
> tied to the software introduced in the documentation pages (google, etc.)?
>
> Then what's your opinion about making Shibboleth authenticate through CAS?
> It seems to have been non-functional in the past, but things have evolved a
> lot since. For me it also makes Shibboleth apps dependent on the CAS service
> too.
>
> Any feedback appreciated.
>
> Thanks
>
> --
> - CAS gitter chatroom: https://gitter.im/apereo/cas
> - CAS mailing list guidelines:
> https://apereo.github.io/cas/Mailing-Lists.html
> - CAS documentation website: https://apereo.github.io/cas
> - CAS project website: https://github.com/apereo/cas
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/94bea960-2487-4c3a-b1f6-914c07ee8c3c%40apereo.org.
