On further investigation, it appears the SAML 2.0 SOAP/ECP profile almost works, except it requires reauthentication (slow) and only supports username/password (not X509).
I'm leaning towards creating a custom ECP implementation that consumes the REST-provided TGT in the Basic Authorization header. Any thoughts? The downside is that the ECPProfileHandlerController is not designed for extension, so I'll have to copy+paste and modify it. Thoughts?

On Friday, July 26, 2019 at 1:19:38 AM UTC-4, Curtis Ruck wrote:
> So, is there a way to get a SAMLResponse (given a SAMLRequest) if the user's session is established through the CAS v1 REST API?
>
> We have a legacy desktop application that has used the CAS v1 REST API for years to authenticate users, but we have a new Service Provider that only supports SAML 2.0 (vice our historical usage of CAS 2.0/SAML 1.1 protocols).
>
> Ideally, it looks like I'd need to turn the TGT into a properly signed TGC so it could be shoved into a cookie, and follow the 302 redirects on some requests to mimic one of the Web Browser SSO Profiles, or a REST v1 request to something like /cas/v1/tickets/TGT-123?SAMLRequest=.......
>
> Just trying to brainstorm what changes/extensions I'll need to make to support this. I recognize the "right" answer long term is to replace the legacy authentication that uses the REST API and switch to an embedded browser that goes through the standard browser authentication process, but that would be a much larger undertaking.

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/522ac8aa-e198-4c57-a727-d522c9ee37c8%40apereo.org.
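Added example, not code from this thread or from CAS: the SAML 2.0 SOAP/ECP exchange the post above is weighing, reduced to the client-side steps and run offline in Python (standard library only) against constructed sample messages. The SP's PAOS envelope, the IdP reply, the hostnames, entity IDs and ticket values are all made up for the demo. tgt_basic_auth_header encodes the poster's proposed "TGT in the Basic Authorization header" idea and is purely an assumption about a CAS change that does not exist in stock CAS. The part worth keeping is wrap_idp_response_for_sp: the ECP profile requires the client to compare the AssertionConsumerServiceURL in the IdP's ecp:Response header with the responseConsumerURL the SP sent, and to answer the SP with a SOAP fault instead of the assertion when they differ, which is what stops an assertion from being delivered to an endpoint the SP never asked for.

```python
"""Minimal SAML 2.0 ECP client steps, run offline on constructed messages."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "paos": "urn:liberty:paos:2003-08",
    "ecp": "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)
SOAP_ACTOR_NEXT = "http://schemas.xmlsoap.org/soap/actor/next"


def q(prefix, local):
    """Clark-notation name for ElementTree, e.g. {uri}Envelope."""
    return "{%s}%s" % (NS[prefix], local)


# Constructed sample of what an SP returns (profile step 2) to a client that
# sent "Accept: application/vnd.paos+xml" plus the PAOS/ECP request header.
SP_PAOS_REQUEST = """<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:paos="urn:liberty:paos:2003-08" xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <S:Header>
    <paos:Request S:actor="http://schemas.xmlsoap.org/soap/actor/next" S:mustUnderstand="1"
        responseConsumerURL="https://sp.example.org/Shibboleth.sso/SAML2/ECP"
        service="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"/>
    <ecp:Request S:actor="http://schemas.xmlsoap.org/soap/actor/next" S:mustUnderstand="1" IsPassive="false">
      <saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer></ecp:Request>
  </S:Header>
  <S:Body>
    <samlp:AuthnRequest ID="_req1" Version="2.0" IssueInstant="2019-07-26T05:19:38Z"
        ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
        AssertionConsumerServiceURL="https://sp.example.org/Shibboleth.sso/SAML2/ECP">
      <saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer></samlp:AuthnRequest>
  </S:Body></S:Envelope>"""


def sample_idp_response(acs_url):
    """Constructed IdP reply (profile step 6); the assertion is an unsigned placeholder."""
    return f"""<S:Envelope xmlns:S="{NS['soap']}"><S:Header>
  <ecp:Response xmlns:ecp="{NS['ecp']}" S:actor="{SOAP_ACTOR_NEXT}" S:mustUnderstand="1"
      AssertionConsumerServiceURL="{acs_url}"/></S:Header><S:Body>
  <samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_resp1"
      Version="2.0" IssueInstant="2019-07-26T05:19:40Z" Destination="{acs_url}">
    <saml:Issuer>https://cas.example.org/cas/idp</saml:Issuer>
    <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
    <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2019-07-26T05:19:40Z">
      <saml:Issuer>https://cas.example.org/cas/idp</saml:Issuer>
      <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject></saml:Assertion>
  </samlp:Response></S:Body></S:Envelope>"""


def tgt_basic_auth_header(tgt):
    """ASSUMPTION: the poster's proposed CAS change accepts a REST TGT as the
    Basic-auth user with an empty password. Stock CAS ECP wants user:password."""
    return {"Authorization": "Basic " + base64.b64encode((tgt + ":").encode()).decode()}


def unwrap_sp_paos_request(envelope_xml):
    """Step 4: drop the PAOS/ECP headers, keep responseConsumerURL and RelayState,
    and build the bare SOAP envelope the client POSTs to the IdP's ECP endpoint."""
    root = ET.fromstring(envelope_xml)
    paos_req = root.find("soap:Header/paos:Request", NS)
    authn = root.find("soap:Body/samlp:AuthnRequest", NS)
    if paos_req is None or authn is None or not paos_req.get("responseConsumerURL"):
        raise ValueError("not a well-formed ECP PAOS request")
    relay = root.find("soap:Header/ecp:RelayState", NS)
    env = ET.Element(q("soap", "Envelope"))
    ET.SubElement(env, q("soap", "Header"))
    ET.SubElement(env, q("soap", "Body")).append(authn)
    return (paos_req.get("responseConsumerURL"), relay.text if relay is not None else None,
            ET.tostring(env, encoding="unicode"))


def soap_fault(reason):
    env = ET.Element(q("soap", "Envelope"))
    fault = ET.SubElement(ET.SubElement(env, q("soap", "Body")), q("soap", "Fault"))
    ET.SubElement(fault, "faultcode").text = "soap:Server"
    ET.SubElement(fault, "faultstring").text = reason
    return ET.tostring(env, encoding="unicode")


def wrap_idp_response_for_sp(idp_envelope_xml, response_consumer_url, relay_state=None):
    """Step 7: the IdP's AssertionConsumerServiceURL must equal the SP's
    responseConsumerURL; otherwise the profile requires a SOAP fault to the SP
    and the assertion is never delivered. Returns (ok, envelope_to_POST)."""
    root = ET.fromstring(idp_envelope_xml)
    hdr = root.find("soap:Header/ecp:Response", NS)
    acs = hdr.get("AssertionConsumerServiceURL") if hdr is not None else None
    if acs != response_consumer_url:
        return False, soap_fault("AssertionConsumerServiceURL != responseConsumerURL")
    saml_resp = root.find("soap:Body/samlp:Response", NS)
    if saml_resp is None:
        return False, soap_fault("IdP envelope carries no samlp:Response")
    mu = {q("soap", "actor"): SOAP_ACTOR_NEXT, q("soap", "mustUnderstand"): "1"}
    env = ET.Element(q("soap", "Envelope"))
    header = ET.SubElement(env, q("soap", "Header"))
    ET.SubElement(header, q("paos", "Response"), mu)
    if relay_state is not None:
        ET.SubElement(header, q("ecp", "RelayState"), mu).text = relay_state
    ET.SubElement(env, q("soap", "Body")).append(saml_resp)
    return True, ET.tostring(env, encoding="unicode")
```

Whatever the CAS side ends up looking like, the client still has to make that URL comparison, and the SP still does the signature, audience and time-window checks on the Response it receives; nothing in this client validates the assertion itself, and the Basic-auth helper is only a placeholder for a credential scheme CAS does not ship.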
