Skip to end of metadata
Go to start of metadata
Table of Contents

New CAS documentation site

Icon

CAS documentation has moved over to apereo.github.io/cas, starting with CAS version 4.x. The wiki will no longer be maintained. For the most recent version of the documentation, please refer to the aforementioned link.

Icon

Since CAS 4.0.0, the SAML support is no longer available in the CAS server itself but through the cas-server-support-saml module : SAML Support in CAS 4 

CAS supports the standardized SAML 1.1 protocol primarily to support attribute release to clients and single sign-out.


Since SAML 1.1 is well-documented elsewhere, this document deals with CAS-specific concerns.

Requesting SAML

A SAML 1.1 ticket validation response is obtained by validating a ticket via POST at the /samlValidate URI. An example request/response follows for a successful ticket validation attempt.

Example Request
Example Response

Client Support

The SAML 1.1 protocol is supported in the following clients as of this writing:

  1. Jasig Java CAS Client 3.1.x, see Saml11TicketValidationFilter Example.
  2. phpCAS 1.1.0, see phpCAS examples#phpCASexamples-SAMLProtocolwithAttributeRelease.
  3. mod_auth_cas 1.0.9
  4. .Net Cas Client

Customizing the SAML artifact used

In different versions of CAS, we've swapped the artifact type created by the SamlCompliantUniqueTicketIdGenerator. Unfortunately, not often for the better! As of CAS 3.4, the generator can handle both.

When constructing an instance of the SamlCompliantUniqueTicketIdGenerator, you may set the "saml2compliant" property to "true" in order to generate SAML2 artifacts. Otherwise SAML1 compliant artifacts are generated.

The example Spring configuration would look like the following (overriding the WEB-INF/spring-configuration/uniqueIdGenerators.xml):

  • No labels