Difference between Shibboleth and CAS?

Question

Please explain what the differences are between Shibboleth and CAS?

Answer 1

The first (Shibboleth) is a server and the second (CAS) a protocol. It makes more sense to compare Central Authentication Service (CAS) with Security Assertion Markup Language (SAML), which is the protocol used by Shibboleth. Both can be used to implement a centralized Single Sign-On (SSO).

Answer 2

Many people use CAS and Shibboleth in conjunction with each other. Look at CAS as an authentication (of the user usually stored in LDAP) and authorization (of the requesting web service) engine. Shibboleth, which is actually two components, the SP (Service Provider) which requests attributes and the IDP (Identity Provider) which broadcasts attributes, is a federating engine which makes the attributes (possibly also stored in the same LDAP) available once the user has been authenticated and the service authorized.

While both can be used to provide SSO, CAS is best at managing the session state (and possible persistence) while Shibboleth is best at parsing and presenting attributes requested by service providers. I've implemented both CAS and Shibboleth and found the documentation at both the Shibboleth and the Jasig(CAS) wikis to be of great use.

Answer 3

CAS is an authentication provider which is best used for Single-Sign-On to many services/applications with one logon. However, CAS has its limitation of releasing additional attributes to service. That's where Shib has its most advantage as it provides administrators the ability to configure a unique set of attributes to different services.

Mr.BMW, how did you integrate CAS and Shib? It looks like there are several ways of doing it. CAS is our primary authentication provider and we have heavy investments in there. We recently got Shib installed and wonder what is the best way to integrate both. Any insight would be appreciated.