Is it possible to pass authentication from an old CAS 3.5.3 Server to a recent Keycloak 15.0.2 with SSO?

Question

I have an existing JSF application that is secured by a CAS Server (version 3.5.3).

Due to customizations I am not able to update the CAS Server to a new version. So there are no OIDC, OAuth2 or other state-of-the-art protocols available. Only CAS and an early version of SAML I think.

I would like to establish SSO to an external Keycloak of a service provider. They want me to set up an internal Identity Provider that connects to their external IDP.

I have done this before with Keycloak, but in that old case my internal Keycloak has been the single point of authentication. This time it's CAS.

Is there a way to pass the authentication from CAS 3.5.3 to my internal Keycloak without logging in again?

I have thought of implementing a Custom User Storage Provider SPI to connect to my existing user database. But then I would have to log in again to my Keycloak. Is this true?

Is this achievable by implementing the CAS protocol to my internal Keycloak using an CAS Extension? I think that this allows Keycloak to crate a client using CAS protocol, but not to SSO by an existing CAS server and the user has to login to my Keyloak. Please correct me, if I'm wrong.

Answer 1

Is there a way to pass the authentication from CAS 3.5.3 to my internal Keycloak without logging in again?

No, and if there is one, it will require LOTS and LOTS of coding and development. If you're not able to upgrade, you most likely will not be able to make such changes anyway.

There is an plugin for external SAML2 authentication here, which should allow CAS login requests to be redirected to an external SAML2 IDP:

https://github.com/UniconLabs/cas-saml-auth

If your keycloak supports SAML2, maybe this can work. Note that the plugin has not been touched since 2016, and there is no support for it from anyone. You will be 100% on your own, if you decide to go with it.