Cas iu-pres

Posted on 24-Jun-2015


To CAS 3 and Beyond:The Story of a CAS Upgrade

Nubli Kasa, mohdkas@iu.edu

Misagh Moayyed, mmoayyed@unicon.net

Open Apereo - June 1-4 2014

Agenda

Introduction

Environment Overview

Functional Requirements

Features Overview

Demo

Development Workflow

Discussion & Questions

Introduction: Nubli Kasa

Lead Systems Analyst / Programmer at Identity Management Systems

With Indiana University for 6 years

Technical lead for the project; responsible for managing CAS and Shibboleth deployments

Introduction: Misagh Moayyed

IAM Consultant @ Unicon

3 years with Unicon; 5 years with Jasig/Apereo

Unicon’s technical lead for the project

Current Environment

Current CAS is based on Yale CAS v2

Diverged from Apereo CAS in many ways

Utilizes a large set of AppCodes

◦ Authentication request type, authorization, …

StepUp Authentication; staff and admin permissions

Challenges to meet business needs have led to many large and small CAS changes.

Functional Requirements

Upgrade to CAS 3.5.2

Design and Implementation of AppCodes

◦ Dynamic UI Rendering

◦ AppCode Validation vs. StepUp AuthN

Primary AuthN via JAAS & Kerberos

StepUp AuthN via RADIUS

Protocol extension; Support for IUCAS

Active-Active HA Deployment with EhCache

What is an AppCode?

Token to describe the requesting app

◦What theme to use?

◦What authentication methods to allow?

Analogous yet parallel to service registry

Grouped by 4 primary AppCodes

◦IU, GUEST, SAFEWORD, ANY

Recognize changes automatically

AppCodeRegistry

Dynamic Theme Selection

AppCode groups can specify

themes

AppCodeResourceViewResolver

Primary AuthN: Jaas & Krb

Jaas.conf:

Krb5.conf:

Problem: how do we tie realms to KDCs?!

New JaasAuthenticationHandler

No Krb5.conf; System Props instead:

◦ java.security.krb5.realm

◦ java.security.krb5.kdc

Let CAS pick Realms and KDCs!
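The mechanics behind that slide, as an added example that is not IU's handler and not CAS's own JaasAuthenticationHandler: a JAAS login that uses Krb5LoginModule with an in-code Configuration (so no jaas.conf) and sets java.security.krb5.realm and java.security.krb5.kdc itself (so no krb5.conf). The class name KrbRealmJaasHandler, the entry name CAS, and the realm and KDC values in main are assumptions.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/** Added example, not CAS code: JAAS + Krb5LoginModule with realm and KDC chosen in code. */
public final class KrbRealmJaasHandler {

    private static final String ENTRY_NAME = "CAS"; // assumed JAAS entry name

    /** In-code equivalent of a one-entry jaas.conf, so no file is needed. */
    private static final Configuration JAAS_CONFIG = new Configuration() {
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            if (!ENTRY_NAME.equals(name)) {
                return null;
            }
            Map<String, String> opts = new HashMap<>();
            opts.put("useTicketCache", "false");   // a web login must never reuse a cached TGT
            opts.put("storeKey", "false");         // nothing to keep after the password check
            opts.put("refreshKrb5Config", "true"); // re-read the krb5.* properties on every login
            return new AppConfigurationEntry[] {
                new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts)
            };
        }
    };

    private final String realm;
    private final String kdc;

    /** One handler per realm/KDC pair; CAS decides which handler to run. */
    public KrbRealmJaasHandler(String realm, String kdc) {
        this.realm = realm;
        this.kdc = kdc;
    }

    public boolean authenticate(String username, char[] password) {
        // Refuse names carrying a realm: the handler chose the realm, the user must not override it.
        if (username == null || username.isEmpty() || username.indexOf('@') >= 0) {
            return false;
        }
        // Replaces krb5.conf. The two properties must be set together, and they are JVM-global:
        // concurrent logins through handlers for different realms would race on them.
        System.setProperty("java.security.krb5.realm", realm);
        System.setProperty("java.security.krb5.kdc", kdc);
        try {
            LoginContext lc = new LoginContext(ENTRY_NAME, new Subject(),
                    new FormCallbackHandler(username, password), JAAS_CONFIG);
            lc.login();
            lc.logout();
            return true;
        } catch (LoginException e) {
            return false; // a bad password and an unreachable KDC look the same to the client
        } finally {
            Arrays.fill(password, '\0');
        }
    }

    /** Answers Krb5LoginModule's NameCallback and PasswordCallback from the submitted form. */
    private static final class FormCallbackHandler implements CallbackHandler {
        private final String username;
        private final char[] password;

        FormCallbackHandler(String username, char[] password) {
            this.username = username;
            this.password = password;
        }

        @Override
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(username);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        }
    }

    public static void main(String[] args) {
        // Assumed realm and KDC; needs a reachable KDC to produce a meaningful answer.
        KrbRealmJaasHandler handler = new KrbRealmJaasHandler("ADS.EXAMPLE.EDU", "kdc.ads.example.edu");
        System.out.println(handler.authenticate(args[0], args[1].toCharArray()));
    }
}
```

Two caveats a deployer should check: the JDK refuses to start Kerberos with only one of the two properties set, and because they are system properties the "let CAS pick the realm" model only holds if logins against different realms never overlap in the same JVM (or are serialized); the refreshKrb5Config option makes the module re-read them but does not make them per-thread.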

StepUp RADIUS AuthN Config

Additional properties for NAS settings

StepUp AuthN via RADIUS

Primarily based on the @cas-mfa codebase:

◦https://github.com/Unicon/cas-mfa

Initiated by the SAFEWORD AppCode

CAS remembers a single AppCode and knows its relationship to the other AppCodes

StepUp AuthN Rules

Depending on the credentials presented, ANY can be either IU or GUEST!
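How the four primary AppCodes, the theme lookup and the step-up rule fit together, as an added example written for this page (it is not IU's AppCodeRegistry or AppCodeResourceViewResolver). The class and method names, the AuthLevel ordering, and the policy that SAFEWORD means Kerberos plus a RADIUS factor, that GUEST accounts never satisfy IU, and that ANY accepts either, are all assumptions made for the example.

```java
import java.util.Collections;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/** Added example, not IU's code: AppCode lookup, theme selection and the step-up decision. */
public final class AppCodeRegistry {

    /** Strength of the credentials behind the current SSO session (assumed ordering). */
    public enum AuthLevel { NONE, GUEST, IU, SAFEWORD }

    public enum Decision { ALLOW, PRIMARY_LOGIN, STEP_UP_RADIUS, REJECT_UNKNOWN_APPCODE }

    /** One of the four primary groups: its theme and which session levels satisfy it. */
    static final class Group {
        final String theme;
        final Set<AuthLevel> satisfiedBy;

        Group(String theme, Set<AuthLevel> satisfiedBy) {
            this.theme = theme;
            this.satisfiedBy = Collections.unmodifiableSet(satisfiedBy);
        }
    }

    private final Map<String, Group> groups = new HashMap<>();
    private final Map<String, String> appCodes = new HashMap<>(); // AppCode -> group

    public AppCodeRegistry() {
        // Assumed policy. Theme names are assumed too.
        groups.put("IU",       new Group("iu",    EnumSet.of(AuthLevel.IU, AuthLevel.SAFEWORD)));
        groups.put("GUEST",    new Group("guest", EnumSet.of(AuthLevel.GUEST)));
        groups.put("SAFEWORD", new Group("iu",    EnumSet.of(AuthLevel.SAFEWORD)));
        groups.put("ANY",      new Group("iu",    EnumSet.of(AuthLevel.GUEST, AuthLevel.IU, AuthLevel.SAFEWORD)));
        // The group names are AppCodes themselves, so an app may ask for "IU" directly.
        for (String g : groups.keySet()) {
            appCodes.put(g, g);
        }
    }

    /** Registers an application's AppCode under one of the four groups. */
    public void register(String appCode, String group) {
        if (!groups.containsKey(group)) {
            throw new IllegalArgumentException("unknown group " + group);
        }
        appCodes.put(normalize(appCode), group);
    }

    /** Applies the ${appcode:IU} default: a missing or blank request parameter means IU. */
    public static String resolve(String requestParam) {
        return (requestParam == null || requestParam.trim().isEmpty()) ? "IU" : normalize(requestParam);
    }

    /** Theme for the requesting app, or null when the AppCode is not registered. */
    public String themeFor(String appCode) {
        String group = appCodes.get(normalize(appCode));
        return group == null ? null : groups.get(group).theme;
    }

    /** What the login flow must do for appCode when the browser holds a session at the given level. */
    public Decision decide(String appCode, AuthLevel session) {
        String groupName = appCodes.get(normalize(appCode));
        if (groupName == null) {
            // The parameter is attacker-controlled: never fall back to a permissive group.
            return Decision.REJECT_UNKNOWN_APPCODE;
        }
        Group group = groups.get(groupName);
        if (group.satisfiedBy.contains(session)) {
            return Decision.ALLOW;
        }
        if ("SAFEWORD".equals(groupName) && session == AuthLevel.IU) {
            return Decision.STEP_UP_RADIUS; // keep the Kerberos session, add the OTP factor
        }
        return Decision.PRIMARY_LOGIN; // no session, or a GUEST session that cannot be stepped up
    }

    private static String normalize(String s) {
        return s.trim().toUpperCase(Locale.ROOT);
    }

    public static void main(String[] args) {
        AppCodeRegistry r = new AppCodeRegistry();
        r.register("payroll", "SAFEWORD"); // constructed app registrations
        r.register("library", "ANY");
        System.out.println("no session, no appcode param: " + r.decide(resolve(null), AuthLevel.NONE));
        System.out.println("IU session asks for payroll:  " + r.decide("payroll", AuthLevel.IU));
        System.out.println("GUEST session asks for payroll: " + r.decide("payroll", AuthLevel.GUEST));
        System.out.println("GUEST session asks for library: " + r.decide("library", AuthLevel.GUEST));
        System.out.println("unregistered appcode:          " + r.decide("bogus", AuthLevel.SAFEWORD));
        System.out.println("theme for library:             " + r.themeFor("library"));
    }
}
```

The point worth keeping from the example is the REJECT path: since the AppCode arrives as a request parameter, an unknown value must fail closed rather than resolve to ANY, or a caller could pick the weakest authentication path for any application.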

CAS Protocol Extensions

IU CAS Protocol    CAS Protocol Equivalent

cassvc             ${appcode:IU} (the AppCode, defaulting to IU)

casurl             service

casticket          ticket

CAS Validation Response:

EhCacheTicketRegistry

Distributed cache across live nodes

Replication via Java RMI; manual discovery

Two separate caches for STs and TGTs

No need for ticket registry cleaners!

Simple setup; no external process required

EhCache Replication

RMI replication & manual peer discovery

Specify “other” nodes in the cluster

Discoverable Host Names

Single cas.properties file for all nodes

Discover ${host.name} automatically
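The EhCache setup those two slides describe (two replicated caches, manual RMI peer discovery, one node list shared by every node, self excluded by host name), built programmatically with the Ehcache 2.x configuration API as an added example; it is not IU's deployment file nor CAS's ehcacheTicketRegistry.xml. The class name, the RMI port 41001, the host names, and the cache sizes are assumptions; the TTL/TTI values mirror CAS 3.5's default service-ticket and ticket-granting-ticket lifetimes.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import net.sf.ehcache.CacheManager;
import net.sf.ehcache.config.CacheConfiguration;
import net.sf.ehcache.config.Configuration;
import net.sf.ehcache.config.FactoryConfiguration;

/** Added example, not IU's config: replicated ST and TGT caches with manual RMI peer discovery. */
public final class ClusteredTicketCaches {

    static final String PEER_PROVIDER = "net.sf.ehcache.distribution.RMICacheManagerPeerProviderFactory";
    static final String PEER_LISTENER = "net.sf.ehcache.distribution.RMICacheManagerPeerListenerFactory";
    static final String REPLICATOR    = "net.sf.ehcache.distribution.RMICacheReplicatorFactory";
    static final String BOOTSTRAP     = "net.sf.ehcache.distribution.RMIBootstrapCacheLoaderFactory";
    static final String[] CACHES = { "serviceTicketsCache", "ticketGrantingTicketsCache" };

    /** The value cas.properties carries as ${host.name}; falls back to the OS host name. */
    static String localHostName() {
        String configured = System.getProperty("host.name");
        if (configured != null && !configured.isEmpty()) {
            return configured;
        }
        try {
            return InetAddress.getLocalHost().getCanonicalHostName();
        } catch (UnknownHostException e) {
            throw new IllegalStateException("cannot determine host.name", e);
        }
    }

    /** Manual peer discovery: every cluster node except ourselves, for every cache. */
    static String rmiUrls(List<String> allNodes, String self, int rmiPort) {
        List<String> urls = new ArrayList<>();
        for (String node : allNodes) {
            if (node.equalsIgnoreCase(self)) {
                continue; // same file on every node; drop our own entry
            }
            for (String cache : CACHES) {
                urls.add("//" + node + ":" + rmiPort + "/" + cache);
            }
        }
        return String.join("|", urls);
    }

    static CacheConfiguration ticketCache(String name, int maxEntries, long ttlSeconds, long idleSeconds) {
        CacheConfiguration c = new CacheConfiguration(name, maxEntries)
                .eternal(false)
                .timeToLiveSeconds(ttlSeconds)   // cache expiry stands in for a registry cleaner
                .timeToIdleSeconds(idleSeconds);
        c.addCacheEventListenerFactory(new CacheConfiguration.CacheEventListenerFactoryConfiguration()
                .className(REPLICATOR)
                // synchronous: a ST issued on one node must validate on any other node right away
                .properties("replicateAsynchronously=false,replicatePuts=true,replicateUpdates=true,"
                        + "replicateRemovals=true,replicateUpdatesViaCopy=true"));
        c.addBootstrapCacheLoaderFactory(new CacheConfiguration.BootstrapCacheLoaderFactoryConfiguration()
                .className(BOOTSTRAP)
                .properties("bootstrapAsynchronously=true")); // pull live tickets on node start
        return c;
    }

    static Configuration build(List<String> allNodes, int rmiPort) {
        String self = localHostName();
        Configuration cfg = new Configuration().name("casTicketRegistry");
        cfg.addCacheManagerPeerProviderFactory(new FactoryConfiguration()
                .className(PEER_PROVIDER)
                .properties("peerDiscovery=manual,rmiUrls=" + rmiUrls(allNodes, self, rmiPort)));
        cfg.addCacheManagerPeerListenerFactory(new FactoryConfiguration()
                .className(PEER_LISTENER)
                .properties("hostName=" + self + ",port=" + rmiPort + ",socketTimeoutMillis=2000"));
        cfg.addCache(ticketCache(CACHES[0], 10000, 10, 0));        // STs: 10 s, single use
        cfg.addCache(ticketCache(CACHES[1], 10000, 28800, 7200));  // TGTs: 8 h max, 2 h idle
        return cfg;
    }

    public static void main(String[] args) {
        // Constructed cluster list; the same list ships in the single cas.properties on every node.
        List<String> nodes = Arrays.asList("cas1.example.edu", "cas2.example.edu", "cas3.example.edu");
        System.out.println("peers: " + rmiUrls(nodes, localHostName(), 41001));
        CacheManager manager = new CacheManager(build(nodes, 41001));
        System.out.println("caches: " + Arrays.toString(manager.getCacheNames()));
        manager.shutdown();
    }
}
```

Two things to verify in such a deployment: the RMI replication stream is plain Java serialization with no authentication or encryption, and it carries TGTs, i.e. live SSO sessions, so the listener port must be reachable only from the other cluster nodes; and because expiry is now enforced by the cache rather than by CAS, the TTL/TTI values must match the ticket expiration policies exactly, or a ticket can be evicted while CAS still considers it valid (or the reverse).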

Demo

Development Workflow

BitBucket Git repository; code + docs

Real-time issue tracking & collaboration

Automated deployment via Jenkins CI

Questions?

Open Apereo - June 1-4 2014

Nubli Kasa, mohdkas@iu.edu

Misagh Moayyed, mmoayyed@unicon.net