CAS Lightning Talk Jasig-Sakai 2012 Tuesday June 12th 2012 Atlanta, GA Andrew Petro - Unicon, Inc.

Post on 13-Jan-2016


CAS Lightning Talk

Jasig-Sakai 2012

Tuesday June 12th 2012

Atlanta, GA

Andrew Petro - Unicon, Inc.

What is CAS, anyway?

CAS is

open source

single sign-on

for the Web

Modify applications to rely upon CAS to authenticate the user

Good features

Pluggable, flexible, and malleable

a toolkit for building your institutional login experience

Simple CAS protocol and client libraries

n-tier delegated authentication

password replay still possible if you really want

You are here.


CAS is simple

Example: CAS doesn’t want to *be* your store of credentials, your account management system, your attribute repository.

It wants to leverage your IdM infrastructure to broker Web logins

Kinds of credentials CAS supports:

passwords (bind against LDAP, in a database, ...)

X.509 certificates

OAuth

...

Spring Web Flow

Spring Web Flow useful for adding

Acceptable Use Policy acceptance prompt

stale / expired password warning / enforcement

nuanced authentication error messaging / handling

coarse-grained access control

target-application-specific handling

...

Lots of integration libraries

Java / Java Servlet Filter / Spring Security / Apache Shiro / Tomcat

Apache module

.NET

PHP

Perl

Ruby

PAM module

Python

...

Lots of applications with available CAS support

uPortal

Sakai

Drupal

WordPress

Liferay

Blackboard

...

Lots of adopting institutions

Unclear how many?

http://millionshort.com/search.php?q=Jasig+CAS&remove=1000k

Community (via Jasig)

email lists

wiki and issue tracker

source control (now on GitHub)

this conference

...

Implement using Maven overlay

Factor your CAS implementation as pom.xml dependency declaration, local configuration, and local customizations

CAS distribution + your dependencies + your changes + your configuration = your CAS implementation

CAS 3.5 - what’s new

3.5 “minor” release

Expect some upgrade pain going from 3.4 to 3.5

In exchange for new functionality and improvements

Themes

Theme 1: extensions coming into CAS product

Theme 2: incremental honing and maturity

Theme 1: Extensions coming into CAS product

LPPE - LDAP Password / Account status reflection

ClearPass - optional password caching and selective, secure release

EhCache Ticket Registry - another option for ticket state clustering

OAuth2 producer and consumer support - more ways to authenticate users to CAS and to integrate with CAS in relying applications

LPPE - LDAP account status reflection

Why is authentication against LDAP (Active Directory) failing?

Password wrong?

Account is locked?

Other error code?

Now error codes reflected in UI.

Initially integrates with Active Directory, with potential for more error mappings

ClearPass

optional password caching and selective, secure password release to relying applications

This was a separate CAS extension, now drawn into the core CAS product

Off by default. Several steps required to turn on this feature.

Why do I need ClearPass??

Why else do I need ClearPass?

Outlook Web Application CASification?

WebAdvisor CASification?

It’s a tool. You may need it. You may be able to avoid it. Try to avoid.

Do I have to cache and release passwords?

Absolutely not.

Off by default. Very.

But now easier to turn on, with less messing around with Maven and dependency conflict resolution.

EhCache Ticket Registry

Another option for clustering ticket registry state among clustered CAS server nodes

Bridges from CAS TicketRegistry API to EhCache

Options within EhCache for implementing and replicating that cache

RMI

Terracotta

OAuth Producer and Consumer support

and improved OpenID support

Choose to login via OAuth

Login at e.g. GitHub

Validating the ticket

Theme 2: Incremental honing and maturity

Regular expressions in service registration matching *

Better SSO session expiration policy *

Improved properties handling

Improved health monitoring

Upgrades to dependencies, Spring framework version, etc.

* = also in later / latest CAS 3.4.x release
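The regular-expression service matching mentioned above, as an added illustrative model (not CAS code): a registry of allowed service URL patterns, matched against the whole service URL, beside the weaker "match anywhere" variant that a registry author should avoid. The registry entries and URLs are constructed for the example.

```python
import re

# Constructed registry: (name, pattern). Dots in hostnames are escaped so that
# "portal.example.edu" does not also accept "portalXexample.edu".
REGISTERED_SERVICES = [
    ("portal", r"https://portal\.example\.edu/.*"),
    ("lms",    r"https://lms\.example\.edu(/.*)?"),
]


def find_service(service_url, registry=REGISTERED_SERVICES):
    """Return the name of the first registered service whose pattern matches
    the ENTIRE service URL, or None if no entry matches.

    Whole-string matching is what prevents a pattern from accepting a URL
    that merely contains a registered URL somewhere inside it."""
    for name, pattern in registry:
        if re.fullmatch(pattern, service_url):
            return name
    return None


def find_service_unanchored(service_url, registry=REGISTERED_SERVICES):
    """Weaker variant kept only for comparison: re.search accepts any URL that
    contains a match anywhere, e.g. inside a query-string parameter."""
    for name, pattern in registry:
        if re.search(pattern, service_url):
            return name
    return None
```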

SSO session expiration policy

(“TicketGrantingTicket” expiration policy)

Set both a hard timeout

And a sliding window idle timeout
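The combined policy described on this slide, as an added illustrative model (not CAS code): a ticket-granting ticket expires when either the hard lifetime since creation is exceeded or the sliding idle window since its last use is exceeded, and every honoured use slides the idle window. Timestamps are a constructed clock in seconds, not wall time; the timeout values in the simulation are assumptions.

```python
from dataclasses import dataclass


@dataclass
class TicketGrantingTicket:
    created_at: float      # seconds on a constructed clock
    last_used_at: float
    uses: int = 0


@dataclass
class TgtExpirationPolicy:
    max_time_to_live: float  # hard timeout: seconds since creation
    time_to_kill: float      # sliding idle timeout: seconds since last use

    def is_expired(self, tgt, now):
        lived = now - tgt.created_at
        idle = now - tgt.last_used_at
        # Either limit alone is enough to expire the SSO session.
        return lived >= self.max_time_to_live or idle >= self.time_to_kill

    def touch(self, tgt, now):
        """Record a use of the TGT (e.g. granting a service ticket).
        Returns False, leaving the ticket untouched, if it has already expired;
        otherwise slides the idle window forward and returns True."""
        if self.is_expired(tgt, now):
            return False
        tgt.last_used_at = now
        tgt.uses += 1
        return True


def simulate(policy, use_times):
    """Replay constructed use events against a fresh TGT created at t=0 and
    return [(time, honoured)] so the effect of each timeout can be checked."""
    tgt = TicketGrantingTicket(created_at=0.0, last_used_at=0.0)
    return [(t, policy.touch(tgt, t)) for t in use_times]
```

With only an idle timeout, a session that is used regularly never ends; the hard timeout is what bounds it.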

Improved properties handling

More in cas.properties

Sensible defaults optionally overridden by cas.properties (set what you change)

Easier to put cas.properties outside of the .war

Logging configuration file location set in cas.properties

(Those were all old, actually)

The incremental feature in CAS 3.5 is additional monitoring, suitable for targeting with an automated probe.

Contact information

Andrew Petro

apetro@unicon.net

http://www.unicon.net/blog/apetro

http://www.unicon.net/contact