CAS Lightning Talk Jasig-Sakai 2012 Tuesday June 12th 2012 Atlanta, GA Andrew Petro - Unicon, Inc.
What is CAS, anyway?
CAS is open source single sign-on for the Web
Modify applications to rely upon CAS to authenticate the user
Good features
Pluggable, flexible, and malleable
a toolkit for building your institutional login experience
Simple CAS protocol and client libraries
n-tier delegated authentication
password replay still possible if you really want

You are here.

CAS is simple
Example: CAS doesn’t want to *be* your store of credentials, your account management system, your attribute repository.
It wants to leverage your IdM infrastructure to broker Web logins
Kinds of credentials CAS supports:
passwords (bind against LDAP, in a database, ...)
X.509 certificates
OAuth
...

Spring Web Flow
Spring Web Flow useful for adding
Acceptable Use Policy acceptance prompt
stale / expired password warning / enforcement
nuanced authentication error messaging / handling
coarse grained access control
target-application-specific handling
...

Lots of integration libraries
Java / Java Servlet Filter / Spring Security / Apache Shiro / Tomcat
Apache module
.NET
PHP
Perl
Ruby
PAM module
Python
...

Lots of applications with available CAS support
uPortal
Sakai
Drupal
WordPress
Liferay
Blackboard
...

Lots of adopting institutions
Unclear how many?
http://millionshort.com/search.php?q=Jasig+CAS&remove=1000k

Community (via Jasig)
email lists
wiki and issue tracker
source control (now on GitHub)
this conference
...

Implement using Maven overlay
Factor your CAS implementation as pom.xml dependency declaration, local configuration, and local customizations
CAS distribution + your dependencies + your changes + your configuration = your CAS implementation

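As an added illustration of that factoring (not a file from the talk or from the CAS project), here is a minimal overlay pom.xml: the stock webapp is declared as a war dependency and anything you put under src/main/webapp/ overrides the copy in the distribution. The local groupId/artifactId, the LDAP support module chosen as the example dependency and the cas.version value are assumptions to replace with your own.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <!-- Your local project (assumed names; use your institution's) -->
  <groupId>edu.example.iam</groupId>
  <artifactId>local-cas</artifactId>
  <version>1.0-SNAPSHOT</version>
  <packaging>war</packaging>
  <properties>
    <!-- Assumed placeholder: pin the exact 3.5.x release you deploy -->
    <cas.version>3.5.x-REPLACE-ME</cas.version>
  </properties>
  <dependencies>
    <!-- The CAS distribution: the stock webapp, pulled in as a war to overlay -->
    <dependency>
      <groupId>org.jasig.cas</groupId>
      <artifactId>cas-server-webapp</artifactId>
      <version>${cas.version}</version>
      <type>war</type>
      <scope>runtime</scope>
    </dependency>
    <!-- Your dependencies: e.g. the LDAP bind authentication handler module -->
    <dependency>
      <groupId>org.jasig.cas</groupId>
      <artifactId>cas-server-support-ldap</artifactId>
      <version>${cas.version}</version>
    </dependency>
  </dependencies>
  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-war-plugin</artifactId>
        <configuration>
          <warName>cas</warName>
          <overlays>
            <overlay>
              <groupId>org.jasig.cas</groupId>
              <artifactId>cas-server-webapp</artifactId>
              <!-- Your changes and configuration: files under src/main/webapp/
                   with the same path replace the distribution's copies -->
            </overlay>
          </overlays>
        </configuration>
      </plugin>
    </plugins>
  </build>
</project>
```

Because the distribution is never edited in place, upgrading to a new CAS release is a change to cas.version followed by a review of which overridden files still apply.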
CAS 3.5 - what’s new
3.5 “minor” release
Incur some upgrade pain on 3.4 to 3.5
In exchange for new functionality and improvements

Themes
Theme 1: extensions coming into CAS product
Theme 2: incremental honing and maturity

Theme 1: Extensions coming into CAS product
LPPE - LDAP Password / Account status reflection
ClearPass - optional password caching and selective, secure release
EhCache Ticket Registry - another option for ticket state clustering
OAuth2 producer and consumer support - more ways to authenticate users to CAS and to integrate with CAS in relying applications

LPPE - LDAP account status reflection
Why is authentication against LDAP (Active Directory) failing?
Password wrong?
Account is locked?
Other error code?
Now error codes reflected in UI.
Initially integrates with Active Directory, with potential for more error mappings

ClearPass
optional password caching and selective, secure password release to relying applications
This was a separate CAS extension, now drawn into the core CAS product
Off by default. Several steps required to turn on this feature.

Why do I need ClearPass??
Why else do I need ClearPass?
Outlook Web Application CASification?
WebAdvisor CASification?
It’s a tool. You may need it. You may be able to avoid it. Try to avoid.

Do I have to cache and release passwords?
Absolutely not.
Off by default. Very.
But now easier to turn on, with less messing around with Maven and dependency conflict resolution.

EhCache Ticket Registry
Another option for clustering ticket registry state among clustered CAS server nodes
Bridges from CAS TicketRegistry API to EhCache
Options within EhCache for implementing and replicating that cache
RMI
Terracotta

OAuth Producer and Consumer support
and improved OpenID support
Choose to log in via OAuth
Log in at e.g. GitHub
Validating the ticket

Theme 2: Incremental honing and maturity
Regular expressions in service registration matching *
Better SSO session expiration policy *
Improved properties handling
Improved health monitoring
Upgrades to dependencies, Spring framework version, etc.
* = also in later / latest CAS 3.4.x release

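An added example (not configuration from the talk or from the CAS project) of the regex service registration named above, as a deployerConfigContext.xml fragment: the catch-all pattern of the kind the stock configuration ships with is shown beside an anchored, single-host pattern, because the service pattern is what decides which URLs CAS will issue tickets and release attributes to. The Sakai host name is assumed.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- deployerConfigContext.xml fragment: the in-memory service registry -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:p="http://www.springframework.org/schema/p"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd">

  <bean id="serviceRegistryDao" class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
    <property name="registeredServices">
      <list>
        <!-- WEAK: a catch-all regex. Any http(s) or imap(s) URL matches, so any
             site a user can be led to visit is a valid "service" and can be
             handed a ticket for that user, plus released attributes. Keep an
             entry like this only until the real services are registered. -->
        <!--
        <bean class="org.jasig.cas.services.RegexRegisteredService"
              p:id="0" p:name="HTTP and IMAP"
              p:serviceId="^(https?|imaps?)://.*" p:evaluationOrder="10000" />
        -->

        <!-- CORRECTED: anchored at both ends, literal dots escaped, https only,
             one host (assumed name). evaluationOrder picks the winner when more
             than one pattern matches: lower values are checked first. -->
        <bean class="org.jasig.cas.services.RegexRegisteredService"
              p:id="1"
              p:name="Sakai"
              p:description="Campus LMS (assumed host)"
              p:serviceId="^https://sakai\.example\.edu(:443)?/.*$"
              p:enabled="true"
              p:ssoEnabled="true"
              p:allowedToProxy="false"
              p:anonymousAccess="false"
              p:evaluationOrder="10" />
      </list>
    </property>
  </bean>
</beans>
```

A quick check when reviewing a registry: every serviceId should start with `^`, name the scheme, and escape each `.` in the host, otherwise `sakai.example.edu` also matches `sakaiXexample.edu` and similar look-alikes.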
SSO session expiration policy
(“TicketGrantingTicket” expiration policy)
Set both a hard timeout
And a sliding window idle timeout

Improved properties handling
More in cas.properties
Sensible defaults optionally overridden by cas.properties (set what you change)
Easier to put cas.properties outside of the .war
Logging configuration file location set in cas.properties
(Those were all old, actually)
The incremental feature in CAS 3.5 is additional monitoring, suitable for targeting with an automated probe.

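As an added example tying the SSO session expiration slide and the properties handling slide together (not configuration from the talk or from the CAS project), here is a ticketExpirationPolicies.xml fragment showing the idle-only policy beside the hard-plus-idle policy, with the values taken from cas.properties placeholders so that only what you change needs to appear there. The bean id follows the stock file; the timeout values are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- ticketExpirationPolicies.xml fragment: how long an SSO session (TGT) lives -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:p="http://www.springframework.org/schema/p"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd">

  <!-- BEFORE: sliding idle timeout only (constructor value is milliseconds,
       7200000 ms = 2 h). A session touched at least once every two hours is
       renewed indefinitely, so a TGT cookie lifted from a busy workstation
       keeps working for as long as that workstation stays busy. -->
  <!--
  <bean id="grantingTicketExpirationPolicy"
        class="org.jasig.cas.ticket.support.TimeoutExpirationPolicy">
    <constructor-arg index="0" value="7200000" />
  </bean>
  -->

  <!-- AFTER: hard cap AND sliding idle window; the TGT expires when either
       limit is hit. Values come from cas.properties and the number after the
       colon is the default used when the key is absent, so the equivalent
       explicit lines in cas.properties would be (assumed values):
         tgt.maxTimeToLiveInSeconds=28800   # 8 h, regardless of activity
         tgt.timeToKillInSeconds=7200       # 2 h without activity -->
  <bean id="grantingTicketExpirationPolicy"
        class="org.jasig.cas.ticket.support.TicketGrantingTicketExpirationPolicy"
        p:maxTimeToLiveInSeconds="${tgt.maxTimeToLiveInSeconds:28800}"
        p:timeToKillInSeconds="${tgt.timeToKillInSeconds:7200}" />
</beans>
```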
Contact information
Andrew Petro
[email protected]@unicon.net
http://www.unicon.net/blog/apetro
http://www.unicon.net/contact