CAS state of the project: Open Apereo 2015
Open Apereo - June 1-4 2015
The latest about the Central Authentication Service
Misagh Moayyed
This session will summarize the achievements in the latest available Central Authentication Service server product, client library releases, available plugins and enhancements in the community around CAS.
Also see Open Apereo 2014 presentation: http://lanyrd.com/2014/apereo/sczzxx/
This Session
Introduction
CAS Releases
CAS 4.1.x
CAS Clients
CAS and Shibboleth
Questions and Discussion
Agenda
Monday:
◦ 10:30am - ESUP CAS Packaging
Tuesday:
◦ 10:30am – The latest news about CAS
Wednesday:
◦ 11:45am - A tale of two factors: 2FA AuthN with CAS
CAS at Apereo 2015
CAS Committer; PMC member
Software Engineer/IAM Consultant
4 years with Unicon; 6 years with Apereo
Introduction: Misagh Moayyed
https://twitter.com/misagh84
https://github.com/mmoayyed
Free and open source enterprise single sign-on for the web
Open well-documented protocol
Java server software; plethora of client libraries
What is CAS?
CAS Maven WAR Overlay
Recommended method to deploy CAS
Local source control with only your custom CAS recipe (in pom.xml) and your customizations and configuration
Maven overlay builds this on top of specified CAS server version
https://github.com/UniconLabs/simple-cas4-overlay-template
Releases
Available
◦ 3.5.x release: CAS 3.5.3
◦ 4.x release: CAS 4.0.1
Upcoming
◦ CAS 3.6.0
  ▪ OAuth/OpenId security improvements
  ▪ LDAP authN bug fix
  ▪ Proxy authN configuration bug fix
◦ CAS 4.0.2
  ▪ UI and Internationalization bug fixes
  ▪ OAuth/OpenId security improvements
Releases
CAS 4.1.x
CAS 4.1.x: History
Development since May 2014
130+ issues/pull requests resolved
4.1.0-SNAPSHOT releases to Maven central/overlays
Docs will be available at: http://jasig.github.io/cas/4.1.0/
CAS 4.1.x: Features
◦ CAS management webapp
◦ Client-side session management
◦ CAS security filter v2.0.2
◦ Fetch CRLs from Ldap
◦ Require service for authN
◦ Config state report
◦ Metrics/Stats reports
◦ OpenId Connect / Pac4j v1.7
◦ “Public workstation”
CAS 4.1.x: Features
◦ Acceptable usage policy flow
◦ SSO sessions report
◦ CAS cookie encryption+signing
◦ OpenSAML v3.1.1
◦ Password/PGT as user attributes
◦ Role-based service authz
◦ JSON service registry
◦ SAML 1.1 “TARGET” validation
◦ OAuth bypass approval prompt
CAS 4.1.x: Features
◦ Deprecated JBoss, Uber-Webapp, Restlet
◦ Hostname auto-gen for HA deployment
◦ CAS local keystore config
◦ Principal attribute caching
◦ Dynamic salt for JDBC authN
◦ SLO/Logo/Logout url per service
◦ TGT/PGT encryption in logs
◦ SPNEGO client selection strategies
◦ 3rd party libraries update
◦ Many others…
Demo
CAS Clients
Features include:
◦ OpenSAML dependency now optional
◦ Support for CAS /p3/serviceValidate
◦ Configuration strategy from system, web, context and external
◦ Other bug fixes
Java CAS Client: v3.4.0
Externalized Configuration
Specify in an external properties resource
Build once, deploy everywhere
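<!-- Read the CAS client settings from a properties file rather than from web.xml -->
<context-param>
  <param-name>configurationStrategy</param-name>
  <param-value>PROPERTY_FILE</param-value>
</context-param>
<!-- Location of that properties file on the host -->
<context-param>
  <param-name>configFileLocation</param-name>
  <param-value>/etc/java-cas-client.properties</param-value>
</context-param>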
CAS and Shibboleth
CAS protocol v2 built into IdP v3
AuthN via IdP; client exchange via CAS
Enabled per relying party config
Service registry analogue to SAML metadata
More at: http://bit.ly/1QOshTM
CAS support in Shibboleth IdP v3
Compatible with Shibboleth IdP v3.x
Delegate Shib IdP authN to CAS server
CAS authN webflow
Configuration in idp.properties
Available at: https://github.com/Unicon/shib-cas-authn3
Shib-CAS Authenticator v3
Evaluate features, use cases and requirements before adoption
Leverage CAS support in IdP v3 for existing CAS client applications
Delegate IdP authN to a CAS server via shib-cas-authn3
Shib+CAS Integration Patterns
CAS Extensions
CAS acting as a SAML SP: https://github.com/UniconLabs/cas-saml-auth
Java CAS client auto configuration: https://github.com/Unicon/cas-client-autoconfig-support
CAS [micro] add-ons: https://github.com/unicon-cas-addons
CAS Extensions
CAS NextGen
Roadmap under development
◦ SAML SP support
◦ MFA support
◦ ADFS support
◦ SSO management redesign
◦ OAuth redesign
◦ Front-channel logout
◦ Java 8
◦ …
Join the @cas-dev mailing list
CAS AppSec Working Group:
◦ https://wiki.jasig.org/display/CAS/CAS+AppSec+Working+Group
CAS NextGen
Questions?
https://twitter.com/misagh84
https://github.com/mmoayyed