Latest CAS News 2014

Open Apereo - June 1-4 2014 The Latest about the Central Authentication Service Misagh Moayyed [email protected]

Transcript of Latest CAS News 2014

Page 1: Latest CAS News 2014

Open Apereo - June 1-4 2014

The Latest about the Central Authentication Service

Misagh Moayyed [email protected]

Page 2: Latest CAS News 2014

Introduction

CAS 3.4/3.5 Security Releases

CAS 4

CAS Addons

CAS Clients

CAS and Shibboleth

Questions and Discussion


Page 3: Latest CAS News 2014

This session will summarize the achievements in the latest available Central Authentication Service server product and client library releases and available plugins and enhancements in the community around CAS.


Page 4: Latest CAS News 2014

Sunday:

◦ CAS & Shibboleth for Enterprise WebSSO

Monday:

◦ Latest about the Central Authentication Service

◦ To CAS 3 and beyond: The story of a CAS upgrade

Tuesday:

◦ A tale of two factors: 2FA authentication with CAS

◦ How to CASify PeopleSoft; Integrating CAS and ADFS

Wednesday:

◦ Creating a Customizable Dynamic CAS Theme

◦ CAS implementation at Oakland University


Page 5: Latest CAS News 2014

CAS Committer and PMC member

3 years with Unicon; 5 years with Jasig/Apereo

Technical lead for Unicon’s Open Source Support for CAS


https://twitter.com/misagh84

https://github.com/mmoayyed

[email protected]

Page 6: Latest CAS News 2014

Support, services, training, managed services and custom projects on and around enterprise open source in and around higher education

Identity and Access Management team working with CAS, Shibboleth, Grouper, OpenRegistry, …

Open Source Support for CAS, Shibboleth, Grouper, Sakai, uPortal, uMobile, SSP, …


Page 7: Latest CAS News 2014

Free and open source enterprise single sign-on for the web

Open well-documented protocol

Java server software; plethora of client libraries


Page 8: Latest CAS News 2014


Page 9: Latest CAS News 2014


Recommended method to deploy CAS

Local source control (Git? GitHub?) with only your custom CAS recipe (in pom.xml) and your customizations and configuration

Maven overlay builds this on top of specified CAS server version

https://github.com/Unicon/unicon-cas-overlay

Page 10: Latest CAS News 2014


Page 11: Latest CAS News 2014


CAS Security Releases

Page 12: Latest CAS News 2014

Backward-compatible security releases: v3.5.2.1 and v3.4.12.1

Patch for SAML 2/Google Accounts integration components

You SHOULD upgrade immediately, if you have enabled Google Apps support for CAS


Page 13: Latest CAS News 2014


CAS4

Page 14: Latest CAS News 2014

Current stable major release

Improvements include:

◦ CAS protocol v3 release

◦ Build/Documentation improvements

◦ Greater modularity

◦ Redesigned authentication APIs

◦ Many more…

The release is NOT backward-compatible with 3.5.x!


Page 15: Latest CAS News 2014

First commit on Feb 26th 2013

4 RCs; GA release on May 7th 2014

165 resolved JIRA issues

181 closed pull requests

900 git commits

7 committers; 17 contributors


Page 16: Latest CAS News 2014

New:

◦ User attributes in ticket validation response

◦ Strengthen proxy callback failure response

◦ authenticationDate, memberOf, isFromNewLogin attributes

Improved:

◦ Inclusion of Single Logout

◦ Inclusion of /samlValidate endpoint

◦ Compliant with common community practices


Page 17: Latest CAS News 2014


Page 18: Latest CAS News 2014

Build and Deployment

◦ Using Travis CI for internal builds

◦ Auto-deployment of Javadocs and reports

◦ Maven WAR Overlay for deployments

Documentation

◦ GitHub Pages site: http://jasig.github.io/cas/

Demos on Heroku

◦ CAS WebApp: https://jasigcas.herokuapp.com

◦ Mgmt Webapp: https://jasigcasmgmt.herokuapp.com


Page 19: Latest CAS News 2014

New AuthN API to support MFA

New /p3/serviceValidate endpoint for user attributes

New submodules for SAML, Management, OAuth, …

Dependency upgrades

LDAP AuthN and Password Policy improvements

User Attribute Filters

Front-channel Logout

Disallow Empty Service Registry

English as Default Locale

JS File in Themes

Language Bundle updates

Default Proxy AuthN set to Off

Many more…


Page 20: Latest CAS News 2014


“uid != password”

The default credentials are: casuser/Mellon

Page 21: Latest CAS News 2014


Pick the latest version (4.0.0)

Add your skin/brand

Add your configuration

◦ How do users authenticate?

◦ Where do user attributes come from?

◦ Which applications are allowed to use CAS?

Build, test, deploy

Page 22: Latest CAS News 2014

CAS v4.1: Discussion ongoing

◦ 20+ JIRAs already resolved!

◦ Join the @cas-dev mailing list

CAS AppSec Working Group:

◦ https://wiki.jasig.org/display/CAS/CAS+AppSec+Working+Group

New Committer: Robert Oschwald


Page 23: Latest CAS News 2014


CAS Addons

Page 24: Latest CAS News 2014


Free, open source extensions for CAS

Latest stable release: v1.11.1

Include in Maven Overlays:

Available at:

https://github.com/Unicon/cas-addons

Page 25: Latest CAS News 2014


Compatible with CAS v3.5.2.1

HazelcastTicketRegistry

ReadWriteJsonServiceRegistryDao

v2.x in development; support for CAS4

See more at:

◦ https://github.com/Unicon/cas-addons/wiki

Page 26: Latest CAS News 2014


CAS Clients

Page 27: Latest CAS News 2014

Features include:

◦ URL exclusion patterns for the AuthN filter

◦ Support for default ports in service URLs

◦ Return AuthN instant from SAML response

◦ Disallow misconfiguration of forced AuthN

◦ Disallow empty proxy chains for ClearPass

v3.4.0 is in development


Page 28: Latest CAS News 2014

CAS client for Play 2.x framework:

◦ https://github.com/leleuj/play-pac4j

◦ Support for CAS, OAuth, OpenId, HTTP, SAML

CAS support for Ratpack toolkit:

◦ https://github.com/ratpack/ratpack/tree/master/ratpack-pac4j


Page 29: Latest CAS News 2014


CAS and Shibboleth

Page 30: Latest CAS News 2014

CAS AuthN plugin for Shibboleth IdP

Custom CasLoginHandler

Externalized configuration file

Easier to deploy and configure

◦ No session sharing requirement!

Available at:

https://github.com/Unicon/shib-cas-authn2


Page 31: Latest CAS News 2014

Shibboleth IdP v2.4.0 Installer:

◦ Preconfigured with Shib-CAS AuthN v2

◦ Preconfigured with InCommon Metadata

◦ Preconfigured with TestShib’s SP Metadata

Available at:

https://github.com/Unicon/unicon-shibboleth-idp-template


Page 32: Latest CAS News 2014

If you don’t have SSO:

◦ Implement CAS4; available today

If you have CAS:

◦ Upgrade your Maven overlays

If you have Shibboleth:

◦ Integrate using the shib-cas-authn2 module

If you need help:

◦ Unicon OSS program: http://www.unicon.net/support


Page 33: Latest CAS News 2014


https://twitter.com/misagh84

https://github.com/mmoayyed

[email protected]