Post on 10-May-2015
transcript
Open Apereo - June 1-4 2014
The Latest about the Central Authentication Service
Misagh Moayyed mmoayyed@unicon.net
Introduction
CAS 3.4/3.5 Security Releases
CAS 4
CAS Addons
CAS Clients
CAS and Shibboleth
Questions and Discussion
This session will summarize the achievements in the latest available Central Authentication Service server product and client library releases and available plugins and enhancements in the community around CAS.
Sunday:
◦ CAS & Shibboleth for Enterprise WebSSO
Monday:
◦ Latest about the Central Authentication Service
◦ To CAS 3 and beyond: The story of a CAS upgrade
Tuesday:
◦ A tale of two factors: 2FA authentication with CAS
◦ How to CASify PeopleSoft; Integrating CAS and ADFS
Wednesday:
◦ Creating a Customizable Dynamic CAS Theme
◦ CAS implementation at Oakland University
CAS Committer and PMC member
3 years with Unicon; 5 years with Jasig/Apereo
Technical lead for Unicon’s Open Source Support for CAS
https://twitter.com/misagh84
https://github.com/mmoayyed
mmoayyed@unicon.net
Support, services, training, managed services and custom projects on and around enterprise open source in and around higher education
Identity and Access Management team working with CAS, Shibboleth, Grouper, OpenRegistry, …
Open Source Support for CAS, Shibboleth, Grouper, Sakai, uPortal, uMobile, SSP, …
Free and open source enterprise single sign-on for the web
Open well-documented protocol
Java server software; plethora of client libraries
Recommended method to deploy CAS
Local source control (Git? GitHub?) with only your custom CAS recipe (in pom.xml) and your customizations and configuration
Maven overlay builds this on top of the specified CAS server version
https://github.com/Unicon/unicon-cas-overlay
CAS Security Releases
Backward-compatible security releases: v3.5.2.1 and v3.4.12.1
Patch for SAML 2/Google Accounts integration components
You SHOULD upgrade immediately if you have enabled Google Apps support for CAS
CAS 4
Current stable major release
Improvements include:
◦ CAS protocol v3 release
◦ Build/Documentation improvements
◦ Greater modularity
◦ Redesigned authentication APIs
◦ Many more…
The release is NOT backward-compatible with 3.5.x!
First commit on Feb 26th 2013
4 RCs; GA release on May 7th 2014
165 resolved JIRA issues
181 closed pull requests
900 git commits
7 committers; 17 contributors
New:
◦ User attributes in ticket validation response
◦ Strengthen proxy callback failure response
◦ authenticationDate, memberOf, isFromNewLogin attributes
Improved:
◦ Inclusion of Single Logout
◦ Inclusion of /samlValidate endpoint
◦ Compliant with common community practices
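The CAS protocol v3 validation response described above carries the user's attributes, including the new authenticationDate, memberOf and isFromNewLogin values, inside the XML body. The following is an added example, not code from the CAS project or the presenter: a client-side parser for the /p3/serviceValidate response that extracts the user and the attributes, treats multi-valued attributes such as memberOf as lists, and distinguishes a failed validation (cas:authenticationFailure with its code) from a malformed document. The XML layout follows the CAS protocol specification; the two sample responses are constructed for the example.

```python
"""Parse a CAS protocol v3 /p3/serviceValidate response (added example)."""
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"

# Constructed sample: a successful v3 validation carrying the attributes
# named in the talk (authenticationDate, memberOf, isFromNewLogin).
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>casuser</cas:user>
    <cas:attributes>
      <cas:authenticationDate>2014-06-02T10:15:30Z</cas:authenticationDate>
      <cas:isFromNewLogin>true</cas:isFromNewLogin>
      <cas:memberOf>staff</cas:memberOf>
      <cas:memberOf>cas-admins</cas:memberOf>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed sample: a failed validation, e.g. an expired or replayed ticket.
FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    Ticket 'ST-1-abc' not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""


class CasValidationError(Exception):
    """Raised when the CAS server reports cas:authenticationFailure."""

    def __init__(self, code, message):
        super().__init__(f"{code}: {message}")
        self.code = code
        self.message = message


def parse_service_validate(xml_text):
    """Return (user, attributes) from a v3 validation response.

    attributes maps each attribute name to a list of string values, because
    attributes such as memberOf are legitimately multi-valued. Raises
    CasValidationError on cas:authenticationFailure and ValueError when the
    document is neither a success nor a failure response.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{CAS_NS}}}serviceResponse":
        raise ValueError("not a cas:serviceResponse document")

    failure = root.find(f"{{{CAS_NS}}}authenticationFailure")
    if failure is not None:
        code = failure.get("code", "UNKNOWN")
        raise CasValidationError(code, (failure.text or "").strip())

    success = root.find(f"{{{CAS_NS}}}authenticationSuccess")
    if success is None:
        raise ValueError("response has neither success nor failure element")

    user_el = success.find(f"{{{CAS_NS}}}user")
    if user_el is None or not (user_el.text or "").strip():
        raise ValueError("authenticationSuccess without cas:user")
    user = user_el.text.strip()

    attributes = {}
    attrs_el = success.find(f"{{{CAS_NS}}}attributes")
    if attrs_el is not None:
        for child in attrs_el:
            # Strip the namespace prefix to get the bare attribute name.
            name = child.tag.split("}", 1)[-1]
            attributes.setdefault(name, []).append((child.text or "").strip())
    return user, attributes


def is_fresh_login(attributes):
    """True when CAS says the ticket came from a fresh login, not SSO session reuse.

    Applications that protect sensitive actions can require this instead of
    accepting a ticket minted from a long-lived SSO session.
    """
    return attributes.get("isFromNewLogin", ["false"])[0].lower() == "true"


if __name__ == "__main__":
    user, attrs = parse_service_validate(SUCCESS_XML)
    print(user, attrs, "fresh login:", is_fresh_login(attrs))
    try:
        parse_service_validate(FAILURE_XML)
    except CasValidationError as err:
        print("validation failed:", err.code)
```

A client should treat anything other than a well-formed cas:authenticationSuccess as a failed login; in particular, an empty or missing cas:user must not be mapped to an anonymous or default account.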
Build and Deployment
◦ Using Travis CI for internal builds
◦ Auto-deployment of Javadocs and reports
◦ Maven WAR Overlay for deployments
Documentation
◦ GitHub Pages site: http://jasig.github.io/cas/
Demos on Heroku
◦ CAS WebApp: https://jasigcas.herokuapp.com
◦ Mgmt Webapp: https://jasigcasmgmt.herokuapp.com
New AuthN API to support MFA
New /p3/serviceValidate endpoint for user attributes
New submodules for SAML, Management, OAuth, …
Dependency upgrades
LDAP AuthN and Password Policy improvements
User Attribute Filters
Front-channel Logout
Disallow Empty Service Registry
English as Default Locale
JS File in Themes
Language Bundle updates
Default Proxy AuthN set to Off
Many more…
“uid != password”
The default credentials are: casuser/Mellon
Pick a latest version (4.0.0)
Add your skin/brand
Add your configuration
◦ How do users authenticate?
◦ Where do user attributes come from?
◦ Which applications are allowed to use CAS?
Build, test, deploy
CAS v4.1: Discussion ongoing
◦ 20+ JIRAs already resolved!
◦ Join the @cas-dev mailing list
CAS AppSec Working Group:
◦ https://wiki.jasig.org/display/CAS/CAS+AppSec+Working+Group
New Committer: Robert Oschwald
CAS Addons
Free, open source extensions for CAS
Latest stable release: v1.11.1
Include in Maven Overlays:
Available at:
https://github.com/Unicon/cas-addons
Compatible with CAS v3.5.2.1
HazelcastTicketRegistry
ReadWriteJsonServiceRegistryDao
v2.x in development; support for CAS4
See more at:
◦ https://github.com/Unicon/cas-addons/wiki
CAS Clients
Features include:
◦ URL exclusion patterns for the AuthN filter
◦ Support for default ports in service URLs
◦ Return AuthN instant from SAML response
◦ Disallow misconfiguration of forced AuthN
◦ Disallow empty proxy chains for ClearPass
v3.4.0 is in development
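Three of the client features listed above (URL exclusion patterns for the AuthN filter, default-port handling in service URLs, and refusing a contradictory forced-AuthN configuration) are easiest to see in isolation. The following is an added example written for this transcript, not code from the Jasig Java CAS client: a small Python re-implementation of the filter's decision for an unauthenticated request. It matches exclusion patterns as regular expressions against the request path (a simplification; the Java client has several pattern types), omits :80/:443 when building the service URL so it matches the registered service and what the browser sent, strips any stale ticket parameter from the query string, and rejects renew and gateway being enabled together. The request dictionaries and hostnames are constructed.

```python
"""CAS client authentication-filter decisions (added example, not the Jasig client)."""
import re
from urllib.parse import parse_qsl, urlencode

DEFAULT_PORTS = {"http": 80, "https": 443}


def build_service_url(scheme, host, port, path, query=""):
    """Build the service URL that CAS will validate the ticket against.

    Default ports are omitted: a stray ':443' would make the URL differ from
    the one registered in the CAS service registry and from the one the ticket
    was issued for, so validation would fail or the service be rejected.
    """
    scheme = scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme {scheme!r}")
    authority = host if port in (None, DEFAULT_PORTS[scheme]) else f"{host}:{port}"
    # Drop any 'ticket' parameter: the service URL must be the URL the ticket
    # was issued for, never one carrying the ticket itself.
    kept = [(k, v) for k, v in parse_qsl(query, keep_blank_values=True) if k != "ticket"]
    url = f"{scheme}://{authority}{path}"
    if kept:
        url += "?" + urlencode(kept)
    return url


def authentication_filter(request, cas_login_url, exclude_patterns=(),
                          renew=False, gateway=False):
    """Decide what the filter does with a request that has no authenticated session.

    request is a dict with keys scheme, host, path and optionally port and query
    (constructed shape for this example). Returns ("pass", None) when the path
    matches an exclusion pattern, otherwise ("redirect", login_url).
    renew=True forces re-authentication at CAS; gateway=True asks CAS not to
    prompt at all. Both together are contradictory and are rejected up front,
    as the client release described in the talk now does.
    """
    if renew and gateway:
        raise ValueError("renew and gateway cannot both be enabled")
    path = request["path"]
    for pattern in exclude_patterns:
        if re.fullmatch(pattern, path):
            return "pass", None
    service = build_service_url(request["scheme"], request["host"],
                                request.get("port"), path, request.get("query", ""))
    params = {"service": service}
    if renew:
        params["renew"] = "true"
    if gateway:
        params["gateway"] = "true"
    return "redirect", f"{cas_login_url}?{urlencode(params)}"


if __name__ == "__main__":
    # Constructed request: portal page over HTTPS on the default port.
    req = {"scheme": "https", "host": "app.example.edu", "port": 443, "path": "/portal/"}
    print(authentication_filter(req, "https://cas.example.edu/cas/login",
                                exclude_patterns=(r"/public/.*",)))
    req_static = dict(req, path="/public/logo.png")
    print(authentication_filter(req_static, "https://cas.example.edu/cas/login",
                                exclude_patterns=(r"/public/.*",)))
```

Keep exclusion patterns narrow (static assets, health checks); a pattern such as .* on a protected path silently switches authentication off for it, which is exactly the kind of misconfiguration the filter cannot detect for you.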
CAS client for Play 2.x framework:
◦ https://github.com/leleuj/play-pac4j
◦ Support for CAS, OAuth, OpenId, HTTP, SAML
CAS support for Ratpack toolkit:
◦ https://github.com/ratpack/ratpack/tree/master/ratpack-pac4j
CAS and Shibboleth
CAS AuthN plugin for Shibboleth IdP
Custom CasLoginHandler
Externalized configuration file
Easier to deploy and configure
◦ No session sharing requirement!
Available at:
https://github.com/Unicon/shib-cas-authn2
Shibboleth IdP v2.4.0 Installer:
◦ Preconfigured with Shib-CAS AuthN v2
◦ Preconfigured with InCommon Metadata
◦ Preconfigured with TestShib’s SP Metadata
Available at:
https://github.com/Unicon/unicon-shibboleth-idp-template
If you don’t have SSO:
◦ Implement CAS4; available today
If you have CAS:
◦ Upgrade your Maven overlays
If you have Shibboleth:
◦ Integrate using the shib-cas-authn2 module
If you need help:
◦ Unicon OSS program: http://www.unicon.net/support
https://twitter.com/misagh84
https://github.com/mmoayyed
mmoayyed@unicon.net