Getting Started with CAS

Post on 14-Apr-2017


Open Apereo 2016

100% Open for Education

Getting Started with CAS

Misagh Moayyed

Hello, World!

5 years @ Unicon, 7 years @ Apereo

IAM (TIER, CAS, Shibboleth, Grouper, etc)

CAS/Grouper PMC

@misagh84 @mmoayyed

Leading provider of IT consulting, services, and support specializing in open source for education technology

Services and support for these fine Apereo projects:

Let’s

Introduction

Server Overview

Deployment, Configuration, Features, etc.

Clients Overview

Q/A

What is CAS?

http://apereo.github.io/cas/

Free/Open source enterprise SSO for all earthlings

Open well-documented protocol

Server software; with many clients

Protocol

Ticket [Cookie] based

Login ⇨ Ticket Received ⇨ Ticket Validated ⇨

Similar to OAuth2 / OpenID Connect

Slightly less insane (No payload encryption/signing)

Can be insane (N-tiered/Proxy AuthN)

Thou MUST trust SSL
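The ticket flow above ends with the application validating the service ticket against the CAS server, server-to-server over TLS, and parsing the CAS 3.0 serviceValidate XML. The following is an added example of that client-side step (not code from the talk or from any Apereo client); the CAS base URL, service URL, ticket and XML responses are constructed sample values.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

CAS_NS = "http://www.yale.edu/tp/cas"          # namespace used by CAS protocol responses
TICKET_RE = re.compile(r"^ST-[A-Za-z0-9._-]+$")  # service tickets are ST-<opaque id>

def build_validate_url(cas_base, service, ticket):
    """URL the application calls itself (never via the browser) to validate a ticket.

    The server enforces that `service` equals the one used at login; the client
    must reach CAS over https, otherwise a spoofed validation response could be
    injected ("Thou MUST trust SSL")."""
    if not cas_base.startswith("https://"):
        raise ValueError("CAS server must be reached over https")
    if not TICKET_RE.match(ticket):
        raise ValueError("malformed service ticket")
    query = urlencode({"service": service, "ticket": ticket})
    return f"{cas_base}/p3/serviceValidate?{query}"  # protocol 3.0 endpoint, returns attributes

def parse_validation_response(xml_text):
    """Return (user, attributes) on success; raise on failure or malformed XML."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{CAS_NS}}}serviceResponse":
        raise ValueError("not a CAS serviceResponse")
    failure = root.find(f"{{{CAS_NS}}}authenticationFailure")
    if failure is not None:  # e.g. INVALID_TICKET, INVALID_SERVICE: do not log the user in
        raise PermissionError(f"{failure.get('code')}: {(failure.text or '').strip()}")
    success = root.find(f"{{{CAS_NS}}}authenticationSuccess")
    if success is None:
        raise ValueError("neither success nor failure element present")
    user = success.findtext(f"{{{CAS_NS}}}user")
    if not user:
        raise ValueError("authenticationSuccess without a user")
    attrs = {}  # multi-valued attributes (e.g. memberOf) are repeated elements
    for el in success.findall(f"{{{CAS_NS}}}attributes/*"):
        attrs.setdefault(el.tag.split("}", 1)[1], []).append((el.text or "").strip())
    return user, attrs

# Constructed sample responses, shaped like CAS 3.0 /p3/serviceValidate output.
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess><cas:user>jsmith</cas:user>
    <cas:attributes><cas:mail>jsmith@example.edu</cas:mail>
      <cas:memberOf>staff</cas:memberOf><cas:memberOf>admins</cas:memberOf>
    </cas:attributes></cas:authenticationSuccess></cas:serviceResponse>"""
FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>Ticket ST-1 not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""
```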

Basically…

It’s NOT about the protocol.

Server Implementations

Apereo CAS (Java)

Shibboleth IdP v3.x (Java)

SimpleSAMLphp (PHP)

RubyCAS (Ruby)

CASino (Ruby)

txCAS (python)

Apereo Server

Java 8, Spring, Spring Boot, Thymeleaf, Servlet 3+

100+ modules

Deployed as a Maven/Gradle “overlay”

Demo

Build

https://git.io/vr2Ra (Maven)

https://git.io/vr2Rw (Gradle Overlay)

https://git.io/vr2R2 (Gradle Plugin)

Demo

Deployment

Standalone executable war

External servlet container

Tomcat 8, Jetty 9, Wildfly 10, etc

Demo

Externalized Configuration

https://git.io/vr2R6

“But, moooom…I have a cluster”

Monitor. Refresh. Notify.

POST to /bus/refresh

Every node is on the Cloud Bus (AMQP).

...and refreshes its context when notified.

What do you do? Nothing.

Auto-Configuration

Auto-configure the application context

Intention-driven development

You’re really making Pizza.

XML/Groovy Configuration

Extensions can be defined via:

XML

Groovy

Groovy beans are automatically loaded/monitored

Demo

Administration

Peek into the application runtime

Status, Health, Threads, Settings, Mappings, etc

Administrative runtime control

Shutdown, Restart, Refresh, etc

Demo

Application Registration

https://git.io/vr2R7

Service definitions can be managed via

JSON, LDAP, MongoDb, JPA, Couchbase

Use the “Services Management” interface

Demo

Multifactor Authentication

https://git.io/vr2Rb

CAS supports the following MFA providers:

Duo Security, Google Authenticator, RADIUS, YubiKey

Triggers are:

Opt-in, per app, per attribute, per app/attribute, global

Failure modes:

NONE, CLOSED, OPENED, PHANTOM

CAS AuthN Event Tracking

Record authentication events

Includes support for geolocation

Persistence managed by MongoDb, JPA

Used to evaluate AuthN Request “risk score”

Delegated Authentication

CAS can delegate authentication to:

CAS

SAML2 IdP

Facebook, Twitter, Google+, etc

ADFS

CAS Groovy Shell

https://git.io/vr20k

Access CAS runtime via Groovy Console

Ensure connection is SECURE

Groovy Scriptlets are monitored/reloaded

CAS as SAML2 IdP

Produce SAML2 metadata

Consume RP metadata

Support for Metadata Aggregates (InCommon)

Support for MDQ protocol

CAS as OIDC OP

Built atop CAS OAuth2

Dynamic Discovery

AuthZ Code/Implicit workflow

Claims resolution/release

Others

Service Access Strategies/Properties

REST API to manage services

Basic & JWT AuthN

New ticket registry options:

Redis, Cassandra, Couchbase, Ignite

Google Analytics

Web Session Replication via

Hazelcast, Redis, Mongo

Apereo Clients

.NET: https://git.io/vr20X

Java: https://git.io/vr201

PHP: https://git.io/vr20D

Apache: https://git.io/vr20S

Unofficial clients: https://goo.gl/csga6W

CAS Next

Administrator User Interfaces

Logging, Settings, Statistics

Risk-based Adaptive AuthN

Improve SAML2/OIDC protocol support

More declarative configuration

Resources

@misagh84 @mmoayyed

Mailing Lists: https://git.io/vr20V

Gitter: https://gitter.im/apereo/cas

Stackoverflow: http://goo.gl/Y62JW3

Q/A