Date posted: 14-Apr-2017 | Category: Technology | Uploaded by: misagh-moayyed
Open Apereo 2016 | 100% Open for Education
Getting Started with CAS
Misagh Moayyed
Hello, World!
5 years @ Unicon, 7 years @ Apereo
IAM (TIER, CAS, Shibboleth, Grouper, etc)
CAS/Grouper PMC
@misagh84 @mmoayyed
Leading provider of IT consulting, services, and support specializing in open source for education technology
Services and support for these fine Apereo projects:
Let’s
Introduction
Server Overview
Deployment, Configuration, Features, etc.
Clients Overview
Q/A
What is CAS?
http://apereo.github.io/cas/
Free/Open source enterprise SSO for all earthlings
Open well-documented protocol
Server software; with many clients
Protocol
Ticket [Cookie] based
Login ⇨ Ticket Received ⇨ Ticket Validated ⇨
Similar to OAuth2 / OpenID Connect
Slightly less insane (No payload encryption/signing)
Can be insane (N-tiered/Proxy AuthN)
Thou MUST trust SSL
Basically…
It’s NOT about the protocol.
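The three protocol steps above (login redirect, ticket received, ticket validated) as seen from the client side, written as an added example that is not from the slides or the CAS project: it builds the login and serviceValidate URLs and parses the validation response, which is where the identity must come from. The hosts cas.example.edu and app.example.edu and the sample XML responses are assumed/constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# XML namespace fixed by the CAS protocol specification.
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

def login_url(cas_base, service):
    """Step 1: redirect the browser to CAS, naming the exact URL to come back to."""
    return cas_base.rstrip("/") + "/login?" + urlencode({"service": service})

def validate_url(cas_base, service, ticket):
    """Step 2: the app validates the ticket server-to-server, over HTTPS with
    certificate verification, passing the same service URL byte for byte as at
    login. Identity comes only from the validation response, never from the ticket."""
    return cas_base.rstrip("/") + "/serviceValidate?" + urlencode(
        {"service": service, "ticket": ticket})

def parse_validation(xml_text):
    """Step 3: parse the /serviceValidate XML. Returns (user, attributes) on
    success and raises ValueError carrying the CAS error code on failure."""
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        raise ValueError(f"{failure.get('code')}: {(failure.text or '').strip()}")
    user_el = root.find("cas:authenticationSuccess/cas:user", CAS_NS)
    if user_el is None or not (user_el.text or "").strip():
        raise ValueError("MALFORMED: no authenticationSuccess/user element")
    attrs = {}  # multi-valued attributes (e.g. memberOf) become lists
    for el in root.findall("cas:authenticationSuccess/cas:attributes/*", CAS_NS):
        name = el.tag.split("}", 1)[-1]  # drop the {namespace} prefix
        attrs.setdefault(name, []).append((el.text or "").strip())
    return user_el.text.strip(), attrs

# Constructed sample responses in CAS protocol format (not captured from a real server).
SAMPLE_SUCCESS = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attributes>
      <cas:mail>jdoe@example.edu</cas:mail>
      <cas:memberOf>staff</cas:memberOf>
      <cas:memberOf>faculty</cas:memberOf>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""
SAMPLE_FAILURE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>Ticket ST-placeholder not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""
```

The parser uses the standard library for brevity; on untrusted input in production, use a hardened XML parser (for example defusedxml) and treat every ticket as single-use.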
Server Implementations
Apereo CAS (Java)
Shibboleth IdP v3.x (Java)
SimpleSAMLphp (PHP)
RubyCAS (Ruby)
CASino (Ruby)
txCAS (python)
Apereo Server Java 8, Spring, Spring Boot, Thymeleaf, Servlet 3+
100+ modules
Deployed as a Maven/Gradle “overlay”
Demo
Build
https://git.io/vr2Ra (Maven)
https://git.io/vr2Rw (Gradle Overlay)
https://git.io/vr2R2 (Gradle Plugin)
Demo
Deployment
Standalone executable war
External servlet container
Tomcat 8, Jetty 9, Wildfly 10, etc
Demo
“But, moooom…I have a cluster”
Monitor. Refresh. Notify.
POST to /bus/refresh
Every node is on the Cloud Bus (AMQP).
...and refreshes its context when notified.
What do you do? Nothing.
Auto-Configuration
Auto-configure the application context
Intention-driven development
You’re really making Pizza.
XML/Groovy Configuration
Extensions can be defined via:
XML
Groovy
Groovy beans are automatically loaded/monitored
Demo
Administration
Peek into the application runtime
Status, Health, Threads, Settings, Mappings, etc
Administrative runtime control
Shutdown, Restart, Refresh, etc
Demo
Application Registration
https://git.io/vr2R7
Service definitions can be managed via
JSON, LDAP, MongoDb, JPA, Couchbase
Use the “Services Management” interface
Demo
Multifactor Authentication
https://git.io/vr2Rb
CAS supports the following MFA providers:
Duo Security, Google Authenticator, RADIUS, YubiKey
Triggers are: Opt-in, per app, per attribute, per app/attribute, global
Failure modes: NONE, CLOSED, OPENED, PHANTOM
CAS AuthN Event Tracking
Record authentication events
Includes support for Geo Location
Persistence managed by MongoDb, JPA
Used to evaluate AuthN Request “risk score”
Delegated Authentication
CAS can delegate authentication to:
CAS
SAML2 IdP
Facebook, Twitter, Google+, etc
ADFS
CAS Groovy Shell
https://git.io/vr20k
Access CAS runtime via Groovy Console
Ensure connection is SECURE
Groovy Scriptlets are monitored/reloaded
CAS as SAML2 IdP
Produce SAML2 metadata
Consume RP metadata
Support for Metadata Aggregates (InCommon)
Support for MDQ protocol
CAS as OIDC OP
Built atop CAS OAuth2
Dynamic Discovery
AuthZ Code/Implicit workflow
Claims resolution/release
Others
Service Access Strategies/Properties
REST API to manage services
Basic & JWT AuthN
New ticket registry options: Redis, Cassandra, Couchbase, Ignite
Google Analytics
Web Session Replication via Hazelcast, Redis, Mongo
Apereo Clients
.NET: https://git.io/vr20X
Java: https://git.io/vr201
PHP: https://git.io/vr20D
Apache: https://git.io/vr20S
Unofficial clients: https://goo.gl/csga6W
CAS Next
Administrator User Interfaces
Logging, Settings, Statistics
Risk-based Adaptive AuthN
Improve SAML2/OIDC protocol support
More declarative configuration
Resources
@misagh84 @mmoayyed
Mailing Lists: https://git.io/vr20V
Gitter: https://gitter.im/apereo/cas
Stackoverflow: http://goo.gl/Y62JW3
Q/A