June 28 2013 Unicon CAS and Shibboleth Update

Deck from the June 28 instance of Unicon's periodic webinar of observations about CAS and Shibboleth and Unicon's participation in these projects.

Andrew Petro

June 28, 2013
Transcript

  1. Unicon CAS and Shibboleth Update, 28 June 2013
     • Mike Grady
     • Andrew Petro
     Friday, June 28, 13

  2. Agenda
     1. What is this briefing?
     2. Highlights and observations
     3. Unicon activities since previous update
     4. Intentions
     5. Next steps

  3. Welcome to this briefing
     • Unicon’s CAS and Shibboleth strategy
     • Sourcing support for open source software
     • Unicon’s Open Source Support
     • Thank you to our support subscribers

  4. Introduction: Andrew Petro
     • Jasig CAS committer, involved in CAS since before CAS 3
     • 7 years with Unicon, most of which in Cooperative Support
     • Unicon’s Cooperative Support for CAS technical lead

  5. Introduction: Mike Grady
     • IAM, Shibboleth, CAS, Internet2 Scalable Privacy
     • 36 years at University of Illinois before Unicon
     • Unicon’s Open Source Support for Shibboleth technical lead

  6. This session is being recorded.
     • Will post after:
       • Slides
       • Notes blog post with useful hyperlinks
       • Slidecast with audio

  7. CAS Server 3.5
     • Still the current stable release.
     • What you adopt or upgrade to today.
     • 3.5.2 is still the latest patch release

  8. CAS 4: user attributes
     • v3 revision of the CAS protocol, and the CAS server features to fulfill it
     • Attributes directly in the CAS validation response, à la the common local CAS mod

  9. CAS 4: Authentication API abstractions
     • Policies for which AuthenticationHandlers must have succeeded
     • Storing more metadata about successful authentications in the SSO session
     • Platform for implementing multifactor / LOA use cases

  10. CAS 4: Modularity
     • SAML sub-module
     • Management web application separated from CAS itself

  11. CAS 4: Little features
     • Custom filters for releasing attributes to services
     • Improved handling of missing UI messages
     • JavaScript file selection power in themes
     • Richer markup for login form messages

  12. CAS addons
     • Free and open source add-ons for CAS server
     • Trends towards newer, exploratory features
     • https://github.com/Unicon/cas-addons

  13. cas-java-clients-addons
     • Free and open source add-ons for Java CAS clients (Jasig Java CAS Client, Spring Security, Apache Shiro)
     • Trends towards newer, exploratory features
     • https://github.com/Unicon/cas-java-clients-addons

  14. Shibboleth IdP 2.4
     • Released in April, may be the last 2.x version
     • Adds some basic logout support
     • Variety of bug fixes and added minor features
     • Metadata security fix
     • https://issues.shibboleth.net/jira/issues/?filter=10272

  15. Shib SP 2.5.2
     • Released in June 2013
     • Security fix (fairly significant)
     • https://wiki.shibboleth.net/confluence/x/W4FC
     • 2.5 series has added:
       • Attribute Checking
       • more Extractors and Resolvers

  16. Assurance, MFA for IdP RFP
     • Due to be awarded today, Friday, June 28
     • This RFP specifies important progress for IdP for the benefit of all

  17. Highlights from Open Apereo 2013
     • seminar!
     • sessions!
     • tech demo!
     • much of this recorded

  18. CAS-related content
     • CAS + Shib pre-conference seminar
     • What’s new in CAS
     • Multifactor in CAS and Shibboleth
     • Node.JS CAS Client
     • RESTful CAS
     • Federation across multiple CAS domains
     • Tracking and terminating SSO sessions in CAS and Shibboleth
     • Using CAS and Grouper Web Services in .NET (tech demo)
     • Load balancing CAS...

  19. Shibboleth-related content
     • Multifactor in CAS and Shibboleth
     • Tracking and Terminating SSO sessions in CAS and Shibboleth
     • Scalable Privacy Project update

  20. Open Source Support
     • Support for open source software as adopted by the community
     • Unicon collaborates to maintain the supported open source software, making it more supportable and valuable to subscribers
     • “Act in the best interests of the subscribers, of the community, and of Unicon”

  21. cas-mfa work
     • Progress on support for multi-factor authentication in CAS, built on CAS 3.5.2, in public
     • http://github.com/Unicon/cas-mfa

  22. Maintain Unicon-contributed features
     • Recommended ClearPass configuration now encrypts passwords in cache
     • LPPE re-implementation using Ldaptive, support for non-AD directories

  23. Support-experience-driven changes
     • Change the default demo authentication handler to authenticate a specific demo account
     • Check service validity sooner in the login flow

  24. You’ve either got or you haven’t got style
     • CAS 4 checkstyle supporting well-styled code
     • Life is too short to manually review / enforce style

  25. cas-addons
     • Edgier add-ons for CAS server
     • 1.3, 1.4, and 1.5 are new since the previous Update webinar.
     • 1.5.4, released 2013-06-24, is latest

  26. cas-addons
     • Custom namespace XML schema
     • Enhanced Stormpath support (draw basic attributes)
     • Yubikey authentication support
     • Fordham-style RBAC

  27. Contributions to Shibboleth IdP
     • Make NotBefore assertion condition optional
     • Responsive design default / example login page
     • Support for injecting Velocity or JSP markup into the SAML binding templates

  28. Controlling NotBefore Condition
     • includeConditionsNotBefore="false" (default is "true" to match previous behavior)
     • Can control by Relying Party (e.g. SP) in relying-party.xml

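A relying-party.xml fragment showing the per-SP switch in use, added here as an example and not taken from the deck; the entity IDs are made up, and placing includeConditionsNotBefore on the ProfileConfiguration element is an assumption about where the attribute lives.

```xml
<!-- Constructed relying-party.xml excerpt (not from the deck). Only the one SP whose
     clock runs slow loses Conditions/NotBefore; every other SP keeps the default. -->

<!-- Default: NotBefore is still emitted (includeConditionsNotBefore defaults to "true"). -->
<rp:DefaultRelyingParty provider="https://idp.example.edu/idp/shibboleth"
                        defaultSigningCredentialRef="IdPCredential">
    <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
                             includeAttributeStatement="true"
                             assertionLifetime="PT5M"
                             signAssertions="always"
                             encryptAssertions="conditional" />
</rp:DefaultRelyingParty>

<!-- Override for the one "clumsy" SP: drop NotBefore only for it (assumed attribute
     placement). NotOnOrAfter, driven by assertionLifetime, still bounds the assertion,
     so the replay window does not become open-ended. -->
<rp:RelyingParty id="https://clumsy-sp.example.org/shibboleth"
                 provider="https://idp.example.edu/idp/shibboleth"
                 defaultSigningCredentialRef="IdPCredential">
    <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
                             includeAttributeStatement="true"
                             assertionLifetime="PT5M"
                             signAssertions="always"
                             encryptAssertions="conditional"
                             includeConditionsNotBefore="false" />
</rp:RelyingParty>
```

Scoping the override to a single RelyingParty element keeps the stricter default for SPs that validate NotBefore correctly.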
  29. Add to SAML binding page
     • Web page containing user assertions for SP
     • Added support for including:
       • add-html-head-content.vm
       • add-html-body-content.vm
     • Still need to create a “src/main/webapp/WEB-INF/classes/templates” directory in the Shib install directory in which to place those files
     • Underlying idea for this from Carnegie Mellon University

  30. Use Google Analytics to record Shib IdP usage stats: add-html-head-content.vm

        ##
        ## Velocity Template for sending information to Google Analytics
        ##
        <script type="text/javascript">
            // Decode HTML entities so the SP's action URL is reported as plain text
            function htmlDecode(input) {
                var e = document.createElement('div');
                e.innerHTML = input;
                return e.childNodes.length === 0 ? "" : e.childNodes[0].nodeValue;
            }

            var _gaq = _gaq || [];
            _gaq.push(['_setAccount', 'Your Google Analytics Account Id']);
            _gaq.push(['_trackPageview']);
            ## Cookie session timeout in milliseconds
            _gaq.push(['_setSessionCookieTimeout', 120000]);
            var decodedaction = htmlDecode('${action}');
            ## Get the SAML Binding type
            _gaq.push(['_trackEvent', 'SSOpage', '${SAMLBinding}', decodedaction]);

            // Load ga.js asynchronously, matching the page's own scheme
            (function() {
                var ga = document.createElement('script');
                ga.type = 'text/javascript';
                ga.async = true;
                ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
                var s = document.getElementsByTagName('script')[0];
                s.parentNode.insertBefore(ga, s);
            })();
        </script>

  31. What this means for you: Shib
     • Consider Google Analytics for IdP usage stats
     • Know that omitting NotBefore is now an option for dealing with clumsy SPs
     • Consider implementing Responsive login UI, with the new default as an example

  32. What this means for you: CAS
     • Upgrade cas-addons to pick up coarse-grained RBAC
     • Interested in multifactor / stronger authentication in CAS? Consider closer involvement:
       • in CAS 4 QA (new Authentication APIs)
       • in cas-mfa (immediate-term tactical incremental featureset)

  33. What we do
     • Collaborate to maintain current stable recommended releases
     • Work towards next releases
     • Explore extensions and opportunities
     • Responsive to inputs from subscriber experiences:
       • Explicit requests
       • Learn from providing support
       • Empathize with your needs and projects

  34. CAS 4 release engineering and QA
     • Release engineering and QA of CAS 4.0 RC1 and subsequent

  35. Followup on cas-mfa
     • Maintenance and followup on cas-mfa as it emerges from development, supporting its “birth” as a promising CAS extension

  36. CAS 3.5 maintenance
     • Continued maintenance on CAS 3.5 to the extent that opportunities arise

  37. Assurance and MFA RFP
     • This is a big deal
     • Unicon engagement on this one way or another

  38. Shib IdP Tomcat 7 support?
     • Looking into a Tomcat “shim” to allow the Shib 2.x IdP to process client certs at the Shib tier rather than in the container tier on SOAP calls
     • It gets old apologizing for the lack of full Tomcat 7 support
     • Would this work resonate with you, our audience?

  39. This session is being recorded.
     • Will post after:
       • Slides
       • Notes blog post with useful hyperlinks
       • Slidecast with audio

  40. Let’s do this again.
     • Next Unicon CAS and Shibboleth Update:
       • Thursday October 3rd 2013
       • 8:30 am Pacific == 11:30 am Eastern

  41. Reminder to support subscribers:
     • You’re welcome and encouraged to get in touch directly if you’d like any of this information contextualized to your specific situation. E.g., is my particular Shibboleth SP usage affected by the security fix in Shibboleth SP 2.5.2?
     • Feedback especially welcome.

  42. Questions / Discussion via Adobe Connect chat?
     • Mike Grady, Support for Shibboleth Technical Lead, [email protected]
     • Andrew Petro, Support for CAS Technical Lead, [email protected]

  43. (License) This work is licensed under the Creative Commons Attribution-NonCommercial 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/3.0/us/.

  44. Photo credits
     • Personal photos of Mike and Andrew: all rights reserved.
     • Microphone: http://www.flickr.com/photos/deanhp/3711222265/ (http://creativecommons.org/licenses/by/2.0/deed.en)
     • San Diego: http://www.flickr.com/photos/nchill4x4/3430830083/ (http://creativecommons.org/licenses/by-nc-nd/2.0/)
     • Pumpkin: http://www.flickr.com/photos/43208833@N05/7979224998 (http://creativecommons.org/licenses/by/2.0/deed.en)