Latest about CAS (Apereo 2013)

Apereo 2013 Central Authentication Service update.

Andrew Petro

June 03, 2013

Transcript

  1. The Latest about the Central Authentication Service
    03 June 2013, Open Apereo 2013
    Andrew Petro
    Monday, June 3, 13
  2. Agenda
    1. Introduction
    2. CAS 3.5
    3. cas-addons
    4. CAS and Shibboleth
    5. Adopting and upgrading
    6. CAS 4
    7. Questions and Discussion
  3. This session
    This session will summarize the achievements in the latest available Central Authentication Service server product and client library releases, and the plugins and enhancements available in the community around CAS, and will review good practices for upgrading or adopting CAS for the first time. The purpose of this session is to inform conference participants about the latest news and software in CAS. Attendees will take away an appreciation of the latest progress and of how they might realize and benefit from it locally.
  4. Introduction: Andrew Petro
    • Apereo CAS committer, involved in CAS since before CAS 3
    • 7 years with Unicon, much of which working with CAS
    • Unicon's Open Source Support for CAS technical lead
  5. I work for Unicon
    • Support, services, training, hosting, managed services, and custom projects on and around enterprise open source in and around higher ed
    • Bill Thompson's Identity and Access Management team, working with CAS, Shibboleth, Grouper, ...
    • Open Source Support for CAS, Shibboleth, Grouper, Sakai, uPortal, uMobile, and Student Success Plan
  6. What is CAS, anyway?
    • Free and open source enterprise single sign-on for the web
    • Java server implementation, constellation of client libraries
    • Simple, supple, extensible, stable
  7. Features
    • Failed login attempt throttling
    • LDAP password and account metadata reflection
    • Extensible login web flow
    • Extensible plug-in points, wired via Spring
  8. HA CAS
    • EhCache (or memcached, or ...) for ticket registry replication
  9. CAS at Apereo 2013
    • CAS and Shib pre-conference seminar (yesterday)
    • Latest about CAS (this session)
  10. Tomorrow (Tuesday)
    • Multifactor in CAS and Shib
    • Scalable Privacy Project update
  11. Wednesday
    • node.js for CAS validation
    • RESTful CAS
    • Tracking and Terminating SSO sessions in CAS and Shibboleth
  12. Thursday
    • Load balancing CAS, uPortal, and CLE
    • Federation across multiple CAS Domains
  13. CAS Server 3.5.2, released February 22nd
    • Security fixes:
      • require a proxy chain for accessing /cas/clearPass
      • handle the exception on a bad execution ID (looked like a JavaScript injection vulnerability, but isn't really)
    • Improvements: OAuth, monitoring, logging
  14. CAS 3.5 series added
    • OAuth protocol support, improved OpenID support
    • ClearPass and EhCache ticket registry included
    • regular expressions in service matching (also available in the latest 3.4 release)
    • per-service selection of the attribute to use as username
  15. What this means for you
    • Tighten your ClearPass configuration (3.5.2 requires a proxy chain to reach /cas/clearPass; make sure your registry only grants proxying to the services that need it)
    • Switch to regular expressions rather than ant-style pattern matching in the service registry
    • Upgrade to CAS 3.5.2
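Why the "switch to regular expressions" advice on slides 14 and 15 is a security item rather than a style preference: the service registry pattern decides which service URLs CAS will issue tickets for, so a pattern that overmatches hands tickets (and, for proxy-enabled entries, proxy-granting tickets) to hosts you never registered. The example below is added here and is not code from the deck or from CAS; CAS itself is a Java server and matches with java.util.regex, while this re-implements both matching styles in Python so the behaviour can be compared offline. The registry entries, hostnames and helper names (`RegisteredService`, `find_service`, `overbroad_entries`) are constructed for illustration.

```python
# Added example (not CAS code): ant-style vs regular-expression service
# matching, the anchoring check that goes with regexes, and a probe that
# flags catch-all registry entries.  Everything below is constructed.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RegisteredService:
    name: str
    pattern: str
    regex: bool  # True: pattern is a regex; False: ant-style glob


def ant_to_regex(pattern: str):
    """Translate an ant-style pattern to a regex with the usual semantics:
    '**' matches anything including '/', '*' anything except '/', '?' one
    character except '/'; every other character is literal."""
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":
            parts.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            parts.append("[^/]")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(parts))


def service_matches(svc: RegisteredService, service_url: str) -> bool:
    """Anchored match: the whole service URL must match the pattern
    (the equivalent of Java's Matcher.matches(), not Matcher.find())."""
    compiled = re.compile(svc.pattern) if svc.regex else ant_to_regex(svc.pattern)
    return compiled.fullmatch(service_url) is not None


def find_service(registry, service_url: str):
    """Name of the first registry entry matching the URL, or None when no
    entry matches (i.e. no ticket should be issued for that service)."""
    for svc in registry:
        if service_matches(svc, service_url):
            return svc.name
    return None


def unanchored_matches(pattern: str, service_url: str) -> bool:
    """The check to avoid: a substring search accepts any URL that merely
    contains the allowed prefix somewhere (Java's Matcher.find())."""
    return re.search(pattern, service_url) is not None


def overbroad_entries(registry, probe: str = "https://attacker.test/anything"):
    """Flag entries that would grant a ticket to a host you never registered."""
    return [svc.name for svc in registry if service_matches(svc, probe)]


# Constructed registry, tried in order (CAS 3.x sorts entries by its
# evaluationOrder property).  The last entry is the kind of catch-all a demo
# configuration carries and that the "tighten" advice is aimed at.
REGISTRY = (
    RegisteredService("uPortal", "https://portal.example.edu/**", regex=False),
    RegisteredService("Library",
                      r"https://(lib|catalog)\.example\.edu(:443)?/.*", regex=True),
    RegisteredService("Any HTTPS service", "https://**", regex=False),
)
TIGHT_REGISTRY = REGISTRY[:-1]

# An attacker-controlled URL that merely contains an allowed prefix.
DECOY = "https://attacker.test/cb?next=https://portal.example.edu/"

if __name__ == "__main__":
    for url in ("https://portal.example.edu/uPortal/Login",
                "https://catalog.example.edu/search?q=cas",
                "https://portal.example.edu.attacker.test/x",
                DECOY):
        print(url, "->", "loose:", str(find_service(REGISTRY, url)),
              "tight:", str(find_service(TIGHT_REGISTRY, url)))
    print("over-broad entries:", overbroad_entries(REGISTRY))
    print("unanchored regex accepts decoy:",
          unanchored_matches(r"https://portal\.example\.edu/.*", DECOY))
```

Two things to take from running it. First, the ant-style `https://portal.example.edu/**` and the regex `https://portal\.example\.edu/.*` are equivalent for the simple case, but only the regex form lets you say things like `(lib|catalog)` or `(:443)?` in one entry, and only the regex form makes the host part explicit enough to audit. Second, whichever form you use, the match must be anchored at both ends: the `DECOY` URL contains the allowed prefix, so a substring search accepts it while `fullmatch` rejects it. When reviewing a registry, run something like `overbroad_entries` against a host you know you never registered; any entry it returns is the one to tighten before you turn on proxying or ClearPass for it.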
  16. 3.5 series
    • Incremental patch releases
    • Becoming more conservative as time goes on
    • New features and innovation go towards CAS 4 and beyond
    • and/or into cas-addons...
  17. CAS addons
    • Free and open source add-ons for the CAS server
    • Trends towards newer, exploratory features
    • Can flow into cas-server, but no need to force it
    • https://github.com/Unicon/cas-addons
  18. cas-addons
    • JSON Service Registry
    • MongoDB Service Registry
    • JSON Person Attribute DAO
    • JSON CAS ticket validation response
    • Stormpath Authentication Handler
    • ...
  19. cas-addons
    • cas-addons 1.1
      • Events framework
      • Assertions convenience class
    • cas-addons 1.2
      • Register per-service whether login initiates a single sign-on session
  20. cas-addons
    • cas-addons 1.3
      • Namespaces and syntactic sugar for configuration
    • cas-addons 1.4
      • Stormpath integration
  21. cas-addons
    • cas-addons 1.5
      • coarse-grained access control, including role-based access control
  22. cas-java-clients-addons
    • Free and open source add-ons for Java CAS clients (Jasig Java CAS Client, Spring Security, Apache Shiro)
    • Trends towards newer, exploratory features
    • https://github.com/Unicon/cas-java-clients-addons
  23. unicon-shibboleth-idp-template
    • Template Shibboleth IdP
    • Demonstrates deferring to CAS for the login experience and credential validation
  24. Maven Overlay
    • Local source control (Git? GitHub?) holding only your custom CAS recipe (in pom.xml) plus your customizations and configuration
    • The Maven overlay builds this on top of the specified CAS server version
    • https://github.com/Unicon/unicon-cas-overlay
  25. To adopt
    • Pick the latest version (3.5.2)
    • Add your skin/brand
    • Add your configuration
      • How do users authenticate?
      • Where are user attributes drawn from?
    • Build, test, deploy, rejoice
  26. Incrementally add applications
    • More and more of your applications participate in enterprise single sign-on
    • The system becomes more and more valuable through the network effect
  27. To upgrade
    • Bump the version number in your pom.xml
    • Review the changes against your customized files and configuration
    • Build, test, deploy, rejoice
  28. CAS 4 is not released yet
    • Development is in flight
    • Continues to be subject to doneness / schedule / feature release trade-offs
    • Intention is to get to a release candidate post-conference (which will freeze features; whatever doesn't make it gets picked up in 4.1, etc.)
  29. User attributes
    • v3 revision of the CAS Protocol
    • features to fulfill
    • adds user attributes to the ticket validation response, à la the common customization
  30. Front-channel single logout
    • CAS has provided back-channel single sign-out features for a while
    • CAS 4 may add front-channel logout features
  31. Dependency upgrades
    • Move to Ldaptive from Spring LDAP
    • Bump the dependency versions on a slew of stuff (Spring, EhCache, etc.)
  32. Greater modularity
    • SAML sub-module
    • management web application separated from CAS itself
    • API improvements, some in flight
  33. Little features
    • support for custom filters for releasing attributes to a service
    • improved message bundle handling (prefer an English message over failure)
    • JavaScript file selection power in themes
    • richer markup for login form messages
  34. You've either got or you haven't got style
    • CAS 4 checkstyle supports well-styled code
  35. Authentication API abstractions
    • Policies for which AuthenticationHandlers must have succeeded
    • Storing more metadata about successful Authentications off the TGT
    • Platform for implementing multifactor / LOA use cases
  36. Evergreen cas-mfa project
    • Developing multifactor support extensions for CAS 3.5, out loud and in public, per the successful response to the Evergreen State RFP
    • Will cherry-pick backports of CAS 4 code as appropriate, of course
    • https://github.com/unicon/cas-mfa
  37. If you don't have SSO
    • Implement CAS!
    • Join the club! The water's fine, jump right in!
    • 3.5.2 is the current GA release, available today
  38. If you have non-CAS SSO (Shib?)
    • Maybe CAS would add value fronting your existing SSO solution
      • extensible login web flow
      • failed login attempt throttling
      • reflect password change requirements, account locking, etc.
  39. If you have an old version of CAS
    • Upgrade!
    • Use Maven Overlay practices
      • your local source control contains only your local configuration and changes
  40. If you've got SSO nailed
    • Congratulations!
    • There's a whole lot to IAM; may I suggest proceeding to
      • Grouper
      • Person Registry (Open, CPR)
      • Enterprise Directory, ...
    • cf. CIFER
  41. (License)
    This work is licensed to you under the Creative Commons Attribution-NonCommercial 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/3.0/us/.
  42. Photo credits
    • Personal photo of Andrew: all rights reserved.
    • Microphone: http://www.flickr.com/photos/deanhp/3711222265/ cc-by
    • Robin 7 hoods: from http://www.trigandpolished.com/style/
    • Takeout: http://www.flickr.com/photos/64419960@N00/4062102754 cc-by-nc-sa