CAS and Shibboleth in Action:

Enterprise WebSSO and Federation Integration Patterns

Misagh Moayyed

June 04, 2013
Transcript

  1. 6/3/13 CAS and Shibboleth in Action file:///C:/Misagh/GitWorkspace/training-materials/CAS-Shib-InAction.html#/ 1/104

    CAS and Shibboleth in Action: Enterprise WebSSO and Federation Integration Patterns
    Misagh Moayyed / [email protected]
  2. Agenda

    - Introductions
    - CAS Overview
    - CAS Protocol
    - CAS Codebase
    - CAS API
    - CAS Clients
    - Shibboleth Overview
    - Shibboleth Configuration
    - CAS and Shibboleth
    - CAS Addons
    - CAS Resources
    - Q & A
  3. Unicon

    - In business since 1993, focused on open source technologies
    - Custom Application Development
    - User Experience
    - Identity and Access Management
    - Portal and Portlet development
    - Project Management
    - Open Source Support
    - Headquartered in Gilbert, AZ and staffed throughout the US
  4. Open Source Support

    - Sustainable Engineering
    - Contribute back significantly to the core community projects
    - Available for Sakai, uPortal, uMobile, CAS, Shibboleth, Grouper and SSP
  5. What is CAS?

    - Free and open source Java server software
    - Enterprise web single sign-on service
    - An open and well-documented protocol
    - A library of clients for Java, .Net, PHP, Perl, Apache, Python, etc
    - Integrations with uPortal, Shibboleth, Blackboard, Liferay, Moodle, etc
    - Extensive community of adopters
  6. CAS History

    - CAS 1: Originated at Yale University: 1-tier centralized SSO
    - CAS 2: Released by Yale, n-tier proxiable SSO
    - CAS 3: Jasig project, collaboration among Rutgers and Yale
    - An ongoing Jasig Apereo project since ~2005
    - Current production release version is 3.5.2
  7. Why CAS?

    Managing User Credentials: what if there were only one login form, only one application trusted to touch primary credentials?
  8. CAS Features

    - Enterprise Single Sign-On for the Web
    - LDAP Authentication & Password Policy Enforcement
    - Delegated Authentication via Proxy Authentication
    - High Availability Options using EhCache, MemCache, JDBC
    - Support for JDBC, Jaas, OpenID, OAuth, Radius, Spnego and X509 Authentication
    - Audits, Logs and Throttling Access via Inspektr
    - Access to User Credentials via ClearPass
    - Extensible Login Sequence via Spring Webflow
    - Exposes a RESTful API for interacting with the server
    - Web Interface for Service/Application Management & Registration
    - Themes and Skins (Global & Per Application) via Spring Framework
    - Marginal Support for SAML (Google Apps)
    - Single Sign-Out via SAML
    - Open Community Documentation
    - Addons and Extensions
    - Open Source Software: Freedom to do what you like!
  9. CAS Deployment Requirements

    - JDK 6 (JDK 7 is unofficially supported)
    - Apache Maven 3: Manage the build process
    - Apache Tomcat 7: Host the CAS server web application
    - (Optional) Apache Ant: Automate housekeeping tasks
    - Decent text editor (Sublime, TextMate, Eclipse, Intellij IDEA)
    - HTTPS/Certificates
    - Works with most modern servers (4GB memory, 3GHz CPU, etc)
    - Source control system: SVN, Git, etc
  10. CAS Protocol

    - CAS is an HTTP-based protocol; it defines a common standard that establishes the communication contract between the server and clients
    - Exposes specific URI endpoints for its components
    - CAS client libraries provide a layer of abstraction to bridge the gap between applications and the CAS server
    - Available at http://www.jasig.org/cas/protocol
    - CAS v4 is expected to update the protocol with the following changes:
      - Attribute delivery in the CAS response payload
      - Support for multi-factor authentication
      - General maintenance and upkeep ...
  11. CAS Protocol Entities

    - Service Ticket (ST): Ticket that is used by the client as a credential to obtain access to a service
    - Proxy Granting Ticket (PGT): Ticket used by a service to obtain proxy tickets for obtaining access to a back-end service on behalf of a client
    - Proxy Granting Ticket IOU (PGT-IOU): Ticket placed in the response provided by the /serviceValidate and /proxyValidate endpoints, used to correlate a service ticket or proxy ticket validation with a particular proxy-granting ticket
    - Proxy Ticket (PT): Ticket that a service uses as a credential to obtain access to a back-end service on behalf of a client
    - Login Ticket (LT): Ticket passed to the /login endpoint of the CAS protocol. Its purpose is to prevent replaying of credentials due to bugs in web browsers
    - Ticket Granting Cookie (TGC): HTTP cookie set by CAS upon the establishment of a single sign-on session; it maintains login state for the client
  12. CAS Protocol Endpoints

    - /login: Acts as a credential acceptor
    - /logout: Destroys a client's single sign-on CAS session
    - /serviceValidate: Checks the validity of a service ticket and returns an XML-fragment response
    - /proxyValidate: Performs the same validation tasks as /serviceValidate and additionally validates proxy tickets
    - /proxy: Provides proxy tickets to services that have acquired proxy-granting tickets and will be proxying authentication to back-end services
  13. CAS Protocol Features

    The CAS protocol features a number of parameters for endpoints, the most important of which are the following:

    - renew
      - Set for /login: Single sign-on will be bypassed
      - Set for /serviceValidate: Validation will only succeed if the ticket was issued from the presentation of credentials
    - gateway
      - Set for /login: Do not ask for credentials if the client has a pre-existing single sign-on session with CAS, or if a single sign-on session can be established through non-interactive means
  14. How CAS Works

    1. Web application accessed by the web browser
    2. Web application redirects the browser to CAS, indicating the requesting service
    3. CAS validates primary credentials
    4. CAS (optionally) sets the TGC (aka Ticket Granting Ticket), redirects back to the application with an ST
    5. Web application asks CAS to validate the ST
    6. CAS responds with the validation result, announcing the principal
  15. Protocol Example URIs

    Login request:
    https://server/cas/login?service=http%3A%2F%2Fwww.service.com&renew=true

    Ticket validation request:
    https://server/cas/serviceValidate?service=http%3A%2F%2Fwww.service.com&ticket=ST-1856339-aA5Yuvrxzpv8Tau1cYQ7
  16. Sample Validation Response

    <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
        <cas:authenticationSuccess>
            <cas:user>luke</cas:user>
            <cas:proxyGrantingTicket>PGTIOU-84678-8a9d...</cas:proxyGrantingTicket>
        </cas:authenticationSuccess>
    </cas:serviceResponse>
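The client side of the exchange in slides 14 to 16, as an added example that is not part of the deck or of any CAS client library: it builds the /login and /serviceValidate URIs from the slide, pulls the ST out of the redirect back to the application, and parses the XML fragment that /serviceValidate returns, distinguishing authenticationSuccess from authenticationFailure instead of treating any 200 response as a login. The server and service URLs and ticket values come from the slides; the failure response and the full PGT-IOU value are constructed sample data.

```python
"""Minimal model of the CAS 2.0 client flow (constructed example)."""
from urllib.parse import urlencode, urlsplit, parse_qs
import xml.etree.ElementTree as ET

# Namespace used by the sample response on the slide.
CAS_NS = "http://www.yale.edu/tp/cas"


def login_url(cas_base, service, renew=False, gateway=False):
    """Build the /login request URI. renew and gateway are mutually exclusive
    in the CAS protocol, so refuse to emit both."""
    if renew and gateway:
        raise ValueError("renew and gateway cannot both be set")
    params = {"service": service}
    if renew:
        params["renew"] = "true"
    if gateway:
        params["gateway"] = "true"
    return f"{cas_base.rstrip('/')}/login?{urlencode(params)}"


def validate_url(cas_base, service, ticket, renew=False):
    """Build the /serviceValidate request URI for a service ticket.
    The service must be the exact value used in the login request."""
    params = {"service": service, "ticket": ticket}
    if renew:
        params["renew"] = "true"
    return f"{cas_base.rstrip('/')}/serviceValidate?{urlencode(params)}"


def service_ticket_from_redirect(redirect_url):
    """Extract the ST that CAS appended when redirecting back to the application."""
    tickets = parse_qs(urlsplit(redirect_url).query).get("ticket", [])
    if len(tickets) != 1 or not tickets[0].startswith("ST-"):
        raise ValueError("redirect carries no single service ticket")
    return tickets[0]


def parse_service_response(xml_text):
    """Parse a /serviceValidate response into a dict.
    status is 'success' (with user and optional pgt_iou) or 'failure' (with code
    and message). Anything else is malformed and raises."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{CAS_NS}}}serviceResponse":
        raise ValueError("not a cas:serviceResponse document")
    success = root.find(f"{{{CAS_NS}}}authenticationSuccess")
    if success is not None:
        user = (success.findtext(f"{{{CAS_NS}}}user") or "").strip()
        if not user:
            raise ValueError("authenticationSuccess without a cas:user")
        return {
            "status": "success",
            "user": user,
            "pgt_iou": success.findtext(f"{{{CAS_NS}}}proxyGrantingTicket"),
        }
    failure = root.find(f"{{{CAS_NS}}}authenticationFailure")
    if failure is not None:
        return {
            "status": "failure",
            "code": failure.get("code"),
            "message": (failure.text or "").strip(),
        }
    raise ValueError("response contains neither success nor failure element")


# Sample response from the slide (PGT-IOU completed with a constructed suffix).
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:authenticationSuccess>
        <cas:user>luke</cas:user>
        <cas:proxyGrantingTicket>PGTIOU-84678-8a9d-constructed</cas:proxyGrantingTicket>
    </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed failure response; INVALID_TICKET is a standard CAS failure code.
FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:authenticationFailure code='INVALID_TICKET'>
        ticket ST-constructed not recognized
    </cas:authenticationFailure>
</cas:serviceResponse>"""


if __name__ == "__main__":
    print(login_url("https://server/cas", "http://www.service.com", renew=True))
    st = service_ticket_from_redirect(
        "http://www.service.com/?ticket=ST-1856339-aA5Yuvrxzpv8Tau1cYQ7")
    print(validate_url("https://server/cas", "http://www.service.com", st))
    print(parse_service_response(SUCCESS_XML))
    print(parse_service_response(FAILURE_XML))
```

The two URIs produced for the slide's inputs are character-for-character the ones on slide 15; the parser treats the absence of cas:user as an error rather than a success, which is the check a client must make before trusting the response.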
  17. SSO Session vs. Application Session

    - CAS is login brokering, not shared sessions or session management
    - The "single" part of Single Sign On comes from CAS setting a secure cookie so that CAS can recognize the user on a soon-after login request
    - This SSO session has nothing to do with the application session
    - Note: CAS exhibits a "Single Sign Out" feature using which it can instruct the client application to destroy its application session
  18. CAS Codebase

    - CAS is a multi-module Spring web application, whose build is managed by Apache Maven
    - Each module exists in its own sub directory with its own pom.xml file
    - All modules are managed by the parent pom.xml file at the project root directory
    - The entire codebase is hosted at https://www.github.com/jasig/cas
    - The master branch is always working towards the next release (currently CAS 4.0.0)
  19. CAS Codebase: Build from Source

    - Execute: mvn clean package
    - Deploy the cas-server-webapp/target/cas.war file into $CATALINA_HOME/webapps
    - Access the CAS webapp at: http://localhost:8080/cas
  20. CAS Codebase: Maven Overlay Build

    - Apache Maven Overlays are used to share common resources across multiple web applications
    - A mechanism which allows an adopter to "overlay" local changes on top of the indicated artifacts downloaded from Maven repositories
    - In other words: only keep what you actually plan to customize
    - The Maven WAR overlay approach to building CAS is well documented on the Apereo wiki:
      https://wiki.jasig.org/display/CASUM/Best+Practice+-+Setting+Up+CAS+Locally+using+the+Maven2+WAR+Overlay+Method
  21. Recommended Deployment Practices

    - Use the Apache Maven WAR overlay approach
    - Automate your build process; cut down deployment time
    - Execute all communication through TLS
    - Externalize your configuration as much as possible
    - Establish an account/attribute store
    - Encrypt all sensitive data in the configuration
    - When and if possible, use the latest version of all software dependencies
    - Establish an upgrade schedule for all software dependencies
    - Most importantly, ALWAYS check in your local overlay artifacts into a source control repository
    - Don't re-invent the wheel: https://github.com/Unicon/unicon-cas-overlay
  22. CAS API

    - CAS exposes many extension points for custom plugins and configuration
    - Extension points are available for authentication, principal resolution, attribute policy, service registration, etc.
    - Before writing your own, review CAS modules and its addons
    - If you do write custom extensions, consider sharing your addons!
    - Custom extensions are wired up and managed by the Spring framework
    - Note: Tweaking CAS internal components will complicate your build process and subsequently makes your upgrades more difficult!
  23. CentralAuthenticationService Interface

    - The API provides an implementation of the CAS protocol itself, beginning with the CentralAuthenticationService interface
    - Viewed as a set of services to generate, validate and retrieve CAS tickets containing authentication information
    - The only (and default) implementation currently is: CentralAuthenticationServiceImpl
    - Again, you most likely don't need to modify this component at all
  24. CentralAuthenticationService Interface

    public interface CentralAuthenticationService {
        String createTicketGrantingTicket(Credentials credentials) throws TicketException;
        String grantServiceTicket(String ticketGrantingTicketId, Service service) throws TicketException;
        String grantServiceTicket(final String ticketGrantingTicketId, final Service service,
                                  final Credentials credentials) throws TicketException;
        Assertion validateServiceTicket(final String serviceTicketId, final Service service) throws TicketException;
        void destroyTicketGrantingTicket(final String ticketGrantingTicketId);
        String delegateTicketGrantingTicket(final String serviceTicketId, final Credentials credentials)
                throws TicketException;
    }
  25. CAS API: Handling Authentication

    Once upon a time, there was an AuthenticationHandler interface ...whose sole concern was to validate provided credentials.

    CAS provides many different implementations OOTB:
    - FileAuthenticationHandler
    - AcceptUsersAuthenticationHandler
    - JaasAuthenticationHandler
    - RejectUsersAuthenticationHandler
    - BindLdapAuthenticationHandler
    - OAuthAuthenticationHandler
    - QueryDatabaseAuthenticationHandler
    - FastBindLdapAuthenticationHandler
    - SimpleTestUsernamePasswordAuthenticationHandler (Default)
    - ...many many more!

    You can also extend AbstractUsernamePasswordAuthenticationHandler to write your own!
  26. CAS API: RejectUsersAuthenticationHandler

    public class RejectUsersAuthenticationHandler extends AbstractUsernamePasswordAuthenticationHandler {

        @NotNull
        private List<String> users;

        protected final boolean authenticateUsernamePasswordInternal(final UsernamePasswordCredentials credentials)
                throws AuthenticationException {
            // Normalize the username the same way the rest of CAS does before comparing
            final String transformedUsername = getPrincipalNameTransformer().transform(credentials.getUsername());
            if (this.users.contains(transformedUsername)) {
                throw new BlockedCredentialsAuthenticationException();
            }
            // Note: anyone not on the list is reported as authenticated; no password is checked here
            return true;
        }
    }
  27. CAS API: PrincipalResolvers

    - CredentialsToPrincipalResolvers extract information from the user Credentials
    - Credential information may be provided by the browser, certificate, etc
    - CredentialsToPrincipalResolvers may obtain additional information/attributes about the user
    - Most commonly used implementation is UsernamePasswordCredentialsToPrincipalResolver
    - Apereo's PersonDirectory project
  28. CAS API: Managing Authentication

    - Authentication handlers are managed by an AuthenticationManager
    - An AuthenticationManager consists of one or more AuthenticationHandlers
    - An AuthenticationManager loops through its AuthenticationHandlers, invoking each to validate credentials
    - CAS provides 3 different implementations OOTB:
      - AuthenticationManagerImpl (Default)
      - LinkedAuthenticationHandlerAndCredentialsToPrincipalResolverAuthenticationManager
      - DirectMappingAuthenticationManagerImpl
    - As always, you can write your own!
  29. AuthenticationManagerImpl

    - Default implementation of the AuthenticationManager interface
    - Allows you to configure lists of AuthenticationHandlers, CredentialsToPrincipalResolvers and AuthenticationMetaDataAttributePopulators
    - Requires no correlation between AuthenticationHandlers and CredentialsToPrincipalResolvers
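The handler loop described in slides 25 to 29, as an added example that is neither the deck's code nor the CAS code base: a small model of an AuthenticationManager that invokes each supporting handler in turn and treats the first one returning true as the authenticating handler, exercised with a port of the slide's RejectUsersAuthenticationHandler and a constructed username/password handler. The handler and user names are constructed, and the first-success-wins rule is an assumption of this model. The last test case is the caveat: because the slide's handler returns true for anyone not on its list, adding it to such a loop authenticates unlisted usernames without any password check, so a reject list is not a credential check and must not be the handler that a login can succeed on.

```python
"""Model of an AuthenticationManager loop with a reject-list handler (constructed example)."""


class AuthenticationException(Exception):
    """Raised when no handler accepts the credentials."""


class BlockedCredentialsAuthenticationException(AuthenticationException):
    """Raised when the username is on the reject list (as on the slide)."""


class UsernamePasswordCredentials:
    def __init__(self, username, password):
        self.username = username
        self.password = password


class RejectUsersAuthenticationHandler:
    """Port of the slide's handler: throws for listed users, returns True otherwise."""

    def __init__(self, users, name_transformer=str.lower):
        self.users = set(users)
        self.transform = name_transformer  # stands in for getPrincipalNameTransformer()

    def supports(self, credentials):
        return isinstance(credentials, UsernamePasswordCredentials)

    def authenticate(self, credentials):
        if self.transform(credentials.username) in self.users:
            raise BlockedCredentialsAuthenticationException(credentials.username)
        return True  # no password is examined here


class AcceptUsersAuthenticationHandler:
    """Constructed stand-in for a real password check: a static username -> password map."""

    def __init__(self, users):
        self.users = dict(users)

    def supports(self, credentials):
        return isinstance(credentials, UsernamePasswordCredentials)

    def authenticate(self, credentials):
        return self.users.get(credentials.username) == credentials.password


class AuthenticationManager:
    """Loop through handlers; the first supporting handler that returns True wins (assumption)."""

    def __init__(self, handlers):
        self.handlers = list(handlers)

    def authenticate(self, credentials):
        found_supported = False
        for handler in self.handlers:
            if not handler.supports(credentials):
                continue
            found_supported = True
            if handler.authenticate(credentials):  # may raise AuthenticationException
                return {"principal": credentials.username, "handler": type(handler).__name__}
        if not found_supported:
            raise AuthenticationException("no handler supports these credentials")
        raise AuthenticationException("bad credentials")


def outcome(manager, username, password):
    """Return ('ok', handler name) or ('denied', exception name) for one login attempt."""
    try:
        result = manager.authenticate(UsernamePasswordCredentials(username, password))
        return ("ok", result["handler"])
    except AuthenticationException as exc:
        return ("denied", type(exc).__name__)


# Constructed users: one known account and one reject-listed name.
ACCEPT = AcceptUsersAuthenticationHandler({"luke": "constructed-pw"})
REJECT = RejectUsersAuthenticationHandler(["blocked"])

ACCEPT_ONLY = AuthenticationManager([ACCEPT])
WITH_REJECT = AuthenticationManager([ACCEPT, REJECT])


if __name__ == "__main__":
    for manager_name, manager in (("accept only", ACCEPT_ONLY), ("accept + reject", WITH_REJECT)):
        for user, pw in (("luke", "constructed-pw"), ("mallory", "guess"), ("Blocked", "anything")):
            print(manager_name, user, outcome(manager, user, pw))
```

The run shows "mallory" denied by the accept-only manager but accepted by the reject handler once it is appended, which is the configuration mistake the slide's `return true` invites.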
  30. CAS API: Metadata Populators

    - AuthenticationMetaDataPopulators allow CAS to provide additional attributes related to the overall Authentication
    - This may include authentication type or attributes that are specific to the Authentication request versus the Principal itself
    - Used specially by the CAS ClearPass extension to capture and cache user credentials
  31. CAS API: ClearPass's CacheCredentialsMetaDataPopulator

    public final class CacheCredentialsMetaDataPopulator implements AuthenticationMetaDataPopulator {

        @NotNull
        private Map<String, String> credentialCache;

        public CacheCredentialsMetaDataPopulator(final Map<String, String> credentialCache) {
            this.credentialCache = credentialCache;
        }

        public Authentication populateAttributes(final Authentication authentication, final Credentials credentials) {
            if (credentials instanceof UsernamePasswordCredentials) {
                final UsernamePasswordCredentials c = (UsernamePasswordCredentials) credentials;
                // Stores the clear-text password keyed by the resolved principal id
                this.credentialCache.put(authentication.getPrincipal().getId(), c.getPassword());
            }
            return authentication;
        }
    }
  32. CAS API: ServiceRegistry

    - Applications that wish to use CAS must be registered in the Service Registry
    - Each application in the registry gains a number of properties: name, id, description, skin name, serviceId, evaluationOrder, etc
    - CAS will match the requesting application url with a serviceId in its registry
    - Application urls in the registry may be configured via Ant or RegEx patterns
    - evaluationOrder defines the ascending order of precedence: more generic patterns => higher order
    - Service Registry may be configured with an open white-list configuration. See Andrew Petro's blog post for more:
      http://www.unicon.net/blog/apetro/automatically_register_services_management_service
  33. CAS API: More on ServiceRegistry

    Service Registry configuration will also allow services to:
    - Be disabled
    - Be unable to use proxy authentication
    - Configure an attribute release policy per service
    - Designate a specific user attribute for the authenticated userId
    - Specify a skin name for the service
    - Use a Web UI to manage services
    - ...

    Note: By default, Service Registry uses an in-memory persistence implementation. Changes will be lost on container restarts! Don't worry though! There are plenty of other implementations (JDBC, JSON, MongoDb, etc)
  34. CAS API: Default ServiceRegistry Configuration

    <bean id="serviceRegistryDao" class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
        <property name="registeredServices">
            <list>
                <bean class="org.jasig.cas.services.RegexRegisteredService">
                    <property name="id" value="0" />
                    <property name="name" value="HTTP and IMAP" />
                    <property name="description" value="HTTP(S) and IMAP(S)" />
                    <property name="serviceId" value="^(https?|imaps?)://.*" />
                    <property name="evaluationOrder" value="10000001" />
                </bean>
            </list>
        </property>
    </bean>
  35. CAS API: AttributeRepository & Retrieval

    - Attribute release policy needs to be configured per service in the Service Registry
    - Attribute retrieval is executed by an implementation of PersonDirectory's IPersonAttributeDao
    - Attribute repository is employed by a PrincipalResolver, which retrieves all configured attributes
    - CentralAuthenticationServiceImpl will filter and polish those that are allowed for the requesting service
    - Global pool of attributes retrieved, filtered per service
    - There are plenty of other implementations available:
      - StubPersonAttributeDao (Default)
      - LdapPersonAttributeDao
      - RegexGatewayPersonAttributeDao
      - MergingPersonAttributeDaoImpl
      - CachingPersonAttributeDaoImpl
      - CascadingPersonAttributeDao
      - ...
  36. CAS API: Attribute Repository Configuration

    <bean id="attributeRepository" class="org.jasig.services.persondir.support.StubPersonAttributeDao">
        <property name="backingMap">
            <map>
                <entry key="uid" value="uid" />
                <entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
                <entry key="groupMembership" value="groupMembership" />
            </map>
        </property>
    </bean>
  37. CAS API: Attributes Per Service

    <bean class="org.jasig.cas.services.RegisteredServiceImpl">
        <property name="id" value="0" />
        <property name="name" value="HTTPS Services" />
        <property name="description" value="YOUR HTTP Service" />
        <property name="serviceId" value="https://**" />
        <property name="evaluationOrder" value="0" />
        <property name="allowedAttributes">
            <list>
                <value>yourAttributeName</value>
            </list>
        </property>
    </bean>
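Service matching and per-service attribute release from slides 32 to 37, as an added example that is not the deck's or the CAS project's code: a registry of regex-registered services sorted by evaluationOrder, lookup of the requesting service URL, the disabled check, and filtering of the global attribute pool down to the service's allowedAttributes. The catch-all entry is the one from slide 34; the portal and legacy services, and the principal's attribute pool, are constructed. Full-pattern matching is an assumption of this model.

```python
"""Model of CAS service registry lookup and attribute release (constructed example)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RegexRegisteredService:
    id: int
    name: str
    service_id: str           # regular expression, as in RegexRegisteredService
    evaluation_order: int     # ascending precedence: generic patterns get the highest order
    enabled: bool = True
    allowed_to_proxy: bool = True
    allowed_attributes: tuple = ()


class UnauthorizedServiceException(Exception):
    """Requesting service is unknown or disabled."""


class ServiceRegistry:
    def __init__(self, services):
        # Lowest evaluationOrder is consulted first, so specific patterns win over the catch-all.
        self.services = sorted(services, key=lambda s: s.evaluation_order)

    def find_service_by(self, service_url):
        for service in self.services:
            if re.fullmatch(service.service_id, service_url):  # whole-URL match (assumption)
                return service
        return None


def check_service(registry, service_url):
    """The gate CAS applies before issuing or validating a ticket for a service."""
    service = registry.find_service_by(service_url)
    if service is None:
        raise UnauthorizedServiceException(f"service not registered: {service_url}")
    if not service.enabled:
        raise UnauthorizedServiceException(f"service disabled: {service.name}")
    return service


def attributes_for_service(service, principal_attributes):
    """Filter the global attribute pool to the service's allowedAttributes."""
    return {k: v for k, v in principal_attributes.items() if k in service.allowed_attributes}


# Constructed registry: the slide's catch-all plus two specific services.
REGISTRY = ServiceRegistry([
    RegexRegisteredService(0, "HTTP and IMAP", r"^(https?|imaps?)://.*", 10000001),
    RegexRegisteredService(1, "Portal", r"^https://portal\.example\.edu/.*", 10,
                           allowed_attributes=("uid", "eduPersonAffiliation")),
    RegexRegisteredService(2, "Legacy app", r"^https://legacy\.example\.edu/.*", 20,
                           enabled=False),
])

# Constructed global attribute pool, as a PersonDirectory lookup would return it.
PRINCIPAL_ATTRIBUTES = {
    "uid": "luke",
    "eduPersonAffiliation": "staff",
    "groupMembership": "cn=admins",
}


def release(service_url):
    """Return (service name, released attributes) for a requesting service URL."""
    service = check_service(REGISTRY, service_url)
    return service.name, attributes_for_service(service, PRINCIPAL_ATTRIBUTES)


if __name__ == "__main__":
    for url in ("https://portal.example.edu/login", "http://anything.example.org/x",
                "https://legacy.example.edu/", "ftp://files.example.edu/"):
        try:
            print(url, "->", release(url))
        except UnauthorizedServiceException as exc:
            print(url, "->", exc)
```

With the slide's catch-all in place, any http(s) or imap(s) URL is an authorized service and receives tickets for the principal, which is what the open white-list note on slide 32 means in practice; the catch-all releases no attributes only because its allowedAttributes list is empty.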
  38. CAS API: TicketRegistry Interface

    - Authentication ticket storage abstraction layer
    - Responsible for retrieval and persistence of tickets, given their expiration policy
    - For high availability configurations, ticket registry state must be replicated across all nodes
    - CAS provides a number of implementations OOTB:
      - DefaultTicketRegistry (Default)
      - JpaTicketRegistry
      - MemCacheTicketRegistry
      - JBossCacheTicketRegistry
      - EhCacheTicketRegistry
  39. CAS API: DefaultTicketRegistry Configuration

    - The default ticket registry uses an in-memory implementation
    - Employs a DefaultTicketRegistryCleaner to periodically remove stale tickets from the store
    - The act of cleaning/expiring tickets is closely related to CAS single sign-out functionality

    <bean id="ticketRegistry" class="org.jasig.cas.ticket.registry.DefaultTicketRegistry" />

    <bean id="ticketRegistryCleaner" class="org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner"
          p:ticketRegistry-ref="ticketRegistry" />
  40. CAS API: Ticket Expiration Policies

    - The TicketExpirationPolicy component defines the lifecycle policy for various types of tickets
    - Expiration policies are global and affect all tickets regardless of service, user, role, ip, etc
    - Expiration policies are defined for service tickets (ST) and ticket granting tickets (TGT)
    - Available implementations OOTB are:
      - TicketGrantingTicketExpirationPolicy (TGT) (Default)
      - HardTimeoutExpirationPolicy (TGT)
      - ThrottledUseAndTimeoutExpirationPolicy (TGT)
      - NeverExpiresExpirationPolicy (TGT)
      - RememberMeDelegatingExpirationPolicy (TGT)
      - MultiTimeUseOrTimeoutExpirationPolicy (ST) (Default)
      - Your own!
  41. CAS API: Default Expiration Policy Configuration

    <!-- Expiration policies -->
    <util:constant id="SECONDS" static-field="java.util.concurrent.TimeUnit.SECONDS" />

    <bean id="serviceTicketExpirationPolicy" class="org.jasig.cas.ticket.support.MultiTimeUseOrTimeoutExpirationPolicy"
          c:numberOfUses="1" c:timeToKill="${st.timeToKillInSeconds:10}" c:timeUnit-ref="SECONDS" />

    <!-- TicketGrantingTicketExpirationPolicy: Default as of 3.5 -->
    <!-- Provides both idle and hard timeouts, for instance 2 hour sliding window with an 8 hour max lifetime -->
    <bean id="grantingTicketExpirationPolicy" class="org.jasig.cas.ticket.support.TicketGrantingTicketExpirationPolicy"
          p:maxTimeToLiveInSeconds="${tgt.maxTimeToLiveInSeconds:28800}"
          p:timeToKillInSeconds="${tgt.timeToKillInSeconds:7200}" />
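The two default policies configured above and the cleaner sweep from slides 38 to 41, as an added example that is not the deck's code or the CAS implementation: a model of MultiTimeUseOrTimeoutExpirationPolicy with the slide's numberOfUses=1 and timeToKill=10 seconds, of TicketGrantingTicketExpirationPolicy with the 7200 second sliding window and 28800 second hard cap, and of a registry whose cleaner returns the ids it evicts, which is the event that drives single sign-out. Time is a caller-supplied number of seconds so the scenario is deterministic; the exact expiry comparisons are assumptions of this model.

```python
"""Model of the default CAS ticket expiration policies and registry cleaner (constructed example)."""
from dataclasses import dataclass


@dataclass
class Ticket:
    ticket_id: str
    creation_time: float       # seconds
    last_time_used: float      # seconds; equals creation_time until first use
    count_of_uses: int = 0

    def touch(self, now):
        self.last_time_used = now
        self.count_of_uses += 1


class MultiTimeUseOrTimeoutExpirationPolicy:
    """Service-ticket policy: dead once used numberOfUses times or idle for timeToKill seconds."""

    def __init__(self, number_of_uses=1, time_to_kill=10):
        self.number_of_uses = number_of_uses
        self.time_to_kill = time_to_kill

    def is_expired(self, ticket, now):
        return (ticket.count_of_uses >= self.number_of_uses
                or now - ticket.last_time_used >= self.time_to_kill)


class TicketGrantingTicketExpirationPolicy:
    """TGT policy: sliding idle window (timeToKill) capped by a hard lifetime (maxTimeToLive)."""

    def __init__(self, max_time_to_live=28800, time_to_kill=7200):
        self.max_time_to_live = max_time_to_live
        self.time_to_kill = time_to_kill

    def is_expired(self, ticket, now):
        return (now - ticket.creation_time >= self.max_time_to_live
                or now - ticket.last_time_used >= self.time_to_kill)


class TicketRegistry:
    """In-memory registry: each ticket carries the policy it was issued under."""

    def __init__(self):
        self._tickets = {}
        self._policies = {}

    def add(self, ticket, policy):
        self._tickets[ticket.ticket_id] = ticket
        self._policies[ticket.ticket_id] = policy

    def get(self, ticket_id, now):
        """Retrieve and use a ticket; None for unknown or expired tickets."""
        ticket = self._tickets.get(ticket_id)
        if ticket is None or self._policies[ticket_id].is_expired(ticket, now):
            return None
        ticket.touch(now)
        return ticket

    def clean(self, now):
        """Cleaner sweep: evict expired tickets and return their ids (the sign-out trigger)."""
        expired = [tid for tid, t in self._tickets.items()
                   if self._policies[tid].is_expired(t, now)]
        for tid in expired:
            del self._tickets[tid]
            del self._policies[tid]
        return expired


def run_scenario():
    """Exercise the policies with the slide's defaults; returns the observations as a dict."""
    reg = TicketRegistry()
    st_policy = MultiTimeUseOrTimeoutExpirationPolicy(number_of_uses=1, time_to_kill=10)
    tgt_policy = TicketGrantingTicketExpirationPolicy(max_time_to_live=28800, time_to_kill=7200)
    for tid in ("TGT-1", "TGT-2"):
        reg.add(Ticket(tid, 0, 0), tgt_policy)
    for tid in ("ST-1", "ST-2"):
        reg.add(Ticket(tid, 0, 0), st_policy)

    results = {}
    results["st_first_validation"] = reg.get("ST-1", 3) is not None   # single use succeeds
    results["st_replay"] = reg.get("ST-1", 4) is not None             # second use is refused
    results["st_unused_after_10s"] = reg.get("ST-2", 10) is not None  # idle timeout hit
    results["tgt_idle_timeout"] = reg.get("TGT-2", 7200) is None       # 2 h without activity

    # TGT-1 is kept busy just inside the idle window until the hard cap ends the session.
    now, uses = 0, 0
    while True:
        now += 7199
        if reg.get("TGT-1", now) is None:
            break
        uses += 1
    results["tgt_uses_before_hard_timeout"] = uses
    results["tgt_expired_at"] = now
    results["cleaned"] = reg.clean(now)
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The sliding window alone would keep TGT-1 alive indefinitely; the hard cap is what bounds a session whose cookie is being reused, which is why the default policy carries both values.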
  42. CAS Single Sign Out

    - CAS notifies services that a user has signed out of CAS
    - Services must implement CAS SSOut by "reacting" to CAS SSOut events
    - Identifies a signed out user by the service ticket that was used to log in that user
    - Single Sign-Out is enabled OOTB. Recommended to be disabled via slo.callbacks.disabled=true
  43. CAS API: Ticket Expiration Policy vs. Single Sign Out

    - TicketRegistryCleaner periodically removes expired tickets from the registry
    - Upon removal, a SAML-compliant single sign-out request is broadcast to all authenticated applications
    - Only available for the DefaultTicketRegistry implementations
  44. CAS API: Summary of CAS components

    The CAS Server webapp module employs the following files to wire up all dependencies between components:
    - src\main\webapp\WEB-INF\deployerConfigContext.xml: Centralizes the declarative config
    - src\main\webapp\WEB-INF\cas.properties: Collection of CAS settings
    - src\main\webapp\WEB-INF\login-webflow.xml: CAS login webflow configuration
    - src\main\webapp\WEB-INF\spring-configuration\ticketExpirationPolicies.xml: Ticket expiration policy configuration
    - src\main\webapp\WEB-INF\spring-configuration\ticketRegistry.xml: Ticket registry configuration
    - src\main\webapp\WEB-INF\classes\log4j.xml: Logging configuration

    There also exists a src\main\webapp\WEB-INF\unused-spring-configuration directory for optional components.
    Overlay each file in your local configuration as needed (obtain the appropriate version!)
  45. CAS API

    Other Components
    CAS Argument Extractors
    CAS Internationalization
    CAS Identifier Generators
    CAS Spring Login WebFlow
    RememberMe Authentication
    Throttling Login Attempts
    Monitoring CAS State
    CAS RESTful API
  46. CAS Clients

    CAS provides many clients in a plethora of languages: Java, .NET, Python, PHP, Perl, etc
    CAS clients are also available for containers & frameworks: Spring Security, Shiro, Node.JS, etc
    Clients provide a communication layer and speak the CAS protocol
    The process of leveraging CAS authentication in an application is known as CASification
    Official, Unofficial, Incubating and Legacy clients
    The most commonly used clients are the Java CAS Client and .NET client
  47. CAS Clients

    Java CAS client
    Implemented as a number of Servlet Filters
    Filters are specified in the client Java web application's web.xml file
    Filter parameters may be specified at the filter/context/JNDI level
    Retrieve the authenticated userid via request.getRemoteUser()
    Client integration may not always be a webapp! (Blackboard, Chalk&Wire, etc)
    Codebase is hosted on GitHub at: https://github.com/Jasig/java-cas-client
  48. CAS Clients

    Java CAS client
    AuthenticationFilter
    Saml11AuthenticationFilter
    Cas10TicketValidationFilter
    Saml11TicketValidationFilter
    Cas20ProxyReceivingTicketValidationFilter
    HttpServletRequestWrapperFilter
    AssertionThreadLocalFilter
  49. CAS Clients

    Java CAS Client Configuration #1

    <filter>
      <filter-name>CAS Authentication Filter</filter-name>
      <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
      <init-param>
        <param-name>casServerLoginUrl</param-name>
        <param-value>https://battags.ad.ess.rutgers.edu:8443/cas/login</param-value>
      </init-param>
      <init-param>
        <param-name>serverName</param-name>
        <param-value>http://www.acme-client.com</param-value>
      </init-param>
    </filter>
  50. CAS Clients

    Java CAS Client Configuration #2

    <filter>
      <filter-name>CAS Validation Filter</filter-name>
      <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
      <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <param-value>https://battags.ad.ess.rutgers.edu:8443/cas</param-value>
      </init-param>
      <init-param>
        <param-name>serverName</param-name>
        <param-value>http://www.acme-client.com</param-value>
      </init-param>
    </filter>
  51. CAS Clients

    Java CAS Client Configuration #3

    <filter>
      <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
      <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
    </filter>
  52. CAS Clients

    .NET CAS client
    Implemented as an ASP.NET HttpModule
    Client configuration is specified in the client web application's web.config file
    Requires forms-based authentication, depends on cookies
    Mapped using .NET's native authorization framework
    Retrieve the authenticated principal via HttpContext.User as ICasPrincipal
    Codebase hosted on GitHub at https://github.com/Jasig/dotnet-cas-client
  53. CAS Clients

    .NET CAS Client Configuration #1

    <casClientConfig casServerLoginUrl="https://mmoayyed-1933.unicon.net:9443/cas/login"
                     casServerUrlPrefix="https://mmoayyed-1933.unicon.net:9443/cas/"
                     serverName="mmoayyed-1933.unicon.net"
                     notAuthorizedUrl="~/NotAuthorized.aspx"
                     cookiesRequiredUrl="~/CookiesRequired.aspx"
                     redirectAfterValidation="true"
                     gateway="false"
                     renew="false"
                     singleSignOut="true"
                     ticketTimeTolerance="5000"
                     ticketValidatorName="Cas20"
                     proxyTicketManager="CacheProxyTicketManager"
                     serviceTicketManager="CacheServiceTicketManager"
                     gatewayStatusCookieName="CasGatewayStatus" />
    <system.webServer>
      <modules>
        <add name="DotNetCasClient" type="DotNetCasClient.CasAuthenticationModule,DotNetCasClient" />
      </modules>
    </system.webServer>
  54. CAS Clients

    .NET CAS Client Configuration #2

    <authentication mode="Forms">
      <forms loginUrl="https://mmoayyed-1933.unicon.net:9443/cas/login"
             timeout="30"
             defaultUrl="~/Default.aspx"
             cookieless="UseCookies"
             slidingExpiration="true"
             path="/" />
    </authentication>
    <authorization>
      <deny users="?" />
    </authorization>
  55. CAS Clients

    CASification troubleshooting tips
    Provide/enable sufficient logging for the app/client
    Beware of the distinction between the CAS SSO session and the application session
    Verify HTTPS settings: the most common cause of CAS integration issues!
    Java CAS Client: verify your filter mappings
  56. Shibboleth

    What is Shibboleth?
    Open-source project that provides federated Single Sign-On
    Primarily composed of an Identity Provider v2.4.0 (Java) and a Service Provider v2.5.1 (.NET, Apache)
    The authentication conversation is carried through the SAML protocol
    shibboleth.net
  57. Shibboleth

    How does Shibboleth (IdP) work?
    Accept a SAML authentication request from the Service Provider a user wants to access
    Authenticate the user against your organization's existing authentication service
    Collect user data from your organization's existing data stores
    Apply policy to control what data is released to which Service Provider
    Securely transmit the collected information to the Service Provider
  58. Shibboleth

    Shibboleth Features
    Works with all other known SAML implementations
    InCommon Federation
    Levels of Assurance
    LDAP, Kerberos, web server and servlet container-based authentication support
    Securely transmit the collected information to the Service Provider
  59. Shibboleth

    Identity Provider Build
    Download the IdP: http://shibboleth.net/products/download.html
    IdP installer is based on Apache Ant
    JDK6 (JDK7 is unofficially supported), Tomcat6
    Use install.[bat|sh]
    Specify the location of the IDP_HOME
    Specify the server FQDN
    Obtain the resulting WAR file from IDP_HOME\war
  60. Shibboleth

    Identity Provider WAR Deployment
    Deploy IDP_HOME\war to the container
    WAR explosions? Possible caching issues?
    Or... (Recommended) Use a context fragment:

    <Context docBase="$IDP_HOME$/war/idp.war"
             privileged="true"
             antiResourceLocking="false"
             antiJARLocking="false"
             unpackWAR="false"
             swallowOutput="true" />
  61. Shibboleth

    Shibboleth Identity Provider Template
    Available on GitHub, by Unicon: https://github.com/Unicon/unicon-shibboleth-idp-template
    Automates the Identity Provider install and configuration
    Current build is based on v2.3.8
  62. Shibboleth

    IdP Status and Configuration
    Query health and configuration information: http://idp.example.org/idp/status
    Can be configured to filter per relying party
    Access can be restricted to trusted locations in $IDP_HOME/conf/web.xml

    <!-- Servlet for displaying IdP status. -->
    <servlet>
      <servlet-name>Status</servlet-name>
      <servlet-class>edu.internet2.middleware.shibboleth.idp.StatusServlet</servlet-class>
      <!-- Space separated list of CIDR blocks allowed to access the status page -->
      <init-param>
        <param-name>AllowedIPs</param-name>
        <param-value>127.0.0.1/32 ::1/128 192.168.0.0/16</param-value>
      </init-param>
      <load-on-startup>2</load-on-startup>
    </servlet>
  63. Shibboleth

    Shibboleth Configuration
    $IDP_HOME/logs: Server log files (idp-process.log)
    $IDP_HOME/metadata: Service provider metadata and configuration
    $IDP_HOME/conf: Authentication, logging, relying parties, etc
    $IDP_HOME/lib: Binary components and JARs required by the IdP
  64. Shibboleth

    Shibboleth Logging
    $IDP_HOME/conf/logging.xml: controls output messages that are sent to the log
    Default logging level is set to INFO. Switch to DEBUG during development and testing

    <!-- Logs IdP, but not OpenSAML, messages -->
    <logger name="edu.internet2.middleware.shibboleth" level="DEBUG" />
  65. Shibboleth

    Shibboleth Authentication
    $IDP_HOME/conf/handler.xml: ProfileHandlers, ErrorHandlers, LoginHandlers
    Mapping "special" URLs to the underlying SAML aspect
    Configuration of various login handlers for authentication:
    Remote User, External Authentication, Username / Password, Previous Session, ...

    <ph:ProfileHandler xsi:type="ph:SAMLMetadata" metadataFile="c:\misagh\idp/metadata/idp-metadata.xml">
      <ph:RequestPath>/Metadata/SAML</ph:RequestPath>
    </ph:ProfileHandler>
    <ph:LoginHandler xsi:type="ph:RemoteUser">
      <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</ph:AuthenticationMethod>
    </ph:LoginHandler>
  66. Shibboleth

    Shibboleth Attribute Resolution
    $IDP_HOME/conf/attribute-resolver.xml: Retrieve or build attributes
    Attribute definitions may be simple, scoped, patterns, static scripts, principal, mapped, VTL, etc
    Powerful querying capabilities to external data sources (LDAP, SQL, etc)
    Construction of custom attributes through scripts
    More: https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAddAttribute

    <resolver:AttributeDefinition xsi:type="ad:Simple" id="uid" sourceAttributeID="uid">
      <resolver:Dependency ref="myLDAP" />
      <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:uid" />
      <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" />
    </resolver:AttributeDefinition>

    <resolver:DataConnector id="myLDAP" xsi:type="dc:LDAPDirectory"
        ldapURL="ldap://ldap.example.org"
        baseDN="ou=people,dc=example,dc=org"
        principal="uid=myservice,ou=system"
        principalCredential="myServicePassword">
      <dc:FilterTemplate>
        <![CDATA[ (uid=$requestContext.principalName) ]]>
      </dc:FilterTemplate>
    </resolver:DataConnector>
  67. Shibboleth

    Shibboleth Attribute Resolution

    <resolver:AttributeDefinition id="userIdWithDomain" xsi:type="ad:Script">
      <resolver:Dependency ref="sAMAccountName" />
      <resolver:Dependency ref="distinguishedName" />
      <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:userIdWithDomain" />
      <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.19" friendlyName="userIdWithDomain" />
      <ad:Script><![CDATA[
        importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
        importPackage(Packages.org.slf4j);
        logger = LoggerFactory.getLogger("edu.internet2.middleware.shibboleth.resolver.Script.userIdWithDomain");
        logger.debug("Starting to prepare userId attribute with the proper domain name...");
        accountName = sAMAccountName.getValues().get(0);
        if (userIdWithDomain == null) {
          userIdWithDomain = new BasicAttribute("userIdWithDomain");
          logger.debug("Constructed the [userIdWithDomain] basic attribute object for [sAMAccountName]=" + accountName);
        }
        if (distinguishedName != null) {
          dn = distinguishedName.getValues().toString();
          logger.debug("Found the distinguishedName attribute value " + dn);
          if (dn.contains("DC=lab")) {
            logger.debug("User [" + accountName + "] is part of the lab domain.");
            userIdWithDomain.getValues().add("LAB.SCHOOL.EDU\\" + accountName);
          } else {
            logger.debug("User [" + accountName + "] is part of the root domain.");
            userIdWithDomain.getValues().add("SCHOOL.EDU\\" + accountName);
          }
        } else {
          logger.warn("distinguishedName is null or not configured");
        }
        logger.debug("Values for attribute [userIdWithDomain] were: " + userIdWithDomain.getValues());
      ]]></ad:Script>
    </resolver:AttributeDefinition>
  68. Shibboleth

    Shibboleth Attribute Release
    $IDP_HOME/conf/attribute-filter.xml: Flexible rules engine
    Release (or block) attributes to service providers
    Matching rules may be ANY, AND, OR, AttributeRequesterString, PrincipalNameRegex, AuthenticationMethodRegex, etc
    More: https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAddAttributeFilter

    <afp:AttributeFilterPolicy id="releaseTransientIdToAnyone">
      <afp:PolicyRequirementRule xsi:type="basic:ANY" />
      <afp:AttributeRule attributeID="transientId">
        <afp:PermitValueRule xsi:type="basic:ANY" />
      </afp:AttributeRule>
    </afp:AttributeFilterPolicy>
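As an added illustration (not the IdP's own code), a small evaluator for the policy structure shown above: it parses a constructed attribute-filter.xml that uses basic:ANY, basic:AttributeRequesterString and basic:AttributeValueString and computes which of a user's resolved attribute values a given service provider actually receives, which is the "apply policy to control what data is released to which Service Provider" step. The namespace URIs are the IdP v2 ones; the sample entityIDs, attribute ids and values are constructed, and the evaluator covers only this subset of match functions.

```python
import xml.etree.ElementTree as ET

# Namespaces used by $IDP_HOME/conf/attribute-filter.xml (Shibboleth IdP v2).
AFP = "urn:mace:shibboleth:2.0:afp"
BASIC = "urn:mace:shibboleth:2.0:afp:mf:basic"
XSI = "http://www.w3.org/2001/XMLSchema-instance"

# Constructed sample policy: transientId goes to anyone; uid goes only to one SP;
# eduPersonAffiliation goes to that SP too, but only the "member" value.
SAMPLE_FILTER = f"""
<afp:AttributeFilterPolicyGroup id="sample" xmlns:afp="{AFP}" xmlns:basic="{BASIC}" xmlns:xsi="{XSI}">
  <afp:AttributeFilterPolicy id="releaseTransientIdToAnyone">
    <afp:PolicyRequirementRule xsi:type="basic:ANY" />
    <afp:AttributeRule attributeID="transientId">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>
  <afp:AttributeFilterPolicy id="releaseToPortal">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
                               value="https://portal.example.org/shibboleth" />
    <afp:AttributeRule attributeID="uid">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="eduPersonAffiliation">
      <afp:PermitValueRule xsi:type="basic:AttributeValueString" value="member" />
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>
"""


def _q(ns, local):
    """Clark-notation tag name as ElementTree expects it."""
    return f"{{{ns}}}{local}"


def _rule_type(elem):
    """xsi:type is written with a prefix ("basic:ANY"); keep only the local name."""
    return elem.get(_q(XSI, "type"), "").split(":")[-1]


def policy_applies(rule, requester):
    """Evaluate a PolicyRequirementRule against the requesting SP's entityID."""
    kind = _rule_type(rule)
    if kind == "ANY":
        return True
    if kind == "AttributeRequesterString":
        return rule.get("value") == requester
    children = rule.findall(_q(BASIC, "Rule"))   # nested rules of AND/OR/NOT
    if kind == "OR":
        return any(policy_applies(r, requester) for r in children)
    if kind == "AND":
        return all(policy_applies(r, requester) for r in children)
    if kind == "NOT":
        return not any(policy_applies(r, requester) for r in children)
    raise ValueError(f"unsupported PolicyRequirementRule type: {kind}")


def value_permitted(rule, value):
    """Evaluate a PermitValueRule for a single attribute value."""
    kind = _rule_type(rule)
    if kind == "ANY":
        return True
    if kind == "AttributeValueString":
        return rule.get("value") == value
    raise ValueError(f"unsupported PermitValueRule type: {kind}")


def filter_attributes(filter_xml, requester, attributes):
    """Return {attributeID: [values]} released to `requester`.

    Mirrors the engine's permissive semantics: a value is released when any
    policy whose requirement rule matches has an AttributeRule permitting it;
    attributes no policy mentions are never released.
    """
    root = ET.fromstring(filter_xml)
    released = {}
    for policy in root.findall(_q(AFP, "AttributeFilterPolicy")):
        req = policy.find(_q(AFP, "PolicyRequirementRule"))
        if req is None or not policy_applies(req, requester):
            continue
        for attr_rule in policy.findall(_q(AFP, "AttributeRule")):
            attr_id = attr_rule.get("attributeID")
            permit = attr_rule.find(_q(AFP, "PermitValueRule"))
            if permit is None or attr_id not in attributes:
                continue
            for value in attributes[attr_id]:
                if value_permitted(permit, value):
                    bucket = released.setdefault(attr_id, [])
                    if value not in bucket:
                        bucket.append(value)
    return released


if __name__ == "__main__":
    resolved = {"transientId": ["_abc123"], "uid": ["jsmith"],
                "eduPersonAffiliation": ["member", "staff"]}
    print(filter_attributes(SAMPLE_FILTER, "https://portal.example.org/shibboleth", resolved))
    print(filter_attributes(SAMPLE_FILTER, "https://other.example.net/shibboleth", resolved))
```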
  69. Shibboleth

    Shibboleth Relying Parties
    $IDP_HOME/conf/relying-party.xml: sources of SAML metadata
    Define IdP SAML characteristics and the security credentials for internal/external metadata and encryption
    Settings can be configured per service provider, or by a DefaultRelyingParty setting

    <metadata:MetadataProvider id="ShibbolethMetadata" xsi:type="metadata:ChainingMetadataProvider">
      <metadata:MetadataProvider id="IdPMD" xsi:type="metadata:FilesystemMetadataProvider"
          metadataFile="c:\misagh\idp/metadata/idp-metadata.xml" maxRefreshDelay="P1D" />
      <metadata:MetadataProvider id="URLMD" xsi:type="metadata:FileBackedHTTPMetadataProvider"
          metadataURL="http://testshib.org/metadata.xml"
          backingFile="/misagh/idp/metadata/testshib-metadata.xml">
        <!--
        <metadata:MetadataFilter xsi:type="metadata:ChainingFilter">
          <metadata:MetadataFilter xsi:type="metadata:RequiredValidUntil" maxValidityInterval="P7D" />
          <metadata:MetadataFilter xsi:type="metadata:SignatureValidation"
              trustEngineRef="shibboleth.MetadataTrustEngine" requireSignedMetadata="true" />
          <metadata:MetadataFilter xsi:type="metadata:EntityRoleWhiteList">
            <metadata:RetainedRole>samlmd:SPSSODescriptor</metadata:RetainedRole>
          </metadata:MetadataFilter>
        </metadata:MetadataFilter>
        -->
      </metadata:MetadataProvider>
    </metadata:MetadataProvider>
  70. Shibboleth

    Shibboleth WebApp Descriptor
    $IDP_HOME/conf/web.xml: IdP webapp descriptor
    Defines mappings to URLs, webapp application context, IdP servlets, etc
    Does not exist by default. Copy from the installer for an easier transition between upgrades
    Installer detects an existing $IDP_HOME and uses its files as an overlay
  71. CASify Shibboleth

    How can we CASify the Shibboleth IdP server?
    Designate CAS as the authentication provider for the IdP in two ways:
    REMOTE_USER
      SAML features isPassive and forceAuth NOT supported
      Comprehensive documentation available at https://wiki.jasig.org/display/CASUM/Shibboleth-CAS+Integration
    Shibboleth's ExternalAuth API
      cas_shib_authenticator: Bridge Authentication pattern
      isPassive == gateway, forceAuth == renew
      Comprehensive documentation available at https://github.com/Unicon/shib-cas-authenticator
  72. CAS & Shibboleth

    Shib/CAS Authenticator Architecture
    IdP's external authentication plugin: delegates the authentication to CAS
    CAS protected web resource: acting as an authentication facade
    CAS Invoker Servlet: acting as a bridge between CAS and IdP
    IdP SSO Session management is turned off
    User experience is only limited to CAS and the application!
  73. CAS & Shibboleth

    Bridge Integration Pattern
    Avoid manipulation and wrangling of applications
    Stand up a Translator/Adapter: speak one language, translate to another
    Leverage the mechanism for other unsupported protocols and cloud
    "Ask not what CAS can do for you. Ask what you can do with CAS!" Andrew Petro, Unicon
  74. CAS & Shibboleth

    What does this really mean?!
    CAS has marginal SAML support, primarily invented for Google Apps integration
    CAS itself no longer has to provide SAML support!
    Any application that speaks SAML can now be CASified
    Examples may include Office365, Jenzabar's JICS portal, etc
    Note: CAS's attribute retrieval/release is irrelevant to the IdP
  75. CAS Addons

    What is CAS Addons?
    Open source collection of CAS extensions
    Publicly available for the CAS Server and Java CAS client
    Developed and maintained by Unicon
    Released via Maven Central, intended to be used in your overlay
    CAS Server addons: https://github.com/Unicon/cas-addons
    Java CAS client addons: https://github.com/Unicon/cas-java-clients-addons
    Current version: 1.5.2
  76. CAS Addons

    What is in CAS Addons?
    JSON Service Registry
    MongoDb Service Registry
    JSON Person Directory Attributes
    JSON Validation Response
    ShiroHashServicePasswordEncoder
    Active SSO Sessions Report
    Stormpath Authentication Handler
    Spring Security CAS ClearPass Extension (Client)
    Restricting ClearPass to Proxy Authentication (Client)
    Ability to capture CAS Server events
    Yubikey Authentication Support
    ...
  77. CAS Addons

    JSON Service Registry Configuration #1

    {
      "services": [
        {
          "id": 1,
          "serviceId": "https://www.google.com/**",
          "name": "GOOGLE",
          "description": "Google Service",
          "theme": "my_example_theme",
          "allowedToProxy": true,
          "enabled": true,
          "ssoEnabled": true,
          "anonymousAccess": false,
          "evaluationOrder": 1
        }
      ]
    }
  78. CAS Addons

    JSON Service Registry Configuration #2

    <context:component-scan base-package="net.unicon.cas.addons.serviceregistry">
      <context:exclude-filter type="annotation" expression="org.springframework.stereotype.Repository" />
    </context:component-scan>

    <bean id="reloadadableServicesManagerSupressionAspect"
          class="net.unicon.cas.addons.serviceregistry.ReloadableServicesManagerSuppressionAspect"
          factory-method="aspectOf" />

    <bean id="registeredServicesChangeDetectingEventNotifier"
          class="net.unicon.cas.addons.support.ResourceChangeDetectingEventNotifier"
          c:watchedResource="file:/etc/cas/servicesRegistry.conf" />

    <task:scheduler id="springScheduler" pool-size="3" />
    <task:scheduled-tasks scheduler="springScheduler">
      <task:scheduled ref="registeredServicesChangeDetectingEventNotifier"
                      method="notifyOfTheResourceChangeEventIfNecessary" fixed-delay="2000" />
    </task:scheduled-tasks>
  79. CAS Addons

    ShiroHashServicePasswordEncoder Configuration

    <bean id="passwordEncoder"
          class="net.unicon.cas.addons.authentication.handler.ShiroHashServicePasswordEncoder"
          init-method="init"
          p:digestAlgorithmName="SHA-1"
          p:salt="Fe7(CN)18"
          p:hashIterations="100" />
  80. CAS Addons

    Spring Security ClearPass Configuration

    <authentication-manager alias="authManager" erase-credentials="false">
      <authentication-provider ref="casAuthProvider" />
    </authentication-manager>

    <b:bean id="casAuthProvider"
            class="net.unicon.casclients.addons.springsecurity.ClearpassRetrievingCasAuthenticationProvider"
            p:clearPassEndpointUrl="${clearpass.endpoint.url}">
  81. Getting Help

    CAS Manual: https://wiki.jasig.org/display/CASUM40/Home
    Shibboleth Manual: https://wiki.shibboleth.net/confluence/display/SHIB2/Home
    Shib/CAS Authenticator: https://github.com/Unicon/shib-cas-authenticator
    CAS Addons: https://github.com/Unicon/cas-addons
    Unicon IAM Labs: https://github.com/Unicon/iam-labs
    Mailing lists: cas-user, cas-dev, shibboleth-user, shibboleth-dev
    Unicon Open Source Support
    Professional services: Implementation Planning Sessions (IPS), skinning, training, etc
  82. Apereo Sessions

    The Latest about the Central Authentication Service: Monday 10:00am to 10:45am
    Factoring the Authentication Equation: Integrating Multi-factor Authentication into CAS/Shi: Tuesday, 11:00am to 11:45am
    The Thrill of The Hunt - Tracking and Terminating Single Sign-On Sessions in CAS and Shibb: Wednesday, 2:45pm