Getting Started with CAS Workshop at OpenApereo 2016 New York City

1. Open Apereo 2016
100% Open for Education
Getting Started with CAS
Misagh Moayyed

2. Hello, World!
5 years @ Unicon, 7 years @ Apereo
IAM (TIER, CAS, Shibboleth, Grouper, etc)
CAS/Grouper PMC
@misagh84
@mmoayyed

3. Leading provider of IT consulting, services, and support
specializing in open source for education technology
Services and support for these fine Apereo projects:

4. Let’s
Introduction
Server Overview
Deployment, Configuration, Features, etc.
Clients Overview
Q/A

5. What is CAS?
http://apereo.github.io/cas/
Free/Open source
enterprise SSO
for all earthlings
Open well-
documented protocol
Server software;
with many clients

7. Protocol
Ticket [Cookie] based
Login ⇨ Ticket Received ⇨ Ticket Validated ⇨
Similar to OAuth2 / OpenID Connect
Slightly less insane (No payload encryption/signing)
Can be insane (N-tiered/Proxy AuthN)
Thou MUST trust SSL

8. Basically…

9. It’s NOT about the protocol.

10. Server Implementations
Apereo CAS (Java)
Shibboleth IdP v3.x (Java)
SimpleSAMLphp (PHP)
RubyCAS (Ruby)
CASino (Ruby)
txCAS (python)

11. Apereo Server
Java 8, Spring, Spring Boot, Thymeleaf, Servlet 3+
100+ modules
Deployed as a Maven/Gradle “overlay”

12. Demo

13. Build
https://git.io/vr2Ra (Maven)
https://git.io/vr2Rw (Gradle Overlay)
https://git.io/vr2R2 (Gradle Plugin)

14. Demo

15. Deployment
Standalone executable war
External servlet container
Tomcat 8, Jetty 9, Wildfly 10, etc

16. Demo

17. Externalized Configuration
https://git.io/vr2R6

18. “But, moooom…I have a cluster”
Monitor. Refresh. Notify.
POST to /bus/refresh
Every node is on the Cloud Bus (AMQP).
...and refreshes its context when notified.
What do you do? Nothing.

19. Auto-Configuration
Auto-configure the application context
Intention-driven development
You’re really making Pizza.

20. XML/Groovy Configuration
Extensions can be defined via:
XML
Groovy
Groovy beans are automatically loaded/monitored

21. Demo

22. Administration
Peek into the application runtime
Status, Health, Threads, Settings, Mappings, etc
Administrative runtime control
Shutdown, Restart, Refresh, etc

23. Demo

24. Application Registration
https://git.io/vr2R7
Service definitions can be managed via
JSON, LDAP, MongoDb, JPA, Couchbase
Use the “Services Management” interface

25. Demo

26. Multifactor Authentication
https://git.io/vr2Rb
CAS supports the following MFA providers
Duo Security, Google Authenticator, RADIUS, YubiKey
Triggers are:
Opt-in, per app, per attribute, per app/attribute, global
Failure modes:
NONE, CLOSED, OPENED, PHANTOM

27. CAS AuthN Event Tracking
Record authentication events
Includes supports for Geo Location
Persistence managed by MongoDb, JPA
Used to evaluate AuthN Request “risk score”

28. Delegated Authentication
CAS can delegate authentication to:
CAS
SAML2 IdP
Facebook, Twitter, Google+, etc
ADFS

30. CAS Groovy Shell
https://git.io/vr20k
Access CAS runtime via Groovy Console
Ensure connection is SECURE
Groovy Scriptlets are monitored/reloaded

31. CAS as SAML2 IdP
Produce SAML2 metadata
Consume RP metadata
Support for Metadata Aggregates (InCommon)
Support for MDQ protocol

32. CAS as OIDC OP
Built atop CAS OAuth2
Dynamic Discovery
AuthZ Code/Implicit workflow
Claims resolution/release

33. Others
Service Access Strategies/Properties
REST API to manage services
Basic & JWT AuthN
New ticket registry options:
Redis, Cassandra, Couchbase, Ignite
Google Analytics
Web Session Replication via
Hazelcast, Redis, Mongo

34. Apereo Clients
.NET: https://git.io/vr20X
Java: https://git.io/vr201
PHP: https://git.io/vr20D
Apache: https://git.io/vr20S
Unofficial clients:
https://goo.gl/csga6W

35. CAS Next
Administrator User Interfaces
Logging, Settings, Statistics
Risk-based Adaptive AuthN
Improve SAML2/OIDC protocol support
More declarative configuration

36. Resources
@misagh84
@mmoayyed
Mailing Lists:
https://git.io/vr20V
Gitter:
https://gitter.im/apereo/cas
Stackoverflow:
http://goo.gl/Y62JW3

37. Q/A