2. Hello, World!
5 years @ Unicon, 7 years @ Apereo
IAM (TIER, CAS, Shibboleth, Grouper, etc.)
CAS/Grouper PMC
@misagh84
@mmoayyed
3. Leading provider of IT consulting, services, and support
specializing in open source for education technology
Services and support for these fine Apereo projects:
7. Protocol
Ticket [Cookie] based: a ticket-granting cookie holds the SSO session, each application gets a single-use service ticket
Login ⇨ Ticket Received ⇨ Ticket Validated ⇨
Similar to OAuth2 / OpenID Connect
Slightly less insane (no payload encryption or signing; tickets are opaque, single-use handles the application validates server-to-server)
Can be insane (N-tiered / proxy authentication)
Thou MUST trust SSL: with nothing signed at the message layer, all trust rests on TLS and the CAS server certificate
18. “But, moooom…I have a cluster”
Monitor. Refresh. Notify.
POST to /bus/refresh
Every node is on the Cloud Bus (AMQP).
...and refreshes its context when notified.
What do you do? Nothing.
26. Multifactor Authentication
https://git.io/vr2Rb
CAS supports the following MFA providers
Duo Security, Google Authenticator, RADIUS, YubiKey
Triggers are:
Opt-in, per app, per attribute, per app/attribute, global
Failure modes:
NONE, CLOSED, OPENED, PHANTOM
27. CAS AuthN Event Tracking
Record authentication events
Includes support for geolocation
Persistence via MongoDB or JPA
Used to evaluate AuthN Request “risk score”
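How recorded events turn into a risk score, as an added example: a small heuristic scorer, not the CAS project's own risk engine, that compares a new request with a user's history on four signals (source network, user agent, distance from any previously seen location, hour of day) and maps the score to allow / step-up / block. The history, the request and the weights are constructed; network matching assumes IPv4.

```python
"""Scoring a new authentication request against recorded events.
Added example, not the CAS project's risk engine; the history below is constructed."""
from datetime import datetime
from ipaddress import ip_address, ip_network
from math import asin, cos, radians, sin, sqrt

# Constructed: one user's recent successful authentications (geo = lat, lon).
HISTORY = [
    {"ip": "192.0.2.10", "ua": "Firefox/54", "geo": (41.88, -87.63), "ts": "2017-03-01T09:05:00+00:00"},
    {"ip": "192.0.2.11", "ua": "Firefox/54", "geo": (41.88, -87.63), "ts": "2017-03-02T08:55:00+00:00"},
    {"ip": "192.0.2.12", "ua": "Firefox/54", "geo": (41.88, -87.63), "ts": "2017-03-03T09:10:00+00:00"},
]

WEIGHTS = {"ip": 0.25, "ua": 0.25, "geo": 0.3, "hour": 0.2}   # assumed weights, sum to 1.0


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) pairs in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def risk_factors(request, history):
    """Each factor is 0.0 (matches past behaviour) up to 1.0 (entirely new)."""
    # IPv4 /24 neighbourhood of every address seen before (assumption: IPv4 only)
    known_nets = [ip_network(e["ip"] + "/24", strict=False) for e in history]
    ip_f = 0.0 if any(ip_address(request["ip"]) in n for n in known_nets) else 1.0
    ua_f = 0.0 if request["ua"] in {e["ua"] for e in history} else 1.0
    nearest_km = min(haversine_km(request["geo"], e["geo"]) for e in history)
    geo_f = min(nearest_km / 1000.0, 1.0)          # saturates at 1000 km
    # Hour-of-day window of +/-2h around any previously seen hour (no midnight wrap).
    seen_hours = {datetime.fromisoformat(e["ts"]).hour for e in history}
    hour = datetime.fromisoformat(request["ts"]).hour
    hour_f = 0.0 if any(abs(hour - h) <= 2 for h in seen_hours) else 1.0
    return {"ip": ip_f, "ua": ua_f, "geo": geo_f, "hour": hour_f}


def risk_score(request, history, weights=WEIGHTS):
    """Weighted sum of the factors, rounded to three places."""
    f = risk_factors(request, history)
    return round(sum(weights[k] * f[k] for k in weights), 3)


def decide(score, step_up=0.3, block=0.8):
    """Policy thresholds (assumed): step-up to MFA above 0.3, block above 0.8."""
    if score >= block:
        return "block"
    if score >= step_up:
        return "require-mfa"
    return "allow"


if __name__ == "__main__":
    usual = {"ip": "192.0.2.20", "ua": "Firefox/54", "geo": (41.88, -87.63), "ts": "2017-03-04T09:00:00+00:00"}
    odd = {"ip": "203.0.113.5", "ua": "curl/7.52", "geo": (52.52, 13.40), "ts": "2017-03-04T03:00:00+00:00"}
    for r in (usual, odd):
        s = risk_score(r, HISTORY)
        print(s, decide(s), risk_factors(r, HISTORY))
```

The point of keeping the factors separate from the weights is that the thresholds can be tuned per application, which is where the "per app" MFA triggers on the previous slide and the recorded events meet.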
31. CAS as SAML2 IdP
Produce SAML2 metadata
Consume RP metadata
Support for Metadata Aggregates (InCommon)
Support for MDQ protocol
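Two of the pieces above in working form, as an added example that is not the CAS project's SAML code: building the MDQ lookup URL for an entityID (both the percent-encoded and the `{sha1}` transformed identifier the MDQ draft defines), and consuming a relying party's metadata to extract its signing certificate and AssertionConsumerService endpoints, then choosing where a Response may be sent. The SP metadata document, hostnames and certificate body are constructed.

```python
"""MDQ lookup URLs and relying-party (SP) metadata checks.
Added example, not CAS project code; metadata, hosts and certificate bodies are constructed."""
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import quote

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>Q09OU1RSVUNURUQtU0lHTklORw==</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>Q09OU1RSVUNURUQtRU5DUllQVElPTg==</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1" isDefault="true"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://sp.example.org/Shibboleth.sso/SAML2/Artifact" index="2"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://sp.example.org/legacy/POST" index="3"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def mdq_url(base, entity_id, hashed=True):
    """MDQ addresses an entity at <base>/entities/<identifier>, where the identifier
    is the entityID itself or the '{sha1}' transform (hex SHA-1 of the entityID).
    Either way it is percent-encoded as one path segment, braces included."""
    ident = ("{sha1}" + hashlib.sha1(entity_id.encode()).hexdigest()) if hashed else entity_id
    return base.rstrip("/") + "/entities/" + quote(ident, safe="")


def parse_sp(xml_text):
    """Extract what an IdP needs from SP metadata: signing certs and ACS endpoints."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    signing_certs = []
    for kd in sp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":     # a KeyDescriptor without 'use' serves both
            signing_certs += [c.text.strip() for c in kd.findall(".//ds:X509Certificate", NS)]
    acs = [{"binding": a.get("Binding"), "location": a.get("Location"),
            "index": int(a.get("index")), "default": a.get("isDefault") == "true"}
           for a in sp.findall("md:AssertionConsumerService", NS)]
    return {"entity_id": root.get("entityID"),
            "authn_requests_signed": sp.get("AuthnRequestsSigned") == "true",
            "signing_certs": signing_certs, "acs": acs}


def resolve_acs(sp, binding, requested_location=None):
    """Pick the endpoint a Response goes to. If the AuthnRequest named an
    AssertionConsumerServiceURL, honour it only when metadata lists it with the
    same binding; otherwise use the default (or lowest-index) endpoint. Plain
    http endpoints are refused even if the SP registered them."""
    candidates = [a for a in sp["acs"] if a["binding"] == binding]
    if requested_location is not None:
        candidates = [a for a in candidates if a["location"] == requested_location]
    if not candidates:
        return None
    candidates.sort(key=lambda a: (not a["default"], a["index"]))
    chosen = candidates[0]
    return chosen if chosen["location"].startswith("https://") else None


if __name__ == "__main__":
    print(mdq_url("https://mdq.example.org/", "https://sp.example.org/shibboleth"))
    sp = parse_sp(SP_METADATA)
    print(sp["entity_id"], sp["authn_requests_signed"], len(sp["signing_certs"]))
    print(resolve_acs(sp, POST))
    print(resolve_acs(sp, POST, "https://attacker.example/acs"))   # None: not in metadata
```

The `resolve_acs` check is the one that matters most: an IdP that trusts the AssertionConsumerServiceURL in an unsigned AuthnRequest without checking it against metadata will post assertions to whatever URL the requester names.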
32. CAS as OIDC OP
Built atop CAS OAuth2
Dynamic Discovery
Authorization Code / Implicit flows
Claims resolution/release
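Claims release and the checks a client must run on the resulting ID token, as an added example that is not the CAS project's OIDC code: the OP maps granted scopes to the standard claim sets from OpenID Connect Core section 5.4, mints an ID token carrying only those claims, and the relying party pins the algorithm, checks the signature, issuer, audience, expiry and nonce. It signs with HS256 over the client secret, which Core permits for confidential clients, to stay stdlib-only; a real OP normally uses RS256 with keys published at the discovery document's `jwks_uri`. Issuer, client id, secret, attributes and timestamps are all constructed.

```python
"""Scope-based claim release and ID token verification.
Added example, not CAS project code; issuer, client, secret and attributes are constructed."""
import base64
import hashlib
import hmac
import json

# Standard scopes and the claims they cover (OpenID Connect Core 1.0, section 5.4).
SCOPE_CLAIMS = {
    "profile": {"name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"},
    "email": {"email", "email_verified"},
    "address": {"address"},
    "phone": {"phone_number", "phone_number_verified"},
}


def release_claims(attributes, scopes):
    """Only claims covered by a granted scope leave the OP; 'openid' alone releases none."""
    allowed = set().union(*(SCOPE_CLAIMS.get(s, set()) for s in scopes))
    return {k: v for k, v in attributes.items() if k in allowed}


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input, secret):
    return hmac.new(secret, signing_input, hashlib.sha256).digest()


def issue_id_token(attributes, scopes, *, issuer, client_id, subject, nonce, secret, now, ttl=300):
    """OP side: required claims plus whatever the scopes release, HS256-signed."""
    payload = {"iss": issuer, "sub": subject, "aud": client_id,
               "iat": now, "exp": now + ttl, "nonce": nonce}
    payload.update(release_claims(attributes, scopes))
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    signature = _sign((header + "." + body).encode(), secret)
    return header + "." + body + "." + _b64url(signature)


def verify_id_token(token, *, issuer, client_id, nonce, secret, now):
    """RP side (Core section 3.1.3.7). Returns (claims, None) or (None, reason)."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None, "malformed token"
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":                # pin the algorithm; never trust the header's choice
        return None, "unexpected alg"
    if not hmac.compare_digest(_sign((h + "." + p).encode(), secret), _b64url_decode(s)):
        return None, "bad signature"
    claims = json.loads(_b64url_decode(p))
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if claims.get("iss") != issuer:
        return None, "issuer mismatch"
    if client_id not in aud:
        return None, "audience mismatch"
    if now >= claims.get("exp", 0):
        return None, "expired"
    if claims.get("nonce") != nonce:                # binds the token to this login; vital in the implicit flow
        return None, "nonce mismatch"
    return claims, None


if __name__ == "__main__":
    attrs = {"name": "Jane Smith", "email": "jsmith@example.org", "email_verified": True,
             "phone_number": "+15550100", "memberOf": ["staff"]}
    common = dict(issuer="https://cas.example.org/cas/oidc", client_id="client1", secret=b"s3cret")
    tok = issue_id_token(attrs, ["openid", "email"], subject="jsmith", nonce="n-1", now=1500000000, **common)
    print(verify_id_token(tok, nonce="n-1", now=1500000100, **common))
    print(verify_id_token(tok, nonce="other", now=1500000100, **common))
```

Note that `memberOf` never appears in the token even though the OP has it: a non-standard attribute needs its own scope (or a custom claim mapping) before it is released, which is exactly what "claims resolution/release" configures.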
33. Others
Service Access Strategies/Properties
REST API to manage services
Basic & JWT AuthN
New ticket registry options:
Redis, Cassandra, Couchbase, Ignite
Google Analytics
Web Session Replication via
Hazelcast, Redis, Mongo
35. CAS Next
Administrator User Interfaces
Logging, Settings, Statistics
Risk-based Adaptive AuthN
Improve SAML2/OIDC protocol support
More declarative configuration