Jasig CAS 3.5 includes new features such as LDAP password policy integration, OAuth support, and additional monitoring capabilities. It also continues to refine existing functionality like service registration matching and SSO session expiration policies. The release remains in testing, but GA is expected soon. Users are encouraged to test the upgrade process outside of production before deploying CAS 3.5.
1. Jasig CAS 3.5 - What’s new?
Jasig-Sakai 2012
Monday June 11th 2012
Atlanta, GA
Andrew Petro - Unicon, Inc.
2. Who am I?
CAS committer
Previously, CAS steering committee member
3. I work for
Trusted Partner since 1993
Expertise in Open Source Software for Education
Professional Services for CAS, Shibboleth, uPortal, Sakai, Grouper, Student Success Plan, ...
Innovative Cooperative Support program
4. CAS-related at this conference - today
Jasig CAS 3.5 - What’s new? (this)
Fordham Goes ABAC for CAS - Extending CAS with Attribute-Based Access Control
5. CAS-related at this conference - tomorrow
Columbia Goes Goo-Google for CAS - Extending CAS with WIND Protocol Support and Service Registry
High Availability in Hurricane Alley - Multi-site Multi-node CAS Deep in the Heart of Texas
11. CAS is
open source single sign-on for the Web
Modify applications to rely upon CAS to authenticate the user
12. Good features
Pluggable, flexible, and malleable
a toolkit for building your institutional login experience
Simple CAS protocol and client libraries
n-tier delegated authentication
password replay still possible if you really want
17. CAS is simple
Example: CAS doesn’t want to *be* your store of credentials, your account management system, your attribute repository.
It wants to leverage your IdM infrastructure to broker Web logins
Kinds of credentials CAS supports:
passwords (bind against LDAP, in a database, ...)
x.509 certificates
OAuth
...
21. Lots of applications with available CAS support
uPortal
Sakai
Drupal
Wordpress
Liferay
Blackboard
...
22. Lots of adopting institutions
Unclear how many?
http://millionshort.com/search.php?q=Jasig+CAS&remove=1000k
23. Community (via Jasig)
email lists
wiki and issue tracker
source control (now on GitHub)
this conference
...
24. Implement using Maven overlay
Factor your CAS implementation as pom.xml dependency declaration, local configuration, and local customizations
CAS distribution + your dependencies + your changes + your configuration = your CAS implementation
26. CAS 3.4
Mature, well-known
3.4.12 is latest patch release
Patch releases are intended to be zero pain drop-in upgrades
Well understood and a fine conservative choice for your CAS implementation today
27. CAS 3.4.12
3.4.12 is latest release
Regular expression support in service registration matching
Misc. fixes and improvements in recent 3.4.x releases
31. Theme 1: Extensions coming into CAS product
LPPE - LDAP Password / Account status reflection
ClearPass - optional password caching and selective, secure release
EhCache Ticket Registry - another option for ticket state clustering
OAuth2 producer and consumer support - more ways to authenticate users to CAS and to integrate with CAS in relying applications
32. LPPE - LDAP account status reflection
Why is authentication against LDAP (Active Directory) failing?
Password wrong?
Account is locked?
Other error code?
Now error codes reflected in UI.
Initially integrates with Active Directory, with potential for more error mappings
33. ClearPass
Optional password caching and selective, secure password release to relying applications
This was a separate CAS extension, now drawn into the core CAS product
Off by default. Several steps required to turn on this feature.
35. Why else do I need ClearPass?
Outlook Web Application CASification?
WebAdvisor CASification?
It’s a tool. You may need it. You may be able to avoid it. Try to avoid.
36. Do I have to cache and release passwords?
Absolutely not.
Off by default. Very.
But now easier to turn on, with less messing around with Maven and dependencies conflict resolution.
37. EhCache Ticket Registry
Another option for clustering ticket registry state among clustered CAS server nodes
Bridges from CAS TicketRegistry API to EhCache
Options within EhCache for implementing and replicating that cache
RMI
Terracotta
42. Theme 2: Incremental honing and maturity
Regular expressions in service registration matching *
Better SSO session expiration policy *
Improved properties handling
Improved health monitoring
Upgrades to dependencies, Spring framework version, etc.
* = also in later / latest CAS 3.4.x release
43.
44. SSO session expiration policy
(“TicketGrantingTicket” expiration policy)
Set both a hard timeout
And a sliding window idle timeout
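A model of the combined policy on this slide, as an added example in Java that is not CAS source code or configuration from the presentation. The class and method names are hypothetical, and the 8 hour and 2 hour values are constructed for illustration.

```java
import java.util.concurrent.TimeUnit;
// Added illustration, not CAS source: all class and method names are hypothetical.
public class SsoSessionExpiryDemo {
    // Minimal stand-in for the timestamps an SSO session (ticket-granting ticket) carries.
    static final class Session {
        final long createdAtMs;
        long lastUsedAtMs;
        Session(long nowMs) { this.createdAtMs = nowMs; this.lastUsedAtMs = nowMs; }
        void touch(long nowMs) { this.lastUsedAtMs = nowMs; }
    }

    // Expires a session when EITHER the hard lifetime or the idle window is exceeded.
    static final class HardAndIdleTimeoutPolicy {
        private final long maxLifetimeMs;
        private final long maxIdleMs;
        HardAndIdleTimeoutPolicy(long maxLifetimeSeconds, long maxIdleSeconds) {
            if (maxLifetimeSeconds <= 0 || maxIdleSeconds <= 0) {
                throw new IllegalArgumentException("timeouts must be positive");
            }
            this.maxLifetimeMs = TimeUnit.SECONDS.toMillis(maxLifetimeSeconds);
            this.maxIdleMs = TimeUnit.SECONDS.toMillis(maxIdleSeconds);
        }

        String check(Session s, long nowMs) {
            if (nowMs - s.createdAtMs >= maxLifetimeMs) return "EXPIRED (hard timeout)";
            if (nowMs - s.lastUsedAtMs >= maxIdleMs) return "EXPIRED (idle timeout)";
            return "valid";
        }
    }

    public static void main(String[] args) {
        long minute = TimeUnit.MINUTES.toMillis(1);
        // Constructed values: 8 hour hard limit, 2 hour idle window.
        HardAndIdleTimeoutPolicy policy = new HardAndIdleTimeoutPolicy(8 * 3600, 2 * 3600);

        // A user active every 90 minutes never idles out; the hard timeout still ends the session.
        Session active = new Session(0);
        for (long t = 90 * minute; t <= 540 * minute; t += 90 * minute) {
            String state = policy.check(active, t);
            System.out.println("active user, t=" + (t / minute) + " min: " + state);
            if (!state.equals("valid")) break;
            active.touch(t);
        }

        // A user who logs in and walks away is cut off by the idle window alone.
        Session idle = new Session(0);
        System.out.println("idle user, t=150 min: " + policy.check(idle, 150 * minute));
    }
}
```

The hard limit bounds how long a stolen or forgotten session can be kept alive by periodic use, which a sliding window on its own does not do.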
45. Improved properties handling
More in cas.properties
Sensible defaults optionally overridden by cas.properties (set what you change)
Easier to put cas.properties outside of the .war
Logging configuration file location set in cas.properties
46.
47.
48.
49.
50. (Those were all old, actually)
The incremental feature in CAS 3.5 is additional monitoring, suitable for targeting with an automated probe.
51. CAS 3.5 status
3.5 RC2 now available for testing
Doing QA, mopping up issues and glitches
3.5 GA release “soon”
days or weeks, not months or years
Expect patch releases to follow a 3.5.0 release
52. How you upgrade
Update your pom.xml to depend on CAS 3.5
Not using Maven Overlay? Good time to start?
Resolve conflicts, merge your configuration with new defaults, migrate forward your service registry data
Test outside of production!
Roll to production
53. What else is new?
GitHub
New committer Jérôme Leleu
Better integration for using CAS as the login mechanism for Shibboleth IdP
phpCAS client release
56. CAS + Shib = happy
CAS for flexible single sign-on experience
Spring Web Flow!
Shibboleth IdP for rigorous SAML2 and Federation
Better implementation of this at:
https://github.com/Unicon/shib-cas-authenticator
Presentation later in conference
57. phpCAS client library release
Much better handling of proxy CAS (n-tier delegated authentication) features