Jasig CAS 3.5 includes new features such as LDAP password policy integration, OAuth support, and additional monitoring capabilities. It also continues to refine existing functionality like service registration matching and SSO session expiration policies. The release remains in testing, but GA is expected soon. Users are encouraged to test the upgrade process outside of production before deploying CAS 3.5.

1. Jasig CAS 3.5 -
What’s new?
Jasig-Sakai 2012
Monday June 11th 2012
Atlanta, GA
Andrew Petro - Unicon, Inc.

2. Who am I?
CAS committer
Previously, CAS steering committee member

3. I work for
Trusted Partner since 1993
Expertise in Open Source Software for Education
Professional Services for CAS, Shibboleth, uPortal,
Sakai, Grouper, Student Success Plan, ...
Innovative Cooperative Support program

4. CAS-related at this
conference - today
Jasig CAS 3.5 - What’s
new? (this)
Fordham Goes ABAC for
CAS - Extending CAS
with Attribute-Based
Access Control

5. CAS-related at this
conference - tomorrow
Columbia Goes Goo- High Availability in
Google for CAS - Hurricane Alley - Multi-
Extending CAS with site Multi-node CAS
WIND Protocol Support Deep in the Heart of
and Service Registry Texas

6. CAS-related at this
conference - Thursday
Shibboleth and CAS -
more perfect together

7. This session
What is CAS anyway?
Status of CAS 3.4
What’s new in CAS 3.5?
What’s otherwise new in
CAS?
Questions, discussion
Lunch!

8. What is CAS, anyway?

11. CAS is
open source Modify applications to
rely upon CAS to
single sign-on
authenticate the user
for the Web

12. Good features
Pluggable, flexible, and malleable
a toolkit for building your institutional login experience
Simple CAS protocol and client libraries
n-tier delegated authentication
password replay still possible if you really want

16. You
are h
ere.

17. CAS is simple
Example: CAS doesn’t Kinds of credentials CAS
want to *be* your store supports:
of credentials, your
passwords (bind
account management
against LDAP, in a
system, your attribute
database, ...)
repository.
x.509 certificates
It wants to leverage your
IdM infrastructure to OAuth
broker Web logins
...

18. Spring Web Flow

19. Spring Web Flow useful for
adding
Acceptable Use Policy acceptance prompt
stale / expired password warning / enforcement
nuanced authentication error messaging / handling
coarse grained access control
target-application-specific handling
...

20. Lots of integration libraries
Java / Java Servlet Ruby
Filter / Spring Security /
PAM module
Apache Shiro / Tomcat
Python
Apache module
...
.NET
PHP
Perl

21. Lots of applications with
available CAS support
uPortal ...
Sakai
Drupal
Wordpress
Liferay
Blackboard

22. Lots of adopting institutions
Unclear how many?
http://millionshort.com/
search.php?q=Jasig
+CAS&remove=1000k

23. Community (via Jasig)
email lists
wiki and issue tracker
source control (now on
GitHub)
this conference
...

24. Implement using Maven
overlay
Factor your CAS CAS distribution + your
implementation as dependencies + your
pom.xml dependency changes + your
declaration, local configuration = your CAS
configuration, and local implementation
customizations

25. CAS 3.4

26. CAS 3.4
Mature, well-known
3.4.12 is latest patch release
Patch releases are intended to be zero pain drop-in
upgrades
Well understood and a fine conservative choice for your
CAS implementation today

27. CAS 3.4.12
3.4.12 is latest release
Regular expression support in service registration
matching
Misc. fixes and improvements in recent 3.4.x releases

28. CAS 3.5 - what’s new

29. 3.5 “minor” release
Incur some upgrade pain on 3.4 to 3.5
In exchange for new functionality and improvements

30. Themes
Theme 1: extensions coming into CAS product
Theme 2: incremental honing and maturity

31. Theme 1: Extensions
coming into CAS product
LPPE - LDAP OAuth2 producer and
Password / Account consumer support -
status reflection more ways to
authenticate users to
ClearPass - optional
CAS and to integrate
password caching and
with CAS in relying
selective, secure release
applications
EhCache Ticket Registry
- another option for
ticket state clustering

32. LPPE - LDAP account
status reflection
Why is authentication Now error codes
against LDAP (Active reflected in UI.
Directory) failing?
Password wrong?
Initially integrates with
Account is locked? Active Directory, with
potential for more error
Other error code?
mappings

33. ClearPass
optional password off by default. several
caching and selective, steps required to turn on
secure password release this feature.
to relying applications
This was a separate CAS
extension, now drawn
into the core CAS
product

34. Why do I need ClearPass??

35. Why else do I need
ClearPass?
Outlook Web Application
CASification?
WebAdvisor
CASification?
It’s a tool. You may need
it. You may be able to
avoid it. Try to avoid.

36. Do I have to cache and
release passwords?
Absolutely not.
Off by default. Very.
But now easier to turn
on, with less messing
around with Maven and
dependencies conflict
resolution.

37. EhCache Ticket Registry
Another option for Options within EhCache
clustering ticket registry for implementing and
state among clustered replicating that cache
CAS server nodes
RMI
Bridges from CAS
Terracotta
TicketRegistry API to
EhCache

38. OAuth Producer and
Consumer support
and improved OpenID
support

39. Choose to login via OAuth

40. Login at e.g. GitHub

41. Validating the ticket

42. Theme 2: Incremental
honing and maturity
Regular expressions in Improved health
service registration monitoring
matching *
Upgrades to
Better SSO session dependencies, Spring
expiration policy * framework version, etc.
Improved properties
handling
* = also in later / latest
CAS 3.4.x release

44. SSO session expiration
policy
(“TicketGrantingTicket” expiration policy)
Set both a hard timeout
And a sliding window idle timeout

45. Improved properties
handling
More in cas.properties
Sensible defaults optionally overridden by
cas.properties (set what you change)
Easier to put cas.properties outside of the .war
Logging configuration file location set in cas.properties

50. (Those were all old, actually)
The incremental feature in CAS 3.5 is additional
monitoring, suitable for targeting with an automated
probe.

51. CAS 3.5 status
3.5 RC2 now available for testing
Doing QA, mopping up issues and glitches
3.5 GA release “soon”
days or weeks, not months or years
Expect patch releases to follow a 3.5.0 release

52. How you upgrade
Update your pom.xml to depend on CAS 3.5
Not using Maven Overlay? good time to start?
Resolve conflicts, merge your configuration with new
defaults, migrate forward your service registry data
Test outside of production!
Roll to production

53. What else is new?
GitHub
New committer Jérôme Leleu
Better integration for using CAS as the login
mechanism for Shibboleth IdP
phpCAS client release

54. CAS now using GitHub

55. New committer
Jérôme Leleu
Contributed OAuth support
admirably active on lists, in the project

56. CAS + Shib = happy
CAS for flexible single sign-on experience
Spring Web Flow!
Shibboleth IdP for rigorous SAML2 and Federation
Better implementation of this at:
https://github.com/Unicon/shib-cas-authenticator
Presentation later in conference

57. phpCAS client library release
Much better handling of proxy CAS (n-tier delegated
authentication) features

58. Summary
Active project
Continued maturity
Gently pulling successful extensions into the core
product

59. Questions? Discussion?

60. Contact information
Andrew Petro
apetro@unicon.net
http://www.unicon.net/blog/apetro
http://www.unicon.net/contact

61. Lunch
Atlanta Ballroom
7th floor

62. Lunch
Atlanta Ballroom
7th floor

63. Contact information
Andrew Petro
apetro@unicon.net
http://www.unicon.net/blog/apetro
http://www.unicon.net/contact