This document provides updates on CAS, Shibboleth, and Grouper from a briefing held on July 9, 2015. It summarizes recent releases and versions of each, upcoming events, community highlights, trends in identity and access management, and Unicon's contributions and support for the open source projects.
Unicon July 2015 IAM Briefing
1. Unicon IAM Update
CAS, Shibboleth, Grouper
09 July 2015
Jonathan Johnson • Misagh Moayyed • David Langenberg
Audio is via Adobe Connect.
There is no phone dial-in.
2. Welcome to this briefing
• Updates on CAS, Shibboleth and Grouper
• Unicon contributions to CAS, Shibboleth and Grouper
• Unicon's Open Source Support
• Q&A
3. Misagh Moayyed
• IAM, Shibboleth, CAS, uPortal
• Unicon’s Open Source Support for CAS technical lead
7. Past Events
• Internet2 Global Summit: 26-30 Apr 2015 Washington D.C.
• Educause Security Professionals Conf: 4-6 May Minneapolis, MN
• Open Apereo: 31 May-4 June Baltimore, MD
8. Upcoming Events
• InCommon Shibboleth Workshop: 17-18 Sept 2015 Cupertino, CA
• Internet2 2015 Technology Exchange: 4-7 Oct 2015 Cleveland, OH
• InCommon Shibboleth Workshop: 19-20 Oct 2015 Arlington, TX
10. IAM Trends
• MFA for Shibboleth, MFA for CAS, etc.
○ Device/Location aware features
○ Risk-based AuthN
• O365/ADFS Integration with CAS/Shibboleth
• Grouper and Provisioning
12. CAS Server Versions
● CAS Server v3.6.0 / v4.0.2 (12 Jun 2015)
■ OAuth/OpenID bug fixes
■ Localization and UI improvements
■ Protocol URL/Parameter sanitizations
● CAS Server v4.0.3 (early next week)
■ Security filter upgrade
■ LDAP/LPPE bug fixes
■ Localization/UTF-8 improvements
● CAS Server v4.1.0 (In development)
13. CAS 4.1 – Goodies
https://youtu.be/P_GTXEAt5oU
● JSON Service Registry / RBAC
● Better Management Interface
● SLO/Logo/Logout url per application
● Password/PGT as attributes
● Many more...
14. CAS Server Security Filter
https://github.com/Jasig/cas-server-security-filter
• Suitable for patching in place deployments that are vulnerable to CAS-protocol-input attacks.
• v2.0.3 released 3-Jul-2015.
17. Shibboleth Versions
• Latest versions:
• IdP v3.1.2 (1 Jul 2015)
• SP v2.5.4 (19 Mar 2015)
• New adopters are encouraged to use v3
• Current deployers to explore upgrades
18. Shibboleth 2.x Lifetime
• IdP v2.4.4 was released 25 Feb 2015 to address a security issue; OpenSAML-J was also updated
• IdP v2.4 end of life timeline (assuming you haven’t upgraded):
○ Dec 31, 2015: Plan to upgrade
○ Feb 29, 2016: Done with upgrade
○ Mar 31, 2016: Really done with upgrade
○ July 31, 2016: IdP 2.x full EOL
19. Multi-Context Broker
● Analysis of Shib IdPv3 and MCB:
https://wiki.shibboleth.net/confluence/x/EoEEAQ
● Believed to be generally un-needed in IdP v3; waiting for general guidance to be released.
22. Grouper v2.2.1
http://goo.gl/5LrGAR
• Released 10 Nov 2014.
• 36 patches available (21 since last briefing):
• Selective PSP provisioning
• Better UTF-8 character support
• Lots of bug fixes
http://software.internet2.edu/grouper/release/2.2.1/patches/
24. Open Source Support
• Support OSS as adopted by the community
• Collaboration with community and subscribers
• “Act in the best interest of the subscribers, the community, and the project”
26. CAS 4.X Enhancements
• JSON Service Registry
• REST API improvements
• SSO Sessions / AUP workflows
• LDAP/LPPE bug fixes
• ...
27. Other/Ongoing work
• CAS WS-Fed module for CAS 4.0
https://github.com/Unicon/cas-adfs-integration
• Allow a principal to authN as another
https://github.com/UniconLabs/cas-surrogate-principal
• Java CAS client: regex in proxy chains
https://github.com/Jasig/java-cas-client
28. CAS Addons
3.5.X: https://github.com/Unicon/cas-addons
4.X: https://github.com/unicon-cas-addons
• 3.15 and 3.16 released since last webinar
• 4.x compatible versions are available as individual libraries instead of a monolithic library.
• HazelcastTicketRegistry updated in April.
32. Other/Ongoing work
• Hazelcast Session Storage
https://github.com/UniconLabs/shib-hazelcast-storage-service
• Duo Support for IdP v3
https://github.com/Unicon/shib-mfa-duo-auth
• IdP v3 powered by Docker
https://github.com/jtgasper3/docker-shibboleth-idp
34. Grouper-related
• Grouper Bugs:
○ GRP-1137: Group copy issue related to hooks (reported and fixed by devs)
○ GRP-1139: Grouper API reports non-fatal issues when multiple hook classes are specified (reported and fixed by Unicon)
• Grouper-Demo for Docker:
https://registry.hub.docker.com/u/unicon/grouper-demo
• Grouper ESB AMQP Publisher
https://github.com/Unicon/grouper-amqp-esb-publisher
36. What we do
• Collaborate to maintain current stable recommended releases
• Work towards next releases
• Explore extensions and opportunities
• Responsive to inputs from subscriber experiences
• Feedback is especially welcome!
• Learn from providing support
• Empathize with your needs and projects
37. Questions / Discussion
• Misagh Moayyed,
Support for CAS Technical Lead
mmoayyed@unicon.net
• Jonathan (Jj) Johnson,
jj@unicon.net
• David Langenberg,
dlangenberg@unicon.net
Editor's notes
Unicon's CAS strategy
• Participate directly in CAS
• Develop open source software on behalf of clients
• Inform maintenance development through support
You have to source your support somewhere
• In-house staff
• Goodwill and engagement of the community
• Commercial partner (e.g., Unicon)
• (Reality: often a combination of these)
Unicon's "Cooperative" Support
• Cooperates with you, your staff, the community
• Support experiences yield improved public documentation
• Support-inspired and subscriber-needs-guided open source maintenance development
○ Directly in and available for adoption with the Jasig CAS software
Thank you to our support subscribers!
• Support subscriptions make Unicon maintenance development possible
• Support experiences and subscriber input guide Unicon maintenance development towards the worthwhile