2016 09-15 unicon-iam-update
•Download as PPTX, PDF•
0 likes•579 views
September 15, 2016 Unicon IAM Quarterly briefing.
Recommended
Recommended
More Related Content
What's hot
What's hot (12)
Similar to 2016 09-15 unicon-iam-update
Similar to 2016 09-15 unicon-iam-update (20)
Recently uploaded
Recently uploaded (20)
2016 09-15 unicon-iam-update
- 1. Unicon IAM Webinar CAS, Shibboleth, Grouper 15 September 2016 - 11am Pacific Time (PT) Mike Grady • Dmitriy Kopylenko • John Gasper Join from PC, Mac, Linux, iOS or Android: https://unicon.zoom.us/j/588322739 Or iPhone one-tap (US Toll): +16465588656,588322739# or +14086380968,588322739# Or Telephone: Dial: +1 646 558 8656 (US Toll) or +1 408 638 0968 (US Toll) Meeting ID: 588 322 739
- 2. Welcome • Community updates • Unicon contributions • Q&A
- 3. Presenters Mike Grady Shibboleth IDP | Shibboleth SP Dmitriy Kopylenko CAS John Gasper Grouper Charise Arrowood MC
- 5. • OpenID Connect Workshop: 22-23, 24-25 Feb 2016 in Denver, CO • Open Apereo Conference: 22-25 May 2016 in NYC • 2016 Internet2 Global Summit: 15–18 May, Chicago, IL Past Events
- 6. • Internet2 2016 Technology Exchange: 25-29 Sept, Miami, FL • EDUCAUSE 2016 Annual Conference: 25-28 Oct, Anaheim, CA • InCommon Shibboleth Workshop: 27-28 Oct, Long Beach, CA • 2017 Internet2 Global Summit: 23–26 Apr, Washington, DC • 2017 Open Apereo: 4-8 June, Philadelphia, PA Upcoming Events
- 7. IAM Trends •MFA for Shibboleth, CAS ○Risk-based Adaptive AuthN •OpenID Connect •TIER: Packaging, APIs, Person Registry, ... •SAML Integrations w/ O365 & ADFS •Metadata Query (MDQ) Protocol
- 8. IAM Trends •IAM in the Cloud ○Hosted SSO services and more ○Unicon’s offering: https://www.unicon.net/solutions/IAM-cloud
- 9. IDP | SP Mike Grady Unicon Contributions
- 10. News ● Identity Provider V2.4.5, OpenSAML 2.6.6 ○ EOL !!!! V2 full End-Of-Life date was July 31, 2016 ○ 2.4.4 was last 2.x “minimum safe release” ● Service Provider V2.6.0 Now Available ○ Includes a new version of the Xerces XML parser that addresses Apache Xerces-C XML Parser library versions prior to V3.1.4 security vulnerability
- 11. Shibboleth Versions ● Latest versions: ○ IdP v3.2.1 (19 Dec 2015) ○ V3.1.1 considered “minimum safe release” ○ SP v2.6.0 (27 June 2016) ● v3.2.0 and v3.2.1 released ○ HTML5 local storage ○ SLO: Front channel SAML and CAS ○ SPNEGO authentication ○ Bug fixes
- 12. Now Past End-Of-Life ….. How soon that is a significant problem is unknown, could be tomorrow, could be months, but you need to have a plan to upgrade. Shibboleth 2.x Lifetime
- 13. IdP: OpenID Connect https://github.com/uchicago/shibboleth-oidc ●Authorization/Implicit Flow ●Dynamic Discovery ●Standard/Custom claims ●Certified by OpenID foundation for University of Chicago
- 14. Shib-CAS AuthN v3 https://github.com/Unicon/shib-cas-authn3 ● v3.1.0 ○ Shibboleth IdP v3.X support ○ Fixed encoding on entityId/service parameters. ● Plan to produce a version where attributes returned from CAS are available to the IdP, and the AuthN Context Class w.r.t MFA. ○ Info from CAS coming back is done, now need a “data connector” to expose it for use within the IdP
- 15. Other/Ongoing work ● Hazelcast Storage Service https://github.com/UniconLabs/shibboleth-hazelcast-storage-service ● Duo Support for IdP v3 https://github.com/Unicon/shib-mfa-duo-auth ●Shib IdP as a Gradle Overlay https://github.com/UniconLabs/shibboleth-idp-gradle-overlay ● IdP v3 powered by Docker https://github.com/unicon/shibboleth-idp-dockerized
- 16. Other/Ongoing work ● Split Authn ○ Support for users coming from 2 different Authentication/Attribute sources in distinct config files, only one or the other used for Authn and Resolver for any given authentication. ○ Easy to “hard code” attributes based on source (“role”) chosen. “Role” choice on Login page. ○ Demo with 2 LDAP servers, but should work with any 2 sources ○ https://github.com/Unicon/ccc-shib-split-authn
- 17. Other/Ongoing work ● Coming Soon: Symantec VIP MFA ○ Token Authentication ○ OTP Authentication ○ Push Authentication ○ Risk based Authentication ○ Sponsored by the University of Wisconsin - Whitewater ○ Work done, but not yet “fully generalized” for open source
- 18. Shib IdP v3.3 ● Next version of Shib IdP due by late 2016 ● Improvements to logout options and accessibility aspects of such ● Adding in more built-in support for metadata filtering, more “conditionals”, etc. ● New login flow(s) allowing combining factors in what the Shib Dev core team believes will be a more manageable/predictable way
- 19. Shib IdP v3.3 ● Looks like an “out-of-the-box” Duo flow will be part of it ●Unicon will need to determine if our current Duo plugin should be “retired” or updated for the new version. ○ Or if there are updates to the supplied one that make sense to add ● Unicon will need to verify and/or “modify” our other current authentication flow add-ons
- 21. CAS v4.2 ● v4.2.5 is the current version ○ Dynamic Plug-N-Play module configuration ○ ADFS/WS-FED delegated authN ○ UIs to manage SSO sessions/statistics ○ BASIC, JWT, Shiro, MongoDB, Stormpath authN ○ Couchbase, Ignite, Infinispan ticket registries ○ ABAC via attributes, time, or Grouper ●See http://jasig.github.io/cas/4.2.x/index.html
- 22. CAS v5.0.0 ● Tentative release date: October 2016 ● Current release: 5.0.0.RC1 ● Major features: ○ MFA via DuoSecurity, RADIUS, YubiKey ■ Risk-based adaptive authN ○ SAML2 Web SSO support ○ OAuth/OIDC support ○ Full internal config re-architecture via Spring Boot ○ Java 8
- 23. Other/Ongoing work ● Auto config for CAS Java clients https://github.com/Unicon/cas-client-autoconfig-support ● Delegated SAML authN for CAS 3.5.x https://github.com/UniconLabs/cas-saml-auth ● Bootstrap CAS via a Gradle overlay: https://github.com/UniconLabs/cas-strap
- 24. Further CAS Resources ● CAS maintenance policy: https://apereo.github.io/cas/developer/Maintenance- Policy.html ● Apereo Blog: https://apereo.github.io/
- 26. Grouper v2.3.0 ● Can run multiple simultaneous Loader/Daemon instances ●WS: Manage attribute/permission defs; TIER authorization ●PSP-NG: New Grouper provisioner ○ LDAP and AD connectors built-in ●Exporting tree to GSH script. ●Lots of patches: ○ API: 24, UI: 8, WS: 5, PSP-NG: 2
- 27. Other/Ongoing work ●Internet2 Grouper Dockerized: Composable images/containers https://github.com/Unicon/grouper-dockerized ● Grouper-Demo for Docker https://hub.docker.com/r/unicon/grouper-demo/ ● Custom Provisioning Target Form https://github.com/Unicon/grouper-provisioning-target-ui ● Azure AD (Office 365) Provisioner https://github.com/Unicon/office365-and-azure-ad-grouper- provisioner
- 28. Docker Demo Grouper environment based on the composable images/container
- 29. Questions / Discussion Mike Grady mgrady@unicon.net Dmitry Kopylenko dkopylenko@unicon.net John Gasper jgasper@unicon.net
Editor's Notes
- Unicon's CAS strategy* Participate directly in CAS* Develop open source software on behalf of clients* Inform maintenance development through support. You have to source your support somewhere* In-house staff* Goodwill and engagement of the community* Commercial partner (e.g., Unicon)* (Reality Often combination of these)Unicon's "Cooperative" Support* Cooperates with you, your staff, the community* Support experiences yield improved public documentation* Support-inspired and subscriber-needs-guided open source maintenance development** Directly in and available for adoption with the Jasig CAS softwareThank you to our support subscribers!* Support subscriptions make Unicon maintenance development possible* Support experiences and subscriber input guide Unicon maintenance development towards the worthwhile
- https://www.incommon.org/shibtraining/
- https://spaces.internet2.edu/display/Grouper/Grouper+2.3+Release+Announcement https://spaces.internet2.edu/display/Grouper/v2.3+Release+Notes