5. Past Events
• 2017 Internet2 Global Summit: 23–26 Apr, Washington, DC
■ Demos of latest TIER work, including Grouper and the new deployment guide, CoManage, work on packaging (e.g., Docker) of Shib, Grouper, etc., and Consent work
■ Sessions on sustainability and governance of TIER broadly, and of Shibboleth specifically
■ IAM “front and center” for the first time at a Global Summit, with a keynote focused on its importance
6. Upcoming Events
• 2017 Open Apereo: 4–8 June, Philadelphia, PA
• InCommon Shibboleth Workshop: 13–14 June, Denver, CO
• InCommon Shibboleth Workshop: 19–20 July, Lafayette College, Easton, PA
• Internet2 2017 Technology Exchange: 15–18 Oct, San Francisco, CA
• EDUCAUSE 2017 Annual Conference: 31 Oct–3 Nov, Philadelphia, PA
• InCommon Shibboleth Workshop: 7–8 Nov, NIH, Bethesda, MD
7. IAM Trends
• MFA, Risk-based Adaptive AuthN for Shibboleth, CAS
• OpenID Connect / OAuth2
• Metadata Query (MDQ) Protocol
• Mobile app & API authentication
• TIER: Packaging, APIs, Person Registry, ...
• Cloud deployments
8. IDP | SP
Mike Grady
Community Updates &
Unicon Contributions
9. Community Update
● Identity Provider
○ Current Stable Release
■ IdP v3.3.1 (March 15, 2017)
■ IdP v3.3.1.1 - Windows Only (March 23, 2017)
○ All previous v2’s, v3’s are no longer supported
○ Security Advisory 5/18/17 concerning Kerberos usage
● Service Provider
○ Current Stable Release
■ Linux: SP v2.6.0 (June 29, 2016)
■ Windows: SP v2.6.0.1 (November 3, 2016)
10. Shibboleth - What’s New
● Identity Provider 3.3.1
○ Fixes second-factor authentication bypass
■ ALL VERSIONS < 3.3.1 SHOULD UPGRADE!
■ https://shibboleth.net/community/advisories/secadv_20170315.txt
○ 3.3.1.1 (Windows Only)
■ Fixes issue related to new installations not installing Jetty (IDP-1149) correctly
11. Shibboleth - New in 3.3.x
● Built-in MFA (“composable” flow) support, including Duo support (Unicon’s Duo extension won’t work with v3.3 or later)
● Support for limiting password attempts in the IdP
● Resolver changes to simplify namespaces and to define attributes from the environment, subject, etc.
● Updates for accessibility in default views
● Support for local file-based dynamic resolution of metadata
12. Shib IdP v3.3
● Lots of new objects (beans and configuration files), properties, and a variety of other new features added with 3.3 and 3.3.1
● Some warnings/“be aware” items noted for upgraders, followed by information on enhancements
○ Notes to Upgraders 3.3.1
■ https://wiki.shibboleth.net/confluence/x/aYEEAQ
○ Notes to Upgraders 3.3
■ https://wiki.shibboleth.net/confluence/x/aYEEAQ
14. Sustaining Engineering
● Shib-CAS-AuthN v3
https://github.com/Unicon/shib-cas-authn3
● Hazelcast Storage Service
https://github.com/UniconLabs/shibboleth-hazelcast-storage-service
● Shib IdP as a Gradle Overlay
https://github.com/UniconLabs/shibboleth-idp-gradle-overlay
● IdP v3 powered by Docker
https://github.com/unicon/shibboleth-idp-dockerized
● Provide accessibility-related UI tweaks to project
● Retired:
○ Duo Support for IdP v3
15. Sustaining Engineering
● Planning to do a security analysis of Shibboleth
○ Threat model, code analysis
○ OWASP recommendations
○ Execute in conjunction with TIER efforts and recommendations (TIER Security & Audit Working Group)
● Consideration on UI in progress
● Consideration on reporting and monitoring
● Discussion on storage backends, Redis
16. Shib IdP v3.4
● Next version of Shib IdP scheduled Q4 2017
○ Support for configurable trust for remotely accessed TLS-protected configuration resources
○ Support for key pinning of LDAP connections
○ Metadata generated at first install now has a validUntil of the date of installation (IDP-1118)
17. Shib SP V3.0
● More work on the SP is on the Shib team roadmap; see the end of the Committed Work section:
○ https://wiki.shibboleth.net/confluence/x/OYBC
○ Q1 2018
○ SP has been “on minimal needed maintenance” while the team focused on IdP 3.x
○ SP v3.0
○ Module for IIS 7+
19. CAS 5
● CAS 5.0 Highlights
○ Simplified Configuration Management & Setup
○ OpenID Connect Support
○ Multi-Factor Authentication (Duo Security, RADIUS, YubiKey, and more...)
○ SAML2 Service Provider (SP) Integrations
○ Thymeleaf templating engine
20. CAS 5.1
● Feature highlights of this release:
○ Risk-Based authentication
○ Redis ticket registry
○ MongoDB ticket registry
○ DynamoDB ticket registry
○ Enhance CAS admin endpoints security
○ Multiple attribute repositories config via cas.properties
○ Scripted attribute release
○ Spring Boot based CAS admin server
○ And much, much more…
21. Sustaining Engineering
● CAS-related projects - 50% completed within SE
● Spring Boot auto config for CAS Java clients
https://github.com/Unicon/cas-client-autoconfig-support
● Command line tool for smoke testing distributed service registries
https://github.com/cas-projects/duct
● Command line tool for CAS5 admin endpoints (experimental)
https://github.com/cas-projects/casctl
● Publish CAS5 events to RabbitMQ (experimental)
https://github.com/UniconLabs/cas-publish-events-via-spring-cloud-stream
22. CAS Resources
● CAS maintenance policy:
https://apereo.github.io/cas/developer/Maintenance-Policy.html
● Apereo Blog:
https://apereo.github.io/
24. Grouper v2.3.0
● New functionality announced at Internet2 Global Summit:
○ Instrumentation
○ Real time loader
○ Loader in UI
○ Attestation
○ Subject API diagnostics
○ Configuration migrated to hierarchical properties files
○ PSPNG
25. Grouper Deployment Guide
● Guidance on Deploying Grouper
● Goal to have consistency across deployers
https://spaces.internet2.edu/download/attacments/93651000/TI.25.1-TIERGrouperDeploymentGuide.pdf
26. Grouper Training
● Half Day Grouper Training at Open Apereo
○ When: June 4th, 2017, 1:30pm
○ Where: Philadelphia, Pennsylvania
○ Trainers: Bill Thompson & Chris Hyzer
● Rumor: They will be serving free food!
Can’t make it? Unicon can do on-site training
27. Community Sponsored Work
● Google Apps (G Suite) Provisioner (recent additions by Columbia University)
https://github.com/Internet2/grouper/tree/master/grouper-misc/googleapps-grouper-provisioner
● External Subjects UI Enhancement (sponsored by Columbia University)
https://github.com/Unicon/grouper-external-email-users
● Subject Customizer (recent additions sponsored by UC Berkeley)
https://github.com/Unicon/grouper-subject-customizer
● Google to Grouper Group Migration (sponsored by the University of Notre Dame)
https://github.com/Unicon/grouper-subject-customizer
28. Sustaining Engineering
● Internet2 Grouper Dockerized: Composable images/containers (regularly updated with Grouper patches)
https://github.com/Unicon/grouper-dockerized
● Grouper-Demo for Docker (regularly updated with Grouper, but also has been getting a face lift)
https://hub.docker.com/r/unicon/grouper-demo/
● Custom Provisioning Target Form (minor updates)
https://github.com/Unicon/grouper-provisioning-target-ui
● Azure AD (Office 365) Provisioner (updates planned)
https://github.com/Unicon/office365-and-azure-ad-grouper-provisioner
29. Questions / Discussion
Mike Grady
mgrady@unicon.net
Dmitry Kopylenko
dkopylenko@unicon.net
John Gasper
jgasper@unicon.net
Editor's Notes
Unicon's CAS strategy
* Participate directly in CAS
* Develop open source software on behalf of clients
* Inform maintenance development through support
You have to source your support somewhere
* In-house staff
* Goodwill and engagement of the community
* Commercial partner (e.g., Unicon)
* (Reality: often a combination of these)
Unicon's "Cooperative" Support
* Cooperates with you, your staff, the community
* Support experiences yield improved public documentation
* Support-inspired and subscriber-needs-guided open source maintenance development
** Directly in and available for adoption with the Jasig CAS software
Thank you to our support subscribers!
* Support subscriptions make Unicon maintenance development possible
* Support experiences and subscriber input guide Unicon maintenance development towards the worthwhile
U Michigan is now looking at it.
Shib-cas-authn3: recent updates include better error handling when the IdP session has expired or isn’t available when the CAS ticket is returned to the IdP (usually caused by the user staying on CAS too long, or Shib IdPs being bounced). The RP’s entityId can now officially be passed as part of the service querystring, allowing the CAS Service Registry to make authentication and MFA decisions. CAS Server 5.1 will have support for using the entityId as the serviceId without requiring regex hacks to make it work.
There’s more than one way to skin a cat, and the Grouper Deployment Guide aims to get folks using a common/consistent taxonomy.
Google Apps (also a contribution by Columbia University)
External Subjects - UI Enhancement (sponsored by Columbia, but future enhancements will likely be OSS)