Check out the highlights about CAS, Shibboleth and Grouper!

1. Unicon IAM Webinar
CAS, Shibboleth, Grouper
May 19, 2017 - 10am Pacific Time (PT)
Mike Grady • Dmitriy Kopylenko • John Gasper

2. OSS Briefing Agenda
CAS - Shibboleth - Grouper
○Goals of the OSS Briefing
○IAM Events & Trends
○Shibboleth, CAS, Grouper
■Community News & Activities
■Unicon OSS SE contribution
■Unicon “other” contributions
○Open Forum/Q&A

3. Presenters
Mike Grady
Shibboleth IDP | Shibboleth SP
Dmitriy Kopylenko
CAS
John Gasper
Grouper
Charise Arrowood
MC

4. Events & Trends

5. • 2017 Internet2 Global Summit: 23–26 Apr, Washington, DC
■Demos of latest TIER work, including Grouper and the
new deployment guide, CoManage, work on packaging
(e.g Docker) of Shib, Grouper, etc., Consent work
■Sessions on sustainability and governance of TIER
broadly, Shibboleth specifically
■IAM “front and center” for the first time at a Global
Summit in terms of a Keynote focused on its importance
Past Events

6. • 2017 Open Apereo: 4-8 June, Philadelphia, PA
• InCommon Shibboleth Workshop: 13-14 June, Denver, CO
• InCommon Shibboleth Workshop: 19-20 July, Lafayette
College, Easton, PA
• Internet2 2017 Technology Exchange: 15-18 Oct, San
Francisco, CA
• EDUCAUSE 2017 Annual Conference: 31-03 Oct-Nov,
Philadelphia, PA
• InCommon Shibboleth Workshop: 7-8 Nov, NIH, Bethesda,
MD
Upcoming Events

7. IAM Trends
•MFA, Risk-based Adaptive AuthN for Shibboleth, CAS
•OpenID Connect / OAuth2
•Metadata Query (MDQ) Protocol
•Mobile app & API authentication
•TIER: Packaging, APIs, Person Registry, ...
•Cloud deployments

8. IDP | SP
Mike Grady
Community Updates &
Unicon Contributions

9. Community Update
● Identity Provider
○ Current Stable Release
■ IdP v3.3.1 (March 15, 2017)
■ IdP v3.3.1.1 - Windows Only (March 23, 2017)
○ All previous v2’s, v3’s are no longer supported
○ Security Advisory 5/18/17 concerning Kerberos
usage
● Service Provider
○ Current Stable Release
■ Linux: SP v2.6.0 (June 29, 2016)
■ Windows: SP v2.6.0.1 (November 3, 2016)

10. Shibboleth - What’s New
● Identity Provider 3.3.1
○ Fixes second-factor authentication bypass
■ ALL VERSIONS < 3.3.1 SHOULD UPGRADE!
■ https://shibboleth.net/community/advisories/secadv_20
170315.txt
○ 3.3.1.1 (Windows Only)
■ Fixes issue related to new installations not installing
Jetty (IDP-1149) correctly

11. Shibboleth - New in 3.3.x
● Built-in MFA (“composable” flow) support,
including Duo support (Unicon’s Duo extension, won’t work
with >= v3.3)
●Support for limiting password attempts in IdP
●Resolver changes to simplify namespaces,
define attributes from environment, subject, etc.
●Updates for accessibility in default views
●Support for local file-based dynamic
resolution of metadata

12. Shib IdP v3.3
● Lots of new objects (beans and configuration files),
properties, and variety of other new features added
with 3.3.1 and 3.3
● Some warnings/”be aware” noted for upgrades
followed by information on enhancements
○ Notes to Upgraders 3.3.1
■ https://wiki.shibboleth.net/confluence/x/aYEEAQ
○ Notes to Upgraders 3.3
■ https://wiki.shibboleth.net/confluence/x/aYEEAQ

13. Community Sponsored Work
● OpenID Connect (U Chicago)
https://github.com/uchicago/shibboleth-oidc

14. Sustaining Engineering
● Shib-CAS-AuthN v3
https://github.com/Unicon/shib-cas-authn3
● Hazelcast Storage Service
https://github.com/UniconLabs/shibboleth-hazelcast-storage-
service
●Shib IdP as a Gradle Overlay
https://github.com/UniconLabs/shibboleth-idp-gradle-overlay
● IdP v3 powered by Docker
https://github.com/unicon/shibboleth-idp-dockerized
● Provide accessibility-related UI tweaks to project
● Retired:
○ Duo Support for IdP v3

15. Sustaining Engineering
● Planning to do a security analysis of Shibboleth
○ Threat model, code analysis
○ OWASP recommendations
○ Execute in conjunction with TIER efforts and
recommendations (TIER Security & Audit Working
Group)
● Consideration on UI in progress
● Consideration on reporting and monitoring
● Discussion on storage backends, Redis

16. Shib IdP v3.4
● Next version of Shib IdP scheduled Q4 2017
○ Support for configurable trust for remotely
accessed TLS-protected configuration resources
○ Support for key pinning of LDAP connections
○ Metadata generated at first install now has a
validUntil of the date of installation. (IDP-1118)

17. Shib SP V3.0
● More work on the SP on the Shib team roadmap,
see the end of the Committed Work section:
○ https://wiki.shibboleth.net/confluence/x/OYBC
○ Q1 2018
○ SP has been “on minimal needed maintenance”
while team focused on IdP 3.x
○ SP v3.0
○ Module for IIS 7+

18. Highlights
Dmitriy Kopylenko
Community Updates &
Unicon Contributions

19. CAS 5
● CAS 5.0 Highlights
○ Simplified Configuration Management & Setup
○ OpenID Connect Support
○ Multi-Factor Authentication
(DuoSecurity,RADIUS, YubiKey, and more ...)
○ SAML2 Service Provider (SP) Integrations
○ Thymeleaf templating engine

20. CAS 5.1
● Feature highlights of this release:
○ Risk-Based authentication
○ Redis ticket registry
○ MongoDB ticket registry
○ DynamoDB ticket registry
○ Enhance CAS admin endpoints security
○ Multiple attribute repositories config via
cas.properties
○ Scripted attribute release
○ Spring Boot based CAS admin server
○ And much, much more….

21. ● CAS-related projects - 50% completed within SE
● Spring Boot auto config for CAS Java clients
https://github.com/Unicon/cas-client-autoconfig-support
● Command line tool for smoke testing distributed service
registries
https://github.com/cas-projects/duct
● Command line tool for CAS5 admin endpoints (experimental)
https://github.com/cas-projects/casctl
● Publish CAS5 events to RabbitMQ (experimental)
https://github.com/UniconLabs/cas-publish-events-via-spring-cloud-stream
Sustaining Engineering

22. CAS Resources
● CAS maintenance policy:
https://apereo.github.io/cas/developer/Maintenance-
Policy.html
● Apereo Blog:
https://apereo.github.io/

23. John Gasper
Community Updates &
Unicon Contributions

24. Grouper v2.3.0
●New functionality announced at Internet2
Global Summit:
○ Instrumentation
○ Real time loader
○ Loader in UI
○ Attestation
○ Subject API diagnostics
○ Configuration migrated to hierarchical properties
files
○ PSPNG

25. Grouper Deployment Guide
● Guidance on Deploying Grouper
● Goal to have consistency across deployers
https://spaces.internet2.edu/download/attacments/936510
00/TI.25.1-TIERGrouperDeploymentGuide.pdf

26. Grouper Training
● Half Day Grouper Training at Open Apereo
○ When: June 4th, 2017, 1:30pm
○ Where: Philadelphia, Pennsylvania
○ Trainers: Bill Thompson & Chris Hyzer
● Rumor: They will be serving free food!
Can’t make it? Unicon can do on-site training

27. Community Sponsored Work
● Google Apps (G Suite) Provisioner
(recently additions by Columbia University)
https://github.com/Internet2/grouper/tree/master/grouper-
misc/googleapps-grouper-provisioner
● External Subjects UI Enhancement
(sponsored by Columbia University)
https://github.com/Unicon/grouper-external-email-users
● Subject Customizer
(recently additions sponsored by UC Berkeley)
https://github.com/Unicon/grouper-subject-customizer
● Google to Grouper Group Migration
(sponsored by the University of Notre Dame)
https://github.com/Unicon/grouper-subject-customizer

28. Sustaining Engineering
● Internet2 Grouper Dockerized: Composable
images/containers (regularly updated with Grouper patches)
https://github.com/Unicon/grouper-dockerized
● Grouper-Demo for Docker
(regularly updated with Grouper, but also has been getting a face lift)
https://hub.docker.com/r/unicon/grouper-demo/
● Custom Provisioning Target Form (minor updates)
https://github.com/Unicon/grouper-provisioning-target-ui
● Azure AD (Office 365) Provisioner (updates planned)
https://github.com/Unicon/office365-and-azure-ad-grouper-
provisioner

29. Questions / Discussion
Mike Grady
mgrady@unicon.net
Dmitry Kopylenko
dkopylenko@unicon.net
John Gasper
jgasper@unicon.net