Jasig CAS 3.5 - What’s new? Jasig-Sakai 2012. Monday June 11th 2012, Atlanta, GA. Andrew Petro - Unicon, Inc.
Who am I? CAS committer. Previously, CAS steering committee member.
I work for Trusted Partner since 1993. Expertise in Open Source Software for Education. Professional Services for CAS, Shibboleth, uPortal, Sakai, Grouper, Student Success Plan, ... Innovative Cooperative Support program.
CAS-related at this conference - today: Jasig CAS 3.5 - What’s new? (this). Fordham Goes ABAC for CAS - Extending CAS with Attribute-Based Access Control.
CAS-related at this conference - tomorrow: Columbia Goes Goo-Google for CAS - Extending CAS with WIND Protocol Support and Service Registry. High Availability in Hurricane Alley - Multi-site Multi-node CAS Deep in the Heart of Texas.
CAS-related at this conference - Thursday: Shibboleth and CAS - more perfect together.
This session: What is CAS anyway? Status of CAS 3.4. What’s new in CAS 3.5? What’s otherwise new in CAS? Questions, discussion. Lunch!
CAS is open source single sign-on for the Web. Modify applications to rely upon CAS to authenticate the user.
Good features: Pluggable, flexible, and malleable: a toolkit for building your institutional login experience. Simple CAS protocol and client libraries. n-tier delegated authentication. password replay still possible if you really want.
CAS is simple. Example: CAS doesn’t want to *be* your store of credentials, your account management system, your attribute repository. It wants to leverage your IdM infrastructure to broker Web logins. Kinds of credentials CAS supports: passwords (bind against LDAP, in a database, ...), x.509 certificates, OAuth, ...
Lots of applications with available CAS support: uPortal, Sakai, Drupal, Wordpress, Liferay, Blackboard, ...
Lots of adopting institutions. Unclear how many? http://millionshort.com/search.php?q=Jasig+CAS&remove=1000k
Community (via Jasig): email lists; wiki and issue tracker; source control (now on GitHub); this conference; ...
Implement using Maven overlay. Factor your CAS implementation as pom.xml dependency declaration, local configuration, and local customizations. CAS distribution + your dependencies + your changes + your configuration = your CAS implementation.
3.5 “minor” release: Incur some upgrade pain on 3.4 to 3.5, in exchange for new functionality and improvements.
Themes. Theme 1: extensions coming into CAS product. Theme 2: incremental honing and maturity.
Theme 1: Extensions coming into CAS product. LPPE - LDAP Password / Account status reflection. ClearPass - optional password caching and selective, secure release. EhCache Ticket Registry - another option for ticket state clustering. OAuth2 producer and consumer support - more ways to authenticate users to CAS and to integrate with CAS in relying applications.
LPPE - LDAP account status reflection. Why is authentication against LDAP (Active Directory) failing? Password wrong? Account is locked? Other error code? Now error codes reflected in UI. Initially integrates with Active Directory, with potential for more error mappings.
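The kind of error mapping this slide describes, as an added Python illustration (not CAS or LPPE code): Active Directory reports the reason for a failed bind as a hex sub-code in the LDAP error 49 diagnostic text. The sample messages are constructed, and the function, status names and UI wording are assumptions of this example.

```python
import re

# AD reports the reason for a failed bind as a hex sub-code after "data"
# in the diagnostic text of LDAP error 49 (invalidCredentials).
AD_SUBCODE = re.compile(r"error code 49\b.*?\bdata\s+([0-9a-fA-F]{3,4})\b", re.S)

GENERIC = "Invalid username or password."

# sub-code -> (status recorded in server logs, message shown in the UI).
# Status names and wording are this example's own, not LPPE's.
AD_STATUS = {
    "525": ("user_not_found", GENERIC),   # same text as 52e, so the login
    "52e": ("bad_password", GENERIC),     # page does not confirm usernames
    "530": ("logon_time_restricted", "Login is not permitted at this time."),
    "532": ("password_expired", "Your password has expired."),
    "533": ("account_disabled", "Your account is disabled."),
    "701": ("account_expired", "Your account has expired."),
    "773": ("must_change_password", "You must change your password."),
    "775": ("account_locked", "Your account is locked."),
}

def classify_bind_failure(diagnostic):
    """Return (status_for_logs, message_for_ui) for a failed LDAP bind."""
    match = AD_SUBCODE.search(diagnostic or "")
    if match is None:
        return ("unknown", GENERIC)            # not an AD-style error 49
    code = match.group(1).lower()
    # Unmapped sub-codes are logged verbatim but never shown to the user.
    return AD_STATUS.get(code, ("unmapped_" + code, GENERIC))

# Constructed sample messages in the shape AD uses for bind failures.
def _sample(subcode):
    return ("[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, "
            "comment: AcceptSecurityContext error, data %s, v893]" % subcode)

SAMPLES = {name: _sample(code) for name, code in
           [("locked", "775"), ("wrong_pw", "52e"), ("no_user", "525"),
            ("unmapped", "999")]}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, classify_bind_failure(text))
```

Messages such as "account is locked" still confirm that the account exists, so which statuses reach the login page is a local policy decision.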
ClearPass: optional password caching and selective, secure password release to relying applications. This was a separate CAS extension, now drawn into the core CAS product. Off by default. Several steps required to turn on this feature.
Why else do I need ClearPass? Outlook Web Application CASification? WebAdvisor CASification? It’s a tool. You may need it. You may be able to avoid it. Try to avoid.
Do I have to cache and release passwords? Absolutely not. Off by default. Very. But now easier to turn on, with less messing around with Maven and dependencies conflict resolution.
EhCache Ticket Registry: Another option for clustering ticket registry state among clustered CAS server nodes. Bridges from CAS TicketRegistry API to EhCache. Options within EhCache for implementing and replicating that cache: RMI, Terracotta.
Theme 2: Incremental honing and maturity. Regular expressions in service registration matching *. Better SSO session expiration policy *. Improved health monitoring. Upgrades to dependencies, Spring framework version, etc. Improved properties handling * = also in later / latest CAS 3.4.x release.
SSO session expiration policy (“TicketGrantingTicket” expiration policy): Set both a hard timeout and a sliding window idle timeout.
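How the two timeouts combine, as an added Python model (not CAS code): a sliding idle window alone lets a session in continuous use live indefinitely, while the hard timeout bounds how long any one login stays valid. The class and function names and the 8 hour / 2 hour values are assumptions of this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class TgtExpirationPolicy:
    max_lifetime_s: float   # hard timeout, measured from ticket creation
    idle_timeout_s: float   # sliding window, measured from last use

    def is_expired(self, created, last_used, now):
        return (now - created >= self.max_lifetime_s
                or now - last_used >= self.idle_timeout_s)

def session_end(policy, created, access_times):
    """Replay accesses; return when the ticket stops being honoured."""
    last_used = created
    for t in sorted(access_times):
        if policy.is_expired(created, last_used, t):
            break                      # this access is refused
        last_used = t                  # accepted use slides the idle window
    return min(created + policy.max_lifetime_s,
               last_used + policy.idle_timeout_s)

HOUR = 3600
# Constructed timeline: one access every 30 minutes for 24 hours, such as a
# browser tab that keeps polling, so the session never goes idle.
BUSY = [i * 1800 for i in range(1, 49)]

BOTH = TgtExpirationPolicy(max_lifetime_s=8 * HOUR, idle_timeout_s=2 * HOUR)
IDLE_ONLY = TgtExpirationPolicy(max_lifetime_s=float("inf"),
                                idle_timeout_s=2 * HOUR)

if __name__ == "__main__":
    print("both timeouts:", session_end(BOTH, 0, BUSY) / HOUR, "h")
    print("idle only:    ", session_end(IDLE_ONLY, 0, BUSY) / HOUR, "h")
    print("goes idle:    ", session_end(BOTH, 0, [600, 1200, 9000]), "s")
```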
Improved properties handling: More in cas.properties. Sensible defaults optionally overridden by cas.properties (set what you change). Easier to put cas.properties outside of the .war. Logging configuration file location set in cas.properties.
(Those were all old, actually) The incremental feature in CAS 3.5 is additional monitoring, suitable for targeting with an automated probe.
CAS 3.5 status: 3.5 RC2 now available for testing. Doing QA, mopping up issues and glitches. 3.5 GA release “soon”: days or weeks, not months or years. Expect patch releases to follow a 3.5.0 release.
How you upgrade: Update your pom.xml to depend on CAS 3.5. Not using Maven Overlay? Good time to start? Resolve conflicts, merge your configuration with new defaults, migrate forward your service registry data. Test outside of production! Roll to production.
What else is new? GitHub. New committer Jérôme Leleu. Better integration for using CAS as the login mechanism for Shibboleth IdP. phpCAS client release.
New committer Jérôme Leleu: Contributed OAuth support. Admirably active on lists, in the project.
CAS + Shib = happy. CAS for flexible single sign-on experience: Spring Web Flow! Shibboleth IdP for rigorous SAML2 and Federation. Better implementation of this at: https://github.com/Unicon/shib-cas-authenticator Presentation later in conference.
phpCAS client library release: Much better handling of proxy CAS (n-tier delegated authentication) features.
Summary: Active project. Continued maturity. Gently pulling successful extensions into the core product.