Public briefing from Unicon's IAM team on observations and highlights about Apereo/Jasig CAS, Internet 2 Shibboleth, and Internet 2 Grouper. Unicon Open Source Support development progress and intentions for the next quarter are also shared. http://www.unicon.net/support
Unicon IAM Update on CAS, Shibboleth and Grouper
1. Unicon IAM Update
CAS, Shibboleth, Grouper
6 Nov 2014
Mike Grady • Misagh Moayyed
Audio is via Adobe Connect.
There is no phone dial-in.
2. Welcome to this briefing
• Updates on CAS, Shibboleth and Grouper
• Unicon contributions to CAS, Shibboleth and Grouper
• Unicon's Open Source Support
• Q&A
3. Introduction:
Mike Grady
• IAM, Shibboleth, CAS, SimpleSAMLphp, Internet2 Scalable Privacy
• 36 years at University of Illinois before Unicon
• Unicon’s Open Source Support for Shibboleth technical lead
4. Introduction:
Misagh Moayyed
• IAM, Shibboleth, CAS, uPortal, uMobile
• Unicon’s Open Source Support for CAS technical lead
5. Guest Speaker:
David Langenberg
• Grouper Developer, Internet2
• Shibboleth Trainer, InCommon LLC
• Sr Systems Programmer, University of Chicago
10. Emerging Trends
• MFA via Shib MCB, CAS-MFA, etc
• MFA management console that meets campus needs
• User consent bundled in Shibboleth IdP V3
- based on uApprove, but can be changed
• Authorization via groups and Grouper
• IAM cloud deployments: concerns and caveats
• Social/External identities for non-core affiliations
12. CAS Versions
• CAS Server 3.5.2.1
• CAS Server 4.0.0 (5/7/2014)
http://lanyrd.com/2014/apereo/sczzxx/
• CAS Server 4.1.0 (In development)
13. CAS 4.0.0
• CAS protocol v3; User Attributes
• Password Policy Enforcement Improvements
• Secure Service Registry Configuration
14. CAS 4.1 – Goodies
• Login sequence no longer tied to a Java Web Session
• Auto-configuration of host name in HA environments
• JSON Service Registry
• Many more...
15. CAS Client Changes
• Java CAS Client v3.3.3*
- Proper parameter encoding
• .NET CAS Client v1.0.2*
- Proper parameter encoding
- Setting for Proxy Callback URL
* Planned support for CAS Protocol attribute retrieval
16. CAS: Moving Forward
• CAS v4.1: Discussion ongoing
Join cas-dev@lists.jasig.org
• CAS AppSec Working Group:
https://wiki.jasig.org/display/CAS/CAS+AppSec+Working+Group
18. Shibboleth Versions
• IdP v3 development in progress;
https://wiki.shibboleth.net/confluence/display/DEV/IdP3Details
• Latest versions: IdP v2.4.3*, SP v2.5.3**
* IdP 2.4.0, 2.4.1, and 2.4.2 have vulnerabilities
** The IIS SP requires 2 additional patches to fix OpenSSL (Heartbleed)
19. Identity Provider v3 Alpha3
https://wiki.shibboleth.net/confluence/display/IDP30/Alpha3+Installation
• Available as a shell script and a windows installer
• Incompatible with previous Alpha releases
• Ability to upgrade from IdP V2
• Bundled basic CAS protocol support
20. Multi-Context Broker
• Note latest release late Sept 2014, version 1.2.1
• Fixes some bugs, minor enhancements
• Plug-ins for both Duo and Toopher
• Analysis of what's needed to work with Shib IdPv3: https://wiki.shibboleth.net/confluence/x/EoEEAQ
24. Open Source Support
• Support for open source software as adopted by the community
• Unicon collaborates to maintain the supported open source software, making it more supportable and valuable to subscribers
• “Act in the best interest of the subscribers, the community, and the project”
26. CAS 4.X Enhancements
• One cas.properties file for all HA CAS nodes
• Principal available in the success view
• Full theme support
• Upgrade to JDK7
• CAS-specific SSL trust store for proxy authN
27. cas-addons
https://github.com/Unicon/cas-addons
• Latest available release: 1.13 (updates to the Hazelcast client library)
• Work on CAS Server version 4.X compatible modules has begun: https://github.com/unicon-cas-addons
28. cas-mfa
https://github.com/Unicon/cas-mfa
• Support for MFA based on CAS 3.5.2.1*
• Supported providers such as Duo, Toopher, etc
• v1.0.0 M6 is available for testing: http://bit.ly/1AjQwEj
* Support for CAS 4.x is planned
30. Shib-CAS authenticator v2
https://github.com/Unicon/shib-cas-authn2
(Has been updated since our last briefing)
• v2.0.4
• Fixes in support for both forced and passive authN
• Interface added to pass additional user info from CAS to Shib.
31. Other/Ongoing work
• Hazelcast Session Storage
https://github.com/UniconLabs/shib-hazelcast-storage-service
• Shib Admin: initialize/manage your relying-parties.xml via a UI.
https://github.com/UniconLabs/shib-admin
35. What we do
• Collaborate to maintain current stable recommended releases
• Work towards next releases
• Explore extensions and opportunities
• Responsive to inputs from subscriber experiences
• Feedback is especially welcome!
• Learn from providing support
• Empathize with your needs and projects
36. Questions / Discussion
• Mike Grady,
Support for Shibboleth Technical Lead
mgrady@unicon.net
• Misagh Moayyed,
Support for CAS Technical Lead
mmoayyed@unicon.net
Editor's Notes
Unicon's CAS strategy
• Participate directly in CAS
• Develop open source software on behalf of clients
• Inform maintenance development through support
You have to source your support somewhere
• In-house staff
• Goodwill and engagement of the community
• Commercial partner (e.g., Unicon)
• (Reality: often a combination of these)
Unicon's "Cooperative" Support
• Cooperates with you, your staff, the community
• Support experiences yield improved public documentation
• Support-inspired and subscriber-needs-guided open source maintenance development
- Directly in, and available for adoption with, the Jasig CAS software
Thank you to our support subscribers!
• Support subscriptions make Unicon maintenance development possible
• Support experiences and subscriber input guide Unicon maintenance development towards the worthwhile