5. Past Events
• OpenID Connect Workshop: 22-23, 24-25 Feb 2016 in Denver, CO
• Open Apereo Conference: 22-25 May 2016 in NYC
• 2016 Internet2 Global Summit: 15–18 May, Chicago, IL
6. Upcoming Events
• Internet2 2016 Technology Exchange: 25-29 Sept, Miami, FL
• EDUCAUSE 2016 Annual Conference: 25-28 Oct, Anaheim, CA
• InCommon Shibboleth Workshop: 27-28 Oct, Long Beach, CA
• 2017 Internet2 Global Summit: 23–26 Apr, Washington, DC
• 2017 Open Apereo: 4-8 June, Philadelphia, PA
7. IAM Trends
• MFA for Shibboleth, CAS
○ Risk-based Adaptive AuthN
• OpenID Connect
• TIER: Packaging, APIs, Person Registry, ...
• SAML Integrations w/ O365 & ADFS
• Metadata Query (MDQ) Protocol
8. IAM Trends
• IAM in the Cloud
○ Hosted SSO services and more
○ Unicon’s offering: https://www.unicon.net/solutions/IAM-cloud
10. News
● Identity Provider V2.4.5, OpenSAML 2.6.6
○ EOL !!!! V2 full End-Of-Life date was July 31, 2016
○ 2.4.4 was the last 2.x “minimum safe release”
● Service Provider V2.6.0 Now Available
○ Includes a new version of the Xerces XML parser that addresses a security vulnerability in Apache Xerces-C XML Parser library versions prior to V3.1.4
11. Shibboleth Versions
● Latest versions:
○ IdP v3.2.1 (19 Dec 2015)
○ V3.1.1 considered “minimum safe release”
○ SP v2.6.0 (27 June 2016)
● v3.2.0 and v3.2.1 released
○ HTML5 local storage
○ SLO: Front channel SAML and CAS
○ SPNEGO authentication
○ Bug fixes
12. Now Past End-Of-Life …
How soon that is a significant problem is unknown; it could be tomorrow, it could be months, but you need to have a plan to upgrade.
Chart: Shibboleth 2.x Lifetime
14. Shib-CAS AuthN v3
https://github.com/Unicon/shib-cas-authn3
● v3.1.0
○ Shibboleth IdP v3.X support
○ Fixed encoding on entityId/service parameters.
● Plan to produce a version where attributes returned from CAS are available to the IdP, and the AuthN Context Class w.r.t. MFA.
○ Info from CAS coming back is done, now need a “data connector” to expose it for use within the IdP
15. Other/Ongoing work
● Hazelcast Storage Service
https://github.com/UniconLabs/shibboleth-hazelcast-storage-service
● Duo Support for IdP v3
https://github.com/Unicon/shib-mfa-duo-auth
● Shib IdP as a Gradle Overlay
https://github.com/UniconLabs/shibboleth-idp-gradle-overlay
● IdP v3 powered by Docker
https://github.com/unicon/shibboleth-idp-dockerized
16. Other/Ongoing work
● Split Authn
○ Support for users coming from 2 different Authentication/Attribute sources in distinct config files; only one or the other is used for Authn and the Resolver for any given authentication.
○ Easy to “hard code” attributes based on the source (“role”) chosen. “Role” choice on the Login page.
○ Demo with 2 LDAP servers, but should work with any 2 sources
○ https://github.com/Unicon/ccc-shib-split-authn
17. Other/Ongoing work
● Coming Soon: Symantec VIP MFA
○ Token Authentication
○ OTP Authentication
○ Push Authentication
○ Risk based Authentication
○ Sponsored by the University of Wisconsin - Whitewater
○ Work done, but not yet “fully generalized” for open source
18. Shib IdP v3.3
● Next version of Shib IdP due by late 2016
● Improvements to logout options and accessibility aspects of such
● Adding in more built-in support for metadata filtering, more “conditionals”, etc.
● New login flow(s) allowing combining factors in what the Shib Dev core team believes will be a more manageable/predictable way
19. Shib IdP v3.3
● Looks like an “out-of-the-box” Duo flow will be part of it
● Unicon will need to determine if our current Duo plugin should be “retired” or updated for the new version.
○ Or if there are updates to the supplied one that make sense to add
● Unicon will need to verify and/or “modify” our other current authentication flow add-ons
21. CAS v4.2
● v4.2.5 is the current version
○ Dynamic Plug-N-Play module configuration
○ ADFS/WS-FED delegated authN
○ UIs to manage SSO sessions/statistics
○ BASIC, JWT, Shiro, MongoDB, Stormpath authN
○ Couchbase, Ignite, Infinispan ticket registries
○ ABAC via attributes, time, or Grouper
● See http://jasig.github.io/cas/4.2.x/index.html
22. CAS v5.0.0
● Tentative release date: October 2016
● Current release: 5.0.0.RC1
● Major features:
○ MFA via DuoSecurity, RADIUS, YubiKey
■ Risk-based adaptive authN
○ SAML2 Web SSO support
○ OAuth/OIDC support
○ Full internal config re-architecture via Spring Boot
○ Java 8
23. Other/Ongoing work
● Auto config for CAS Java clients
https://github.com/Unicon/cas-client-autoconfig-support
● Delegated SAML authN for CAS 3.5.x
https://github.com/UniconLabs/cas-saml-auth
● Bootstrap CAS via a Gradle overlay:
https://github.com/UniconLabs/cas-strap
24. Further CAS Resources
● CAS maintenance policy:
https://apereo.github.io/cas/developer/Maintenance-Policy.html
● Apereo Blog:
https://apereo.github.io/
29. Questions / Discussion
Mike Grady
mgrady@unicon.net
Dmitry Kopylenko
dkopylenko@unicon.net
John Gasper
jgasper@unicon.net
Editor's Notes
Unicon's CAS strategy
* Participate directly in CAS
* Develop open source software on behalf of clients
* Inform maintenance development through support
You have to source your support somewhere
* In-house staff
* Goodwill and engagement of the community
* Commercial partner (e.g., Unicon)
* (Reality: often a combination of these)
Unicon's "Cooperative" Support
* Cooperates with you, your staff, the community
* Support experiences yield improved public documentation
* Support-inspired and subscriber-needs-guided open source maintenance development
** Directly in and available for adoption with the Jasig CAS software
Thank you to our support subscribers!
* Support subscriptions make Unicon maintenance development possible
* Support experiences and subscriber input guide Unicon maintenance development towards the worthwhile