This session summarizes recent developments in the Central Authentication Service (CAS) including the latest server and client releases. It discusses CAS 4.1.x features currently in development, CAS clients and integration with Shibboleth identity providers. The presentation provides an overview of CAS capabilities and roadmap for future enhancements.

1. Open Apereo - June 1-4 2015
The latest about the
Central Authentication Service
Misagh Moayyed
mmoayyed@unicon.net

2. This session will summarize the achievements
in the latest available Central Authentication
Service server product, client library releases,
available plugins and enhancements in the
community around CAS.
Also see Open Apereo 2014 presentation:
http://lanyrd.com/2014/apereo/sczzxx/
Open Apereo - June 1-4 2015

3.  Introduction
 CAS Releases
 CAS 4.1.x
 CAS Clients
 CAS and Shibboleth
 Questions and Discussion
Open Apereo - June 1-4 2015

4.  Monday:
◦ 10:30am - ESUP CAS Packaging
 Tuesday
◦ 10:30am – The latest news about CAS
 Wednesday:
◦ 11:45am - A tale of two factors: 2FA AuthN with CAS
Open Apereo - June 1-4 2015

5.  CAS Committer; PMC member
 Software Engineer/IAM Consultant
 4 years with Unicon; 6 years with Apereo
https://twitter.com/misagh84
https://github.com/mmoayyed
mmoayyed@unicon.net
Open Apereo - June 1-4 2015

6.  Free and open source
enterprise single sign-on
for the web
 Open well-documented
protocol
 Java server software;
plethora of client libraries
Open Apereo - June 1-4 2015

7. Open Apereo - June 1-4 2015
 Recommended method to deploy CAS
 Local source control with only your custom CAS
recipe (in pom.xml) and your customizations and
configuration
 Maven overlay builds this on top of specified CAS
server version
 https://github.com/UniconLabs/simple-cas4-overlay-template

8. Open Apereo - June 1-4 2015
Releases

9.  Available
◦ 3.5.x release: CAS 3.5.3
◦ 4.x release: CAS 4.0.1
 Upcoming
◦ CAS 3.6.0
 OAuth/OpenId security improvements
 LDAP authN bug fix
 Proxy authN configuration bug fix
◦ CAS 4.0.2
 UI and Internationalization bug fixes
 OAuth/OpenId security improvements
Open Apereo - June 1-4 2015

10. Open Apereo - June 1-4 2015
CAS 4.1.x

11. Open Apereo - June 1-4 2015
 Development since May 2014
 130+ issues/pull requests resolved
 4.1.0-SNAPSHOT releases to Maven
central/overlays
 Docs will be available at:
http://jasig.github.io/cas/4.1.0/

12. Open Apereo - June 1-4 2015
 CAS management webapp
 Client-side session management
 CAS security filter v2.0.2
 Fetch CRLs from Ldap
 Require service for authN
 Config state report
 Metrics/Stats reports
 OpenId Connect / Pac4j v1.7
 “Public workstation”

13. Open Apereo - June 1-4 2015
 Acceptable usage policy flow
 SSO sessions report
 CAS cookie encryption+signing
 OpenSAML v3.1.1
 Password/PGT as user attributes
 Role-based service authz
 JSON service registry
 SAML 1.1 “TARGET” validation
 OAuth bypass approval prompt

14. Open Apereo - June 1-4 2015
 Deprecated JBoss, Uber-Webapp, Restlet
 Hostname auto-gen for HA deployment
 CAS local keystore config
 Principal attribute caching
 Dynamic salt for JDBC authN
 SLO/Logo/Logout url per service
 TGT/PGT encryption in logs
 SPNEGO client selection strategies
 3rd party libraries update
 Many others…

15. Open Apereo - June 1-4 2015
Demo

16. Open Apereo - June 1-4 2015
CAS Clients

17.  Features include:
◦ OpenSAML dependency now optional
◦ Support for CAS /p3/serviceValidate
◦ Configuration strategy from system, web, context
and external
◦ Other bug fixes
Open Apereo - June 1-4 2015

18. Open Apereo - June 1-4 2015
 Specify in an external properties resource
 Build once, deploy everywhere
<context-param>
<param-name>configurationStrategy</param-name>
<param-value>PROPERTY_FILE</param-value>
</context-param>
<context-param>
<param-name>configFileLocation</param-name>
<param-value>/etc/java-cas-client.properties</param-value>
</context-param>

19. Open Apereo - June 1-4 2015
CAS and Shibboleth

20.  CAS protocol v2 built into IdP v3
 AuthN via IdP; client exchange via CAS
 Enabled per relying party config
 Service registry analogue to SAML metadata
 More at: http://bit.ly/1QOshTM
Open Apereo - June 1-4 2015

21.  Compatible with Shibboleth IdP v3.x
 Delegate Shib IdP authN to CAS server
 CAS authN webflow
 Configuration in idp.properties
 Available at:
https://github.com/Unicon/shib-cas-authn3
Open Apereo - June 1-4 2015

22.  Evaluate features, use cases and
requirements before adoption
 Leverage CAS support in IdP v3 for existing
CAS client applications
 Delegate IdP authN to a CAS server via shib-
cas-authn3
Open Apereo - June 1-4 2015

23. Open Apereo - June 1-4 2015
CAS Extensions

24.  CAS acting as a SAML SP
https://github.com/UniconLabs/cas-saml-auth
 Java CAS client auto configuration
https://github.com/Unicon/cas-client-autoconfig-support
 CAS [micro] add-ons
https://github.com/unicon-cas-addons
Open Apereo - June 1-4 2015

25. Open Apereo - June 1-4 2015
CAS NextGen

26.  Roadmap under development
◦ SAML SP support
◦ MFA support
◦ ADFS support
◦ SSO management redesign
◦ OAuth redesign
◦ Front-channel logout
◦ Java 8
◦ …
 Join the @cas-dev mailing list
 CAS AppSec Working Group:
◦ https://wiki.jasig.org/display/CAS/CAS+AppSec+Working+Group
Open Apereo - June 1-4 2015

27. Open Apereo - June 1-4 2015
https://twitter.com/misagh84
https://github.com/mmoayyed
mmoayyed@unicon.net