The document summarizes updates and plans regarding the Central Authentication Service (CAS) software. It discusses recent releases of CAS Server 3.5 and related addons. It covers Unicon's cooperative support activities for CAS, including maintaining current releases, contributing to CAS 4, and innovating new features. Upcoming conferences and seminars on CAS and Shibboleth are also mentioned.

1. Unicon CAS Update
27 March 2013
Bill Thompson • Andrew Petro
Wednesday, March 27, 13

2. Agenda
1. What is this briefing?
2. Highlights and observations
3. Unicon activities since previous update
4. Intentions
5. Next steps
Wednesday, March 27, 13

3. Welcome to this
briefing
• Unicon’s CAS strategy
• Sourcing support for open source software
• Unicon’s “Cooperative” Support
• Thank you to our support subscribers
Wednesday, March 27, 13

4. Introduction:
Andrew Petro
• Jasig CAS committer,
involved in CAS since
before CAS 3
• 7 years with Unicon, most
of which in Cooperative
Support
• Unicon’s Cooperative
Support for CAS
technical lead
Wednesday, March 27, 13

5. This session is being
recorded.
• Will post after:
• Slides
• Notes blog post with
useful hyperlinks
• Slidecast with audio
Wednesday, March 27, 13

6. Observations and
Highlights
Wednesday, March 27, 13

7. CAS Server 3.5
• Still the current stable release.
• What you adopt or upgrade to today.
Wednesday, March 27, 13

8. CAS Server 3.5.2
released February 22nd
• Security fixes
• require proxy chain for accessing /cas/
clearPass
• handle exception on bad execution ID
(looked like a JavaScript injection
vulnerability, but isn’t really)
• Improvements:
• OAuth, monitoring, logging
Wednesday, March 27, 13

9. CAS addons
• Free and open source
add-ons for CAS server
• Trends towards newer,
exploratory features
• https://github.com/
Unicon/cas-addons
Wednesday, March 27, 13

10. cas-addons
• JSON, MongoDb Service Registry
• MongoDb Service Registry
• JSON Person Attribute DAO
• JSON CAS ticket validation response
• Stormpath Authentication Handler
• ...
Wednesday, March 27, 13

11. cas-java-clients-addons
• Free and open source
add-ons for Java CAS
clients (Jasig Java CAS
Client, Spring Security,
Apache Shiro)
• Trends towards newer,
exploratory features
• https://github.com/
Unicon/cas-java-clients-
addons
Wednesday, March 27, 13

12. Add to your Maven overlay, e.g.
Wednesday, March 27, 13

13. CAS 4
• Roadmap:
• level of assurance capabilities and
attendant protocol evolution
• Improved authentication APIs supporting
multiple credentials, in part supporting this
• Catch up documented protocol to evident
practices
Wednesday, March 27, 13

14. CAS AppSec
Working Group
• Public cas-appsec email list
• https://wiki.jasig.org/x/goRmAw
Wednesday, March 27, 13

15. Jasig + Sakai = Apereo
• Jasig (the non-profit context for CAS,
uPortal, Bedework, SSP, etc.) consolidated
with the Sakai Foundation (the non-profit
context for Sakai CLE, etc.)
• New organization named “Apereo”
• http://www.apereo.org/
Wednesday, March 27, 13

16. Jasig-Sakai
UnConference
• Held January 14-16th at
ASU Polytechnic campus
• discussions including
• review of code towards
CAS 4
• local customizations and
usages of CAS
• automating 2fa token
onboarding
Wednesday, March 27, 13

17. Open Apereo 2013
Conference
• Registration open!
• Early bird until
May 3rd
• ~ Sunday June 2nd
through Thursday June
6th 2013
• San Diego
Wednesday, March 27, 13

18. Apereo 2013
http://conf2013.apereo.org/schedule
Wednesday, March 27, 13

19. CAS and Shib pre-
conference seminar!
Wednesday, March 27, 13

20. Unicon development,
contribution, participation
in CAS since last Update
Wednesday, March 27, 13

21. What is “Cooperative
Development”?
• Sustaining engineering budget under the
Cooperative Support for CAS program
• Unicon maintains the supported open
source software making it more
supportable and valuable to subscribers
• What I tell the team:
“Act in the best interests of the subscribers, of
the community, and of Unicon”
Wednesday, March 27, 13

22. Maintain CAS Generally
and Unicon-led features
• Example: ClearPass enhanced in CAS 3.5.2
to reject bare service tickets (only proxy
tickets with a blessed proxy chain allowed)
Wednesday, March 27, 13

23. Work towards the next CAS
features release (CAS 4)
• support custom filters for releasing
attributes to a service
• improved message bundle handling (prefer
an English message over failure)
• JavaScript file selection power in themes
• richer markup for Login form messages
Wednesday, March 27, 13

24. Innovate on Unicon-led
features
• EhCache ticket registry support for bulk
ticket retrieval
Wednesday, March 27, 13

25. cas-addons
• cas-addons 1.1
• Events framework
• Assertions convenience class
• cas-addons 1.2
• Register per-service whether login initiates
a single sign-on session
Wednesday, March 27, 13

26. cas-java-clients-addons
• Spring Security extension to integrate with
ClearPass
• ClearPass proxy ticket validator
Wednesday, March 27, 13

27. unicon-shibboleth-idp-
template
• Template Shibboleth IdP
• Demonstrates deferring to CAS for login
experience, credentials validation
Wednesday, March 27, 13

28. What this means for
you: tactically
• Tighten ClearPass configuration
• Upgrade to CAS 3.5.2
• continue to look to cas-addons etc. for extra
features you might value, such as nuancing
logging in to which services initiates SSO
Wednesday, March 27, 13

29. What this means for
you: strategically
• Each CAS release gets a little better
• Glitches and defects are addressed
• Extra features available for adoption out of
cas-addons
Wednesday, March 27, 13

30. Intentions for near-term
development and
participation
Wednesday, March 27, 13

31. What we do
• Maintain CAS 3.5 (current stable recommended
release)
• Work towards CAS 4 (next release)
• Explore extensions and opportunities
• Responsive to inputs from subscriber experiences
• Explicit requests / votes
• Learn from providing support
• Empathize with your needs and projects
Wednesday, March 27, 13

32. Maintain CAS 3.5
• especially ClearPass and
EhCacheTicketRegisty
• Example: default ClearPass to encrypt
credentials in cache
• Example: revisit JSP session creation
• Participate in CAS AppSec WG
Wednesday, March 27, 13

33. Maintain client libraries
• Example: more and better ClearPass support
in the client libraries
Wednesday, March 27, 13

34. Work towards CAS 4
• CAS protocol update, now with a Working
Group
• LPPE evolution beyond LDAP
• Multi-factor authentication support
Wednesday, March 27, 13

35. Facilitate integrations
among FLOSS projects
• CAS and Shibboleth IdP integration
• CAS and Grouper integration?
Wednesday, March 27, 13

36. Next Steps
Wednesday, March 27, 13

37. This session is being
recorded.
• Will post after:
• Slides
• Notes blog post with
useful hyperlinks
• Slidecast with audio
Wednesday, March 27, 13

38. Let’s do this again.
• Next Unicon CAS
Update:
• Friday June 28th
• 8:30 am Pacific ==
11:30 am Eastern
• This is a date
change.
Wednesday, March 27, 13

39. Feedback welcome.
• By all means, please do get in touch.
Wednesday, March 27, 13

40. Reminder to support
subscribers:
• You’re welcome encouraged to get in touch
directly if you’d like any of this information
contextualized to your specific situation.
E.g., Does my particular ClearPass configuration
need updated to require a proxy chain?
• Feedback especially welcome.
Wednesday, March 27, 13

41. Call to action
• Consider attending Open Apereo 2013
• Likely great CAS content, certainly great
colleagues to meet with and conversations
to be had.
• Kick it off with a pre-conference seminar or
two.
Wednesday, March 27, 13

42. Contact Information
• Bill Thompson,
Director of Identity and Access Management
wgthom@unicon.net
• Andrew Petro,
Cooperative Support for CAS Technical Lead
apetro@unicon.net
Wednesday, March 27, 13

43. (License)
This work is licensed under the Creative
Commons Attribution-NonCommercial 3.0
United States License. To view a copy of this
license, visit http://creativecommons.org/
licenses/by-nc/3.0/us/.
Wednesday, March 27, 13

44. Photo credits
• Personal photos of Jim and Andrew: all rights reserved.
• Microphone:
http://www.flickr.com/photos/deanhp/3711222265/
http://creativecommons.org/licenses/by/2.0/deed.en
• Cactus:
http://www.flickr.com/photos/robertrd/2788387337/
http://creativecommons.org/licenses/by-nc-nd/2.0/
• San Diego:
http://www.flickr.com/photos/nchill4x4/3430830083/
http://creativecommons.org/licenses/by-nc-nd/2.0/
• Sun Flower:
http://www.flickr.com/photos/59773274@N00
http://creativecommons.org/licenses/by/2.0/
Wednesday, March 27, 13