Welcome to Nov 2014 IAM Briefing
Note: This webinar was recorded. Watch the recording.
During this briefing we will discuss:
- Updates on CAS, Shibboleth and Grouper
- Unicon contributions to CAS, Shibboleth and Grouper
- Unicon's Open Source Support work.
We'll end with questions and answers.
Our presenters were Mike Grady, Misagh Moayyed, and David Langenberg.
Mike works with IAM, Shibboleth, CAS, SimpleSAMLphp, and Internet2 Scalable Privacy. He worked 36 years at the University of Illinois before joining Unicon. He is the technical lead for Unicon's Open Source Support for Shibboleth.
Misagh works with IAM, Shibboleth, CAS, uPortal, and uMobile and is the technical lead for Unicon's Open Source Support for CAS.
David Langenberg is a guest presenter here to talk about recent developments with Grouper. He primarily works as a senior programmer at the University of Chicago but also works with Internet2 on Grouper and with InCommon as a Shibboleth Trainer.
Observations and Highlights
There were two events this last quarter:
- Shibboleth Workshop Series on Sept 29-30, 2014 in Newark, NJ.
- Internet2 Technology Exchange/Identity Week on Oct 26-30, 2014 in Indianapolis, IN.
One industry event is coming up in the near future:
- Shibboleth Workshop Series on Nov 10-11, 2014 in Salt Lake City, UT.
Unicon's IAM team has noticed several emerging trends in the IAM industry. Interest in, and deployment of, multifactor authentication (MFA) is growing on both the Shibboleth and CAS platforms. User consent (letting users acknowledge and consent to the release of their attributes to service providers) is increasingly being considered, and will be bundled with Shibboleth IdP v3. There is also growing community discussion around the concerns and caveats of deploying IAM infrastructure in the cloud. Another notable trend is the desire of some institutions to use social identities (Facebook, Twitter, Google) to authenticate "less-strongly-affiliated" individuals. A Social-to-SAML gateway, potentially combined with invitation and/or account-linking services, can address some campus access control requirements around guests and other non-core affiliations.
Highlights About CAS
A CAS Server 3.5.2.x maintenance release was published in the Spring to fix a security vulnerability in the Google Apps/SAML 2.0 support.
CAS Server 4.0 was released in May. It has not yet seen any major deployments, so 3.5.2.x is still considered by Unicon to be the flagship release. Some of the highlights of 4.0 include:
- a new CAS protocol that is similar to the CAS 2.0 protocol, but includes releasing user attributes.
- improvements to the LDAP password policy enforcement.
- a secure services registry configuration out of the box.
Check out Misagh's presentation at Open Apereo 2014 for details about the many changes 4.0 has.
Lots of work has gone on for the CAS Server v4.1 release. There are a couple of notable highlights. The login sequence is no longer tied to the Java web session. Auto-configuration of the host name is now possible for highly available deployments. There is a new JSON Service Registry. It is anticipated that 4.1 will be released in the Spring.
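The service registry is the CAS server's allow-list of which service URLs may obtain and validate tickets, so the patterns in it decide where a user's ticket can be sent. The following is an added example written for this briefing, not code from CAS or Unicon: it loads two constructed registry documents shaped like JSON registry entries (the field names `id`, `name` and `serviceId` are an assumption about the format) and evaluates them the way a regex-based registry does, with find-style (substring) matching. It shows why a pattern that is only anchored at the start still admits a look-alike host, and what the hardened pattern looks like. Whether a particular CAS version matches with find or full-match semantics should be checked against that version's source before relying on this.

```python
import json
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class RegisteredService:
    """Minimal model of one registry entry: an id, a display name and a
    regular expression that the incoming service URL is matched against."""
    id: int
    name: str
    service_id: str


def load_registry(document: str) -> List[RegisteredService]:
    """Parse a JSON array of registry entries (constructed shape, see lead-in)."""
    entries = json.loads(document)
    return [RegisteredService(int(e["id"]), e["name"], e["serviceId"]) for e in entries]


def find_service(registry: List[RegisteredService], service_url: str) -> Optional[RegisteredService]:
    """Return the first entry whose pattern is found in the URL, else None.
    re.search gives find semantics: the pattern may match anywhere unless it
    is anchored, which is exactly why anchoring matters here."""
    for svc in registry:
        if re.search(svc.service_id, service_url):
            return svc
    return None


def service_allowed(registry: List[RegisteredService], service_url: str) -> bool:
    return find_service(registry, service_url) is not None


# Constructed sample registry with a weak pattern: anchored at the start only
# and followed by ".*", so the host may keep going after "example.edu".
WEAK_REGISTRY_JSON = """
[
  {"id": 1, "name": "portal (weak pattern)",
   "serviceId": "^https://portal\\\\.example\\\\.edu.*"}
]
"""

# Constructed hardened registry: the host ends at "/" or at end of string,
# so "portal.example.edu.attacker.example.net" can no longer match.
HARDENED_REGISTRY_JSON = """
[
  {"id": 1, "name": "portal",
   "serviceId": "^https://portal\\\\.example\\\\.edu(/.*)?$"}
]
"""

WEAK_REGISTRY = load_registry(WEAK_REGISTRY_JSON)
HARDENED_REGISTRY = load_registry(HARDENED_REGISTRY_JSON)

# Constructed service URLs: one legitimate, one look-alike host, one that
# merely embeds the portal URL in a query string.
LEGIT_URL = "https://portal.example.edu/login"
LOOKALIKE_URL = "https://portal.example.edu.attacker.example.net/"
EMBEDDED_URL = "https://attacker.example.net/?u=https://portal.example.edu"

if __name__ == "__main__":
    for label, registry in (("weak", WEAK_REGISTRY), ("hardened", HARDENED_REGISTRY)):
        for url in (LEGIT_URL, LOOKALIKE_URL, EMBEDDED_URL):
            verdict = "allowed" if service_allowed(registry, url) else "rejected"
            print(f"{label:8s} {verdict:8s} {url}")
```

Run it and the weak registry allows both the real portal and the look-alike host, while the hardened registry allows only the real portal. The same review applies to any registry you migrate into the new JSON format: every pattern should be anchored at both ends and end the host component explicitly.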
Several CAS clients have been updated in recent months. The Java CAS Client has been updated to version 3.3.3, which fixes a problem with parameter encoding. The .NET CAS Client has been updated to version 1.0.2, which fixes a similar parameter-encoding problem and adds the ability to configure the proxy callback URL. Both clients are expected to be updated in the future to support the new CAS 3.0 protocol.
Highlights About Shibboleth
Shibboleth has also had some movement. IdP v3 has had several alpha releases, with a beta release expected soon. The latest stable version of the Shibboleth Identity Provider is now v2.4.3. It was released this week and, as a security release, should be reviewed promptly.
The latest version of the Shibboleth Service Provider (SP) is v2.5.3. Existing Windows installs of the SP still require additional patches related to OpenSSL and Heartbleed. Please verify that your Windows SPs have been patched.
Shibboleth IdP v3 will be available with a shell installer and Windows installer. The latest version is not compatible with previous alpha releases, but there is now some ability to upgrade config files from IdP v2. IdP v3 will also have basic CAS support bundled in.
The Multi-Context Broker is now at version 1.2.1, which was released in September. It fixes some bugs and includes a few minor enhancements, and it contains plugins for Duo and Toopher. Analysis has been done of the work required to bring it in line with IdP v3.
Highlights About Grouper
Grouper version 2.2 was released on July 10th. It sports a new user interface that is optimized for both desktop and mobile. It is end-user friendly and also includes security enhancements. There are also some Grouper Loader performance improvements.
The version 2.2.1 release is planned for around Nov 7th. It fixes bugs found in version 2.2, and it will include an upgrader to assist in upgrading existing deployments.
Highlights About Unicon Participation in CAS, Shibboleth and Grouper
Open Source Support
Unicon supports open source software as adopted by the community. Unicon collaborates to maintain the supported open source software, making it more supportable and valuable to subscribers. Our motto is to "Act in the best interests of the subscribers, of the community, and of Unicon".
Unicon has invested substantial time in enhancing CAS Server. There are several significant enhancements that Unicon has added to CAS 4.x. Changes have been made to allow the cas.properties file to be used unchanged across all nodes in a cluster instead of needing individual tailoring per node. The principal (username) is now available for implementors to display on the login success view. Full theming support is now available. Unicon was instrumental in obtaining full JDK 7 support for the server. We added support for an external keystore for the SSL certificates used in proxy authentication, so that trusted sites' certificates no longer need to be added to Java's cacerts file.
The cas-addons project's home is at https://github.com/Unicon/cas-addons. The latest available release is version 1.13, which includes updates to the Hazelcast library used in the Hazelcast ticket registry. Work on CAS Server 4.x compatible versions has begun.
With regards to multifactor support in CAS, the cas-mfa project (https://github.com/Unicon/cas-mfa) has made significant advances in recent months. It now has Duo, Toopher, Yubikey and RADIUS support. cas-mfa can only be used with 3.5.2.x, but CAS 4.x support is planned.
Shib-CAS-Authenticator v2 is a CAS "LoginHandler" for Shibboleth IdP v2.x. Since the last briefing, it has been updated with some bug fixes related to forced/passive authentication and some enhancements, including the ability for CAS to pass information other than the principal name back to Shibboleth. Check it out at https://github.com/Unicon/shib-cas-authn2.
There are two other Shibboleth-related projects that Unicon is undertaking at this time. The first is a Hazelcast-based session storage mechanism that can be used when clustering Shibboleth IdPs to maintain state between nodes. The other is a start on a user interface for managing the contents of some key IdP config files, starting with relying-party.xml. See https://github.com/UniconLabs/shib-hazelcast-storage-service and https://github.com/UniconLabs/shib-admin, respectively.
Under contract with Oregon State University, Unicon has developed a Grouper provisioner for Google Apps. OSU has graciously allowed us to open source the project. The provisioner synchronizes groups and users from Grouper down to Google Groups, with fine-grained control over which groups get provisioned. It also supports assigning Google Group ownership via Grouper permissions. Check out https://github.com/Unicon/googleapps-grouper-provisioner for details.
What we do
The open source support program lets us collaborate to maintain the current stable recommended releases. We get to work towards the next releases of CAS, Shibboleth, and Grouper. We explore extensions and opportunities, and we remain responsive to input from subscribers' experiences. We are also able to work on subscribers' explicit requests, learn from providing you support, and empathize with your needs and projects.
Subscribers are welcome to get in touch with us directly to discuss how this information relates to your specific situation. Questions can be something as simple as, "Should I upgrade to the next release of shib-cas-authenticator?" By all means, do get in touch!
Existing Open Source Support customers can open a ticket via Zendesk. Others can start a conversation by submitting a question through our contact page.