February 13th, 2014 - Unicon IAM Webinar Update

Welcome to this briefing

The agenda for the briefing is to discuss: updates on CAS, Shibboleth and Grouper; Unicon contributions to CAS, Shibboleth and Grouper; and Unicon’s Open Source Support. We’ll end with questions and answers.

Please click here to download the presentation slides.

Observations and Highlights

There were two events this last quarter:

  1. Identity Week, November 11-15 2013: REFEDS, CAMP, ACAMP at Burlingame, CA.
  2. Apereo Camp, January 27-30 2014: CAS, uPortal, OpenRegistry at Sakai Mesa, AZ.

The industry has several events coming up in the near future:

  1. Shibboleth Workshop Series on March 24-25 at Durham, NC.
  2. Internet2 Global Summit on April 6-10 at Denver, CO.
  3. Open Apereo 2014 on June 1-4 at Miami, FL.
  4. Internet2 Technology Exchange on Oct 26-30 at Indianapolis, IN.

Highlights About CAS

CAS 4.0’s Release Candidate 3 has been released, and we anticipate that there will be an RC4. CAS 4.0 includes new APIs to support MFA use cases. There are also password policy improvements. The dev team has put significant time into revamping the CAS documentation. Documentation for CAS 4.0 will be hosted at http://jasig.github.io/cas.

Highlights About Shibboleth

You can find community news at http://shibboleth.net/community/news. The latest version of Shibboleth identity provider is v2.4.0. The latest version of Shibboleth service provider is v2.5.3.

The Shibboleth IdP v3 project’s release goals include supporting extensions (i.e. uApprove) within profiles and improving “rough spots” in the API. It will be V2 protocol interoperable, but it will be API-incompatible (see https://wiki.shibboleth.net/confluence/display/IDP30/Software+Design). It is planned for a Q3 Fall 2014 release. Check out https://wiki.shibboleth.net/confluence/display/DEV/IdP3Details for details.

The multi-context broker is an IdP “LoginHandler” that orchestrates among multiple authentication contexts, including MFA. It provides support for the InCommon Assurance initiative and sports pluggable authentication modules. Version 1.0.0 is now available. It can be found at https://github.com/Internet2/Shibboleth-Multi-Context-Broker.

Highlights About Grouper

The Grouper roadmap can be found at http://goo.gl/5LrGAR. The 2.2 release is expected by late Spring. There will be support in services in Grouper 2.2. It will have the ability to write cross-domain identity management (SCIM) compliant data to help. Version 2.0 will have improved Grouper configuration, and… Grouper version 2.2 will sport a new user interface. See a mockup at http://grouper-ui.uchicago.edu/hifi.

Highlights About Unicon Participation in CAS, Shibboleth and Grouper

Open Source Support

Unicon supports open source software as adopted by the community. Unicon collaborates to maintain the supported open source software making it more supportable and valuable to subscribers. Our motto is to “Act in the best interests of the subscribers, of the community, and of Unicon”.

In the last quarter, Unicon made some improvements to the password policy. We fixed an issue with attributes in the CAS response.

The cas-addons project’s home is at https://github.com/Unicon/cas-addons. It includes some nice features that support CAS Server’s functionality. The latest available release is version 1.10. New extensions include:

  • The Hazelcast ticket registry adds a new option for supporting a replicated ticket registry.
  • The Dynamic login view selection feature makes it easy to swap out login views based on a parameter passed along with the service URL.
  • The Request-based ticket expiration policy component makes it easy to dynamically change the expiration of a TGT based on various attributes such as the user’s IP address.

UniconLabs projects are found at https://github.com/UniconLabs. These are experimental projects:

  • cas-strap allows you to download a small bootstrap file and have a running CAS server with no other dependencies needed other than the JDK.
  • cas-sso-sessions-report is a module that permits administrators to pull information about the active SSO sessions.
  • service-registry-pattern-tester makes it easy to test your service registry patterns before making them live.

Shib-CAS authenticator v2 is a CAS “LoginHandler” for Shibboleth IdP v2.x. It provides a simpler, externalized configuration than its predecessor. This version does not require Tomcat context-sharing. It is able to communicate the “entityId” to CAS. The project is currently in BETA status. Check it out at https://github.com/Unicon/shib-cas-authn2. One benefit to the new version is that the configuration has been externalized.

There are some additional integration possibilities with Shib-CAS-authenticator v2. We are considering things like combining it with the Multi-Context Broker. Future development may include passing CAS attributes along to supplement the IdP’s authentication context. This would allow CAS to resolve/release attributes to the IdP. We ultimately want to reduce duplicate configuration and overhead.

The Shib-Config-UI project can be found at https://github.com/UniconLabs/shib-config-ui. The goal of this project is to provide a web interface to explore your Shibboleth configuration. It can help you answer such questions as “What attributes are released to this SP?” and “What is the SSO session length?”. Further UI enhancements and features are planned for the project.

There is some future work that we foresee. Unicon is in discussion with the developer community to find more ways to assist with Shibboleth. We are finalizing the Tomcat7 DTA-SSL module that will allow Shibboleth to run under Tomcat 7 and support attribute release. Are there particular missing features you need? Please let us know.

Unicon contributed multiple AuthZ Connectors for Grouper. The list includes Grouper & Apache Shiro, Grouper & Spring Security, Grouper & .NET Framework, Grouper & Person Directory, and Grouper & OAuth w/ CAS. Check them out at https://spaces.internet2.edu/display/Grouper/Unicon+Grouper+Contributions.

We anticipate that there are more authZ connectors that we can develop and contribute. Other projects might include cas-ifying Grouper? We also see a future with Grouper & uPortal, specifically dealing with roles and permissions.

What we do

The open source support program lets us collaborate to maintain current stable recommended releases. We get to work towards next releases on CAS, Shibboleth, and Grouper. We explore extensions and opportunities, and we remain responsive to inputs from subscriber experiences. We are able to work on subscribers’ explicit requests, learn from providing you support, and empathize with your needs and projects.

Subscribers are welcome… no, encouraged to get in touch with us directly to discuss how this information relates to your specific situation. Questions can be something as simple as, “Should I upgrade to the next release of shib-cas-authenticator?” By all means, do get in touch!

Let’s do this again

Our next Unicon IAM Update is tentatively planned for Thursday, June 19th, 2014 @ 12:00 PM MST/PDT.
