Welcome to June 2014 IAM Briefing
During this briefing we will discuss: updates on CAS, Shibboleth and Grouper; Unicon contributions to CAS, Shibboleth and Grouper; and Unicon's Open Source Support. We'll end with questions and answers.
Our presenters are Mike Grady and Misagh Moayyed. Mike works with IAM, Shibboleth, CAS, and Internet2 Scalable Privacy. He worked 36 years at the University of Illinois before joining Unicon. He is Unicon's Open Source Support technical lead for Shibboleth.
Misagh works with IAM, Shibboleth, CAS, uPortal, and uMobile and is Unicon's Open Source Support technical lead for CAS.
This presentation is being recorded and can be re-watched by visiting http://unicon.adobeconnect.com/p3bi78sdcou/. The slide deck can be seen at http://www.slideshare.net/slideshow/embed_code/36758225.
Observations and Highlights
There were three events this last quarter:
- Shibboleth Workshop Series was March 24-25 in Durham, NC.
- Internet2 Global Summit was April 6-10 in Denver, CO.
- Open Apereo 2014 was June 1-4 in Miami, FL.
There were some sessions during Open Apereo that may be of interest:
- CASifying PeopleSoft & ADFS: http://lanyrd.com/2014/apereo/sdbbdp/
- To CAS 3 and Beyond: http://lanyrd.com/2014/apereo/sczzzt/
- Grouper for Beginners: http://lanyrd.com/2014/apereo/sdbdmm/
- 2FA Authentication with CAS: http://lanyrd.com/2014/apereo/sdbbdh/
Recordings and slides are available at those links.
The industry has several events coming up in the near future:
- Shibboleth Workshop Series on July 24-25, 2014 in Indianapolis, IN.
- Shibboleth Workshop Series on Sept 29-30, 2014 in Newark, NJ.
- Internet2 Technology Exchange/Identity Week on Oct 26-30, 2014 in Indianapolis, IN.
- Shibboleth Workshop Series on Nov 10-11, 2014 in Salt Lake City, UT.
Highlights About CAS
During the last quarter a patch was released to fix a vulnerability in CAS Server versions 3.5.2 and 3.4.12. The vulnerability was in the SAML 2.0 support for Google Apps. If you haven't already patched, you'll want to upgrade immediately to versions 3.5.2.1 or 3.4.12.1 respectively.
CAS Server 4.0 has been released with many new features. A few highlights: a new service validation endpoint that extends the CAS 2.0 protocol payload to also carry attributes; LPPE (LDAP Password Policy Enforcement) has been improved with better support for OpenLDAP and other directories; an empty Service Registry is no longer allowed; and proxy authentication is no longer on by default. Documentation for the 4.0 release can be found at http://jasig.github.io/cas.
Discussions about CAS Server v4.1 have already started on the mailing lists. To participate, join email@example.com. Also, the CAS AppSec working group has formed to take a closer look at CAS Server practices from a security perspective. More information about the AppSec working group can be found at https://wiki.jasig.org/display/CAS/CAS+AppSec+Working+Group.
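To make the new validation endpoint concrete, here is an added example of what an application's side of CAS 4.0 ticket validation looks like: building the server-to-server validation request and parsing the response, including the attributes block that the CAS 2.0 payload did not carry. This is illustrative code written for this briefing summary, not code from the CAS project or from Unicon; the two XML responses are constructed samples shaped like CAS success and failure replies, and the function names, host names and attribute names are assumptions.

```python
"""Validate a CAS service ticket via the CAS 3.0-style validation endpoint
and pull out the released attributes.

Added example for this briefing; not code from the CAS project or Unicon.
Host names, function names and the sample responses are assumptions.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed sample: a successful reply carrying a multi-valued attribute.
SAMPLE_SUCCESS = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jsmith</cas:user>
    <cas:attributes>
      <cas:mail>jsmith@example.edu</cas:mail>
      <cas:memberOf>staff</cas:memberOf>
      <cas:memberOf>admins</cas:memberOf>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed sample: the shape of a failure reply.
SAMPLE_FAILURE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    Ticket 'ST-1234' not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""


def build_validate_url(cas_base, service, ticket):
    """URL the application fetches server-to-server (never via the browser).
    `service` must be exactly the URL the ticket was issued for, otherwise
    the server rejects the ticket; that binding is what stops a ticket
    captured for one service being replayed against another."""
    query = urlencode({"service": service, "ticket": ticket})
    return cas_base.rstrip("/") + "/p3/serviceValidate?" + query


def parse_validation(xml_text):
    """Return (user, attributes, proxies) on success; raise ValueError on a
    failure reply or on a response that has neither element."""
    # ElementTree's expat parser does not fetch external entities, but a
    # deployment parsing untrusted XML should still prefer defusedxml.
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        raise ValueError("CAS validation failed: %s: %s" % (
            failure.get("code"), (failure.text or "").strip()))
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise ValueError("malformed CAS response: no success or failure element")
    user = success.findtext("cas:user", namespaces=CAS_NS)
    if not user:
        raise ValueError("malformed CAS response: missing cas:user")

    # Attributes are one child element per value; repeated names are
    # multi-valued, so always collect into lists.
    attrs = {}
    attr_el = success.find("cas:attributes", CAS_NS)
    if attr_el is not None:
        for child in attr_el:
            name = child.tag.split("}", 1)[-1]   # drop the namespace prefix
            attrs.setdefault(name, []).append((child.text or "").strip())

    # A proxy chain is only expected when the app deliberately accepts
    # proxied authentication; an app that does not should reject any chain.
    proxies = [(p.text or "").strip()
               for p in success.findall("cas:proxies/cas:proxy", CAS_NS)]
    return user, attrs, proxies


if __name__ == "__main__":
    print(build_validate_url("https://cas.example.edu/cas",
                             "https://app.example.edu/login", "ST-1234"))
    print(parse_validation(SAMPLE_SUCCESS))
```

The important checks are the ones the paragraph above implies but does not spell out: the application validates the ticket itself over a back channel, treats anything other than an explicit authenticationSuccess as a failure, and decides up front whether a proxy chain is acceptable rather than silently accepting one.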
Highlights About Shibboleth
Shibboleth has also seen some movement. It was just announced that an Alpha release of IdP v3 is available. The latest stable version of the Shibboleth Identity Provider is still v2.4.0. The latest version of the Shibboleth Service Provider is v2.5.3; however, the Windows version of the SP has had two patches, both related to OpenSSL and Heartbleed. Please verify that your Windows SPs have been patched.
The Multi-Context Broker (MCB) provides a framework for multi-factor authentication in the IdP and now has several production deployments. Duo and Toopher can both be used as the MFA component.
The Shibboleth IdP v3 project's release goals include supporting extensions (e.g., uApprove) within profiles and improving "rough spots" in the API. It will be protocol-interoperable with v2, but API-incompatible (see https://wiki.shibboleth.net/confluence/display/IDP30/Software+Design). It is planned for a Q3/Fall 2014 release. Check out https://wiki.shibboleth.net/confluence/display/DEV/IdP3Details for details.
Highlights About Grouper
The Grouper roadmap can be found at http://goo.gl/5LrGAR. The 2.2 release is expected any time now. Grouper 2.2 will sport a new user interface optimized for both desktop and mobile. It is end-user friendly and also brings security enhancements. The new UI is available at http://grouper-ui.uchicago.edu/hifi.
Highlights About Unicon Participation in CAS, Shibboleth and Grouper
Open Source Support
Unicon supports open source software as adopted by the community. Unicon collaborates to maintain the supported open source software, making it more supportable and valuable to subscribers. Our motto is to "Act in the best interests of the subscribers, of the community, and of Unicon".
The cas-addons project's home is https://github.com/Unicon/cas-addons. It includes features that extend CAS Server's functionality. The latest release is version 1.11.1. Its Hazelcast ticket registry adds a new option for a replicated ticket registry; we have done some deployments using it instead of Ehcache and believe it has a strong future.
A new project we have released on GitHub is the CAS/ADFS Integration. It provides a CAS Server module that delegates CAS authentication to ADFS, and also includes instructions for CASifying ADFS. You might find these particularly useful if you are an Office 365 customer. The project can be found at https://github.com/Unicon/cas-adfs-integration.
UniconLabs projects are found at https://github.com/UniconLabs. These are experimental projects:
- simple-cas-overlay-template is a quick start template for building a CAS deployment.
- cas-surrogate-principal is a CAS Server module that allows a principal to authenticate as another.
Shib-CAS Authenticator v2 is a CAS "LoginHandler" for Shibboleth IdP v2.x. It provides a simpler, externalized configuration than its predecessor, does not require Tomcat context-sharing, and is able to communicate the requesting SP's "entityId" to CAS. The project had its first formal release this spring. Check it out at https://github.com/Unicon/shib-cas-authn2.
We have finalized the Tomcat 7 DTA-SSL module. It allows the Shibboleth IdP to run under Tomcat 7 and support attribute release.
There is some future work we foresee. Unicon will be helping with Shibboleth IdP v3 testing, and we are in discussion with the developer community to find more ways to assist with Shibboleth. Is there a particular missing feature you need? Please let us know.
There has been some preliminary work done to swap out uPortal's roles and permissions module for one that uses Grouper to provide them.
Unicon continues to contribute AuthZ connectors for Grouper. We'll also make sure that CAS SSO for Grouper is solid.
You can see a list of Unicon's Grouper contributions at https://spaces.internet2.edu/display/Grouper/Unicon+Grouper+Contributions.
What we do
The open source support program lets us collaborate to maintain the current stable recommended releases. We work towards the next releases of CAS, Shibboleth, and Grouper; explore extensions and opportunities; and remain responsive to input from subscriber experiences. We are able to work on subscribers' explicit requests, learn from providing you support, and empathize with your needs and projects.
Subscribers are welcome... no, encouraged to get in touch with us directly to discuss how this information relates to your specific situation. Questions can be something as simple as, "Should I upgrade to the next release of shib-cas-authenticator?" By all means, do get in touch!
Let’s do this again
Our next Unicon IAM Update is tentatively planned for Thursday, November 6th, 2014 @ 2:00 PM Eastern/11:00 AM Pacific.