- Number of slides: 59
Jasig CAS 3.5 - What’s new? Jasig-Sakai 2012, Monday June 11th 2012, Atlanta, GA. Andrew Petro - Unicon, Inc.
Who am I? CAS committer. Previously, CAS steering committee member.
I work for Trusted Partner since 1993. Expertise in Open Source Software for Education. Professional Services for CAS, Shibboleth, uPortal, Sakai, Grouper, Student Success Plan, ... Innovative Cooperative Support program.
CAS-related at this conference - today: Jasig CAS 3.5 - What’s new? (this); Fordham Goes ABAC for CAS - Extending CAS with Attribute-Based Access Control
CAS-related at this conference - tomorrow Columbia Goes Goo-Google for CAS - Extending CAS with WIND Protocol Support and Service Registry High Availability in Hurricane Alley - Multi-site Multinode CAS Deep in the Heart of Texas
CAS-related at this conference - Thursday Shibboleth and CAS - more perfect together
This session: What is CAS anyway? Status of CAS 3.4. What’s new in CAS 3.5? What’s otherwise new in CAS? Questions, discussion. Lunch!
What is CAS, anyway?
CAS is open source single sign-on for the Web. Modify applications to rely upon CAS to authenticate the user.
Good features: Pluggable, flexible, and malleable; a toolkit for building your institutional login experience; Simple CAS protocol and client libraries; n-tier delegated authentication; password replay still possible if you really want
You are here.
CAS is simple. Example: CAS doesn’t want to *be* your store of credentials, your account management system, your attribute repository. It wants to leverage your IdM infrastructure to broker Web logins. Kinds of credentials CAS supports: passwords (bind against LDAP, in a database, ...); x.509 certificates; OAuth
Spring Web Flow
Spring Web Flow useful for adding: Acceptable Use Policy acceptance prompt; stale / expired password warning / enforcement; nuanced authentication error messaging / handling; coarse grained access control; target-application-specific handling; ...
Lots of integration libraries: Java / Java Servlet Filter / Spring Security / Apache Shiro / Tomcat; Apache module; .NET; PHP; Perl; Ruby; PAM module
Lots of applications with available CAS support: uPortal, Sakai, Drupal, Wordpress, Liferay, Blackboard, ...
Lots of adopting institutions. Unclear how many? http://millionshort.com/search.php?q=Jasig+CAS&remove=1000k
Community (via Jasig): email lists; wiki and issue tracker; source control (now on GitHub); this conference; ...
Implement using Maven overlay: Factor your CAS implementation as pom.xml dependency declaration, local configuration, and local customizations. CAS distribution + your dependencies + your changes + your configuration = your CAS implementation
CAS 3.4
CAS 3.4: Mature, well-known; 3.4.12 is latest patch release; Patch releases are intended to be zero pain drop-in upgrades; Well understood and a fine conservative choice for your CAS implementation today
CAS 3.4.12 is latest release: Regular expression support in service registration matching; Misc. fixes and improvements in recent 3.4.x releases
CAS 3.5 - what’s new
3.5 “minor” release: Incur some upgrade pain on 3.4 to 3.5; In exchange for new functionality and improvements
Themes: Theme 1: extensions coming into CAS product; Theme 2: incremental honing and maturity
Theme 1: Extensions coming into CAS product: LPPE - LDAP Password / Account status reflection; ClearPass - optional password caching and selective, secure release; EhCache Ticket Registry - another option for ticket state clustering; OAuth 2 producer and consumer support - more ways to authenticate users to CAS and to integrate with CAS in relying applications
LPPE - LDAP account status reflection: Why is authentication against LDAP (Active Directory) failing? Password wrong? Account is locked? Other error code? Now error codes reflected in UI. Initially integrates with Active Directory, with potential for more error mappings.
ClearPass: optional password caching and selective, secure password release to relying applications. This was a separate CAS extension, now drawn into the core CAS product. Off by default. Several steps required to turn on this feature.
Why do I need ClearPass?
Why else do I need ClearPass? Outlook Web Application CASification? WebAdvisor CASification? It’s a tool. You may need it. You may be able to avoid it. Try to avoid.
Do I have to cache and release passwords? Absolutely not. Off by default. Very. But now easier to turn on, with less messing around with Maven and dependencies conflict resolution.
EhCache Ticket Registry: Another option for clustering ticket registry state among clustered CAS server nodes; Bridges from CAS TicketRegistry API to EhCache; Options within EhCache for implementing and replicating that cache: RMI, Terracotta
OAuth Producer and Consumer support and improved OpenID support
Choose to login via OAuth
Login at e.g. GitHub
Validating the ticket
Theme 2: Incremental honing and maturity: Regular expressions in service registration matching *; Better SSO session expiration policy *; Improved properties handling; Improved health monitoring; Upgrades to dependencies, Spring framework version, etc. * = also in later / latest CAS 3.4.x release
SSO session expiration policy (“TicketGrantingTicket” expiration policy): Set both a hard timeout and a sliding window idle timeout
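A model of the combined policy on the slide above, as an added example that is not CAS source code: a session ticket is refused once either the hard timeout or the sliding idle timeout is reached, and activity resets only the idle window. The class, function names and the 8 h / 2 h values are assumptions made for illustration.

```python
from dataclasses import dataclass

# Sample values chosen for this example, not read from any CAS configuration.
HARD_TIMEOUT_S = 8 * 3600   # absolute lifetime, measured from ticket creation
IDLE_TIMEOUT_S = 2 * 3600   # sliding window, measured from last use


@dataclass
class TicketGrantingTicket:
    """Hypothetical stand-in for an SSO session ticket (not the CAS class)."""
    created_at: float
    last_used_at: float


def is_expired(tgt, now, hard=HARD_TIMEOUT_S, idle=IDLE_TIMEOUT_S):
    """Expired once EITHER limit is reached; activity resets only the idle one."""
    if now < tgt.last_used_at or tgt.last_used_at < tgt.created_at:
        return True  # clock skew or inconsistent state: fail closed
    return (now - tgt.created_at) >= hard or (now - tgt.last_used_at) >= idle


def use_ticket(tgt, now):
    """Model one SSO request: refuse an expired ticket, otherwise slide the window."""
    if is_expired(tgt, now):
        return False
    tgt.last_used_at = now
    return True


def simulate(request_times):
    """Replay request timestamps (seconds after login) against one ticket."""
    tgt = TicketGrantingTicket(created_at=0.0, last_used_at=0.0)
    return [use_ticket(tgt, t) for t in request_times]


if __name__ == "__main__":
    hour = 3600
    # Constructed timeline: a user active every 90 minutes is still cut off at 8 h.
    print(simulate([h * hour for h in (1.5, 3, 4.5, 6, 7.5, 9)]))
    # Constructed timeline: a 2.5 h gap exceeds the idle window; later use stays refused.
    print(simulate([1 * hour, 3.5 * hour, 4 * hour]))
```

A refused request does not update the last-use time, so a ticket that has gone idle cannot be revived by later traffic.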
Improved properties handling: More in cas.properties; Sensible defaults optionally overridden by cas.properties (set what you change); Easier to put cas.properties outside of the .war; Logging configuration file location set in cas.properties
(Those were all old, actually) The incremental feature in CAS 3.5 is additional monitoring, suitable for targeting with an automated probe.
CAS 3.5 status: 3.5 RC2 now available for testing; Doing QA, mopping up issues and glitches; 3.5 GA release “soon” - days or weeks, not months or years; Expect patch releases to follow a 3.5.0 release
How you upgrade: Update your pom.xml to depend on CAS 3.5. Not using Maven Overlay? Good time to start? Resolve conflicts, merge your configuration with new defaults, migrate forward your service registry data. Test outside of production! Roll to production.
What else is new? GitHub; New committer Jérôme Leleu; Better integration for using CAS as the login mechanism for Shibboleth IdP; phpCAS client release
CAS now using GitHub
New committer Jérôme Leleu: Contributed OAuth support; admirably active on lists, in the project
CAS + Shib = happy. CAS for flexible single sign-on experience. Spring Web Flow! Shibboleth IdP for rigorous SAML 2 and Federation. Better implementation of this at: https://github.com/Unicon/shib-cas-authenticator Presentation later in conference.
phpCAS client library release: Much better handling of proxy CAS (n-tier delegated authentication) features
Summary: Active project; Continued maturity; Gently pulling successful extensions into the core product
Questions? Discussion?
Contact information: Andrew Petro, apetro@unicon.net, http://www.unicon.net/blog/apetro, http://www.unicon.net/contact
Lunch: Atlanta Ballroom, 7th floor