2016 09-15 unicon-iam-update


Page 1: 2016 09-15 unicon-iam-update

Unicon IAM Webinar: CAS, Shibboleth, Grouper

15 September 2016 - 11am Pacific Time (PT)

Mike Grady • Dmitriy Kopylenko • John Gasper

Join from PC, Mac, Linux, iOS or Android: https://unicon.zoom.us/j/588322739

Or iPhone one-tap (US Toll): +16465588656,588322739# or +14086380968,588322739#

Or Telephone: Dial: +1 646 558 8656 (US Toll) or +1 408 638 0968 (US Toll)

Meeting ID: 588 322 739

Page 2

Welcome

• Community updates

• Unicon contributions

• Q&A

Page 3

Presenters

Mike Grady - Shibboleth IdP | Shibboleth SP

Dmitriy Kopylenko - CAS

John Gasper - Grouper

Charise Arrowood - MC

Page 4

Events & Trends

Page 5

Past Events

• OpenID Connect Workshop: 22-23, 24-25 Feb 2016 in Denver, CO

• Open Apereo Conference: 22-25 May 2016 in NYC

• 2016 Internet2 Global Summit: 15-18 May, Chicago, IL

Page 6

Upcoming Events

• Internet2 2016 Technology Exchange: 25-29 Sept, Miami, FL

• EDUCAUSE 2016 Annual Conference: 25-28 Oct, Anaheim, CA

• InCommon Shibboleth Workshop: 27-28 Oct, Long Beach, CA

• 2017 Internet2 Global Summit: 23-26 Apr, Washington, DC

• 2017 Open Apereo: 4-8 June, Philadelphia, PA

Page 7

IAM Trends

• MFA for Shibboleth, CAS

  ○ Risk-based Adaptive AuthN

• OpenID Connect

• TIER: Packaging, APIs, Person Registry, ...

• SAML Integrations w/ O365 & ADFS

• Metadata Query (MDQ) Protocol

Page 8

IAM Trends

• IAM in the Cloud

  ○ Hosted SSO services and more

  ○ Unicon’s offering: https://www.unicon.net/solutions/IAM-cloud

Page 9

Unicon Contributions: IdP | SP

Mike Grady

Page 10

News

● Identity Provider V2.4.5, OpenSAML 2.6.6

  ○ EOL !!!! V2 full End-Of-Life date was July 31, 2016

  ○ 2.4.4 was last 2.x “minimum safe release”

● Service Provider V2.6.0 Now Available

  ○ Includes a new version of the Xerces XML parser that addresses a security vulnerability in Apache Xerces-C XML Parser library versions prior to V3.1.4

Page 11

Shibboleth Versions

● Latest versions:

  ○ IdP v3.2.1 (19 Dec 2015)

  ○ V3.1.1 considered “minimum safe release”

  ○ SP v2.6.0 (27 June 2016)

● v3.2.0 and v3.2.1 released

  ○ HTML5 local storage

  ○ SLO: Front channel SAML and CAS

  ○ SPNEGO authentication

  ○ Bug fixes

Page 12

Shibboleth 2.x Lifetime

Now past End-Of-Life. How soon that becomes a significant problem is unknown: it could be tomorrow or it could be months, but you need to have a plan to upgrade.

Page 13

IdP: OpenID Connect

https://github.com/uchicago/shibboleth-oidc

● Authorization/Implicit Flow

● Dynamic Discovery

● Standard/Custom claims

● Certified by OpenID foundation for University of Chicago

Page 14

Shib-CAS AuthN v3

https://github.com/Unicon/shib-cas-authn3

● v3.1.0

  ○ Shibboleth IdP v3.X support

  ○ Fixed encoding on entityId/service parameters.

● Plan to produce a version where attributes returned from CAS, and the AuthN Context Class with respect to MFA, are available to the IdP.

  ○ Retrieving the info coming back from CAS is done; now a “data connector” is needed to expose it for use within the IdP

Page 15

Other/Ongoing work

● Hazelcast Storage Service: https://github.com/UniconLabs/shibboleth-hazelcast-storage-service

● Duo Support for IdP v3: https://github.com/Unicon/shib-mfa-duo-auth

● Shib IdP as a Gradle Overlay: https://github.com/UniconLabs/shibboleth-idp-gradle-overlay

● IdP v3 powered by Docker: https://github.com/unicon/shibboleth-idp-dockerized

Page 16

Other/Ongoing work

● Split Authn

  ○ Support for users coming from 2 different Authentication/Attribute sources, configured in distinct config files; only one or the other is used for AuthN and the attribute Resolver for any given authentication.

  ○ Easy to “hard code” attributes based on the source (“role”) chosen. “Role” choice is made on the Login page.

  ○ Demo with 2 LDAP servers, but should work with any 2 sources

  ○ https://github.com/Unicon/ccc-shib-split-authn

Page 17

Other/Ongoing work

● Coming Soon: Symantec VIP MFA

  ○ Token Authentication

  ○ OTP Authentication

  ○ Push Authentication

  ○ Risk based Authentication

  ○ Sponsored by the University of Wisconsin - Whitewater

  ○ Work done, but not yet “fully generalized” for open source

Page 18

Shib IdP v3.3

● Next version of Shib IdP due by late 2016

● Improvements to logout options and accessibility aspects of such

● Adding in more built-in support for metadata filtering, more “conditionals”, etc.

● New login flow(s) allowing combining factors in what the Shib Dev core team believes will be a more manageable/predictable way

Page 19

Shib IdP v3.3

● Looks like an “out-of-the-box” Duo flow will be part of it

● Unicon will need to determine if our current Duo plugin should be “retired” or updated for the new version.

  ○ Or if there are updates to the supplied one that make sense to add

● Unicon will need to verify and/or “modify” our other current authentication flow add-ons

Page 20

Unicon Contributions: CAS Highlights

Dmitriy Kopylenko

Page 21

CAS v4.2

● v4.2.5 is the current version

  ○ Dynamic Plug-N-Play module configuration

  ○ ADFS/WS-FED delegated authN

  ○ UIs to manage SSO sessions/statistics

  ○ BASIC, JWT, Shiro, MongoDB, Stormpath authN

  ○ Couchbase, Ignite, Infinispan ticket registries

  ○ ABAC via attributes, time, or Grouper

● See http://jasig.github.io/cas/4.2.x/index.html

Page 22

CAS v5.0.0

● Tentative release date: October 2016

● Current release: 5.0.0.RC1

● Major features:

  ○ MFA via DuoSecurity, RADIUS, YubiKey

    ■ Risk-based adaptive authN

  ○ SAML2 Web SSO support

  ○ OAuth/OIDC support

  ○ Full internal config re-architecture via Spring Boot

  ○ Java 8

Page 23

Other/Ongoing work

● Auto config for CAS Java clients: https://github.com/Unicon/cas-client-autoconfig-support

● Delegated SAML authN for CAS 3.5.x: https://github.com/UniconLabs/cas-saml-auth

● Bootstrap CAS via a Gradle overlay: https://github.com/UniconLabs/cas-strap

Page 24

Further CAS Resources

● CAS maintenance policy: https://apereo.github.io/cas/developer/Maintenance-Policy.html

● Apereo Blog: https://apereo.github.io/

Page 25

Unicon Contributions: Grouper

John Gasper

Page 26

Grouper v2.3.0

● Can run multiple simultaneous Loader/Daemon instances

● WS: Manage attribute/permission defs; TIER authorization

● PSP-NG: New Grouper provisioner

  ○ LDAP and AD connectors built-in

● Exporting tree to GSH script.

● Lots of patches:

  ○ API: 24, UI: 8, WS: 5, PSP-NG: 2

Page 27

Other/Ongoing work

● Internet2 Grouper Dockerized: Composable images/containers: https://github.com/Unicon/grouper-dockerized

● Grouper-Demo for Docker: https://hub.docker.com/r/unicon/grouper-demo/

● Custom Provisioning Target Form: https://github.com/Unicon/grouper-provisioning-target-ui

● Azure AD (Office 365) Provisioner: https://github.com/Unicon/office365-and-azure-ad-grouper-provisioner

Page 28

Docker Demo

Grouper environment based on the composable images/containers

Page 29

Questions / Discussion

Mike [email protected]

Dmitry [email protected]

John [email protected]