2016 09-15 unicon-iam-update
TRANSCRIPT
Unicon IAM Webinar: CAS, Shibboleth, Grouper
15 September 2016 - 11am Pacific Time (PT)
Mike Grady • Dmitriy Kopylenko • John Gasper
Join from PC, Mac, Linux, iOS or Android: https://unicon.zoom.us/j/588322739
Or iPhone one-tap (US Toll): +16465588656,588322739# or +14086380968,588322739#
Or Telephone: Dial: +1 646 558 8656 (US Toll) or +1 408 638 0968 (US Toll)
Meeting ID: 588 322 739
Welcome
• Community updates
• Unicon contributions
• Q&A
Presenters
Mike Grady: Shibboleth IDP | Shibboleth SP
Dmitriy Kopylenko: CAS
John Gasper: Grouper
Charise Arrowood: MC
Events & Trends
Past Events
• OpenID Connect Workshop: 22-23, 24-25 Feb 2016 in Denver, CO
• Open Apereo Conference: 22-25 May 2016 in NYC
• 2016 Internet2 Global Summit: 15–18 May, Chicago, IL
Upcoming Events
• Internet2 2016 Technology Exchange: 25-29 Sept, Miami, FL
• EDUCAUSE 2016 Annual Conference: 25-28 Oct, Anaheim, CA
• InCommon Shibboleth Workshop: 27-28 Oct, Long Beach, CA
• 2017 Internet2 Global Summit: 23–26 Apr, Washington, DC
• 2017 Open Apereo: 4-8 June, Philadelphia, PA
IAM Trends
• MFA for Shibboleth, CAS
  ○ Risk-based Adaptive AuthN
• OpenID Connect
• TIER: Packaging, APIs, Person Registry, ...
• SAML Integrations w/ O365 & ADFS
• Metadata Query (MDQ) Protocol
IAM Trends
• IAM in the Cloud
  ○ Hosted SSO services and more
  ○ Unicon’s offering: https://www.unicon.net/solutions/IAM-cloud
IDP | SP
Mike Grady
Unicon Contributions
News
● Identity Provider V2.4.5, OpenSAML 2.6.6
  ○ EOL !!!! V2 full End-Of-Life date was July 31, 2016
  ○ 2.4.4 was last 2.x “minimum safe release”
● Service Provider V2.6.0 Now Available
  ○ Includes a new version of the Xerces XML parser that addresses a security vulnerability in Apache Xerces-C XML Parser library versions prior to V3.1.4
Shibboleth Versions
● Latest versions:
  ○ IdP v3.2.1 (19 Dec 2015)
  ○ V3.1.1 considered “minimum safe release”
  ○ SP v2.6.0 (27 June 2016)
● v3.2.0 and v3.2.1 released
  ○ HTML5 local storage
  ○ SLO: Front channel SAML and CAS
  ○ SPNEGO authentication
  ○ Bug fixes
Shibboleth 2.x Lifetime
Now Past End-Of-Life ….. How soon that is a significant problem is unknown: could be tomorrow, could be months, but you need to have a plan to upgrade.
IdP: OpenID Connect
https://github.com/uchicago/shibboleth-oidc
● Authorization/Implicit Flow
● Dynamic Discovery
● Standard/Custom claims
● Certified by OpenID foundation for University of Chicago
Shib-CAS AuthN v3
https://github.com/Unicon/shib-cas-authn3
● v3.1.0
  ○ Shibboleth IdP v3.X support
  ○ Fixed encoding on entityId/service parameters.
● Plan to produce a version where attributes returned from CAS are available to the IdP, and the AuthN Context Class w.r.t. MFA.
  ○ Info from CAS coming back is done, now need a “data connector” to expose it for use within the IdP
Other/Ongoing work
● Hazelcast Storage Service
  https://github.com/UniconLabs/shibboleth-hazelcast-storage-service
● Duo Support for IdP v3
  https://github.com/Unicon/shib-mfa-duo-auth
● Shib IdP as a Gradle Overlay
  https://github.com/UniconLabs/shibboleth-idp-gradle-overlay
● IdP v3 powered by Docker
  https://github.com/unicon/shibboleth-idp-dockerized
Other/Ongoing work
● Split Authn
  ○ Support for users coming from 2 different Authentication/Attribute sources in distinct config files; only one or the other is used for Authn and Resolver for any given authentication.
  ○ Easy to “hard code” attributes based on source (“role”) chosen. “Role” choice on Login page.
  ○ Demo with 2 LDAP servers, but should work with any 2 sources
  ○ https://github.com/Unicon/ccc-shib-split-authn
Other/Ongoing work
● Coming Soon: Symantec VIP MFA
  ○ Token Authentication
  ○ OTP Authentication
  ○ Push Authentication
  ○ Risk based Authentication
  ○ Sponsored by the University of Wisconsin - Whitewater
  ○ Work done, but not yet “fully generalized” for open source
Shib IdP v3.3
● Next version of Shib IdP due by late 2016
● Improvements to logout options and accessibility aspects of such
● Adding in more built-in support for metadata filtering, more “conditionals”, etc.
● New login flow(s) allowing combining factors in what the Shib Dev core team believes will be a more manageable/predictable way
Shib IdP v3.3
● Looks like an “out-of-the-box” Duo flow will be part of it
● Unicon will need to determine if our current Duo plugin should be “retired” or updated for the new version.
  ○ Or if there are updates to the supplied one that make sense to add
● Unicon will need to verify and/or “modify” our other current authentication flow add-ons
Highlights
Dmitriy Kopylenko
Unicon Contributions
CAS v4.2
● v4.2.5 is the current version
  ○ Dynamic Plug-N-Play module configuration
  ○ ADFS/WS-FED delegated authN
  ○ UIs to manage SSO sessions/statistics
  ○ BASIC, JWT, Shiro, MongoDB, Stormpath authN
  ○ Couchbase, Ignite, Infinispan ticket registries
  ○ ABAC via attributes, time, or Grouper
● See http://jasig.github.io/cas/4.2.x/index.html
CAS v5.0.0
● Tentative release date: October 2016
● Current release: 5.0.0.RC1
● Major features:
  ○ MFA via DuoSecurity, RADIUS, YubiKey
    ■ Risk-based adaptive authN
  ○ SAML2 Web SSO support
  ○ OAuth/OIDC support
  ○ Full internal config re-architecture via Spring Boot
  ○ Java 8
Other/Ongoing work
● Auto config for CAS Java clients
  https://github.com/Unicon/cas-client-autoconfig-support
● Delegated SAML authN for CAS 3.5.x
  https://github.com/UniconLabs/cas-saml-auth
● Bootstrap CAS via a Gradle overlay:
  https://github.com/UniconLabs/cas-strap
Further CAS Resources
● CAS maintenance policy:
  https://apereo.github.io/cas/developer/Maintenance-Policy.html
● Apereo Blog:
  https://apereo.github.io/
John Gasper
Unicon Contributions
Grouper v2.3.0
● Can run multiple simultaneous Loader/Daemon instances
● WS: Manage attribute/permission defs; TIER authorization
● PSP-NG: New Grouper provisioner
  ○ LDAP and AD connectors built-in
● Exporting tree to GSH script.
● Lots of patches:
  ○ API: 24, UI: 8, WS: 5, PSP-NG: 2
Other/Ongoing work
● Internet2 Grouper Dockerized: Composable images/containers
  https://github.com/Unicon/grouper-dockerized
● Grouper-Demo for Docker
  https://hub.docker.com/r/unicon/grouper-demo/
● Custom Provisioning Target Form
  https://github.com/Unicon/grouper-provisioning-target-ui
● Azure AD (Office 365) Provisioner
  https://github.com/Unicon/office365-and-azure-ad-grouper-provisioner
Docker Demo
Grouper environment based on the composable images/containers