Cas iu-pres
Open Apereo - June 1-4 2014
Agenda
Introduction
Environment Overview
Functional Requirements
Features Overview
Demo
Development Workflow
Discussion & Questions
Introduction: Nubli Kasa
Lead Systems Analyst / Programmer at Identity Management Systems
With Indiana University for 6 years
Technical lead for the project; responsible for managing CAS and Shibboleth deployments
Introduction: Misagh Moayyed
IAM Consultant @ Unicon
3 years with Unicon; 5 years with Jasig/Apereo
Unicon's technical lead for the project
Current Environment
Current CAS based on Yale CAS v2
Diverged from Apereo CAS in many ways
Utilizes large set of AppCodes
◦ Authentication request type, authorization, …
StepUp Authentication; Staff @ admin permissions
Challenges to meet business need have led to many large and small CAS changes.
Functional Requirements
Upgrade to CAS 3.5.2
Design and Implementation of AppCodes
◦ Dynamic UI Rendering
◦ AppCode Validation vs. StepUp AuthN
Primary AuthN via Jaas & Krb
StepUp AuthN via RADIUS
Protocol extension; Support for IUCAS
Active-Active HA Deployment with EhCache
What is an AppCode?
Token to describe the requesting app
◦ What theme to use?
◦ What authentication methods to allow?
Analogous yet parallel to service registry
Grouped by 4 primary AppCodes
◦ IU, GUEST, SAFEWORD, ANY
Recognize changes automatically
AppCodeRegistry
Dynamic Theme Selection
AppCode groups can specify themes
AppCodeResourceViewResolver
Primary AuthN: Jaas & Krb
Jaas.conf:
Krb5.conf:
Problem: how do we tie realms to KDCs?!
New JaasAuthenticationHandler
No Krb5.conf; System Props instead:
◦ java.security.krb5.realm
◦ java.security.krb5.kdc
Let CAS pick Realms and KDCs!
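A sketch of the handler this slide describes, added here as an example and not IU's or CAS's own code: the AppCode selects a realm/KDC pair, which is handed to the JDK through java.security.krb5.realm and java.security.krb5.kdc before the JAAS login runs. The class name, the jaas.conf entry name and the AppCode-to-realm mapping are assumptions.

```java
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

// Hypothetical handler (not IU's or CAS's code): chooses the Kerberos realm and
// KDC per AppCode and hands them to the JDK via the two system properties the
// Krb5LoginModule consults, so no krb5.conf has to be shipped with CAS.
public final class AppCodeRealmJaasHandler {
    private final String jaasEntry;                        // entry name in jaas.conf, e.g. "CAS" (assumed)
    private final Map<String, String[]> realmKdcByAppCode; // AppCode -> {realm, kdc}; constructed mapping
    public AppCodeRealmJaasHandler(String jaasEntry, Map<String, String[]> realmKdcByAppCode) {
        this.jaasEntry = jaasEntry;
        this.realmKdcByAppCode = realmKdcByAppCode;
    }
    // Synchronized on purpose: java.security.krb5.realm/kdc are JVM-global, so two
    // concurrent logins against different realms would otherwise race on them.
    public synchronized boolean authenticate(String appCode, String user, char[] password) throws LoginException {
        String[] realmKdc = realmKdcByAppCode.get(appCode);
        if (realmKdc == null) {
            throw new LoginException("no Kerberos realm mapped for AppCode " + appCode);
        }
        // The JDK requires both properties to be set together, never just one of them.
        System.setProperty("java.security.krb5.realm", realmKdc[0]);
        System.setProperty("java.security.krb5.kdc", realmKdc[1]);
        LoginContext ctx = new LoginContext(jaasEntry, new NamePasswordHandler(user, password));
        ctx.login();   // throws LoginException on bad credentials or an unreachable KDC
        ctx.logout();  // CAS only needs the yes/no answer, not the Subject
        return true;
    }
    // Answers the Krb5LoginModule's name/password callbacks from the submitted credential.
    private static final class NamePasswordHandler implements CallbackHandler {
        private final String user;
        private final char[] password;
        NamePasswordHandler(String user, char[] password) { this.user = user; this.password = password; }
        @Override public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb);
            }
        }
    }
}
```

Two caveats for a live deployment: the properties are JVM-global (hence the synchronized method), and the JDK caches Kerberos configuration once it has been loaded, so switching realms on a running JVM may additionally require that cached configuration to be refreshed.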
StepUp RADIUS AuthN Config
Additional properties for NAS settings
StepUp AuthN via RADIUS
Primarily based on the @cas-mfa codebase:
◦ https://github.com/Unicon/cas-mfa
Initiated by SAFEWORD AppCode
CAS remembers a single AppCode; knows its relationship to other AppCodes
StepUp AuthN Rules
Depending on credentials, ANY can be either IU or GUEST!
CAS Protocol Extensions

| IU CAS Protocol | CAS Protocol Equivalent |
|---|---|
| cassvc | ${appcode:IU} |
| casurl | service |
| casticket | ticket |

CAS Validation Response:
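One way to layer the parameter mapping in the table above onto a stock CAS, added as an example rather than IU's code: a request wrapper (installed from a servlet Filter ahead of the CAS servlet) that renames the legacy IUCAS parameters so the unmodified flow sees service, ticket and appcode. The class name, the reading of ${appcode:IU} as "the appcode parameter, defaulting to IU", and the rule that a standard name wins over a legacy duplicate are all assumptions.

```java
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

// Hypothetical wrapper (not IU's code): presents a legacy IUCAS request to the
// unmodified CAS flow under the standard parameter names. "${appcode:IU}" is
// read here as "the appcode parameter, defaulting to IU" (an assumption).
public final class IuCasRequestWrapper extends HttpServletRequestWrapper {
    private static final String DEFAULT_APPCODE = "IU";
    private final Map<String, String[]> params;

    public IuCasRequestWrapper(HttpServletRequest request) {
        super(request);
        this.params = translate(request.getParameterMap());
    }

    // Pure translation step, kept separate so it can be tested without a container.
    static Map<String, String[]> translate(Map<String, String[]> legacy) {
        Map<String, String[]> out = new HashMap<>(legacy);
        rename(out, "casurl", "service");
        rename(out, "casticket", "ticket");
        rename(out, "cassvc", "appcode");
        out.putIfAbsent("appcode", new String[] { DEFAULT_APPCODE });
        return Collections.unmodifiableMap(out);
    }

    // If a request carries both spellings, the standard name wins; the legacy
    // name never silently overrides it. The service value is still subject to
    // the service registry check further down the flow; renaming is all this does.
    private static void rename(Map<String, String[]> m, String legacyName, String casName) {
        String[] values = m.remove(legacyName);
        if (values != null && !m.containsKey(casName)) {
            m.put(casName, values);
        }
    }

    @Override public String getParameter(String name) {
        String[] values = params.get(name);
        return values == null || values.length == 0 ? null : values[0];
    }
    @Override public String[] getParameterValues(String name) { return params.get(name); }
    @Override public Map<String, String[]> getParameterMap() { return params; }
    @Override public Enumeration<String> getParameterNames() {
        return Collections.enumeration(params.keySet());
    }
}
```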
EhCacheTicketRegistry
Distributed cache across live nodes
Replication via Java RMI; Manual discovery
Two separate caches for STs and TGTs
No need for ticket registry cleaners!
Simple setup; No external process required
EhCache Replication
RMI replication & manual peer discovery
Specify "other" nodes in the cluster
Discoverable Host Names
Single cas.properties file for all nodes
Discover ${host.name} automatically
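The replication setup of the last three slides (EhCacheTicketRegistry, RMI replication with manual peer discovery, and ${host.name}) as one added example, an ehcache-replicated.xml that is not IU's file: two replicated caches, a peer provider listing the other nodes, and this node's own listener bound to ${host.name}. Hostnames, port, sizes and timeouts are placeholders, and the substitution of ${host.name} from the shared cas.properties is assumed to be wired up outside this file.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Hypothetical ehcache-replicated.xml (not IU's file). Hostnames cas-node-b and
     cas-node-c, port 41001, sizes and timeouts are placeholders; ${host.name} is
     assumed to be resolved from cas.properties as the slides describe. -->
<ehcache xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:noNamespaceSchemaLocation="ehcache.xsd" updateCheck="false">

  <!-- Manual peer discovery: this node lists the OTHER nodes' RMI URLs, one per
       replicated cache. The same file works on every node only because each
       node's own address is supplied via ${host.name} below, not hard-coded. -->
  <cacheManagerPeerProviderFactory
      class="net.sf.ehcache.distribution.RMICacheManagerPeerProviderFactory"
      properties="peerDiscovery=manual,rmiUrls=//cas-node-b:41001/serviceTicketsCache|//cas-node-b:41001/ticketGrantingTicketsCache|//cas-node-c:41001/serviceTicketsCache|//cas-node-c:41001/ticketGrantingTicketsCache"
      propertySeparator="," />

  <!-- This node's RMI listener. RMI replication carries tickets without
       authentication or encryption, so this port must only be reachable from
       the other cluster nodes. -->
  <cacheManagerPeerListenerFactory
      class="net.sf.ehcache.distribution.RMICacheManagerPeerListenerFactory"
      properties="hostName=${host.name},port=41001,socketTimeoutMillis=120000" />

  <defaultCache maxElementsInMemory="1000" eternal="false" overflowToDisk="false"
                timeToIdleSeconds="60" timeToLiveSeconds="60" />

  <!-- Service tickets: short TTL, replicated synchronously so an ST issued on one
       node validates on another right away. Expiry replaces the registry cleaner. -->
  <cache name="serviceTicketsCache" maxElementsInMemory="10000" eternal="false"
         overflowToDisk="false" timeToIdleSeconds="0" timeToLiveSeconds="300">
    <cacheEventListenerFactory
        class="net.sf.ehcache.distribution.RMICacheReplicatorFactory"
        properties="replicateAsynchronously=false,replicatePuts=true,replicateUpdates=true,replicateUpdatesViaCopy=true,replicateRemovals=true" />
  </cache>

  <!-- Ticket-granting tickets: the idle timeout acts as the SSO session timeout;
       asynchronous replication is acceptable because a TGT is reused, not
       consumed on first use the way an ST is. -->
  <cache name="ticketGrantingTicketsCache" maxElementsInMemory="10000" eternal="false"
         overflowToDisk="false" timeToIdleSeconds="7200" timeToLiveSeconds="28800">
    <cacheEventListenerFactory
        class="net.sf.ehcache.distribution.RMICacheReplicatorFactory"
        properties="replicateAsynchronously=true,replicatePuts=true,replicateUpdates=true,replicateUpdatesViaCopy=true,replicateRemovals=true" />
  </cache>
</ehcache>
```

Because the RMI transport has no authentication or encryption of its own, the listener port should be firewalled so that only the cluster peers can reach it.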
Demo
Development Workflow
BitBucket Git repository; Code + Docs
Real-time issue tracking & collaboration
Automated deployment via Jenkins CI