Unicon July 2015 IAM Briefing
Unicon IAM Update: CAS, Shibboleth, Grouper
09 July 2015
Jonathan Johnson • Misagh Moayyed • David Langenberg
Audio is via Adobe Connect. There is no phone dial-in.
Welcome to this briefing
• Updates on CAS, Shibboleth and Grouper
• Unicon contributions to CAS, Shibboleth and Grouper
• Unicon's Open Source Support
• Q&A
Misagh Moayyed
• IAM, Shibboleth, CAS, uPortal
• Unicon’s Open Source Support for CAS technical lead
David Langenberg
• Grouper Developer, Internet2
• Shibboleth Trainer, InCommon LLC
• IAM Architect, University of Chicago
Past Events
• Internet2 Global Summit: 26-30 Apr 2015, Washington D.C.
• Educause Security Professionals Conf: 4-6 May, Minneapolis, MN
• Open Apereo: 31 May-4 June, Baltimore, MD
Upcoming Events
• InCommon Shibboleth Workshop: 17-18 Sept 2015, Cupertino, CA
• Internet2 2015 Technology Exchange: 4-7 Oct 2015, Cleveland, OH
• InCommon Shibboleth Workshop: 19-20 Oct 2015, Arlington, TX
IAM Trends
• MFA for Shibboleth, MFA for CAS, etc.
  ○ Device/Location aware features
  ○ Risk-based AuthN
• O365/ADFS Integration with CAS/Shibboleth
• Grouper and Provisioning
CAS Server Versions
● CAS Server v3.6.0 / v4.0.2 (12 Jun 2015)
  ■ OAuth/OpenID bug fixes
  ■ Localization and UI improvements
  ■ Protocol URL/Parameter sanitizations
● CAS Server v4.0.3 (early next week)
  ■ Security filter upgrade
  ■ LDAP/LPPE bug fixes
  ■ Localization/UTF-8 improvements
● CAS Server v4.1.0 (in development)
CAS 4.1 – Goodies
https://youtu.be/P_GTXEAt5oU
● JSON Service Registry / RBAC
● Better Management Interface
● SLO/Logo/Logout URL per application
● Password/PGT as attributes
● Many more...
CAS Server Security Filter
https://github.com/Jasig/cas-server-security-filter
• Suitable for patching existing deployments in place where they are vulnerable to CAS-protocol-input attacks.
• v2.0.3 released 3-Jul-2015.
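The security filter slide only names the idea of screening CAS protocol input before the server's own handlers see it. The sketch below, added here as an illustration and not code from the Jasig cas-server-security-filter project, shows the two checks such a front-door filter can apply: refusing a protocol parameter that arrives more than once (ambiguous for the server), and refusing values carrying control characters that could leak into a redirect or header. The set of policed parameter names, the forbidden characters and the sample query strings are all assumptions chosen for this example.

```python
"""Sketch of a CAS-protocol request-parameter policy check.

Added illustration only; this is NOT the code of the Jasig
cas-server-security-filter project. It models a filter placed in front of a
CAS server that rejects malformed protocol input before the server's own
handlers process it. The parameter list and forbidden characters below are
assumptions for this example, not the project's configuration.
"""
from urllib.parse import parse_qs

# CAS protocol parameters this sketch polices (assumed list for the example).
PROTECTED_PARAMS = {
    "ticket", "service", "renew", "gateway", "warn", "target",
    "SAMLart", "pgtUrl", "pgtId", "pgtIou", "targetService",
}

# Characters that must not appear inside a decoded protocol parameter value:
# CR/LF and NUL can corrupt a redirect Location header or a log line the
# server later builds from the value (assumed set for the example).
FORBIDDEN_CHARS = {"\r", "\n", "\x00"}


class ParameterPolicyViolation(ValueError):
    """Raised when a protected parameter breaks the policy."""


def check_query(query_string: str) -> dict:
    """Return decoded single-valued parameters, or raise on a policy violation.

    Non-protected parameters are passed through unchanged (first value wins).
    """
    params = parse_qs(query_string, keep_blank_values=True)
    for name, values in params.items():
        if name not in PROTECTED_PARAMS:
            continue
        # A protocol parameter supplied twice is ambiguous: the server and a
        # downstream component may pick different copies. Reject outright.
        if len(values) != 1:
            raise ParameterPolicyViolation(f"{name} supplied {len(values)} times")
        bad = FORBIDDEN_CHARS & set(values[0])
        if bad:
            raise ParameterPolicyViolation(
                f"{name} contains forbidden characters {sorted(map(repr, bad))}")
    return {name: values[0] for name, values in params.items()}


def is_allowed(query_string: str) -> bool:
    """True if the request passes the policy, False if the filter would reject it."""
    try:
        check_query(query_string)
        return True
    except ParameterPolicyViolation:
        return False


if __name__ == "__main__":
    # Constructed sample requests for the demonstration.
    samples = [
        "service=https%3A%2F%2Fapp.example.edu%2Flogin%3Fnext%3D%2Fhome&ticket=ST-1",
        "service=https%3A%2F%2Fa.example.edu&service=https%3A%2F%2Fb.example.edu",
        "ticket=ST-1%0D%0AX-Injected%3A+1",
    ]
    for q in samples:
        print("allow" if is_allowed(q) else "reject", q)
```

Note that the check runs on the decoded value, so a legitimate service URL that itself carries a query string (the first sample) still passes; only parameter duplication and control characters are refused.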
CAS NextGen
https://wiki.jasig.org/display/CAS/CAS+4.2+Roadmap
● SAML SP / ADFS Proxy Support
● Better MFA Support
● SSO Sessions Dashboard
● Surrogate AuthN
● More…
Shibboleth Versions
• Latest versions:
  • IdP v3.1.2 (1 Jul 2015)
  • SP v2.5.4 (19 Mar 2015)
• New adopters are encouraged to use v3
• Current deployers should explore upgrades
• IdP v2.4.4 was released 25 Feb 2015 to address a security issue; OpenSAML-J was also updated
• IdP v2.4 end-of-life timeline (assuming you haven't upgraded):
Shibboleth 2.x Lifetime
Dec 31, 2015: Plan to upgrade
Feb 29, 2016: Done with upgrade
Mar 31, 2016: Really done with upgrade
July 31, 2016: IdP 2.x full EOL
Multi-Context Broker
● Analysis of Shib IdPv3 and MCB: https://wiki.shibboleth.net/confluence/x/EoEEAQ
● Believed to be generally unneeded in IdP v3; waiting for general guidance to be released.
IdP: OpenID Connect
https://github.com/uchicago/shibboleth-oidc
● Community-effort to support OIDC protocol
● Sponsored by University of Chicago
● Developed by Unicon
Grouper v2.2.1
http://goo.gl/5LrGAR
• Released 10 Nov 2014.
• 36 patches available (21 since last briefing):
  • Selective PSP provisioning
  • Better UTF-8 character support
  • Lots of bug fixes
http://software.internet2.edu/grouper/release/2.2.1/patches/
Open Source Support
• Support OSS as adopted by the community
• Collaboration with community and subscribers
• “Act in the best interest of the subscribers, the community, and the project”
CAS 4.X Enhancements
• JSON Service Registry
• REST API improvements
• SSO Sessions / AUP workflows
• LDAP/LPPE bug fixes
• ...
Other/Ongoing work
• CAS WS-Fed module for CAS 4.0: https://github.com/Unicon/cas-adfs-integration
• Allow a principal to authN as another: https://github.com/UniconLabs/cas-surrogate-principal
• Java CAS client: regex in proxy chains: https://github.com/Jasig/java-cas-client
CAS Addons
3.5.X: https://github.com/Unicon/cas-addons
4.X: https://github.com/unicon-cas-addons
• 3.15 and 3.16 released since last webinar
• 4.x compatible versions are available as individual libraries instead of a monolithic library.
• HazelcastTicketRegistry updated in April.
CAS MFA
https://github.com/Unicon/cas-mfa
• MFA Support based on CAS 3.5/3.6
• CAS proxying/Clearpass support
• Trigger MFA via list/group membership.
Shib-CAS AuthN v3
https://github.com/Unicon/shib-cas-authn3
• v3.0.0
  • Shibboleth IdP v3.X support
  • Fixed encoding on entityId/service parameters.
• v2.0.5 should be used with IdP 2.4.x
Other/Ongoing work
• Hazelcast Session Storage: https://github.com/UniconLabs/shib-hazelcast-storage-service
• Duo Support for IdP v3: https://github.com/Unicon/shib-mfa-duo-auth
• IdP v3 powered by Docker: https://github.com/jtgasper3/docker-shibboleth-idp
Grouper-related
• Grouper Bugs:
  ○ GRP-1137: Group copy issue related to hooks (reported and fixed by devs)
  ○ GRP-1139: Grouper API reports non-fatal issues when multiple hook classes are specified (reported and fixed by Unicon)
• Grouper-Demo for Docker: https://registry.hub.docker.com/u/unicon/grouper-demo
• Grouper ESB AMQP Publisher: https://github.com/Unicon/grouper-amqp-esb-publisher
What we do
• Collaborate to maintain current stable recommended releases
• Work towards next releases
• Explore extensions and opportunities
• Responsive to inputs from subscriber experiences
• Feedback is especially welcome!
• Learn from providing support
• Empathize with your needs and projects
Questions / Discussion
• Misagh Moayyed, Support for CAS Technical Lead, [email protected]
• Jonathan (Jj) Johnson, [email protected]
• David Langenberg, [email protected]