Introducing JA-SIG Central Authentication Service 3.0 Scott Battaglia [email protected] Rutgers, the State University of New Jersey

Page 2: [Central authentication service][by ja sig]

Outline

  • What is CAS?
  • History of CAS: CAS 1.x, CAS 2.x
  • Introducing CAS 3: development process/developers, design goals, why build CAS 3?
  • Advanced CAS 3 usage: clustering/load balancing, accepting multiple credential types, SAML support
  • The future
  • Helping with CAS development

Page 3:

What is CAS?

CAS is…
  • Single sign-on for the web
  • A trusted intermediary
  • A proxy authenticator to back-end services

Page 4:

History of CAS

CAS 1.x

CAS 2.x

Page 5:

History of CAS: CAS 1.x

  • Original version released by Yale University
  • Offered single sign-on for the web
  • Consisted of servlets and JSP pages

Page 6:

History of CAS: CAS 2

  • Also developed at Yale University
  • Introduced the concept of proxy authentication to CAS
  • Simple: 6 servlets and fewer than 10 JSPs
  • Extremely popular, with a large user community

Page 7:

Introducing CAS 3.0

Page 8:

CAS 3.0: Why Build CAS 3?

  • CAS 2.0 was an excellent project
  • CAS 2.0 was easy to use
  • CAS 2.0 was not easy to extend or augment with local requirements
  • CAS 3.0 attempts to solve the last problem!

Page 9:

CAS 3.0: Why Build CAS 3?

  • Making changes to CAS 2.0 generally requires forking the code base
  • Adding new features may require a lot of copying and pasting, which may get out of sync with the core code base

Page 10:

CAS 3.0: Why Build CAS 3?

CAS 3 offers…
  • CAS 2 compliance out of the box
  • Unit/integration tests and compliance tests
  • A proper domain model
  • A revamped architecture
  • Support for well-known modifications

Page 11:

CAS 3.0: Design Goals

First and foremost, CAS3 will be flexible, extensible and elegant.

CAS3 will maintain backward compatibility with CAS 2.0 and CAS 1.0 protocols while providing extension points for well-known modifications and new features such as support for Web Services, SAML and Shibboleth.

CAS Clients written for older versions of CAS will work with CAS3 without modification.

Page 12:

CAS 3.0: Development Process

  • Started as a Yale/Rutgers collaboration
  • Became a JA-SIG project in December 2004
  • JA-SIG project makes it open source
  • Available in public JA-SIG CVS, nightly builds on Clearinghouse machines, etc.

Page 13:

CAS 3.0: Development Team

Yale University: Susan Bramhall, Howard Gilbert, Drew Mazurek, Andy Newman, Andrew Petro

Rutgers, the State University of New Jersey: Scott Battaglia, Dmitriy Kopylenko, Bill Thompson

Page 14:

CAS 2 Compliance

  • In terms of protocol, a drop-in replacement for CAS 2.0
  • Requires no modifications to client applications
  • Includes an adaptor to allow plugging a CAS 2 PasswordHandler into the CAS 3 architecture

Page 15:

Unit/Integration/Compliance Tests

Unit and integration tests
  • Coverage of major components
  • Utilize JUnit and Clover
  • According to Clover, 99.5% test coverage
  • Allows us to refactor with confidence!

Compliance tests
  • Run against a live server
  • Test compliance to the CAS 2 specification
  • Currently 48 tests

Page 16:

Proper Domain Model

Major breakthrough: only two types of tickets
  • Ticket Granting Ticket
  • Service Tickets

Domain logic belongs with domain objects
  • Example: a ticket can determine if it's expired
  • Simplifies implementations of supporting pieces

Page 17:

Revamped Architecture

Built on popular open-source frameworks
  • Spring Framework
  • Quartz
  • xFire
  • Jakarta Commons
  • Log4j
  • Maven

Design philosophy: don't reinvent the wheel

Page 18:

Revamped Architecture

Loose coupling of components
  • Via dependency injection
  • Declarative configuration via XML files

Coding to interfaces
  • Swap implementations to suit needs
  • Implementations adhere to a contract
  • Example: TicketRegistry
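The two ideas from page 16 (two ticket types, each deciding its own expiry) and page 18 (a TicketRegistry contract behind which implementations can be swapped) in one sketch. This is an added illustration, not CAS 3 source code: the class names, the single-use rule for service tickets and the lifetimes passed in are assumptions.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.concurrent.ConcurrentHashMap;
// Illustration written for this deck, not CAS 3 source code; class names and lifetimes are assumed.
interface Ticket {
    String getId();
    boolean isExpired();   // page 16: the ticket itself decides whether it has expired
}

// Shared shape of both ticket types: an opaque id plus an absolute expiry instant.
abstract class AbstractTicket implements Ticket {
    private final String id;
    private final Instant expiresAt;
    AbstractTicket(String id, Duration lifetime) { this.id = id; this.expiresAt = Instant.now().plus(lifetime); }
    public String getId() { return id; }
    public boolean isExpired() { return Instant.now().isAfter(expiresAt); }
}

// The SSO session ticket: valid until its lifetime elapses (assumed lifetime, typically hours).
final class TicketGrantingTicket extends AbstractTicket {
    TicketGrantingTicket(String id, Duration lifetime) { super(id, lifetime); }
}

// The per-service ticket: short-lived and single-use, so a replayed ticket fails validation.
final class ServiceTicket extends AbstractTicket {
    private boolean used;
    ServiceTicket(String id, Duration lifetime) { super(id, lifetime); }
    @Override public synchronized boolean isExpired() { return used || super.isExpired(); }
    public synchronized boolean validate() {   // service validation consumes the ticket
        if (isExpired()) return false;
        used = true; return true;
    }
}

// Page 18's "coding to interfaces": a clustered (e.g. JGroups) registry implements the same contract.
interface TicketRegistry {
    void add(Ticket ticket);
    Ticket get(String id);   // null when the ticket is missing or expired
    int removeExpired();     // the "registry cleaner" role mentioned on page 32
}
final class InMemoryTicketRegistry implements TicketRegistry {
    private final ConcurrentHashMap<String, Ticket> tickets = new ConcurrentHashMap<>();
    public void add(Ticket ticket) { tickets.put(ticket.getId(), ticket); }
    public Ticket get(String id) { Ticket t = tickets.get(id); return (t == null || t.isExpired()) ? null : t; }
    public int removeExpired() {   // evict expired tickets, keep live ones, report how many went
        int before = tickets.size(); tickets.values().removeIf(Ticket::isExpired);
        return before - tickets.size();
    }
}
```

A deployer would construct a TicketGrantingTicket with something like Duration.ofHours(8) and a ServiceTicket with Duration.ofSeconds(10); a second validate() call on the same ServiceTicket returns false, which is the single-use property that makes a captured service ticket worthless after first use.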

Page 19:

Revamped Architecture

Uses design patterns
  • Patterns allow for a common understanding
  • Example: Template design pattern

Layered architecture
  • Separation of UI concerns from business concerns
  • Allows for better re-use of code
  • Example: Web tier vs. web service

Page 20:

Revamped Architecture

Use of AOP to separate cross-cutting concerns from business logic
  • Allows for major additions to functionality without modifying core code
  • Example: auditing

Use of Spring Workflow allows for declarative reconfiguration of the login process

Page 21:

Support for Well-Known Modifications

  • Gathered a list from current and future (potential) CAS deployers
  • CAS 3 includes extension points for well-known modifications
  • CAS 3 (via Spring) supports using AOP to introduce modifications

Page 22:

Support for Well-Known Modifications

  • Audit Trail Modification (identified by CalPoly)
  • Services Whitelist (identified by Columbia and the University of Delaware)
  • Additional Principal (and Authentication) Attributes (Rutgers, others)
  • Ticket Statistics (Yale)

Page 23:

Support for Well-Known Modifications

Audit Trail Modification
  • CAS supports publishing of events
  • An EventListener listens for events
  • Deployers can code and register "EventHandlers" that allow them to log particular events

Page 24:

Support for Well-Known Modifications: Attributes

  • CAS supports plugging in PrincipalResolvers and MetaDataPopulators
  • Allows attaching attributes to principals (e.g. hair color or employee type)
  • Attach attributes to an Authentication (e.g. safeword authentication)
  • Can customize the view to pass back attributes

Page 25:

Support for Well-Known Modifications

Ticket Statistics
  • Exposed via JMX
  • Tell how many of each ticket type were vended
  • Tell how many tickets of each type were vended per second

Page 26:

Advanced CAS 3 Usage

Page 27:

Clustering/Load Balancing CAS

  • All CAS domain objects are serializable
  • Tickets are only stored in the TicketRegistry
  • TicketRegistry is an interface
  • Implement a JGroups TicketRegistry (David Stacey)

Page 28:

Accepting Multiple Credential Types

  • Web login defined by workflow
  • Dartmouth identified the need to have an augmented login workflow
  • Need to check for a client certificate before displaying the login form

Page 29:

SAML Support

  • Standard XML-based framework
  • Used to create and exchange info amongst online partners
  • CAS can offer alternatives to the CAS 2 protocol views
  • One alternative is a SAML response

Page 30:

The Future of CAS

Page 31:

The Future of CAS

Advanced SAML support
  • Support for both SAML requests and responses

Shibboleth support
  • Requires advanced SAML support
  • Allow CAS to speak to Shibboleth

Who knows what else… the current architecture allows for many possibilities

Page 32:

The Future of CAS

Already working on a 3.0.1 (and beyond)
  • XMLBeans view
  • More robust registry cleaners
  • Increased compatibility testing
  • Support for single sign-out (requires new clients)

Page 33:

Helping with CAS 3.0 Development

What can YOU do to help?
  • Look at what CAS 3 has to offer
  • Use CAS 3
  • Report bugs/feature requests/etc. to the development list
  • Give your extensions back to the community
  • Share your experiences using CAS with the community
  • Join the CAS mailing list

Page 34:

Questions or comments?