What’s New in JA-SIG CAS? JA-SIG Summer Conference Denver, CO June 24 – 27, 2007

What’s New in JA-SIG CAS?

JA-SIG Summer ConferenceDenver, CO

June 24 – 27, 2007

JA-SIG Summer Conference – June 24 – June 27, 2007

What’s New in CAS 3.1?

Who am I?

• I’m Scott Battaglia!

• Application Developer @ Rutgers

• Java Developer for 5+ Years

• Lead Developer/Architect on JA-SIG CAS

• Committer to Acegi Security



What is CAS?

JA-SIG CAS is an enterprise-level single

sign on service for the Web



History

CAS 3.1 released with attribute support, single log out, etc.

June 2007

Minor revisions to CAS adding more support for Authentication Handlers

July 2005 – May 2007

CAS 3.0 released supporting CAS1 and CAS2 protocol while providing pluggable architecture.

June 2005

CAS becomes a JA-SIG project.December 2004

Initial CAS 3 talksSeptember 2004



CAS Deployers

Your school goes here.



Libraries/Integration

• Acegi Security for Spring• AuthCAS (Perl Apache module)• PerlCAS• phpCAS• for Prado (a PHP framework)• for Seraph (a Java security framework)• for uPortal• for WebObjects• for Zope• Java• MOD_CAS• PAM_CAS• ISAPI filter• PL/SQL



Agenda

• Supported Protocols• Administrative Features• Configuration• Architecture• Acknowledgements• Future Directions• Discussion



1.Supported Protocols



CAS 1.0 / CAS 2.0

• Continued support for CAS 1.0 / 2.0 Protocol

• Only way to get proxied authentication



SAML 1.1

• OASIS standard

• XML-based

• Communicates– Authentication– Entitlement– Attribute



OpenID

• Decentralized framework for user-centric digital identity

• User name is URI– http://openid.ja-sig.org/battags

• Support “dumb” mode

• Allows CAS clients -> OpenID clients

http://openid.ja-sig.org/battags



How OpenID Works



Single Log Out

• Two kinds of sessions– Global CAS Session– Individual Application Sessions

• CAS 1/2/3 Logout ends global session

• CAS 3.1 “suggests” that all sessions end



Google Accounts Integration

• Minimal SAML 2 support

• Requires Key sharing between Google Accounts

• Allows Google Accounts to participate in existing SSO solution.



2.Administrative Features



Services Management

• Optional Feature

• Control what services access CAS.

• Control what features they have access to.



Services Management



Services Management



Attributes

• AttributeRepository defines “interesting” attributes

• Services Management dictates who sees what

• CAS sends those attributes to services



Pseudo anonymous Support

• Send a persistent random identifier

• Only identifies user with respect to service



3.Configuration



Authentication Support

• Added Support for– NTLM– SPNEGO– RADIUS

• On top of…– LDAP– Database– X.509– JAAS– File– …



Maven 2

• Apache project – Software project management tool– Manage build, reporting document

• Enforces project structure

• Encourages modules which means code compartmentalization

• Dependency management



Ticket Registry

• BerkeleyDbTicketRegistry– Based on BerkeleyDb– Long Term Ticket Storage

• JBossCacheTicketRegistry– Distributed

• DefaultTicketRegistry– Simple, in-memory, single-instance CAS



Updated Views

• Simpler views

• Provide user with more active feedback.

• Easier to customize for institution



4.Architecture



Performance Improvements

• Reduction in arbitrary object creation

• Removal of unnecessary synchronization

• Removal of unnecessary reflection usage

• Options for explicit configuration



Java 5 Required

• Only runs on Java 1.5

• Allows us to take advantage of advances to language:– Generics– java.util.concurrent– Enumerations– Minimize dependencies– JVM performance, garbage collection, etc.



Extension Points

• Authentication Handlers• Non-Interactive Credentials• Ticket Registries• Attribute Repositories• Argument/Protocol Extractors• Themes• Internationalization



Library Upgrades

• Upgrades to– Spring WebFlow– Spring Framework– Spring LDAP

• Leverage new features, bug fixes, and enhancements



Internationalization

• Leverage Spring’s Internationalization Support

• Added Chinese, Russian, German, Japanese

• 11 languages in total!!



Functional Tests

• Canoo Web Tests– Faster Development/Testing Time

– Deployers can test their own instance

– Find issues before deployment



5.Acknowledgements



Thanks to…

• Arnaud Lesueur • Marvin S. Addison• Julien Henry• Julien Marchal • Andres March • Shifei Luo • David D. Kilzer

• Andrew Petro • Jan Van der Velpen• Marc-Antoine Garrigue • Stephen More• Shoji Kajita• Javier D' Accorso• Bart Grebowiec



6.Future Directions



Future Directions

• Additional Protocol Support

• Internationalization

• Configuration/Setup Screens

• Advanced Monitoring

• Integration with Account Management Systems



7.Discussion



CAS Mailing Lists

• CAS Community Discussion List– http://tp.its.yale.edu/mailman/listinfo/cas

• CAS Developer’s Discussion List– http://tp.its.yale.edu/mailman/listinfo/cas-dev

• CAS Announcement List– https://lists.wisc.edu/read/all_forums/subscribe?name=cas-ann

ounce

• Links to archives, etc.:– http://www.ja-sig.org/products/cas/community/lists/

http://tp.its.yale.edu/mailman/listinfo/cas

http://tp.its.yale.edu/mailman/listinfo/cas

http://tp.its.yale.edu/mailman/listinfo/cas-dev



https://lists.wisc.edu/read/all_forums/subscribe?name=cas-announce

https://lists.wisc.edu/read/all_forums/subscribe?name=cas-announce

http://www.ja-sig.org/products/cas/community/lists/



Important Links

• Product Web Site– http://www.ja-sig.org/products/cas/

• Wiki– http://www.ja-sig.org/wiki

• Issue Tracker– http://www.ja-sig.org/issues

• Source Code– http://developer.ja-sig.org/source/

http://www.ja-sig.org/products/cas/

http://www.ja-sig.org/wiki

http://www.ja-sig.org/issues

http://developer.ja-sig.org/source/

Questions?

Documents

What’s New in JA-SIG CAS? JA-SIG Summer Conference Denver, CO June 24 – 27, 2007