cas iu-pres
TRANSCRIPT
Open Apereo - June 1-4 2014
Agenda
Introduction
Environment Overview
Functional Requirements
Features Overview
Demo
Development Workflow
Discussion & Questions
Introduction: Nubli Kasa
Lead Systems Analyst / Programmer at Identity Management Systems
With Indiana University for 6 years
Technical lead for the project; responsible for managing CAS and Shibboleth deployments
Introduction: Misagh Moayyed
IAM Consultant @ Unicon
3 years with Unicon; 5 years with Jasig/Apereo
Unicon's technical lead for the project
Current Environment
Current CAS based on Yale CAS v2
Diverged from Apereo CAS in many ways
Utilizes large set of AppCodes
◦ Authentication request type, authorization, …
StepUp Authentication; Staff @ admin permissions
Challenges to meet business needs have led to many large and small CAS changes.
Functional Requirements
Upgrade to CAS 3.5.2
Design and Implementation of AppCodes
◦ Dynamic UI Rendering
◦ AppCode Validation vs. StepUp AuthN
Primary AuthN via Jaas & Krb
StepUp AuthN via RADIUS
Protocol extension; Support for IUCAS
Active-Active HA Deployment with EhCache
What is an AppCode?
Token to describe the requesting app
◦ What theme to use?
◦ What authentication methods to allow?
Analogous yet parallel to service registry
Grouped by 4 primary AppCodes
◦ IU, GUEST, SAFEWORD, ANY
Recognize changes automatically
AppCodeRegistry
Dynamic Theme Selection
AppCode groups can specify themes
AppCodeResourceViewResolver
Primary AuthN: Jaas & Krb
Jaas.conf:
Krb5.conf:
Problem: how do we tie realms to KDCs?!
New JaasAuthenticationHandler
No Krb5.conf; System Props instead:
◦ java.security.krb5.realm
◦ java.security.krb5.kdc
Let CAS pick Realms and KDCs!
StepUp RADIUS AuthN Config
Additional properties for NAS settings
StepUp AuthN via RADIUS
Primary based on @cas-mfa codebase:
◦ https://github.com/Unicon/cas-mfa
Initiated by SAFEWORD AppCode
CAS remembers a single AppCode; knows its relationship to other AppCodes
StepUp AuthN Rules
Depending on credentials, ANY can be either IU or GUEST!
CAS Protocol Extensions
IU CAS Protocol | CAS Protocol Equivalent
cassvc | ${appcode:IU}
casurl | service
casticket | ticket
CAS Validation Response:
EhCacheTicketRegistry
Distributed cache across live nodes
Replication via Java RMI; manual discovery
Two separate caches for STs and TGTs
No need for ticket registry cleaners!
Simple setup; no external process required
EhCache Replication
RMI replication & manual peer discovery
Specify "other" nodes in the cluster
Discoverable Host Names
Single cas.properties file for all nodes
Discover ${host.name} automatically
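As an added illustration (not the deck's or IU's own configuration), this is what the EhCache setup just described looks like in ehcache.xml: two replicated caches for STs and TGTs, RMI replication, manual peer discovery listing the "other" node, and ${host.name} left for startup to fill in. The host names, ports, cache names and expiry values are assumptions; the deck states none of them.

```xml
<ehcache xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:noNamespaceSchemaLocation="http://ehcache.org/ehcache.xsd"
         updateCheck="false">

  <!-- Manual peer discovery: this node lists only the OTHER node(s).
       cas-node2.example.edu and port 40001 are placeholders. With one
       shared cas.properties the peer list is the only per-node difference. -->
  <cacheManagerPeerProviderFactory
      class="net.sf.ehcache.distribution.RMICacheManagerPeerProviderFactory"
      properties="peerDiscovery=manual,rmiUrls=//cas-node2.example.edu:40001/serviceTicketsCache|//cas-node2.example.edu:40001/ticketGrantingTicketsCache"
      propertySeparator=","/>

  <!-- This node's RMI listener. ${host.name} is assumed to be supplied as a
       system property at startup (Ehcache expands ${...} from system
       properties), so the same file works on every node.
       RMI replication carries ticket data without encryption or peer
       authentication: keep this port reachable only from the cluster nodes. -->
  <cacheManagerPeerListenerFactory
      class="net.sf.ehcache.distribution.RMICacheManagerPeerListenerFactory"
      properties="hostName=${host.name},port=40001,socketTimeoutMillis=2000"/>

  <!-- Service tickets are short-lived; timeToLive evicts them, so no
       separate ticket registry cleaner is needed. Synchronous replication
       so a ST issued on one node validates immediately on the other. -->
  <cache name="serviceTicketsCache"
         maxElementsInMemory="10000"
         eternal="false"
         timeToIdleSeconds="0"
         timeToLiveSeconds="300"
         overflowToDisk="false">
    <cacheEventListenerFactory
        class="net.sf.ehcache.distribution.RMICacheReplicatorFactory"
        properties="replicateAsynchronously=false,replicatePuts=true,replicateUpdates=true,replicateRemovals=true"/>
  </cache>

  <!-- TGTs live longer; idle and hard timeouts stand in for the cleaner. -->
  <cache name="ticketGrantingTicketsCache"
         maxElementsInMemory="10000"
         eternal="false"
         timeToIdleSeconds="7200"
         timeToLiveSeconds="28800"
         overflowToDisk="false">
    <cacheEventListenerFactory
        class="net.sf.ehcache.distribution.RMICacheReplicatorFactory"
        properties="replicateAsynchronously=false,replicatePuts=true,replicateUpdates=true,replicateRemovals=true"/>
  </cache>
</ehcache>
```

The two cache names are then handed to the EhCacheTicketRegistry bean; because expiry is enforced by the cache itself, a node that holds a stale ticket on restart does not need a cleaner pass before rejoining.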
Demo
Development Workflow
BitBucket Git repository; Code + Docs
Real-time issue tracking & collaboration
Automated deployment via Jenkins CI