unicon july 2015 iam briefing
TRANSCRIPT
![Page 1: Unicon July 2015 IAM Briefing](https://reader035.vdocument.in/reader035/viewer/2022070603/586fd6541a28ab18428b4eb7/html5/thumbnails/1.jpg)
Unicon IAM Update: CAS, Shibboleth, Grouper
5 Nov 2015 - 11am MST
Jonathan Johnson • Misagh Moayyed • David Langenberg
Audio is via Adobe Connect. There is no phone dial-in.
![Page 2: Unicon July 2015 IAM Briefing](https://reader035.vdocument.in/reader035/viewer/2022070603/586fd6541a28ab18428b4eb7/html5/thumbnails/2.jpg)
John Gasper
● CAS, Shibboleth, and Grouper Deployer
● Docker Fanboy
![Page 3: Unicon July 2015 IAM Briefing](https://reader035.vdocument.in/reader035/viewer/2022070603/586fd6541a28ab18428b4eb7/html5/thumbnails/3.jpg)
Welcome
• Community updates on CAS, Shibboleth and Grouper
• Unicon contributions to CAS, Shibboleth and Grouper
• Unicon's Open Source Support
• Q&A
![Page 4: Unicon July 2015 IAM Briefing](https://reader035.vdocument.in/reader035/viewer/2022070603/586fd6541a28ab18428b4eb7/html5/thumbnails/4.jpg)
Misagh Moayyed
● CAS/Grouper core developer
● Tech lead for Unicon’s OSS CAS
![Page 5: Unicon July 2015 IAM Briefing](https://reader035.vdocument.in/reader035/viewer/2022070603/586fd6541a28ab18428b4eb7/html5/thumbnails/5.jpg)
Jonathan (JJ) Johnson
• IAM, Shibboleth, CAS, Grouper
![Page 6: Unicon July 2015 IAM Briefing](https://reader035.vdocument.in/reader035/viewer/2022070603/586fd6541a28ab18428b4eb7/html5/thumbnails/6.jpg)
David Langenberg
• Shibboleth Trainer, InCommon LLC
• IAM Architect, University of Chicago
• Alumnus Grouper Developer, Internet2
![Page 7: Unicon July 2015 IAM Briefing](https://reader035.vdocument.in/reader035/viewer/2022070603/586fd6541a28ab18428b4eb7/html5/thumbnails/7.jpg)
Observations and Highlights
![Page 8: Unicon July 2015 IAM Briefing](https://reader035.vdocument.in/reader035/viewer/2022070603/586fd6541a28ab18428b4eb7/html5/thumbnails/8.jpg)
Events
• InCommon Shibboleth Workshop: 17-18 Sept 2015, Cupertino, CA
• Internet2 2015 Technology Exchange: 4-7 Oct 2015, Cleveland, OH
• InCommon Shibboleth Workshop: 19-20 Oct 2015, Arlington, TX
• Open Apereo 2016: 22-25 May 2016, New York City, NY
![Page 9: Unicon July 2015 IAM Briefing](https://reader035.vdocument.in/reader035/viewer/2022070603/586fd6541a28ab18428b4eb7/html5/thumbnails/9.jpg)
IAM Trends
• MFA for Shibboleth, MFA for CAS, etc.
○ Device/Location aware features
○ Risk-based AuthN
• Grouper and Provisioning
• Containerized Deployments
![Page 10: Unicon July 2015 IAM Briefing](https://reader035.vdocument.in/reader035/viewer/2022070603/586fd6541a28ab18428b4eb7/html5/thumbnails/10.jpg)
Community Highlights
![Page 11: Unicon July 2015 IAM Briefing](https://reader035.vdocument.in/reader035/viewer/2022070603/586fd6541a28ab18428b4eb7/html5/thumbnails/11.jpg)
Highlights About CAS
![Page 12: Unicon July 2015 IAM Briefing](https://reader035.vdocument.in/reader035/viewer/2022070603/586fd6541a28ab18428b4eb7/html5/thumbnails/12.jpg)
CAS Server Versions
● CAS Server v4.0.6 (Oct 19th)
○ Ldaptive library updated
● CAS Server v4.1.1 (Oct 19th)
○ Clean out all STs when a TGT is destroyed.
● Patches will continue for 4.1.x and 4.0.x
○ Once every 30 days
● Development towards 4.2.0
○ Tentative release date: Dec 24, 2015
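The 4.1.1 fix noted above (service tickets removed together with their TGT) modelled as an added Python illustration, not code from CAS; the registry layout, ticket identifiers and the non-cascading `cascade=False` branch are simplifying assumptions used to contrast the pre-fix and post-fix behaviour.

```python
"""Toy model of the CAS ticket lifecycle: a ticket-granting ticket (TGT)
issues service tickets (STs) that a service validates once.  Added
illustration only, not CAS code; the registry layout and the
cascade=False branch are assumptions that contrast pre- and post-4.1.1."""
import secrets
from dataclasses import dataclass, field


@dataclass
class TicketRegistry:
    tgts: dict = field(default_factory=dict)  # tgt_id -> principal
    sts: dict = field(default_factory=dict)   # st_id -> (tgt_id, service, principal)
    cascade: bool = True  # True: destroying a TGT also removes its STs

    def grant_tgt(self, principal):
        tgt_id = "TGT-" + secrets.token_hex(8)
        self.tgts[tgt_id] = principal
        return tgt_id

    def grant_st(self, tgt_id, service):
        if tgt_id not in self.tgts:
            raise KeyError("unknown or destroyed TGT")
        st_id = "ST-" + secrets.token_hex(8)
        # The ST keeps a reference to the principal of its granting TGT,
        # so it could still validate if only the TGT entry were removed.
        self.sts[st_id] = (tgt_id, service, self.tgts[tgt_id])
        return st_id

    def validate_st(self, st_id, service):
        entry = self.sts.pop(st_id, None)  # STs are single-use
        if entry is None or entry[1] != service:
            return None  # unknown, already used, or wrong service
        return entry[2]

    def destroy_tgt(self, tgt_id):
        """Logout: drop the TGT and, with cascade, every ST it issued."""
        self.tgts.pop(tgt_id, None)
        if self.cascade:
            for st_id in [s for s, e in self.sts.items() if e[0] == tgt_id]:
                del self.sts[st_id]


def logout_then_validate(cascade):
    """Issue an ST, log out, then try to validate that ST.
    Returns (orphaned STs left in the registry, principal or None)."""
    reg = TicketRegistry(cascade=cascade)
    tgt = reg.grant_tgt("alice")
    st = reg.grant_st(tgt, "https://app.example.edu/")
    reg.destroy_tgt(tgt)
    return len(reg.sts), reg.validate_st(st, "https://app.example.edu/")
```

Without the cascade an ST issued before logout remains in the registry and still validates, which is the window the 4.1.1 change closes.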
![Page 13: Unicon July 2015 IAM Briefing](https://reader035.vdocument.in/reader035/viewer/2022070603/586fd6541a28ab18428b4eb7/html5/thumbnails/13.jpg)
CAS Server 4.1.x Highlights
● Built-in JSON Service Registry
● Built-in Hazelcast Ticket Registry
● Attribute-based Access Control (ABAC)
● CAS Services Management webapp
![Page 14: Unicon July 2015 IAM Briefing](https://reader035.vdocument.in/reader035/viewer/2022070603/586fd6541a28ab18428b4eb7/html5/thumbnails/14.jpg)
CAS Services Management
![Page 15: Unicon July 2015 IAM Briefing](https://reader035.vdocument.in/reader035/viewer/2022070603/586fd6541a28ab18428b4eb7/html5/thumbnails/15.jpg)
CAS 4.2 – W.I.P.
https://wiki.jasig.org/display/CAS/CAS+4.2+Roadmap
● Easier LDAP AuthN
● CAS SSO Sessions Report
● Integration with DuoSecurity/YubiKey
● Integration with Social/SAML IdPs
● Integration with ADFS/WS-Fed
● Tentative release date: Dec 24, 2015
![Page 16: Unicon July 2015 IAM Briefing](https://reader035.vdocument.in/reader035/viewer/2022070603/586fd6541a28ab18428b4eb7/html5/thumbnails/16.jpg)
LDAP AuthN: Easy!
● New schema via Ldaptive v1.1
● Sample AD authentication:

```xml
<ldaptive:ad-authenticator id="authenticator"
    ldapUrl="${ldap.url}"
    userFilter="${ldap.authn.searchFilter}"
    bindDn="${ldap.managerDn}"
    bindCredential="${ldap.managerPassword}"
    allowMultipleDns="${ldap.allowMultipleDns:false}"
    connectTimeout="${ldap.connectTimeout}"
    .... />
```
![Page 17: Unicon July 2015 IAM Briefing](https://reader035.vdocument.in/reader035/viewer/2022070603/586fd6541a28ab18428b4eb7/html5/thumbnails/17.jpg)
Manage SSO Sessions
![Page 18: Unicon July 2015 IAM Briefing](https://reader035.vdocument.in/reader035/viewer/2022070603/586fd6541a28ab18428b4eb7/html5/thumbnails/18.jpg)
![Page 19: Unicon July 2015 IAM Briefing](https://reader035.vdocument.in/reader035/viewer/2022070603/586fd6541a28ab18428b4eb7/html5/thumbnails/19.jpg)
Highlights About Shibboleth
![Page 20: Unicon July 2015 IAM Briefing](https://reader035.vdocument.in/reader035/viewer/2022070603/586fd6541a28ab18428b4eb7/html5/thumbnails/20.jpg)
Shibboleth Versions
● Latest versions:
○ IdP v3.1.2 (1 Jul 2015)
○ SP v2.5.4 (21 Jul 2015)
● v3.2.0 will be released soon
○ HTML5 storage
○ ECP: Delegated SAML proxy
○ Bug fixes
![Page 21: Unicon July 2015 IAM Briefing](https://reader035.vdocument.in/reader035/viewer/2022070603/586fd6541a28ab18428b4eb7/html5/thumbnails/21.jpg)
Shibboleth 2.x Lifetime
• IdP v2.4.4 was released 25 Feb 2015 to address a security issue; OpenSAML-J was also updated
• IdP v2 end-of-life timeline (assuming you haven’t upgraded):
○ Dec 31, 2015: Plan to upgrade
○ Feb 29, 2016: Done with upgrade
○ Mar 31, 2016: Really done with upgrade
○ July 31, 2016: IdP 2.x full EOL
![Page 22: Unicon July 2015 IAM Briefing](https://reader035.vdocument.in/reader035/viewer/2022070603/586fd6541a28ab18428b4eb7/html5/thumbnails/22.jpg)
IdP: OpenID Connect
https://github.com/uchicago/shibboleth-oidc
●Community-effort to support OIDC protocol
●Sponsored by University of Chicago
●Developed by Unicon
![Page 23: Unicon July 2015 IAM Briefing](https://reader035.vdocument.in/reader035/viewer/2022070603/586fd6541a28ab18428b4eb7/html5/thumbnails/23.jpg)
Highlights About Grouper
![Page 24: Unicon July 2015 IAM Briefing](https://reader035.vdocument.in/reader035/viewer/2022070603/586fd6541a28ab18428b4eb7/html5/thumbnails/24.jpg)
Grouper v2.2.2
http://software.internet2.edu/grouper/release/2.2.2/patches/
● Released 23 Sept 2015.
○ Includes ~47 2.2.1 patches
○ New features:
■ Read Only Admin
■ Run Loader Jobs from the UI
■ Auto-create user folders
● 5 patches already available:
○ Options to show Lite and Admin UI links
○ Bug fixes
![Page 25: Unicon July 2015 IAM Briefing](https://reader035.vdocument.in/reader035/viewer/2022070603/586fd6541a28ab18428b4eb7/html5/thumbnails/25.jpg)
More Grouper 2.2.2 Enhancements
● Grouper loader failsafe threshold
● Rename include/exclude affects all groups
● Add composite details to membership list
● Startup checks for Java version and UTF-8 abilities
● New hooks (unique object names, privilege inheritance)
● Move and copy from WS
- Courtesy of Chris Hyzer’s Tech Exchange BOF Presentation
![Page 26: Unicon July 2015 IAM Briefing](https://reader035.vdocument.in/reader035/viewer/2022070603/586fd6541a28ab18428b4eb7/html5/thumbnails/26.jpg)
Grouper.Next
● TIER packaging
○ Revise building/package management
● Improve folder privileges
● Rule configuration in new UI
● New UI support for attributes/permissions, etc.
● Add attribute/permission operations to WS
● More...
- Courtesy of Chris Hyzer’s Tech Exchange Presentation
![Page 27: Unicon July 2015 IAM Briefing](https://reader035.vdocument.in/reader035/viewer/2022070603/586fd6541a28ab18428b4eb7/html5/thumbnails/27.jpg)
Highlights About Unicon Participation in CAS, Shibboleth and Grouper
![Page 28: Unicon July 2015 IAM Briefing](https://reader035.vdocument.in/reader035/viewer/2022070603/586fd6541a28ab18428b4eb7/html5/thumbnails/28.jpg)
Open Source Support
● Support OSS as adopted by the community
● Collaboration with community and subscribers
● “Act in the best interest of the subscribers, the community, and the project”
![Page 29: Unicon July 2015 IAM Briefing](https://reader035.vdocument.in/reader035/viewer/2022070603/586fd6541a28ab18428b4eb7/html5/thumbnails/29.jpg)
CAS-related progress
![Page 30: Unicon July 2015 IAM Briefing](https://reader035.vdocument.in/reader035/viewer/2022070603/586fd6541a28ab18428b4eb7/html5/thumbnails/30.jpg)
CAS 4.x Roadmap
● Much of CAS 4.X is done through OSS funding:
○ MFA support inspired by CAS-MFA
○ Risk-based MFA
○ Dockerized CAS; Community Images
○ Better OIDC/SAML support
○ …
https://wiki.jasig.org/display/CAS/CAS+4.3+Roadmap
![Page 31: Unicon July 2015 IAM Briefing](https://reader035.vdocument.in/reader035/viewer/2022070603/586fd6541a28ab18428b4eb7/html5/thumbnails/31.jpg)
Other/Ongoing work
● CAS WS-Fed module for CAS 4.0
https://github.com/Unicon/cas-adfs-integration
● Allow a principal to authN as another
https://github.com/UniconLabs/cas-surrogate-principal
● Java CAS client: regex in proxy chains
https://github.com/Jasig/java-cas-client
![Page 32: Unicon July 2015 IAM Briefing](https://reader035.vdocument.in/reader035/viewer/2022070603/586fd6541a28ab18428b4eb7/html5/thumbnails/32.jpg)
CAS Addons
● 4.X: https://github.com/unicon-cas-addons
○ 4.x compatible versions are available as individual libraries instead of a monolithic library.
○ No changes since the last webinar.
● 3.6.X: https://github.com/Unicon/cas-addons
○ 1.17 and 1.18 released since the last webinar
○ CAS Core dependency and Hazelcast update
![Page 33: Unicon July 2015 IAM Briefing](https://reader035.vdocument.in/reader035/viewer/2022070603/586fd6541a28ab18428b4eb7/html5/thumbnails/33.jpg)
CAS MFA
https://github.com/Unicon/cas-mfa
● MFA support based on CAS 3.6
● CAS proxying/ClearPass support
● Trigger MFA via list/group membership.
![Page 34: Unicon July 2015 IAM Briefing](https://reader035.vdocument.in/reader035/viewer/2022070603/586fd6541a28ab18428b4eb7/html5/thumbnails/34.jpg)
Shibboleth-related progress
![Page 35: Unicon July 2015 IAM Briefing](https://reader035.vdocument.in/reader035/viewer/2022070603/586fd6541a28ab18428b4eb7/html5/thumbnails/35.jpg)
Shib-CAS AuthN v3
https://github.com/Unicon/shib-cas-authn3
● v3.0.0
○ Shibboleth IdP v3.X support
○ Fixed encoding of entityId/service parameters.
● v2.0.5 should be used with IdP 2.4.x
● IdP v3.2 will add support for:
○ Attributes from CAS
○ AuthN Context Class w.r.t. MFA
![Page 36: Unicon July 2015 IAM Briefing](https://reader035.vdocument.in/reader035/viewer/2022070603/586fd6541a28ab18428b4eb7/html5/thumbnails/36.jpg)
Other/Ongoing work
● Hazelcast Storage Service
https://github.com/UniconLabs/shibboleth-hazelcast-storage-service
● Duo Support for IdP v3
https://github.com/Unicon/shib-mfa-duo-auth
● IdP v3 powered by Docker
https://github.com/unicon/shibboleth-idp-dockerized
● User-selectable NameID
![Page 37: Unicon July 2015 IAM Briefing](https://reader035.vdocument.in/reader035/viewer/2022070603/586fd6541a28ab18428b4eb7/html5/thumbnails/37.jpg)
Grouper-related progress
![Page 38: Unicon July 2015 IAM Briefing](https://reader035.vdocument.in/reader035/viewer/2022070603/586fd6541a28ab18428b4eb7/html5/thumbnails/38.jpg)
Grouper-related
● Grouper Bugs Reporting
○ …
● Grouper-Demo for Docker
https://registry.hub.docker.com/u/unicon/grouper-demo
● Grouper ESB AMQP Publisher
https://github.com/Unicon/grouper-amqp-esb-publisher
● Grouper GoogleApps Provisioner
○ Now part of https://github.com/Internet2/grouper
![Page 39: Unicon July 2015 IAM Briefing](https://reader035.vdocument.in/reader035/viewer/2022070603/586fd6541a28ab18428b4eb7/html5/thumbnails/39.jpg)
Next Steps
![Page 40: Unicon July 2015 IAM Briefing](https://reader035.vdocument.in/reader035/viewer/2022070603/586fd6541a28ab18428b4eb7/html5/thumbnails/40.jpg)
What we do
● Collaborate to maintain current stable recommended releases
● Work towards next releases
● Explore extensions and opportunities
● Responsive to input from subscriber experiences
○ Feedback is especially welcome!
○ Learn from providing support
○ Empathize with your needs and projects
![Page 41: Unicon July 2015 IAM Briefing](https://reader035.vdocument.in/reader035/viewer/2022070603/586fd6541a28ab18428b4eb7/html5/thumbnails/41.jpg)
Questions / Discussion
•Misagh Moayyed, [email protected]
•Jonathan (JJ) Johnson, [email protected]
•David Langenberg, [email protected]