unicon july 2015 iam briefing

Unicon IAM Update CAS, Shibboleth, Grouper 09 July 2015 Jonathan Johnson • Misagh Moayyed • David Langenberg Audio is via Adobe Connect. There is no phone dial-in.

Upload: john-gasper

Post on 18-Aug-2015


TRANSCRIPT

Unicon IAM Update: CAS, Shibboleth, Grouper

09 July 2015

Jonathan Johnson • Misagh Moayyed • David Langenberg

Audio is via Adobe Connect. There is no phone dial-in.

Welcome to this briefing

• Updates on CAS, Shibboleth and Grouper

• Unicon contributions to CAS, Shibboleth and Grouper

• Unicon's Open Source Support

• Q&A

Misagh Moayyed

• IAM, Shibboleth, CAS, uPortal

• Unicon’s Open Source Support for CAS technical lead

Jonathan (JJ) Johnson

• IAM, Shibboleth, CAS, Grouper

David Langenberg

• Grouper Developer, Internet2

• Shibboleth Trainer, InCommon LLC

• IAM Architect, University of Chicago

Observations and Highlights

Past Events

• Internet2 Global Summit: 26-30 Apr 2015, Washington, D.C.

• Educause Security Professionals Conference: 4-6 May 2015, Minneapolis, MN

• Open Apereo: 31 May-4 June 2015, Baltimore, MD

Upcoming Events

• InCommon Shibboleth Workshop: 17-18 Sept 2015, Cupertino, CA

• Internet2 2015 Technology Exchange: 4-7 Oct 2015, Cleveland, OH

• InCommon Shibboleth Workshop: 19-20 Oct 2015, Arlington, TX

Community Highlights

IAM Trends

• MFA for Shibboleth, MFA for CAS, etc.

○ Device/location-aware features

○ Risk-based AuthN

•O365/ADFS Integration with CAS/Shibboleth

•Grouper and Provisioning

Highlights About CAS

CAS Server Versions

● CAS Server v3.6.0 / v4.0.2 (12 Jun 2015)

■ OAuth/OpenID bug fixes

■ Localization and UI improvements

■ Protocol URL/parameter sanitizations

● CAS Server v4.0.3 (early next week)

■ Security filter upgrade

■ LDAP/LPPE bug fixes

■ Localization/UTF-8 improvements

●CAS Server v4.1.0 (In development)

CAS 4.1 – Goodies

https://youtu.be/P_GTXEAt5oU

● JSON Service Registry / RBAC

● Better management interface

● SLO / logo / logout URL per application

● Password / PGT as attributes

● Many more...
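The JSON service registry listed above is the allow-list that decides which service URLs may receive tickets, so the shape of each `serviceId` pattern is a security control in its own right. The following is an added example, not code from CAS or Unicon: it loads constructed definitions written in the CAS 4.1 JSON registry layout (field names `@class`, `serviceId`, `name`, `id`, `evaluationOrder` are taken from that layout), resolves a requested service the way CAS does (ascending `evaluationOrder`, first full-pattern match wins), and shows why the catch-all `^(https|imaps)://.*` entry that CAS 4.x ships as a default turns the allow-list into a no-op until it is removed.

```python
"""Service-registry matching in the style of the CAS 4.1 JSON registry.

Added example, not code from CAS or Unicon. Sample definitions below are
constructed; hostnames are placeholders.
"""
import json
import re

# Constructed sample definitions. The last entry mirrors the "HTTPS and
# IMAPS" catch-all that CAS 4.x ships with as a default and that deployers
# are expected to remove once real services are registered.
SAMPLE_REGISTRY_JSON = r"""
[
  {"@class": "org.jasig.cas.services.RegexRegisteredService",
   "serviceId": "^https://portal\\.example\\.edu/.*",
   "name": "Campus portal", "id": 1, "evaluationOrder": 10},
  {"@class": "org.jasig.cas.services.RegexRegisteredService",
   "serviceId": "^https://grouper\\.example\\.edu/grouper(/.*)?",
   "name": "Grouper UI", "id": 2, "evaluationOrder": 20},
  {"@class": "org.jasig.cas.services.RegexRegisteredService",
   "serviceId": "^(https|imaps)://.*",
   "name": "HTTPS and IMAPS", "id": 10000001, "evaluationOrder": 10000}
]
"""


def load_registry(text):
    """Parse definitions, compile each serviceId and sort by evaluationOrder
    so that lookups honour first-match-wins the way CAS does."""
    services = []
    for entry in json.loads(text):
        services.append({
            "id": entry["id"],
            "name": entry["name"],
            "order": entry["evaluationOrder"],
            "pattern": re.compile(entry["serviceId"]),
        })
    return sorted(services, key=lambda s: s["order"])


def match_service(registry, service_url):
    """Return the name of the first definition whose pattern matches the
    whole service URL, or None when the URL is not an allowed service.

    fullmatch mirrors Java's Matcher.matches(), which the regex service
    type uses, so the pattern is always evaluated against the entire URL."""
    for service in registry:
        if service["pattern"].fullmatch(service_url):
            return service["name"]
    return None


def without_catch_all(registry):
    """Drop entries whose pattern accepts an arbitrary https host. While one
    is present, any https site can be named as the service and receive a
    service ticket (and released attributes) for a logged-in user's SSO
    session, so the registry is an allow-list in name only."""
    probe = "https://attacker.example/"
    return [s for s in registry if not s["pattern"].fullmatch(probe)]


if __name__ == "__main__":
    registry = load_registry(SAMPLE_REGISTRY_JSON)
    for url in ("https://portal.example.edu/login",
                "https://portal.example.edu.attacker.example/login"):
        print(url, "->", match_service(registry, url),
              "| tightened:", match_service(without_catch_all(registry), url))
```

The look-alike host `portal.example.edu.attacker.example` is rejected by the anchored portal pattern (the `/` after `edu` is required) but accepted by the catch-all, which is exactly the gap a ticket-stealing link relies on.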

CAS Server Security Filter

https://github.com/Jasig/cas-server-security-filter

• A servlet filter suitable for patching in place CAS deployments that are vulnerable to CAS-protocol-input attacks (malformed or duplicated protocol parameters).

• v2.0.3 released 3-Jul-2015.
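The security filter and the "protocol URL/parameter sanitizations" in v3.6.0/v4.0.2 both police the CAS protocol parameters before the server acts on them. What follows is an added example, not the code of cas-server-security-filter or of CAS: it models the two checks a patch-in-place filter of this kind performs, namely that each protocol parameter appears at most once and that its decoded value contains no forbidden characters. The parameter list (taken from the CAS protocol parameter names) and the forbidden-character default of `%` are assumptions; the real filter's configured values may differ.

```python
"""Request-parameter policy for CAS protocol parameters.

Added example, not the code of cas-server-security-filter. Parameter names
and the forbidden-character default are assumptions.
"""
from urllib.parse import parse_qs

# Assumed: parameter names from the CAS protocol. A deployment would
# configure its own list.
PARAMETERS_TO_CHECK = frozenset({
    "ticket", "service", "renew", "gateway", "warn", "method", "target",
    "SAMLart", "pgtUrl", "pgtId", "pgtIou", "targetService",
})

# Assumed default: a '%' still present after one round of URL decoding
# means the client double-encoded the value, which is how an encoded '&',
# '?' or newline is smuggled past a component that decodes a second time.
DEFAULT_FORBIDDEN = frozenset("%")


class ParameterPolicyViolation(ValueError):
    """Raised when a request breaks the parameter policy."""


def check_query(raw_query, forbidden=DEFAULT_FORBIDDEN, allow_multi_value=False):
    """Parse a raw query string and enforce the policy.

    Returns a dict of single string values (for parameters outside the
    policed set only the first value is kept) or raises
    ParameterPolicyViolation. Checks run on decoded values, which is what
    the server itself would see."""
    params = parse_qs(raw_query, keep_blank_values=True)
    result = {}
    for name, values in params.items():
        if name in PARAMETERS_TO_CHECK:
            if len(values) > 1 and not allow_multi_value:
                # Two copies of "service" let a server that reads the first
                # and a client that reads the last disagree on the service.
                raise ParameterPolicyViolation(
                    "%r supplied %d times" % (name, len(values)))
            for value in values:
                hit = forbidden.intersection(value)
                if hit:
                    raise ParameterPolicyViolation(
                        "%r contains forbidden character(s) %s"
                        % (name, sorted(hit)))
        result[name] = values[0]
    return result


def policy_violation(raw_query, **kwargs):
    """The violation message for a raw query string, or None if acceptable."""
    try:
        check_query(raw_query, **kwargs)
    except ParameterPolicyViolation as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed requests: one clean, one duplicated, one double-encoded.
    for q in ("service=https%3A%2F%2Fapp.example.edu%2Fcb%3Fnext%3D%2Fhome&ticket=ST-1-abc",
              "service=https://app.example.edu/&service=https://attacker.example/",
              "service=https%3A%2F%2Fapp.example.edu%2F%253Fx"):
        print(q, "->", policy_violation(q) or "ok")
```

A legitimate service URL that itself carries a query string (`?next=/home`) survives, because its `?` and `=` were encoded exactly once; only the duplicated parameter and the double-encoded `%3F` are rejected.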

CAS NextGen

https://wiki.jasig.org/display/CAS/CAS+4.2+Roadmap

● SAML SP / ADFS proxy support

● Better MFA support

● SSO sessions dashboard

● Surrogate AuthN

● More…

Highlights About Shibboleth

Shibboleth Versions

• Latest versions:

• IdP v3.1.2 (1 Jul 2015)

• SP v2.5.4 (19 Mar 2015)

• New adopters are encouraged to use v3

• Current deployers should explore upgrades

• IdP v2.4.4 was released 25 Feb 2015 to address a security issue; OpenSAML-J was also updated

Shibboleth 2.x Lifetime

• IdP v2.4 end-of-life timeline (assuming you haven't upgraded):

• Dec 31, 2015: Plan to upgrade

• Feb 29, 2016: Done with upgrade

• Mar 31, 2016: Really done with upgrade

• July 31, 2016: IdP 2.x full EOL

Multi-Context Broker

● Analysis of Shib IdP v3 and MCB: https://wiki.shibboleth.net/confluence/x/EoEEAQ

● Believed to be generally unneeded in IdP v3; waiting for general guidance to be released.

IdP: OpenID Connect

https://github.com/uchicago/shibboleth-oidc

● Community-effort to support OIDC protocol

● Sponsored by University of Chicago

● Developed by Unicon

Highlights About Grouper

Grouper v2.2.1

http://goo.gl/5LrGAR

• Released 10 Nov 2014.

• 36 patches available (21 since last briefing):

• Selective PSP provisioning

• Better UTF-8 character support

• Lots of bug fixes

http://software.internet2.edu/grouper/release/2.2.1/patches/

Highlights About Unicon Participation in CAS, Shibboleth and Grouper

Open Source Support

• Support OSS as adopted by the community

• Collaboration with community and subscribers

• “Act in the best interest of the subscribers, the community, and the project”

CAS-related progress

CAS 4.X Enhancements

• JSON Service Registry

• REST API improvements

• SSO sessions / AUP workflows

• LDAP/LPPE bug fixes

• ...

Other/Ongoing work

• CAS WS-Fed module for CAS 4.0: https://github.com/Unicon/cas-adfs-integration

• Allow a principal to authN as another: https://github.com/UniconLabs/cas-surrogate-principal

• Java CAS client: regex in proxy chains: https://github.com/Jasig/java-cas-client

CAS Addons

3.5.X: https://github.com/Unicon/cas-addons

4.X: https://github.com/unicon-cas-addons

• 3.15 and 3.16 released since last webinar

• 4.x-compatible versions are available as individual libraries instead of a monolithic library.

• HazelcastTicketRegistry updated in April.

CAS MFA

https://github.com/Unicon/cas-mfa

• MFA support based on CAS 3.5/3.6

• CAS proxying / ClearPass support

• Trigger MFA via list/group membership.
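Triggering MFA from group membership means the server has to reconcile three inputs on every request: the method a service asks for, the method the principal's groups force, and the method an existing SSO session already satisfied. The following is an added example, not cas-mfa's code: it implements that step-up decision with assumed method names, an assumed ranking and assumed group DNs, and handles the failure mode a naive implementation gets wrong, a weaker request silently downgrading a session that already completed a stronger method.

```python
"""Step-up decision driven by service requirement and group membership.

Added example, not cas-mfa's code. Method names, ranks and group DNs are
assumptions chosen for illustration.
"""

# Assumed ranking, weakest first. Anything not listed is rejected rather
# than silently treated as the weakest method.
METHOD_RANK = {"password": 0, "duo_two_factor": 1}

# Assumed policy: membership in any of these groups forces the given
# method regardless of which service the principal is visiting.
GROUP_TRIGGERS = {
    "cn=sysadmins,ou=groups,dc=example,dc=edu": "duo_two_factor",
    "cn=finance-approvers,ou=groups,dc=example,dc=edu": "duo_two_factor",
}


def is_known_method(method):
    return method in METHOD_RANK


def rank(method):
    if not is_known_method(method):
        raise ValueError("unknown authentication method %r" % method)
    return METHOD_RANK[method]


def strongest(methods):
    """Highest-ranked method from a non-empty iterable."""
    return max(methods, key=rank)


def decide(service_method, member_of, session_method=None):
    """Return (required_method, step_up_needed).

    service_method: method the service's registry entry asks for (assumed
      to be "password" for services that request nothing specific).
    member_of: values of the principal's memberOf-style attribute.
    session_method: method the existing SSO session already satisfied, or
      None when the principal has no session yet.
    """
    triggered = [GROUP_TRIGGERS[g] for g in member_of if g in GROUP_TRIGGERS]
    required = strongest([service_method] + triggered)
    if session_method is not None and rank(session_method) >= rank(required):
        # The session already meets or exceeds the requirement: do not
        # re-prompt, and report the method actually used rather than the
        # weaker one the service asked for, so downstream attribute release
        # and logging see the real assurance level.
        return session_method, False
    return required, True


if __name__ == "__main__":
    # Constructed principals: one sysadmin, one ordinary staff member.
    sysadmin = ["cn=sysadmins,ou=groups,dc=example,dc=edu",
                "cn=staff,ou=groups,dc=example,dc=edu"]
    staff = ["cn=staff,ou=groups,dc=example,dc=edu"]
    print("staff, password service, password session:",
          decide("password", staff, "password"))
    print("sysadmin, password service, password session:",
          decide("password", sysadmin, "password"))
    print("staff with duo session, password service:",
          decide("password", staff, "duo_two_factor"))
```

The third case is the one to watch in any implementation: a session that already completed Duo must be reported as `duo_two_factor`, not re-labelled `password` because a low-assurance service happened to be visited next.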

Shibboleth-related progress

Shib-CAS AuthN v3

https://github.com/Unicon/shib-cas-authn3

• v3.0.0

• Shibboleth IdP v3.x support

• Fixed encoding of entityId/service parameters.

• v2.0.5 should be used with IdP 2.4.x

Other/Ongoing work

• Hazelcast session storage: https://github.com/UniconLabs/shib-hazelcast-storage-service

• Duo support for IdP v3: https://github.com/Unicon/shib-mfa-duo-auth

• IdP v3 powered by Docker: https://github.com/jtgasper3/docker-shibboleth-idp

Grouper-related progress

Grouper-related

• Grouper bugs:

○ GRP-1137: Group copy issue related to hooks (reported and fixed by devs)

○ GRP-1139: Grouper API reports non-fatal issues when multiple hook classes are specified (reported and fixed by Unicon)

• Grouper demo for Docker: https://registry.hub.docker.com/u/unicon/grouper-demo

• Grouper ESB AMQP publisher: https://github.com/Unicon/grouper-amqp-esb-publisher

Next Steps

What we do

• Collaborate to maintain current stable recommended releases

• Work towards next releases

• Explore extensions and opportunities

• Responsive to inputs from subscriber experiences

• Feedback is especially welcome!

• Learn from providing support

• Empathize with your needs and projects

Questions / Discussion

• Misagh Moayyed, Support for CAS Technical Lead, [email protected]

• Jonathan (JJ) Johnson, [email protected]

• David Langenberg, [email protected]