Central Authentication Service (slide transcript)
Page 1: Introducing JA-SIG Central Authentication Service 3.0
Scott Battaglia [email protected]
Rutgers, the State University of New Jersey
Page 2: Outline
What is CAS?
History of CAS
  CAS 1.x
  CAS 2.x
Introducing CAS 3
  Development Process/Developers
  Design Goals
  Why build CAS 3?
Advanced CAS 3 Usage
  Clustering/Load Balancing
  Accepting Multiple Credential Types
  SAML Support
The Future
Helping with CAS Development
Page 3: What is CAS?
CAS is…
Single sign on for the web
A trusted intermediary
A proxy authenticator to back-end services
Page 4: History of CAS
CAS 1.x
CAS 2.x
Page 5: History of CAS: CAS 1.x
Original version released by Yale University
Offered single sign on for the web
Consisted of servlets and JSP pages
Page 6: History of CAS: CAS 2
Also developed at Yale University
Introduced the concept of proxy authentication to CAS
Simple: 6 servlets and fewer than 10 JSPs
Extremely popular
Large user community
Page 7: Introducing CAS 3.0
Page 8: CAS 3.0: Why Build CAS 3?
CAS 2.0 was an excellent project
CAS 2.0 was easy to use
CAS 2.0 was not easy to extend or augment with local requirements
CAS 3.0 attempts to solve the last problem!
Page 9: CAS 3.0: Why Build CAS 3?
Making changes to CAS 2.0 generally requires forking the code base
Adding new features may require a lot of copying and pasting, which may get out of sync with the core code base.
Page 10: CAS 3.0: Why Build CAS 3?
CAS 3 offers…
CAS 2 compliance out of the box
Unit/Integration Tests and Compliance Tests
Proper domain model
Revamped architecture
Support for well-known modifications
Page 11: CAS 3.0: Design Goals
First and foremost, CAS3 will be Flexible, Extensible and Elegant.
CAS3 will maintain backward compatibility with the CAS 2.0 and CAS 1.0 protocols while providing extension points for well-known modifications and new features such as support for Web Services, SAML and Shibboleth.
CAS Clients written for older versions of CAS will work with CAS3 without modification.
Page 12: CAS 3.0: Development Process
Started as a Yale/Rutgers collaboration
Became a JA-SIG Project in December 2004
JA-SIG project makes it open-source
Available in public JA-SIG CVS, nightly builds on Clearinghouse machines, etc.
Page 13: CAS 3.0: Development Team
Yale University: Susan Bramhall, Howard Gilbert, Drew Mazurek, Andy Newman, Andrew Petro
Rutgers, the State University of New Jersey: Scott Battaglia, Dmitriy Kopylenko, Bill Thompson
Page 14: CAS 2 Compliance
In terms of protocol, a drop-in replacement for CAS 2.0
Requires no modifications to client applications
Includes an adaptor to allow plugging a CAS 2 PasswordHandler into the CAS 3 architecture
Page 15: Unit/Integration/Compliance Tests
Unit and Integration Tests
  Coverage of major components
  Utilizes JUnit, Clover
  According to Clover, 99.5% test coverage
  Allows us to refactor with confidence!
Compliance Tests
  Run against a live server
  Test compliance to the CAS 2 specification
  Currently 48 tests
Page 16: Proper Domain Model
Major Breakthrough: Only Two Types of Tickets
  Ticket Granting Ticket
  Service Tickets
Domain logic belongs with Domain Objects
  Example: A ticket can determine if it's expired
  Simplifies implementations of supporting pieces
Page 17: Revamped Architecture
Built on popular open-source frameworks
  Spring Framework
  Quartz
  xFire
  Jakarta Commons
  Log4j
  Maven
Design Philosophy: don't reinvent the wheel
Page 18: Revamped Architecture
Loose coupling of components
  Via Dependency Injection
  Declarative configuration via XML files
Coding to interfaces
  Swap implementations to suit needs
  Implementations adhere to the contract
  Example: TicketRegistry
Page 19: Revamped Architecture
Uses Design Patterns
  Patterns allow for a common understanding
  Example: Template Design Pattern
Layered Architecture
  Separation of UI concerns from business concerns
  Allows for better re-use of code
  Example: Web Tier vs. Web Service
Page 20: Revamped Architecture
Use of AOP to separate cross-cutting concerns for business logic
  Allows for major additions to functionality without modifying core code
  Example: auditing
Use of Spring Workflow allows for declarative reconfiguration of the Login process
Page 21: Support for Well-Known Modifications
Gathered list from current and future (potential) CAS deployers
CAS 3 includes extension points for well-known modifications
CAS 3 (via Spring) supports using AOP to introduce modifications
Page 22: Support for Well-Known Modifications
Audit Trail Modification (identified by CalPoly)
Services Whitelist (identified by Columbia and University of Delaware)
Additional Principal (and Authentication) Attributes (Rutgers, others)
Ticket Statistics (Yale)
Page 23: Support for Well-Known Modifications: Audit Trail Modification
CAS supports publishing of events
EventListener listens for events
Deployers can code and register "EventHandlers" that allow them to log particular events
Page 24: Support for Well-Known Modifications: Attributes
CAS supports plugging in PrincipalResolvers and MetaDataPopulators
Allows attaching attributes to principals (e.g. hair color or employee type)
Attach attributes to Authentication (e.g. safeword authentication)
Can customize the view to pass back attributes.
Page 25: Support for Well-Known Modifications: Ticket Statistics
Exposed via JMX
Tell how many of each ticket type were vended
Tell how many tickets of each type were vended per second
Page 26: Advanced CAS 3 Usage
Page 27: Clustering/Load Balancing CAS
All CAS Domain objects are serializable
Tickets are only stored in the TicketRegistry
TicketRegistry is an interface
Implement a JGroups TicketRegistry (David Stacey)
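As an added illustration (a Python sketch written for this transcript, not CAS 3's own Java code) of the domain model slide and of the TicketRegistry interface that clustering relies on: a ticket decides its own expiry, the Ticket Granting Ticket is the only object that vends Service Tickets, a Service Ticket is single-use and bound to one service, and tickets live only in the registry, so a registry cleaner or a swapped-in clustered registry needs nothing beyond the same small contract. All class, method and parameter names are assumptions for the illustration.

```python
import secrets

class Ticket:
    """Base ticket: the domain object itself decides whether it has expired."""
    def __init__(self, prefix, created, lifetime):
        self.id = f"{prefix}-{secrets.token_urlsafe(16)}"
        self.created, self.lifetime = created, lifetime
    def is_expired(self, now):
        return now - self.created > self.lifetime

class TicketGrantingTicket(Ticket):
    """Long-lived SSO session; the only object that can vend service tickets."""
    def __init__(self, principal, now, lifetime=8 * 3600):
        super().__init__("TGT", now, lifetime)
        self.principal = principal
    def grant_service_ticket(self, service, now):
        if self.is_expired(now):
            raise PermissionError("TGT expired; user must re-authenticate")
        return ServiceTicket(self, service, now)

class ServiceTicket(Ticket):
    """Short-lived, single-use proof of authentication bound to one service."""
    def __init__(self, tgt, service, now, lifetime=300):
        super().__init__("ST", now, lifetime)
        self.tgt, self.service, self.used = tgt, service, False
    def is_expired(self, now):
        return self.used or super().is_expired(now)
    def validate(self, service, now):
        """Return the principal once; a replayed or mis-targeted ST yields None."""
        if self.is_expired(now) or service != self.service:
            return None
        self.used = True
        return self.tgt.principal

class InMemoryTicketRegistry:
    """One TicketRegistry implementation (hypothetical); a clustered one, e.g.
    over JGroups, would keep the same add/get/clean contract, which is why the
    tickets above hold only plain serializable data."""
    def __init__(self):
        self._tickets = {}
    def add(self, ticket):
        self._tickets[ticket.id] = ticket
    def get(self, ticket_id):
        return self._tickets.get(ticket_id)
    def clean(self, now):
        """Registry cleaner: evict expired tickets, return how many were removed."""
        dead = [tid for tid, t in self._tickets.items() if t.is_expired(now)]
        for tid in dead:
            del self._tickets[tid]
        return len(dead)
```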
Page 28: Accepting Multiple Credential Types
Web Login defined by workflow
Dartmouth identified the need to have an augmented login workflow
Need to check for a Client Certificate before displaying the login form
Page 29: SAML Support
Standard XML-based framework
Used to create and exchange info amongst online partners
CAS can offer alternatives to the CAS 2 Protocol views
One alternative is a SAML response
Page 30: The Future of CAS
Page 31: The Future of CAS
Advanced SAML Support
  Support for both SAML requests and responses
Shibboleth Support
  Requires advanced SAML support
  Allow CAS to speak to Shibboleth
Who knows what else… the current architecture allows for many possibilities
Page 32: The Future of CAS
Already working on a 3.0.1 (and beyond)
  XMLBeans view
  More robust registry cleaners
  Increased compatibility testing
  Support for Single Sign-out (requires new clients)
Page 33: Helping with CAS 3.0 Development
What can YOU do to help?
Look at what CAS 3 has to offer
Use CAS 3
Report bugs/feature requests/etc. to the development list
Give your extensions back to the community
Share your experiences using CAS with the community
Join the CAS mailing list
Page 34: Questions or comments?