
Unicon IAM Update CAS, Shibboleth, Grouper 5 Nov 2015 - 11am MST Jonathan Johnson • Misagh Moayyed • David Langenberg Audio is via Adobe Connect. There is no phone dial-in.

Upload: john-gasper

Post on 16-Apr-2017


TRANSCRIPT

Page 1: Unicon July 2015 IAM Briefing

Unicon IAM Update: CAS, Shibboleth, Grouper

5 Nov 2015 - 11am MST

Jonathan Johnson • Misagh Moayyed • David Langenberg

Audio is via Adobe Connect. There is no phone dial-in.

Page 2: Unicon July 2015 IAM Briefing

John Gasper

● CAS, Shibboleth, and Grouper Deployer

● Docker Fanboy

Page 3: Unicon July 2015 IAM Briefing

Welcome

• Community updates on CAS, Shibboleth and Grouper

• Unicon contributions to CAS, Shibboleth and Grouper

• Unicon's Open Source Support

• Q&A

Page 4: Unicon July 2015 IAM Briefing

Misagh Moayyed

● CAS/Grouper core developer

● Tech lead for Unicon’s OSS CAS

Page 5: Unicon July 2015 IAM Briefing

Jonathan (JJ) Johnson

• IAM, Shibboleth, CAS, Grouper

Page 6: Unicon July 2015 IAM Briefing

David Langenberg

• Shibboleth Trainer, InCommon LLC

• IAM Architect, University of Chicago

• Alumnus Grouper Developer, Internet2

Page 7: Unicon July 2015 IAM Briefing

Observations and Highlights

Page 8: Unicon July 2015 IAM Briefing

• InCommon Shibboleth Workshop: 17-18 Sept 2015 Cupertino, CA

• Internet2 2015 Technology Exchange: 4-7 Oct 2015 Cleveland, OH

• InCommon Shibboleth Workshop: 19-20 Oct 2015 Arlington, TX

• Open Apereo 2016: 22-25 May 2016 New York City, NY

Events

Page 9: Unicon July 2015 IAM Briefing

IAM Trends

• MFA for Shibboleth, MFA for CAS, etc.

○ Device/location-aware features

○ Risk-based AuthN

•Grouper and Provisioning

•Containerized Deployments

Page 10: Unicon July 2015 IAM Briefing

Community Highlights

Page 11: Unicon July 2015 IAM Briefing

Highlights About CAS

Page 12: Unicon July 2015 IAM Briefing

CAS Server Versions

● CAS Server v4.0.6 (Oct 19th)

○ Ldaptive library updated

● CAS Server v4.1.1 (Oct 19th)

○ Clean out all STs when the TGT is destroyed.

● Patches will continue for 4.1.x and 4.0.x

○ Once every 30 days

● Development towards 4.2.0

○ Tentative release date: Dec 24, 2015

Page 13: Unicon July 2015 IAM Briefing

CAS Server 4.1.x Highlights

● Built-in JSON Service Registry

● Built-in Hazelcast Ticket Registry

● Attribute-based Access Control (ABAC)

● CAS Services Management webapp

Page 14: Unicon July 2015 IAM Briefing

CAS Services Management

Page 15: Unicon July 2015 IAM Briefing

CAS 4.2 – W.I.P

https://wiki.jasig.org/display/CAS/CAS+4.2+Roadmap

● Easier LDAP AuthN

● CAS SSO Sessions Report

● Integration with DuoSecurity/YubiKey

● Integration with Social/SAML IdPs

● Integration with ADFS/WS-Fed

● Tentative release date: Dec 24, 2015

Page 16: Unicon July 2015 IAM Briefing

LDAP AuthN: Easy!

● New schema via Ldaptive v1.1

● Sample AD authentication:

    <ldaptive:ad-authenticator id="authenticator"
        ldapUrl="${ldap.url}"
        userFilter="${ldap.authn.searchFilter}"
        bindDn="${ldap.managerDn}"
        bindCredential="${ldap.managerPassword}"
        allowMultipleDns="${ldap.allowMultipleDns:false}"
        connectTimeout="${ldap.connectTimeout}"
        .... />

Page 17: Unicon July 2015 IAM Briefing

Manage SSO Sessions

Page 18: Unicon July 2015 IAM Briefing
Page 19: Unicon July 2015 IAM Briefing

Highlights About Shibboleth

Page 20: Unicon July 2015 IAM Briefing

Shibboleth Versions

● Latest versions:

○ IdP v3.1.2 (1 Jul 2015)

○ SP v2.5.4 (21 Jul 2015)

● v3.2.0 will be released soon

○ HTML5 storage

○ ECP: Delegated SAML proxy

○ Bug fixes

Page 21: Unicon July 2015 IAM Briefing

• IdP v2.4.4 was released 25 Feb 2015, to address security issue; OpenSAML-J was also updated

• IdP v2 end of life timeline (assuming you haven’t upgraded):

Shibboleth 2.x Lifetime

• Dec 31, 2015: Plan to upgrade

• Feb 29, 2016: Done with upgrade

• Mar 31, 2016: Really done with upgrade

• July 31, 2016: IdP 2.x full EOL

Page 22: Unicon July 2015 IAM Briefing

IdP: OpenID Connect

https://github.com/uchicago/shibboleth-oidc

●Community-effort to support OIDC protocol

●Sponsored by University of Chicago

●Developed by Unicon

Page 23: Unicon July 2015 IAM Briefing

Highlights About Grouper

Page 24: Unicon July 2015 IAM Briefing

Grouper v2.2.2

http://software.internet2.edu/grouper/release/2.2.2/patches/

● Released 23 Sept 2015.

○ Includes ~47 2.2.1 patches

○ New features:

■ Read Only Admin

■ Run Loader Jobs from the UI

■ Auto-create user folders

● 5 patches already available:

○ Options to show Lite and Admin UI links

○ Bug fixes

Page 25: Unicon July 2015 IAM Briefing

More Grouper 2.2.2 Enhancements

● Grouper loader failsafe threshold

● Rename include/exclude affects all groups

● Add composite details to membership list

● Startup checks for Java version and UTF-8 abilities

● New hooks (unique objects names, privilege inheritance)

● Move and copy from WS

- Courtesy of Chris Hyzer’s Tech Exchange BOF Presentation

Page 26: Unicon July 2015 IAM Briefing

Grouper.Next

● TIER packaging

○ Revise building/package management

● Improve folder privileges

● Rule configuration in new UI

● New UI support for attributes/permissions, etc.

● Add attribute/permissions operations to WS

● More...

- Courtesy of Chris Hyzer’s Tech Exchange Presentation

Page 27: Unicon July 2015 IAM Briefing

Highlights About Unicon Participation in CAS, Shibboleth and Grouper

Page 28: Unicon July 2015 IAM Briefing

Open Source Support

● Support OSS as adopted by the community

● Collaboration with community and subscribers

● “Act in the best interest of the subscribers, the community, and the project”

Page 29: Unicon July 2015 IAM Briefing

CAS-related progress

Page 30: Unicon July 2015 IAM Briefing

CAS 4.x Roadmap

● Much of CAS 4.X is done through OSS funding:

○ MFA support inspired by CAS-MFA

○ Risk-based MFA

○ Dockerized CAS; community images

○ Better OIDC/SAML support

○ …

https://wiki.jasig.org/display/CAS/CAS+4.3+Roadmap

Page 31: Unicon July 2015 IAM Briefing

Other/Ongoing work

● CAS WS-Fed module for CAS 4.0

https://github.com/Unicon/cas-adfs-integration

● Allow a principal to authN as another

https://github.com/UniconLabs/cas-surrogate-principal

● Java CAS client: regex in proxy chains

https://github.com/Jasig/java-cas-client

Page 32: Unicon July 2015 IAM Briefing

CAS Addons

● 4.X: https://github.com/unicon-cas-addons

○ 4.x compatible versions are available as individual libraries instead of a monolithic library.

○ No changes since the last webinar.

● 3.6.X: https://github.com/Unicon/cas-addons

○ 1.17 and 1.18 released since last webinar

○ CAS Core dependency and Hazelcast update

Page 33: Unicon July 2015 IAM Briefing

CAS MFA

https://github.com/Unicon/cas-mfa

● MFA support based on CAS 3.6

● CAS proxying/ClearPass support

● Trigger MFA via list/group membership.

Page 34: Unicon July 2015 IAM Briefing

Shibboleth-related progress

Page 35: Unicon July 2015 IAM Briefing

Shib-CAS AuthN v3

https://github.com/Unicon/shib-cas-authn3

● v3.0.0

○ Shibboleth IdP v3.X support

○ Fixed encoding on entityId/service parameters.

● v2.0.5 should be used with IdP 2.4.x

● IdP v3.2 will add support for:

○ Attributes from CAS

○ AuthN Context Class w.r.t. MFA

Page 36: Unicon July 2015 IAM Briefing

Other/Ongoing work

● Hazelcast Storage Service

https://github.com/UniconLabs/shibboleth-hazelcast-storage-service

● Duo support for IdP v3

https://github.com/Unicon/shib-mfa-duo-auth

● IdP v3 powered by Docker

https://github.com/unicon/shibboleth-idp-dockerized

● User-selectable NameID

Page 37: Unicon July 2015 IAM Briefing

Grouper-related progress

Page 38: Unicon July 2015 IAM Briefing

Grouper-related

● Grouper bug reporting

○ …

● Grouper-Demo for Docker

https://registry.hub.docker.com/u/unicon/grouper-demo

● Grouper ESB AMQP Publisher

https://github.com/Unicon/grouper-amqp-esb-publisher

● Grouper GoogleApps Provisioner

○ Now part of https://github.com/Internet2/grouper

Page 39: Unicon July 2015 IAM Briefing

Next Steps

Page 40: Unicon July 2015 IAM Briefing

What we do

● Collaborate to maintain current stable recommended releases

● Work towards next releases

● Explore extensions and opportunities

● Responsive to input from subscriber experiences

○ Feedback is especially welcome!

○ Learn from providing support

○ Empathize with your needs and projects

Page 41: Unicon July 2015 IAM Briefing

Questions / Discussion

• Misagh Moayyed, [email protected]

• Jonathan (JJ) Johnson, [email protected]

• David Langenberg, [email protected]