unicon july 2015 iam briefing
Unicon IAM Update: CAS, Shibboleth, Grouper
5 Nov 2015 - 11am MST
Jonathan Johnson • Misagh Moayyed • David Langenberg
Audio is via Adobe Connect. There is no phone dial-in.
John Gasper
● CAS, Shibboleth, and Grouper Deployer
● Docker Fanboy
Welcome
● Community updates on CAS, Shibboleth and Grouper
● Unicon contributions to CAS, Shibboleth and Grouper
● Unicon's Open Source Support
● Q&A
Misagh Moayyed
● CAS/Grouper core developer
● Tech lead for Unicon’s OSS CAS
Jonathan (JJ) Johnson
• IAM, Shibboleth, CAS, Grouper
David Langenberg
● Shibboleth Trainer, InCommon LLC
● IAM Architect, University of Chicago
● Alumnus Grouper Developer, Internet2
Observations and Highlights
Events
● InCommon Shibboleth Workshop: 17-18 Sept 2015, Cupertino, CA
● Internet2 2015 Technology Exchange: 4-7 Oct 2015, Cleveland, OH
● InCommon Shibboleth Workshop: 19-20 Oct 2015, Arlington, TX
● Open Apereo 2016: 22-25 May 2016, New York City, NY
IAM Trends
● MFA for Shibboleth, MFA for CAS, etc.
  ○ Device/location-aware features
  ○ Risk-based AuthN
● Grouper and Provisioning
● Containerized Deployments
Community Highlights
Highlights About CAS
CAS Server Versions
● CAS Server v4.0.6 (Oct 19th)
  ○ Ldaptive library updated
● CAS Server v4.1.1 (Oct 19th)
  ○ Clean out all STs (service tickets) when the TGT is destroyed
● Patch releases will continue for 4.1.x and 4.0.x
  ○ Roughly once every 30 days
● Development towards 4.2.0
  ○ Tentative release date: Dec 24, 2015
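The 4.1.1 item above matters for single logout: in CAS 4 a service ticket (ST) carries a direct reference to the TGT that granted it, so validating an ST does not re-check that the TGT is still in the registry. If STs are not removed together with the TGT, one minted just before logout can still be exchanged for the user's identity. The following Python model, added here to illustrate the point (it is not CAS code; ticket id formats, the registry API and the service URL are assumptions, and ST expiry timers are left out), shows the difference between a registry that cascades the delete and one that does not:

```python
"""Model of a CAS-style ticket registry: why STs must be removed with their TGT.

Added illustration for this page, not CAS code.  Ticket id formats, the
registry API and the service URL are assumptions; ST expiry is not modelled.
It mirrors the CAS 4 behaviour that an ST keeps an object reference to its
granting TGT, so validation trusts that reference rather than the registry.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class TGT:
    id: str
    principal: str
    service_tickets: set = field(default_factory=set)  # ids of STs minted from it


@dataclass
class ST:
    id: str
    service: str
    granting_tgt: TGT  # object reference, not a registry lookup


class TicketRegistry:
    def __init__(self, cascade_on_tgt_delete: bool):
        self.cascade = cascade_on_tgt_delete
        self.tgts: dict[str, TGT] = {}
        self.sts: dict[str, ST] = {}

    def create_tgt(self, principal: str) -> str:
        tid = "TGT-" + secrets.token_urlsafe(16)
        self.tgts[tid] = TGT(tid, principal)
        return tid

    def grant_st(self, tgt_id: str, service: str) -> str:
        tgt = self.tgts[tgt_id]  # KeyError: no SSO session, no ST
        sid = "ST-" + secrets.token_urlsafe(16)
        self.sts[sid] = ST(sid, service, tgt)
        tgt.service_tickets.add(sid)
        return sid

    def validate_st(self, st_id: str, service: str):
        """Return the principal if the ST exists, is unused and is bound to
        `service`, else None.  The ST is consumed (single use) and, as in
        CAS, its embedded TGT reference is trusted."""
        st = self.sts.pop(st_id, None)
        if st is None or st.service != service:
            return None
        st.granting_tgt.service_tickets.discard(st_id)
        return st.granting_tgt.principal

    def destroy_tgt(self, tgt_id: str) -> None:
        """Logout.  With the 4.1.1 behaviour every ST minted from the TGT
        is removed as well, so nothing issued before logout survives it."""
        tgt = self.tgts.pop(tgt_id)
        if self.cascade:
            for sid in list(tgt.service_tickets):
                self.sts.pop(sid, None)
            tgt.service_tickets.clear()


APP = "https://app.example.edu/login"  # constructed service URL


def st_usable_after_logout(cascade: bool):
    """Mint an ST, destroy the TGT, then try to validate the ST."""
    reg = TicketRegistry(cascade_on_tgt_delete=cascade)
    tgt = reg.create_tgt("alice")
    st = reg.grant_st(tgt, APP)
    reg.destroy_tgt(tgt)
    return reg.validate_st(st, APP)


def st_is_single_use():
    """A valid ST validates once; a replay of the same ST fails."""
    reg = TicketRegistry(cascade_on_tgt_delete=True)
    tgt = reg.create_tgt("alice")
    st = reg.grant_st(tgt, APP)
    return reg.validate_st(st, APP), reg.validate_st(st, APP)


if __name__ == "__main__":
    print("without cascade:", st_usable_after_logout(False))  # alice
    print("with cascade:", st_usable_after_logout(True))      # None
    print("single use:", st_is_single_use())                  # ('alice', None)
```

The same cascade is what a shared registry (such as the Hazelcast ticket registry listed below) has to perform on every node, since an orphaned ST left in a distributed map is validatable from any of them until its own expiry policy removes it.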
CAS Server 4.1.x Highlights
● Built-in JSON Service Registry
● Built-in Hazelcast Ticket Registry
● Attribute-based Access Control (ABAC)
● CAS Services Management webapp
CAS Services Management
CAS 4.2 – W.I.P.
https://wiki.jasig.org/display/CAS/CAS+4.2+Roadmap
● Easier LDAP AuthN
● CAS SSO Sessions Report
● Integration with DuoSecurity/YubiKey
● Integration with Social/SAML IdPs
● Integration with ADFS/WS-Fed
● Tentative release date: Dec 24, 2015
LDAP AuthN: Easy!
● New schema via Ldaptive v1.1
● Sample AD authentication:

<!-- Search for the user with userFilter using the manager bind, then bind as
     the resolved DN.  allowMultipleDns=false refuses to authenticate when the
     filter matches more than one entry, so a loose filter cannot be abused
     to bind as a different account. -->
<ldaptive:ad-authenticator id="authenticator"
    ldapUrl="${ldap.url}"
    userFilter="${ldap.authn.searchFilter}"
    bindDn="${ldap.managerDn}"
    bindCredential="${ldap.managerPassword}"
    allowMultipleDns="${ldap.allowMultipleDns:false}"
    connectTimeout="${ldap.connectTimeout}"
    .... />
Manage SSO Sessions
Highlights About Shibboleth
Shibboleth Versions
● Latest versions:
  ○ IdP v3.1.2 (1 Jul 2015)
  ○ SP v2.5.4 (21 Jul 2015)
● v3.2.0 will be released soon
  ○ HTML5 storage
  ○ ECP: Delegated SAML proxy
  ○ Bug fixes
● IdP v2.4.4 was released 25 Feb 2015 to address a security issue; OpenSAML-J was also updated
● IdP v2 end-of-life timeline (assuming you haven't upgraded):

Shibboleth 2.x Lifetime
  Dec 31, 2015   Plan to upgrade
  Feb 29, 2016   Done with upgrade
  Mar 31, 2016   Really done with upgrade
  Jul 31, 2016   IdP 2.x full EOL
IdP: OpenID Connect
https://github.com/uchicago/shibboleth-oidc
● Community effort to support the OIDC protocol
● Sponsored by University of Chicago
● Developed by Unicon
Highlights About Grouper
Grouper v2.2.2
http://software.internet2.edu/grouper/release/2.2.2/patches/
● Released 23 Sept 2015
  ○ Includes ~47 2.2.1 patches
  ○ New features:
    ■ Read-only Admin
    ■ Run Loader jobs from the UI
    ■ Auto-create user folders
● 5 patches already available:
  ○ Options to show Lite and Admin UI links
  ○ Bug fixes
More Grouper 2.2.2 Enhancements
● Grouper loader failsafe threshold
● Rename include/exclude affects all groups
● Add composite details to membership list
● Startup checks for Java version and UTF-8 abilities
● New hooks (unique object names, privilege inheritance)
● Move and copy from WS
- Courtesy of Chris Hyzer's Tech Exchange BOF Presentation
Grouper.Next
● TIER packaging
  ○ Revise building/package management
● Improve folder privileges
● Rule configuration in new UI
● New UI support for attributes/permissions/etc.
● Add attribute/permissions operations to WS
● More...
- Courtesy of Chris Hyzer's Tech Exchange Presentation
Highlights About Unicon Participation in CAS, Shibboleth and Grouper
Open Source Support
● Support OSS as adopted by the community
● Collaboration with community and subscribers
● "Act in the best interest of the subscribers, the community, and the project"
CAS-related progress
CAS 4.x Roadmap
● Much of CAS 4.x is done through OSS funding:
  ○ MFA support inspired by CAS-MFA
  ○ Risk-based MFA
  ○ Dockerized CAS; community images
  ○ Better OIDC/SAML support
  ○ …
https://wiki.jasig.org/display/CAS/CAS+4.3+Roadmap
Other/Ongoing work
● CAS WS-Fed module for CAS 4.0
  https://github.com/Unicon/cas-adfs-integration
● Allow a principal to authN as another
  https://github.com/UniconLabs/cas-surrogate-principal
● Java CAS client: regex in proxy chains
  https://github.com/Jasig/java-cas-client
CAS Addons
● 4.x: https://github.com/unicon-cas-addons
  ○ 4.x-compatible versions are available as individual libraries instead of a monolithic library
  ○ No changes since the last webinar
● 3.6.x: https://github.com/Unicon/cas-addons
  ○ 1.17 and 1.18 released since the last webinar
  ○ CAS core dependency and Hazelcast update
CAS MFA
https://github.com/Unicon/cas-mfa
● MFA support based on CAS 3.6
● CAS proxying/ClearPass support
● Trigger MFA via list/group membership
Shibboleth-related progress
Shib-CAS AuthN v3
https://github.com/Unicon/shib-cas-authn3
● v3.0.0
  ○ Shibboleth IdP v3.x support
  ○ Fixed encoding of entityId/service parameters
● v2.0.5 should be used with IdP 2.4.x
● IdP v3.2 will add support for:
  ○ Attributes from CAS
  ○ AuthN context class w.r.t. MFA
Other/Ongoing work
● Hazelcast Storage Service
  https://github.com/UniconLabs/shibboleth-hazelcast-storage-service
● Duo support for IdP v3
  https://github.com/Unicon/shib-mfa-duo-auth
● IdP v3 powered by Docker
  https://github.com/unicon/shibboleth-idp-dockerized
● User-selectable NameID
Grouper-related progress
● Grouper bug reporting
  ○ …
● Grouper-Demo for Docker
  https://registry.hub.docker.com/u/unicon/grouper-demo
● Grouper ESB AMQP Publisher
  https://github.com/Unicon/grouper-amqp-esb-publisher
● Grouper GoogleApps Provisioner
  ○ Now part of https://github.com/Internet2/grouper
Next Steps
What we do
● Collaborate to maintain current stable recommended releases
● Work towards next releases
● Explore extensions and opportunities
● Responsive to input from subscriber experiences
  ○ Feedback is especially welcome!
  ○ Learn from providing support
  ○ Empathize with your needs and projects
Questions / Discussion
•Misagh Moayyed, [email protected]
•Jonathan (JJ) Johnson, [email protected]
•David Langenberg, [email protected]