Power Point - Jasig

5 Feb 2013

CAS Lightning Talk

Jasig-Sakai 2012

Tuesday June 12th 2012

Atlanta, GA


Andrew Petro

Unicon, Inc.

What is CAS, anyway?

CAS is open source single sign-on for the Web

Modify applications to rely upon CAS to authenticate
the user

Good features

Pluggable, flexible, and malleable

a toolkit for building your institutional login experience

Simple CAS protocol and client libraries

n-tier delegated authentication

password replay still possible if you really want it

CAS is simple

Example: CAS doesn’t want to *be* your store of
credentials, your account management system, your
attribute repository.

It wants to leverage your IdM infrastructure to broker
Web logins

Kinds of credentials CAS supports:

passwords (bind against LDAP, in a database, ...)

x.509 certificates

OAuth

...

Spring Web Flow

Spring Web Flow is useful for adding:

Acceptable Use Policy acceptance prompt

stale / expired password warning / enforcement

nuanced authentication error messaging / handling

coarse grained access control

target-application-specific handling

...

Lots of integration libraries

Java / Java Servlet Filter / Spring Security / Apache
Shiro / Tomcat

Apache module

.NET

PHP

Perl

Ruby

PAM module

Python

...

Lots of applications with available CAS support

uPortal

Sakai

Drupal

Wordpress

Liferay

Blackboard

...

Lots of adopting institutions

Unclear how many.

http://millionshort.com/search.php?q=Jasig+CAS&remove=1000k

Community (via Jasig)

email lists

wiki and issue tracker

source control (now on GitHub)

this conference

...

Implement using a Maven overlay

Factor your CAS implementation as a pom.xml
dependency declaration, local configuration, and local
customizations

CAS distribution + your dependencies + your changes
+ your configuration = your CAS implementation

CAS 3.5 - what's new

3.5 “minor” release

Incur some upgrade pain on 3.4 to 3.5

In exchange for new functionality and improvements

Themes

Theme 1: extensions coming into CAS product

Theme 2: incremental honing and maturity

Theme 1: Extensions coming into CAS product

LPPE - LDAP password / account status reflection

ClearPass - optional password caching and selective,
secure release

EhCache Ticket Registry - another option for ticket
state clustering

OAuth2 producer and consumer support - more ways
to authenticate users to CAS and to integrate with
CAS in relying applications

LPPE - LDAP account status reflection

Why is authentication against LDAP (Active Directory)
failing?

Password wrong?

Account is locked?

Other error code?

Now error codes are reflected in the UI.

Initially integrates with Active Directory, with potential
for more error mappings

ClearPass

optional password caching and selective, secure
password release to relying applications

This was a separate CAS extension, now drawn into
the core CAS product

Off by default; several steps are required to turn on this
feature.

Why do I need ClearPass?

Why else do I need ClearPass?

Outlook Web Application CASification?

WebAdvisor CASification?

It's a tool. You may need it. You may be able to
avoid it. Try to avoid it.

Do I have to cache and release passwords?

Absolutely not.

Off by default. Very.

But it is now easier to turn on, with less messing around
with Maven and dependency conflict resolution.

EhCache Ticket Registry

Another option for clustering ticket registry state
among clustered CAS server nodes

Bridges from the CAS TicketRegistry API to EhCache

Options within EhCache for implementing and
replicating that cache:

RMI

Terracotta

OAuth Producer and Consumer support

and improved OpenID support

Choose to login via OAuth

Login at e.g. GitHub

Validating the ticket

Theme 2: Incremental honing and maturity

Regular expressions in service registration matching *

Better SSO session expiration policy *

Improved properties handling

Improved health monitoring

Upgrades to dependencies, Spring framework
version, etc.

* = also in later / latest CAS 3.4.x release

SSO session expiration policy

(“TicketGrantingTicket” expiration policy)

Set both a hard timeout

And a sliding window idle timeout
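The slides above describe three mechanisms without showing them working together: the simple CAS protocol (a service ticket issued at login and validated by the relying application), regular-expression matching of registered services, and the CAS 3.5 TicketGrantingTicket expiration policy with both a hard timeout and a sliding idle window. The following is an added toy model of that exchange written for this page; it is not CAS code and its class names, the sample credential and the example.edu service URLs are all constructed. It issues one-time service tickets bound to the service they were requested for, answers a /serviceValidate-style request with the CAS 2.0 XML response format, and refuses to grant tickets once the SSO session has exceeded either timeout.

```python
"""Toy CAS 2.0 login/validate exchange with a regex service registry and a
TGT expiration policy.  Added example for illustration, not Jasig CAS code."""
import re
import secrets
import xml.etree.ElementTree as ET
from dataclasses import dataclass

CAS_NS = "http://www.yale.edu/tp/cas"   # namespace used by real CAS 2.0 responses
ET.register_namespace("cas", CAS_NS)


@dataclass
class TgtExpirationPolicy:
    """Hard cap on session age plus a sliding window refreshed on each use."""
    max_ttl: float        # seconds since the TGT was created (absolute limit)
    idle_timeout: float   # seconds since the TGT was last used

    def is_expired(self, created, last_used, now):
        return (now - created) > self.max_ttl or (now - last_used) > self.idle_timeout


@dataclass
class TicketGrantingTicket:
    id: str
    user: str
    created: float
    last_used: float


class ServiceRegistry:
    """Registered services expressed as anchored regular expressions."""
    def __init__(self, patterns):
        # A pattern such as r"^https?://.*" would register *every* service,
        # so anchor each pattern to the host you actually mean.
        self._patterns = [re.compile(p) for p in patterns]

    def is_allowed(self, service):
        return any(p.match(service) for p in self._patterns)


def _response(user=None, code=None, message=None):
    root = ET.Element(f"{{{CAS_NS}}}serviceResponse")
    if user is not None:
        ok = ET.SubElement(root, f"{{{CAS_NS}}}authenticationSuccess")
        ET.SubElement(ok, f"{{{CAS_NS}}}user").text = user
    else:
        ET.SubElement(root, f"{{{CAS_NS}}}authenticationFailure", code=code).text = message
    return ET.tostring(root, encoding="unicode")


class CasServer:
    def __init__(self, registry, policy):
        self.registry, self.policy = registry, policy
        self.tgts = {}     # TGT id -> TicketGrantingTicket
        self.sts = {}      # service ticket id -> (user, service it was issued for)

    def login(self, user, password, now):
        # Credential checking is delegated to the IdM (LDAP etc.); stubbed here.
        if password != "correct horse":   # constructed sample credential
            return None
        tgt = TicketGrantingTicket("TGT-" + secrets.token_urlsafe(16), user, now, now)
        self.tgts[tgt.id] = tgt
        return tgt.id

    def grant_service_ticket(self, tgt_id, service, now):
        tgt = self.tgts.get(tgt_id)
        if tgt is None or self.policy.is_expired(tgt.created, tgt.last_used, now):
            self.tgts.pop(tgt_id, None)          # expired SSO session: forget it
            return None
        if not self.registry.is_allowed(service):
            return None                          # unregistered relying application
        tgt.last_used = now                      # use refreshes the sliding window
        st = "ST-" + secrets.token_urlsafe(16)
        self.sts[st] = (tgt.user, service)
        return st

    def service_validate(self, service, ticket):
        """Like /serviceValidate: the ticket is single-use and service-bound."""
        entry = self.sts.pop(ticket, None)
        if entry is None:
            return _response(code="INVALID_TICKET", message="ticket not recognized")
        user, issued_for = entry
        if issued_for != service:
            return _response(code="INVALID_SERVICE", message="ticket issued for another service")
        return _response(user=user)


def client_parse_validation(xml_text):
    """Relying-application side: returns (user, None) or (None, failure code)."""
    root = ET.fromstring(xml_text)
    ok = root.find(f"{{{CAS_NS}}}authenticationSuccess")
    if ok is not None:
        return ok.findtext(f"{{{CAS_NS}}}user"), None
    return None, root.find(f"{{{CAS_NS}}}authenticationFailure").get("code")


def run_demo():
    registry = ServiceRegistry([r"^https://portal\.example\.edu/.*",
                                r"^https://sakai\.example\.edu(/.*)?$"])
    cas = CasServer(registry, TgtExpirationPolicy(max_ttl=8 * 3600, idle_timeout=2 * 3600))
    t0, portal = 1_000_000.0, "https://portal.example.edu/Login"
    tgt = cas.login("apetro", "correct horse", t0)
    st = cas.grant_service_ticket(tgt, portal, t0 + 1)
    results = {"first_validate": client_parse_validation(cas.service_validate(portal, st)),
               "replay": client_parse_validation(cas.service_validate(portal, st))}
    st2 = cas.grant_service_ticket(tgt, portal, t0 + 2)
    results["wrong_service"] = client_parse_validation(
        cas.service_validate("https://other.example.net/", st2))
    results["unregistered"] = cas.grant_service_ticket(tgt, "https://unlisted.example.edu/", t0 + 3)
    # Using the session once an hour keeps the idle window open ...
    results["kept_alive_by_use"] = all(
        cas.grant_service_ticket(tgt, portal, t0 + h * 3600) is not None for h in range(1, 8))
    # ... but the hard cap still ends the session after 8 hours.
    results["hard_cap"] = cas.grant_service_ticket(tgt, portal, t0 + 8 * 3600 + 1)
    idle_tgt = cas.login("apetro", "correct horse", t0)
    results["idle_expired"] = cas.grant_service_ticket(idle_tgt, portal, t0 + 2 * 3600 + 1) is None
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Two points the model makes concrete: a service ticket is consumed on first validation, so a replayed ticket fails with INVALID_TICKET rather than yielding a second login, and the ticket is bound to the `service` value it was requested for, so a ticket presented with a different `service` fails with INVALID_SERVICE. The registry shows why the 3.5 regex matching needs anchored patterns: the comment in `ServiceRegistry` is the check to make before registering a pattern.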

Improved properties handling

More in cas.properties

Sensible defaults optionally overridden by
cas.properties (set what you change)

Easier to put cas.properties outside of the .war

Logging configuration file location set in
cas.properties

(Those were all old, actually.)

The incremental feature in CAS 3.5 is additional health
monitoring, suitable for targeting with an automated
probe.

Contact information

Andrew Petro

apetro@unicon.net

http://www.unicon.net/blog/apetro

http://www.unicon.net/contact