Unicon IAM Update CAS, Shibboleth, Grouper 13 February 2014 Mike Grady • Misagh Moayyed Audio is via Adobe Connect. There is no phone dial-in.
Nov 29, 2014
Welcome to this briefing
• Updates on CAS, Shibboleth and Grouper
• Unicon contributions to CAS, Shibboleth and Grouper
• Unicon's Open Source Support
• Thanks, Q&A
Introduction: Mike Grady
• IAM, Shibboleth, CAS, Internet2 Scalable Privacy
• 36 years at University of Illinois before Unicon
• Unicon’s Open Source Support for Shibboleth technical lead
Introduction: Misagh Moayyed
• IAM, Shibboleth, CAS, uPortal, uMobile
• 2 years full time with Unicon
• Unicon’s Open Source Support for CAS technical lead
This session is being recorded.
• Will post after:
• Slides
• Notes blog post with useful hyperlinks
• Slidecast with audio
Observations and Highlights
Past Events
• Identity Week, November 11-15 2013: REFEDS, CAMP, ACAMP; Burlingame, CA
• Apereo Camp, January 27-30 2014: CAS, uPortal, OpenRegistry, Sakai; Mesa, AZ
Upcoming Events
• Shibboleth Workshop Series - March 24-25; Durham, NC
• Internet2 Global Summit - April 6-10; Denver, CO
• Open Apereo 2014 - June 1-4; Miami, FL
• Internet2 Technology Exchange - Oct 26-30; Indianapolis, IN
Highlights About CAS
CAS4
• RC3 released. To RC4 and beyond...
• APIs to support MFA use cases
• Password policy improvements
• CAS documentation revamp; see http://jasig.github.io/cas
CAS4 - Documentation
Highlights About Shibboleth
Shibboleth
• IdP v3 development in progress; https://wiki.shibboleth.net/confluence/display/DEV/IdP3Details
• Community news at http://shibboleth.net/community/news
• Latest versions: IdP v2.4.0, SP v2.5.3
Identity Provider v3
• Release Goals:
• Support extensions (i.e. uApprove) within profiles
• Improve “rough spots” in the API
• V2 protocol interoperable; API-incompatible https://wiki.shibboleth.net/confluence/display/IDP30/Software+Design
• Q3 Fall 2014 release is planned
Multi-Context Broker https://github.com/Internet2/Shibboleth-Multi-Context-Broker
• IdP “LoginHandler” to orchestrate among multiple authentication contexts, including MFA.
• Provide support for InCommon Assurance initiative
• Pluggable authentication modules
• V1.0.0 is now available
Highlights About Grouper
Grouper v2.2 http://goo.gl/5LrGAR
• Release expected by late Spring
• Services in Grouper
• Ability to write SCIM
• Improved Grouper configuration
• ...and...
New Grouper UI! http://grouper-ui.uchicago.edu/hifi
Highlights About Unicon Participation in CAS, Shibboleth and Grouper
Open Source Support
• Support for open source software as adopted by the community
• Unicon collaborates to maintain the supported open source software, making it more supportable and valuable to subscribers
• “Act in the best interests of the subscribers, of the community, and of Unicon”
CAS-related progress
CAS
• Password policy improvements
• Attributes in the CAS response
cas-addons
• https://github.com/Unicon/cas-addons
• Latest available release: 1.10
• New extensions:
• Hazelcast ticket registry
• Dynamic login view selection
• Request-based ticket expiration policy
• …
cas-addons - HazelcastTicketRegistry
UniconLabs https://github.com/UniconLabs
• cas-strap
• cas-sso-sessions-report
• service-registry-pattern-tester
• ...
Shibboleth-related progress
Shib-CAS authenticator v2
• https://github.com/UniconLabs/shib-cas-authn2
• CAS “LoginHandler” for Shibboleth IdP v2.x
• Simpler, externalized configuration
• No context-sharing requirement
• Communicate the “entityId” to CAS
• Currently in BETA status
CAS-Shibboleth: Integration possibilities
• Shib-CAS-authenticator v2 combined with Multi-Context broker?
• CAS attributes to supplement the IdP's authentication context?
• CAS to resolve/release attributes to the IdP?
...reduce duplicate configuration and overhead
Shib-Config-UI
• https://github.com/UniconLabs/shib-config-ui
• Web interface to explore the configuration:
• What attributes are released to this SP?
• What is the SSO session length?
• Further UI enhancements and features planned
Future work
• In discussion with developer community to find more ways to assist
• Finalizing Tomcat7 DTA-SSL
• Particular missing features you need?
Grouper-related progress
AuthZ Connectors
• Grouper & Apache Shiro
• Grouper & Spring Security
• Grouper & .NET Framework
• Grouper & Person Directory
• Grouper & OAuth w/ CAS
https://spaces.internet2.edu/display/Grouper/Unicon+Grouper+Contributions
More potential
• Additional authZ connectors?
• CAS-SSO for Grouper?
• Grouper & uPortal: Roles and Permissions?
Next Steps
What we do
• Collaborate to maintain current stable recommended releases
• Work towards next releases
• Explore extensions and opportunities
• Responsive to inputs from subscriber experiences
• Explicit requests
• Learn from providing support
• Empathize with your needs and projects
Feedback welcome
• Subscribers are welcome and encouraged to get in touch directly if you’d like any of this information contextualized to your specific situation, e.g., "Should I upgrade to the next release of shib-cas-authenticator?"
• By all means, do get in touch.
Let’s do this again.
• Next Unicon IAM Update:
• Thursday June 19th 2014
• 12 PM MST
Questions / Discussion via Adobe Connect chat?
• Mike Grady, Support for Shibboleth Technical Lead [email protected]
• Misagh Moayyed, Support for CAS Technical Lead [email protected]
(License)
This work is licensed under the Creative Commons Attribution-NonCommercial 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/3.0/us/.
Photo credits
• Personal photos of Mike, and Misagh: all rights reserved.
• Microphone: http://www.flickr.com/photos/deanhp/3711222265/ http://creativecommons.org/licenses/by/2.0/deed.en