
February 13th, 2014 - Unicon IAM Webinar Update

Nov 29, 2014


Misagh Moayyed

Transcript
Page 1: February 13th, 2014 - Unicon IAM Webinar Update

Unicon IAM Update: CAS, Shibboleth, Grouper

13 February 2014

Mike Grady • Misagh Moayyed

Audio is via Adobe Connect. There is no phone dial-in.

Page 2: February 13th, 2014 - Unicon IAM Webinar Update

Welcome to this briefing

• Updates on CAS, Shibboleth and Grouper

• Unicon contributions to CAS, Shibboleth and Grouper

• Unicon's Open Source Support

• Thanks, Q&A

Page 3: February 13th, 2014 - Unicon IAM Webinar Update

Introduction: Mike Grady

• IAM, Shibboleth, CAS, Internet2 Scalable Privacy

• 36 years at University of Illinois before Unicon

• Unicon’s Open Source Support for Shibboleth technical lead

Page 4: February 13th, 2014 - Unicon IAM Webinar Update

Introduction: Misagh Moayyed

• IAM, Shibboleth, CAS, uPortal, uMobile

• 2 years full time with Unicon

• Unicon’s Open Source Support for CAS technical lead

Page 5: February 13th, 2014 - Unicon IAM Webinar Update

This session is being recorded.

• Will post after:

• Slides

• Notes blog post with useful hyperlinks

• Slidecast with audio

Page 6: February 13th, 2014 - Unicon IAM Webinar Update

Observations and Highlights

Page 7: February 13th, 2014 - Unicon IAM Webinar Update

Past Events

• Identity Week, November 11-15 2013: REFEDS, CAMP, ACAMP; Burlingame, CA

• Apereo Camp, January 27-30 2014: CAS, uPortal, OpenRegistry, Sakai; Mesa, AZ

Page 8: February 13th, 2014 - Unicon IAM Webinar Update

Upcoming Events

• Shibboleth Workshop Series - March 24-25, Durham, NC

• Internet2 Global Summit - April 6-10, Denver, CO

• Open Apereo 2014 - June 1-4, Miami, FL

• Internet2 Technology Exchange - Oct 26-30, Indianapolis, IN

Page 9: February 13th, 2014 - Unicon IAM Webinar Update

Highlights About CAS

Page 10: February 13th, 2014 - Unicon IAM Webinar Update

CAS4

• RC3 released. To RC4 and beyond...

• APIs to support MFA use cases

• Password policy improvements

• CAS documentation revamp; See http://jasig.github.io/cas

Page 11: February 13th, 2014 - Unicon IAM Webinar Update

CAS4 - Documentation

Page 12: February 13th, 2014 - Unicon IAM Webinar Update

Highlights About Shibboleth

Page 13: February 13th, 2014 - Unicon IAM Webinar Update

Shibboleth

• IdP v3 development in progress; https://wiki.shibboleth.net/confluence/display/DEV/IdP3Details

• Community news at http://shibboleth.net/community/news

• Latest versions: IdP v2.4.0, SP v2.5.3

Page 14: February 13th, 2014 - Unicon IAM Webinar Update

Identity Provider v3

• Release Goals:

• Support extensions (i.e. uApprove) within profiles

• Improve “rough spots” in the API

• V2 protocol interoperable; API-incompatible https://wiki.shibboleth.net/confluence/display/IDP30/Software+Design

• Q3 Fall 2014 release is planned

Page 15: February 13th, 2014 - Unicon IAM Webinar Update

Multi-Context Broker

https://github.com/Internet2/Shibboleth-Multi-Context-Broker

• IdP “LoginHandler” to orchestrate among multiple authentication contexts, including MFA.

• Provide support for InCommon Assurance initiative

• Pluggable authentication modules

• V1.0.0 is now available

Page 16: February 13th, 2014 - Unicon IAM Webinar Update

Highlights About Grouper

Page 17: February 13th, 2014 - Unicon IAM Webinar Update

Grouper v2.2

http://goo.gl/5LrGAR

• Release expected by late Spring

• Services in Grouper

• Ability to write SCIM

• Improved Grouper configuration

• ...and...

Page 18: February 13th, 2014 - Unicon IAM Webinar Update

New Grouper UI!

http://grouper-ui.uchicago.edu/hifi

Page 19: February 13th, 2014 - Unicon IAM Webinar Update

Highlights About Unicon Participation in CAS, Shibboleth and Grouper

Page 20: February 13th, 2014 - Unicon IAM Webinar Update

Open Source Support

• Support for open source software as adopted by the community

• Unicon collaborates to maintain the supported open source software, making it more supportable and valuable to subscribers

• “Act in the best interests of the subscribers, of the community, and of Unicon”

Page 21: February 13th, 2014 - Unicon IAM Webinar Update

CAS-related progress

Page 22: February 13th, 2014 - Unicon IAM Webinar Update

CAS

• Password policy improvements

• Attributes in the CAS response

Page 23: February 13th, 2014 - Unicon IAM Webinar Update

cas-addons

• https://github.com/Unicon/cas-addons

• Latest available release: 1.10

• New extensions:

• Hazelcast ticket registry

• Dynamic login view selection

• Request-based ticket expiration policy

• …

Page 24: February 13th, 2014 - Unicon IAM Webinar Update

cas-addons - HazelcastTicketRegistry

Page 25: February 13th, 2014 - Unicon IAM Webinar Update

UniconLabs

https://github.com/UniconLabs

• cas-strap

• cas-sso-sessions-report

• service-registry-pattern-tester

• ...

Page 26: February 13th, 2014 - Unicon IAM Webinar Update

Shibboleth-related progress

Page 27: February 13th, 2014 - Unicon IAM Webinar Update

Shib-CAS authenticator v2

• https://github.com/UniconLabs/shib-cas-authn2

• CAS “LoginHandler” for Shibboleth IdP v2.x

• Simpler, externalized configuration

• No context-sharing requirement

• Communicate the “entityId” to CAS

• Currently in BETA status

Page 28: February 13th, 2014 - Unicon IAM Webinar Update

Shib-CAS authenticator v2

Page 29: February 13th, 2014 - Unicon IAM Webinar Update

CAS-Shibboleth: Integration possibilities

• Shib-CAS-authenticator v2 combined with Multi-Context broker?

• CAS attributes to supplement the IdP's authentication context?

• CAS to resolve/release attributes to the IdP?

...reduce duplicate configuration and overhead

Page 30: February 13th, 2014 - Unicon IAM Webinar Update

Shib-Config-UI

• https://github.com/UniconLabs/shib-config-ui

• Web interface to explore the configuration:

• What attributes are released to this SP?

• What is the SSO session length?

• Further UI enhancements and features planned

Page 31: February 13th, 2014 - Unicon IAM Webinar Update

Future work

• In discussion with developer community to find more ways to assist

• Finalizing Tomcat7 DTA-SSL

• Particular missing features you need?

Page 32: February 13th, 2014 - Unicon IAM Webinar Update

Grouper-related progress

Page 33: February 13th, 2014 - Unicon IAM Webinar Update

AuthZ Connectors

• Grouper & Apache Shiro

• Grouper & Spring Security

• Grouper & .NET Framework

• Grouper & Person Directory

• Grouper & OAuth w/ CAS

https://spaces.internet2.edu/display/Grouper/Unicon+Grouper+Contributions

Page 34: February 13th, 2014 - Unicon IAM Webinar Update

More potential

• Additional authZ connectors?

• CAS-SSO for Grouper?

• Grouper & uPortal: Roles and Permissions?

Page 35: February 13th, 2014 - Unicon IAM Webinar Update

Next Steps

Page 36: February 13th, 2014 - Unicon IAM Webinar Update

What we do

• Collaborate to maintain current stable recommended releases

• Work towards next releases

• Explore extensions and opportunities

• Responsive to inputs from subscriber experiences

• Explicit requests

• Learn from providing support

• Empathize with your needs and projects

Page 37: February 13th, 2014 - Unicon IAM Webinar Update

Feedback welcome

• Subscribers are welcome and encouraged to get in touch directly if you’d like any of this information contextualized to your specific situation, e.g., “Should I upgrade to the next release of shib-cas-authenticator?”

• By all means, do get in touch.

Page 38: February 13th, 2014 - Unicon IAM Webinar Update

Let’s do this again.

• Next Unicon IAM Update:

• Thursday June 19th 2014

• 12 PM MST

Page 39: February 13th, 2014 - Unicon IAM Webinar Update

Questions / Discussion via Adobe Connect chat?

• Mike Grady, Support for Shibboleth Technical Lead [email protected]

• Misagh Moayyed, Support for CAS Technical Lead [email protected]

Page 40: February 13th, 2014 - Unicon IAM Webinar Update

(License)

This work is licensed under the Creative Commons Attribution-NonCommercial 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/3.0/us/.

Page 41: February 13th, 2014 - Unicon IAM Webinar Update

Photo credits

• Personal photos of Mike, and Misagh: all rights reserved.

• Microphone: http://www.flickr.com/photos/deanhp/3711222265/ (http://creativecommons.org/licenses/by/2.0/deed.en)