CAS IU Presentation

To CAS 3 and Beyond: The Story of a CAS Upgrade. Nubli Kasa ([email protected]), Misagh Moayyed ([email protected])

Transcript of CAS IU Presentation

Page 1: CAS IU Presentation

To CAS 3 and Beyond:

The Story of a CAS Upgrade

Nubli Kasa

[email protected]

Misagh Moayyed

[email protected]

Page 2: CAS IU Presentation

Agenda

Introduction

Environment Overview

Functional Requirements

Features Overview

Demo

Development Workflow

Discussion & Questions

Open Apereo - June 1-4 2014

Page 3: CAS IU Presentation

Introduction: Nubli Kasa

Lead Systems Analyst Programmer at Identity Management Systems

With Indiana University for 6 years

Technical lead for the project; responsible for managing CAS and Shibboleth deployments

Page 4: CAS IU Presentation

Introduction: Misagh Moayyed

IAM Consultant @ Unicon

3 years with Unicon; 5 years with Jasig/Apereo

Unicon’s technical lead for the project

Page 5: CAS IU Presentation

Current Environment

Current CAS based on Yale CAS v2

Diverged from Apereo CAS in many ways

Utilizes large set of AppCodes

◦ Authentication request type, authorization, …

StepUp Authentication; Staff @ admin permissions

Challenges in meeting business needs have led to many large and small CAS changes.

Page 6: CAS IU Presentation

Functional Requirements

Upgrade to CAS 3.5.2

Design and Implementation of AppCodes

◦ Dynamic UI Rendering

◦ AppCode Validation vs. StepUp AuthN

Primary AuthN via Jaas & Krb

StepUp AuthN via RADIUS

Protocol extension; Support for IUCAS

Active-Active HA Deployment with EhCache

Page 7: CAS IU Presentation

What is an AppCode?

Token to describe the requesting app

◦ What theme to use?

◦ What authentication methods to allow?

Analogous yet parallel to service registry

Grouped by 4 primary AppCodes

◦ IU, GUEST, SAFEWORD, ANY

Recognize changes automatically

Page 8: CAS IU Presentation

AppCodeRegistry

Page 9: CAS IU Presentation

Dynamic Theme Selection

AppCode groups can specify themes

AppCodeResourceViewResolver

Page 10: CAS IU Presentation

Primary AuthN: Jaas & Krb

Jaas.conf:

Krb5.conf:

Problem: how do we tie realms to KDCs?!

Page 11: CAS IU Presentation

New JaasAuthenticationHandler

No Krb5.conf; System Props instead:

◦ java.security.krb5.realm

◦ java.security.krb5.kdc

Let CAS pick Realms and KDCs!

Page 12: CAS IU Presentation

StepUp RADIUS AuthN Config

Additional properties for NAS settings

Page 13: CAS IU Presentation

StepUp AuthN via RADIUS

Primarily based on the @cas-mfa codebase:

◦ https://github.com/Unicon/cas-mfa

Initiated by SAFEWORD AppCode

CAS remembers a single AppCode; knows its relationship to other AppCodes

Page 14: CAS IU Presentation

StepUp AuthN Rules

Depending on credentials, ANY can be either IU or GUEST!

Page 15: CAS IU Presentation

CAS Protocol Extensions

IU CAS Protocol    CAS Protocol Equivalent
cassvc             ${appcode:IU}
casurl             service
casticket          ticket

CAS Validation Response:
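The StepUp rules (ANY resolving to IU or GUEST by credential, CAS remembering one AppCode and its relationship to the others) and the cassvc default above, worked through as an added illustration that is not IU's or CAS's own code. The registry entries, the credential types, and the "SAFEWORD satisfies IU" and "ANY is satisfied by IU or GUEST" relationships are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed registry: app-specific AppCode -> one of the 4 primary AppCodes.
APPCODE_REGISTRY = {
    "IU": "IU", "GUEST": "GUEST", "SAFEWORD": "SAFEWORD", "ANY": "ANY",
    "portal": "IU", "visitor-wifi": "GUEST", "payroll": "SAFEWORD", "wiki": "ANY",
}
# Assumed relationships: a session remembered as SAFEWORD (Kerberos + RADIUS
# step-up) also satisfies IU; ANY is satisfied by either an IU or a GUEST session.
SATISFIED_BY = {
    "IU": {"IU", "SAFEWORD"},
    "GUEST": {"GUEST"},
    "SAFEWORD": {"SAFEWORD"},
    "ANY": {"IU", "GUEST", "SAFEWORD"},
}
# Assumed credential types each primary AppCode accepts for primary AuthN.
ALLOWED_CREDENTIALS = {
    "IU": {"kerberos"}, "GUEST": {"guest"},
    "SAFEWORD": {"kerberos"}, "ANY": {"kerberos", "guest"},
}

@dataclass
class SsoSession:
    remembered: Optional[str] = None  # the single AppCode CAS remembers

def requested_appcode(params: dict) -> str:
    """Legacy IU 'cassvc' request parameter, defaulting to IU as in ${appcode:IU}."""
    return params.get("cassvc", "IU")

def decide(appcode: str, session: SsoSession) -> str:
    """SATISFIED, STEPUP_RADIUS, PRIMARY_AUTHN, or REJECT for an unknown AppCode."""
    group = APPCODE_REGISTRY.get(appcode)
    if group is None:
        return "REJECT"  # unknown AppCode: fail closed instead of picking a default
    if session.remembered in SATISFIED_BY[group]:
        return "SATISFIED"
    if group == "SAFEWORD" and session.remembered == "IU":
        return "STEPUP_RADIUS"  # primary AuthN done; SafeWord token still required
    return "PRIMARY_AUTHN"

def remember_after_primary(group: str, credential_type: str) -> str:
    """AppCode to remember once primary AuthN succeeds; ANY resolves by credential."""
    if credential_type not in ALLOWED_CREDENTIALS[group]:
        raise PermissionError(f"{credential_type} not allowed for {group}")
    if group == "ANY":
        return "IU" if credential_type == "kerberos" else "GUEST"
    return "IU" if group == "SAFEWORD" else group  # SAFEWORD only after RADIUS succeeds
```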

Page 16: CAS IU Presentation

EhCacheTicketRegistry

Distributed cache across live nodes

Replication via Java RMI; Manual discovery

Two separate caches for STs and TGTs

No need for ticket registry cleaners!

Simple setup; No external process required

Page 17: CAS IU Presentation

EhCache Replication

RMI replication & manual peer discovery

Specify “other” nodes in the cluster

Page 18: CAS IU Presentation

Discoverable Host Names

Single cas.properties file for all nodes

Discover ${host.name} automatically

Page 19: CAS IU Presentation

Demo

Page 20: CAS IU Presentation

Development Workflow

BitBucket Git repository; Code + Docs

Real-time issue tracking & collaboration

Automated deployment via Jenkins CI


Page 21: CAS IU Presentation

Questions?

Open Apereo - June 1-4 2014

Nubli Kasa

[email protected]

Misagh Moayyed

[email protected]