�ݺ�ߣ

Unicon IAM Update
CAS, Shibboleth, Grouper
13 February 2014
Mike Grady • Misagh Moayyed

Audio is via Adobe Connect.
There is no phone dial-in.

Welcome to this
briefing
• Updates on CAS, Shibboleth and Grouper
• Unicon contributions to CAS, Shibboleth and
Grouper

• Unicon's Open Source Support
• Thanks, Q&A

Introduction:
Mike Grady
•

IAM, Shibboleth, CAS,
Internet2 Scalable Privacy

•

36 years at University of
Illinois before Unicon

•

Unicon’s Open Source
Support for Shibboleth
technical lead

Introduction:
Misagh Moayyed
•

IAM, Shibboleth, CAS,
uPortal, uMobile

•

2 years full time with
Unicon

•

Unicon’s Open Source
Support for CAS
technical lead

This session is being
recorded.
•

Will post after:

•
•

�ݺ�ߣs

•

�ݺ�ߣcast with audio

Notes blog post with
useful hyperlinks

Past Events
• Identity Week, November 11-15 2013: REFEDS,
CAMP, ACAMP
Burlingame, CA

• Apereo Camp, January 27-30 2014:
CAS, uPortal, OpenRegistry, Sakai
Mesa, AZ

Upcoming Events
• Shibboleth Workshop Series - March 24-25
Durham, NC

• Internet2 Global Summit - April 6-10
Denver, CO

• Open Apereo 2014 - June 1-4
Miami, FL

• Internet2 Technology Exchange – Oct 26-30
Indianapolis, IN

CAS4
• RC3 released. To RC4 and beyond...
• APIs to support MFA use cases
• Password policy improvements
• CAS documentation revamp;
See http://jasig.github.io/cas

Shibboleth
• IdP v3 development in progress;
https://wiki.shibboleth.net/confluence/display/DEV/IdP3Details
• Community news at http://shibboleth.net/community/news
• Latest versions: IdP v2.4.0, SP v2.5.3

Identity Provider v3
• Release Goals:
• Support extensions (i.e uApprove) within profiles
• Improve “rough spots” in the API
• V2 protocol interoperable; API-incompatible
https://wiki.shibboleth.net/confluence/display/IDP30/Software+Design
• Q3 Fall 2014 release is planned

Multi-Context Broker

https://github.com/Internet2/Shibboleth-Multi-Context-Broker

• IdP “LoginHandler” to orchestrate among multiple
authentication contexts, including MFA.

• Provide support for InCommon Assurance initative
• Pluggable authentication modules
• V1.0.0 is now available

Grouper v2.2
http://goo.gl/5LrGAR

• Release expected by late Spring
• Services in Grouper
• Ability to write SCIM
• Improved Grouper configuration
• ...and...

New Grouper UI!
http://grouper-ui.uchicago.edu/hifi

Highlights About Unicon
Participation in CAS,
Shibboleth and Grouper

Open Source Support
• Support for open source software as adopted
by the community

• Unicon collaborates to maintain the supported
open source software making it more
supportable and valuable to subscribers

• “Act in the best interests of the subscribers, of the
community, and of Unicon”

CAS
• Password policy improvements
• Attributes in the CAS response

cas-addons
• https://github.com/Unicon/cas-addons
• Latest available release: 1.10
• New extensions:
• Hazelcast ticket registry
• Dynamic login view selection
• Request-based ticket expiration policy
•…

cas-addons HazelcastTicketRegistry

UniconLabs
https://github.com/UniconLabs

• cas-strap
• cas-sso-sessions-report
• service-registry-pattern-tester
• ...

Shib-CAS authenticator
v2
•
•
•
•
•
•

https://github.com/UniconLabs/shib-cas-authn2
CAS “LoginHandler” for Shibboleth Idp v2.x
Simpler, externalized configuration
No context-sharing requirement
Communicate the “entityId” to CAS
Currently in BETA status

CAS-Shibboleth:
Integration possibilities
•

Shib-CAS-authenticator v2 combined with Multi-Context
broker?

•

CAS attributes to supplement the IdP's authentication
context?

•

CAS to resolve/release attributes to the IdP?


...reduce duplicate configuration and overhead

Shib-Config-UI
•
•
•

https://github.com/UniconLabs/shib-config-ui
Web interface to explore the configuration:

•
•

What attributes are released to this SP?
What is the SSO session length?

Further UI enhancements and features planned

Future work
• In discussion with developer community to
find more ways to assist

• Finalizing Tomcat7 DTA-SSL
• Particular missing features you need?

AuthZ Connectors
• Grouper & Apache Shiro
• Grouper & Spring Security
• Grouper & .NET Framework
• Grouper & Person Directory
• Grouper & OAuth w/ CAS
https://spaces.internet2.edu/display/Grouper/Unicon+Grouper+Contributions

More potential
• Additional authZ connectors?
• CAS-SSO for Grouper?
• Grouper & uPortal: Roles and Permissions?

What we do

•

Collaborate to maintain current stable
recommended releases

•
•
•

Work towards next releases
Explore extensions and opportunities
Responsive to inputs from subscriber experiences

•
•
•

Explicit requests
Learn from providing support
Empathize with your needs and projects

Feedback welcome
• Subscribers are welcome encouraged to get in
touch directly if you’d like any of this
information contextualized to your specific
situation. E.g., Should I upgrade to the next
release of shib-cas-authenticator?

• By all means, do get in touch.

Let’s do this again.
•

Next Unicon IAM Update:

•
•

Thursday June 19th 2014
12 PM MST

Questions / Discussion
via Adobe Connect chat?
• Mike Grady,

Support for Shibboleth Technical Lead
mgrady@unicon.net

• Misagh Moayyed,

Support for CAS Technical Lead
mmoayyed@unicon.net

(License)
This work is licensed under the Creative
Commons Attribution-NonCommercial 3.0
United States License. To view a copy of this
license, visit
http://creativecommons.org/licenses/bync/3.0/us/.

�ݺ�ߣ

2014 Q4 IAM Open Source Support Program Update

More Related Content

2014 Q4 IAM Open Source Support Program Update

Editor's Notes