2016 09-15 unicon-iam-update
Download as pptx, pdf0 likes642 views
This document provides information about an upcoming webinar on September 15, 2016 at 11am PT hosted by Unicon on CAS, Shibboleth, and Grouper. The webinar will include presentations from Mike Grady on Shibboleth, Dmitriy Kopylenko on CAS, and John Gasper on Grouper, with questions to follow. Details are provided on joining the webinar via Zoom or telephone. Information is also given on recent and upcoming identity and access management events, trends in the field, and Unicon's contributions to various open source identity projects.
2016 09-15 unicon-iam-update
- 1. Unicon IAM Webinar CAS, Shibboleth, Grouper 15 September 2016 - 11am Pacific Time (PT) Mike Grady Dmitriy Kopylenko John Gasper Join from PC, Mac, Linux, iOS or Android: https://unicon.zoom.us/j/588322739 Or iPhone one-tap (US Toll): +16465588656,588322739# or +14086380968,588322739# Or Telephone: Dial: +1 646 558 8656 (US Toll) or +1 408 638 0968 (US Toll) Meeting ID: 588 322 739
- 2. Welcome Community updates Unicon contributions Q&A
- 3. Presenters Mike Grady Shibboleth IDP | Shibboleth SP Dmitriy Kopylenko CAS John Gasper Grouper Charise Arrowood MC
- 5. OpenID Connect Workshop: 22-23, 24-25 Feb 2016 in Denver, CO Open Apereo Conference: 22-25 May 2016 in NYC 2016 Internet2 Global Summit: 1518 May, Chicago, IL Past Events
- 6. Internet2 2016 Technology Exchange: 25-29 Sept, Miami, FL EDUCAUSE 2016 Annual Conference: 25-28 Oct, Anaheim, CA InCommon Shibboleth Workshop: 27-28 Oct, Long Beach, CA 2017 Internet2 Global Summit: 2326 Apr, Washington, DC 2017 Open Apereo: 4-8 June, Philadelphia, PA Upcoming Events
- 7. IAM Trends MFA for Shibboleth, CAS Risk-based Adaptive AuthN OpenID Connect TIER: Packaging, APIs, Person Registry, ... SAML Integrations w/ O365 & ADFS Metadata Query (MDQ) Protocol
- 8. IAM Trends IAM in the Cloud Hosted SSO services and more Unicons offering: https://www.unicon.net/solutions/IAM-cloud
- 9. IDP | SP Mike Grady Unicon Contributions
- 10. News Identity Provider V2.4.5, OpenSAML 2.6.6 EOL !!!! V2 full End-Of-Life date was July 31, 2016 2.4.4 was last 2.x minimum safe release Service Provider V2.6.0 Now Available Includes a new version of the Xerces XML parser that addresses Apache Xerces-C XML Parser library versions prior to V3.1.4 security vulnerability
- 11. Shibboleth Versions Latest versions: IdP v3.2.1 (19 Dec 2015) V3.1.1 considered minimum safe release SP v2.6.0 (27 June 2016) v3.2.0 and v3.2.1 released HTML5 local storage SLO: Front channel SAML and CAS SPNEGO authentication Bug fixes
- 12. Now Past End-Of-Life .. How soon that is a significant problem is unknown, could be tomorrow, could be months, but you need to have a plan to upgrade. Shibboleth 2.x Lifetime
- 13. IdP: OpenID Connect https://github.com/uchicago/shibboleth-oidc Authorization/Implicit Flow Dynamic Discovery Standard/Custom claims Certified by OpenID foundation for University of Chicago
- 14. Shib-CAS AuthN v3 https://github.com/Unicon/shib-cas-authn3 v3.1.0 Shibboleth IdP v3.X support Fixed encoding on entityId/service parameters. Plan to produce a version where attributes returned from CAS are available to the IdP, and the AuthN Context Class w.r.t MFA. Info from CAS coming back is done, now need a data connector to expose it for use within the IdP
- 15. Other/Ongoing work Hazelcast Storage Service https://github.com/UniconLabs/shibboleth-hazelcast-storage-service Duo Support for IdP v3 https://github.com/Unicon/shib-mfa-duo-auth Shib IdP as a Gradle Overlay https://github.com/UniconLabs/shibboleth-idp-gradle-overlay IdP v3 powered by Docker https://github.com/unicon/shibboleth-idp-dockerized
- 16. Other/Ongoing work Split Authn Support for users coming from 2 different Authentication/Attribute sources in distinct config files, only one or the other used for Authn and Resolver for any given authentication. Easy to hard code attributes based on source (role) chosen. Role choice on Login page. Demo with 2 LDAP servers, but should work with any 2 sources https://github.com/Unicon/ccc-shib-split-authn
- 17. Other/Ongoing work Coming Soon: Symantec VIP MFA Token Authentication OTP Authentication Push Authentication Risk based Authentication Sponsored by the University of Wisconsin - Whitewater Work done, but not yet fully generalized for open source
- 18. Shib IdP v3.3 Next version of Shib IdP due by late 2016 Improvements to logout options and accessibility aspects of such Adding in more built-in support for metadata filtering, more conditionals, etc. New login flow(s) allowing combining factors in what the Shib Dev core team believes will be a more manageable/predictable way
- 19. Shib IdP v3.3 Looks like an out-of-the-box Duo flow will be part of it Unicon will need to determine if our current Duo plugin should be retired or updated for the new version. Or if there are updates to the supplied one that make sense to add Unicon will need to verify and/or modify our other current authentication flow add-ons
- 21. CAS v4.2 v4.2.5 is the current version Dynamic Plug-N-Play module configuration ADFS/WS-FED delegated authN UIs to manage SSO sessions/statistics BASIC, JWT, Shiro, MongoDB, Stormpath authN Couchbase, Ignite, Infinispan ticket registries ABAC via attributes, time, or Grouper See http://jasig.github.io/cas/4.2.x/index.html
- 22. CAS v5.0.0 Tentative release date: October 2016 Current release: 5.0.0.RC1 Major features: MFA via DuoSecurity, RADIUS, YubiKey Risk-based adaptive authN SAML2 Web SSO support OAuth/OIDC support Full internal config re-architecture via Spring Boot Java 8
- 23. Other/Ongoing work Auto config for CAS Java clients https://github.com/Unicon/cas-client-autoconfig-support Delegated SAML authN for CAS 3.5.x https://github.com/UniconLabs/cas-saml-auth Bootstrap CAS via a Gradle overlay: https://github.com/UniconLabs/cas-strap
- 24. Further CAS Resources CAS maintenance policy: https://apereo.github.io/cas/developer/Maintenance- Policy.html Apereo Blog: https://apereo.github.io/
- 26. Grouper v2.3.0 Can run multiple simultaneous Loader/Daemon instances WS: Manage attribute/permission defs; TIER authorization PSP-NG: New Grouper provisioner LDAP and AD connectors built-in Exporting tree to GSH script. Lots of patches: API: 24, UI: 8, WS: 5, PSP-NG: 2
- 27. Other/Ongoing work Internet2 Grouper Dockerized: Composable images/containers https://github.com/Unicon/grouper-dockerized Grouper-Demo for Docker https://hub.docker.com/r/unicon/grouper-demo/ Custom Provisioning Target Form https://github.com/Unicon/grouper-provisioning-target-ui Azure AD (Office 365) Provisioner https://github.com/Unicon/office365-and-azure-ad-grouper- provisioner
- 28. Docker Demo Grouper environment based on the composable images/container
- 29. Questions / Discussion Mike Grady mgrady@unicon.net Dmitry Kopylenko dkopylenko@unicon.net John Gasper jgasper@unicon.net
Editor's Notes
- #3: Unicon's CAS strategy* Participate directly in CAS* Develop open source software on behalf of clients* Inform maintenance development through support. You have to source your support somewhere* In-house staff* Goodwill and engagement of the community* Commercial partner (e.g., Unicon)* (Reality Often combination of these)Unicon's "Cooperative" Support* Cooperates with you, your staff, the community* Support experiences yield improved public documentation* Support-inspired and subscriber-needs-guided open source maintenance development** Directly in and available for adoption with the Jasig CAS softwareThank you to our support subscribers!* Support subscriptions make Unicon maintenance development possible* Support experiences and subscriber input guide Unicon maintenance development towards the worthwhile
- #7: https://www.incommon.org/shibtraining/
- #27: https://spaces.internet2.edu/display/Grouper/Grouper+2.3+Release+Announcement https://spaces.internet2.edu/display/Grouper/v2.3+Release+Notes