To CAS 3 and Beyond:
The Story of a CAS Upgrade
Nubli Kasa
mmohdkas@iu.edu
Misagh Moayyed
mmoayyed@unicon.net
Agenda
Introduction
Environment Overview
Functional Requirements
Features Overview
Demo
Development Workflow
Discussion & Questions
Open Apereo - June 1-4 2014
Introduction: Nubli Kasa
Lead Systems Analyst Programmer at Identity Management Systems
With Indiana University for 6 years
Technical lead for the project; responsible for managing CAS and Shibboleth deployments
Introduction: Misagh Moayyed
IAM Consultant @ Unicon
3 years with Unicon; 5 years with Jasig/Apereo
Unicon's technical lead for the project
Current Environment
Current CAS based on Yale CAS v2
Diverged from Apereo CAS in many ways
Utilizes a large set of AppCodes
◦ Authentication request type, authorization, …
StepUp Authentication; staff @ admin permissions
Challenges to meet business needs have led to many large and small CAS changes.
Functional Requirements
Upgrade to CAS 3.5.2
Design and Implementation of AppCodes
◦ Dynamic UI Rendering
◦ AppCode Validation vs. StepUp AuthN
Primary AuthN via Jaas & Krb
StepUp AuthN via RADIUS
Protocol extension; Support for IUCAS
Active-Active HA Deployment with EhCache
What is an AppCode?
Token to describe the requesting app
◦ What theme to use?
◦ What authentication methods to allow?
Analogous yet parallel to service registry
Grouped by 4 primary AppCodes
◦ IU, GUEST, SAFEWORD, ANY
Recognize changes automatically
AppCodeRegistry
Dynamic Theme Selection
AppCode groups can specify themes
AppCodeResourceViewResolver
Primary AuthN: Jaas & Krb
Jaas.conf:
Krb5.conf:
Problem: how do we tie realms to KDCs?!
New JaasAuthenticationHandler
No Krb5.conf; System Props instead:
◦ java.security.krb5.realm
◦ java.security.krb5.kdc
Let CAS pick Realms and KDCs!
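The slide's point is that a static krb5.conf fixes the realm-to-KDC mapping at JVM start, whereas the new handler chooses them per login through the java.security.krb5.realm and java.security.krb5.kdc system properties. The class below is an added example written for this page, not the IU/Unicon JaasAuthenticationHandler: it picks the realm from a user@REALM principal (an assumed convention), looks up the KDC in a realm table (constructed names), sets the two properties, and runs Krb5LoginModule through a programmatic JAAS configuration so no jaas.conf is needed. It assumes the KDCs are reachable; there is nothing to run offline.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/**
 * Added example (not the IU/Unicon handler): Kerberos login via JAAS that selects the realm from
 * the principal and the KDC from a realm table, instead of a static krb5.conf. Names are constructed.
 */
public final class RealmAwareKerberosLogin {

    /** Constructed realm -> KDC host table; a deployment would load this from cas.properties.
     *  Hosts only: java.security.krb5.kdc treats ':' as a separator between several KDCs. */
    private static final Map<String, String> KDC_BY_REALM;
    static {
        Map<String, String> m = new HashMap<String, String>();
        m.put("IU.EXAMPLE.EDU", "kdc1.iu.example.edu");
        m.put("GUEST.EXAMPLE.EDU", "kdc1.guest.example.edu");
        KDC_BY_REALM = Collections.unmodifiableMap(m);
    }

    private static final String JAAS_ENTRY = "CasKerberos";

    /** Programmatic equivalent of a jaas.conf entry, so no file has to be shipped. */
    private static final Configuration JAAS_CONFIG = new Configuration() {
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            if (!JAAS_ENTRY.equals(name)) {
                return null;
            }
            Map<String, String> opts = new HashMap<String, String>();
            // The JDK caches krb5 settings after first use; refreshKrb5Config=true makes
            // Krb5LoginModule re-read java.security.krb5.realm/kdc on every login().
            opts.put("refreshKrb5Config", "true");
            opts.put("useTicketCache", "false");
            opts.put("storeKey", "false");
            return new AppConfigurationEntry[] {
                new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts)
            };
        }
    };

    /** The two krb5 properties are JVM-wide, so logins that set them are serialized. */
    private static final Object KRB5_LOCK = new Object();

    /** Realm from a user@REALM principal; a bare username gets the default realm (assumed convention). */
    static String realmFor(String principal, String defaultRealm) {
        int at = principal.lastIndexOf('@');
        return at < 0 ? defaultRealm : principal.substring(at + 1).toUpperCase();
    }

    static Subject login(final String principal, final char[] password, String defaultRealm)
            throws LoginException {
        final String realm = realmFor(principal, defaultRealm);
        final String kdc = KDC_BY_REALM.get(realm);
        if (kdc == null) {
            // Unknown realm: refuse, rather than fall back to whatever krb5.conf or DNS would find.
            throw new LoginException("no KDC configured for realm " + realm);
        }
        CallbackHandler handler = new CallbackHandler() {
            @Override
            public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
                for (Callback cb : callbacks) {
                    if (cb instanceof NameCallback) {
                        ((NameCallback) cb).setName(principal);
                    } else if (cb instanceof PasswordCallback) {
                        ((PasswordCallback) cb).setPassword(password);
                    } else {
                        throw new UnsupportedCallbackException(cb);
                    }
                }
            }
        };
        synchronized (KRB5_LOCK) {
            System.setProperty("java.security.krb5.realm", realm);
            System.setProperty("java.security.krb5.kdc", kdc);
            LoginContext lc = new LoginContext(JAAS_ENTRY, null, handler, JAAS_CONFIG);
            lc.login(); // LoginException on bad credentials or an unreachable KDC
            return lc.getSubject(); // caller should then zero the password array
        }
    }
}
```

Two caveats a deployer should weigh. The properties are process-wide, so the lock above is what stops two concurrent logins for different realms from clobbering each other's KDC mid-exchange; the price is that Kerberos logins no longer run in parallel. They also change the default realm for every other Kerberos user in the same JVM (SPNEGO, LDAP with GSSAPI), so this pattern belongs in a CAS node that does nothing else with Kerberos.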
StepUp RADIUS AuthN Config
Additional properties for NAS settings
StepUp AuthN via RADIUS
Primarily based on the Unicon cas-mfa codebase:
◦ https://github.com/Unicon/cas-mfa
Initiated by SAFEWORD AppCode
CAS remembers a single AppCode; knows its relationship to other AppCodes
StepUp AuthN Rules
Depending on the credentials presented, ANY can resolve to either IU or GUEST!
CAS Protocol Extensions
IU CAS Protocol    CAS Protocol Equivalent
cassvc             ${appcode:IU}
casurl             service
casticket          ticket
CAS Validation Response:
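The AppCode registry, the group-to-theme mapping, the step-up rules (SAFEWORD initiates RADIUS; ANY resolves to IU or GUEST by credentials; CAS remembers one AppCode and its relation to the others) and the IU-to-CAS protocol parameter table above are all decisions over the same four primary groups. The class below is an added example written for this page, not the IU AppCodeRegistry or the Unicon code, that puts them in one place. The application AppCodes (HRPORTAL, LIBRARY, VISITORWIFI), the themes and the lattice of which session level satisfies which group are assumptions; the slides only say that SAFEWORD is a step-up and that ANY admits both IU and GUEST.

```java
import java.util.EnumMap;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

/** Added example (not the IU/Unicon code): AppCode groups, themes, step-up rules and the
 *  IU CAS -> CAS parameter translation. Application AppCodes and themes are constructed. */
public final class AppCodeRules {

    /** The four primary AppCodes; every registered AppCode belongs to exactly one group. */
    enum Group { IU, GUEST, SAFEWORD, ANY }

    /** What the current SSO session has proven. SAFEWORD = IU credentials plus a RADIUS OTP. */
    enum Level { NONE, IU, GUEST, SAFEWORD }

    /** What the login webflow must do next for a request. */
    enum Action { SSO, PRIMARY_LOGIN_IU, PRIMARY_LOGIN_GUEST, PRIMARY_LOGIN_ANY, STEP_UP_RADIUS }

    /** Assumed lattice: SAFEWORD implies IU; ANY accepts IU or GUEST; GUEST apps take guest sessions only. */
    private static final Map<Group, Set<Level>> SATISFIED_BY = new EnumMap<Group, Set<Level>>(Group.class);
    static {
        SATISFIED_BY.put(Group.ANY, EnumSet.of(Level.IU, Level.GUEST, Level.SAFEWORD));
        SATISFIED_BY.put(Group.IU, EnumSet.of(Level.IU, Level.SAFEWORD));
        SATISFIED_BY.put(Group.GUEST, EnumSet.of(Level.GUEST));
        SATISFIED_BY.put(Group.SAFEWORD, EnumSet.of(Level.SAFEWORD));
    }

    private final Map<String, Group> groupByAppCode = new HashMap<String, Group>();
    private final Map<Group, String> themeByGroup = new EnumMap<Group, String>(Group.class);

    AppCodeRules() {
        for (Group g : Group.values()) {
            groupByAppCode.put(g.name(), g);             // the primary codes are AppCodes themselves
            themeByGroup.put(g, g.name().toLowerCase()); // constructed: one theme per group
        }
        groupByAppCode.put("HRPORTAL", Group.SAFEWORD);  // constructed: password + OTP required
        groupByAppCode.put("LIBRARY", Group.ANY);        // constructed: IU or guest accounts
        groupByAppCode.put("VISITORWIFI", Group.GUEST);  // constructed: guest accounts only
    }

    /** A missing cassvc means IU (${appcode:IU}); an unregistered AppCode is rejected, not defaulted. */
    Group groupOf(String appcode) {
        if (appcode == null || appcode.isEmpty()) {
            return Group.IU;
        }
        Group g = groupByAppCode.get(appcode.toUpperCase());
        if (g == null) {
            throw new IllegalArgumentException("unknown AppCode: " + appcode);
        }
        return g;
    }

    /** Dynamic theme selection: the theme comes from the AppCode's group. */
    String themeFor(String appcode) {
        return themeByGroup.get(groupOf(appcode));
    }

    /** Step-up rules. Re-evaluate after each login step: a SAFEWORD app with no session yields
     *  PRIMARY_LOGIN_IU, and once the session is at Level.IU yields STEP_UP_RADIUS. */
    Action next(String appcode, Level session) {
        Group required = groupOf(appcode);
        if (SATISFIED_BY.get(required).contains(session)) {
            return Action.SSO;
        }
        switch (required) {
            case SAFEWORD:
                return session == Level.IU ? Action.STEP_UP_RADIUS : Action.PRIMARY_LOGIN_IU;
            case IU:
                return Action.PRIMARY_LOGIN_IU;  // a GUEST session is never upgraded in place
            case GUEST:
                return Action.PRIMARY_LOGIN_GUEST;
            default:
                return Action.PRIMARY_LOGIN_ANY; // ANY: the realm of the credentials decides IU vs GUEST
        }
    }

    /** IU CAS protocol parameters -> CAS protocol equivalents, as in the table above. */
    static Map<String, String> translate(Map<String, String> iuParams) {
        Map<String, String> cas = new HashMap<String, String>();
        String svc = iuParams.get("cassvc");
        cas.put("appcode", (svc == null || svc.isEmpty()) ? "IU" : svc.toUpperCase());
        if (iuParams.containsKey("casurl")) {
            cas.put("service", iuParams.get("casurl"));
        }
        if (iuParams.containsKey("casticket")) {
            cas.put("ticket", iuParams.get("casticket"));
        }
        return cas;
    }

    public static void main(String[] args) {
        AppCodeRules rules = new AppCodeRules();
        Map<String, String> req = new HashMap<String, String>();
        req.put("cassvc", "hrportal");
        req.put("casurl", "https://hr.example.edu/");
        String appcode = translate(req).get("appcode");
        System.out.println(rules.themeFor(appcode) + " " + rules.next(appcode, Level.NONE)
                + " " + rules.next(appcode, Level.IU) + " " + rules.next("LIBRARY", Level.GUEST)
                + " " + rules.next("IU", Level.GUEST));
    }
}
```

Two design points are deliberate. An unregistered AppCode throws instead of silently becoming IU: the `${appcode:IU}` default covers only the absent parameter, and treating a typo as a real registration is how an application ends up with a group it was never approved for. And the GUEST-session-at-IU-app case returns a fresh primary login rather than a step-up, because guest credentials say nothing about the IU account the app will authorize on.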
EhCacheTicketRegistry
Distributed cache across live nodes
Replication via Java RMI; Manual discovery
Two separate caches for STs and TGTs
No need for ticket registry cleaners!
Simple setup; No external process required
EhCache Replication
RMI replication & manual peer discovery
Specify “other” nodes in the cluster
Discoverable Host Names
Single cas.properties file for all nodes
Discover ${host.name} automatically
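The EhCacheTicketRegistry slides describe RMI replication, manual peer discovery, two caches, and expiry handled by the cache instead of a registry cleaner. The ehcache.xml below is an added example for one node of a three-node cluster, not the IU configuration; the host names (cas-a/b/c.example.edu), the ports and the TTL values are constructed, with the TTLs chosen to match the CAS 3.5 default ticket expiration policies.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the IU deployment's file: ehcache.xml as loaded on node cas-a.example.edu.
     Host names, ports and sizes are constructed. -->
<ehcache xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:noNamespaceSchemaLocation="http://ehcache.org/ehcache.xsd"
         name="casTicketRegistry" updateCheck="false">

  <!-- Manual discovery: list every OTHER node's caches. Listing this node's own URL here
       is the classic mistake; it produces replication errors against itself. -->
  <cacheManagerPeerProviderFactory
      class="net.sf.ehcache.distribution.RMICacheManagerPeerProviderFactory"
      properties="peerDiscovery=manual,rmiUrls=//cas-b.example.edu:41001/ticketGrantingTicketsCache|//cas-b.example.edu:41001/serviceTicketsCache|//cas-c.example.edu:41001/ticketGrantingTicketsCache|//cas-c.example.edu:41001/serviceTicketsCache"
      propertySeparator=","/>

  <!-- This node's listener. ${host.name} is a system property Ehcache substitutes at load time,
       so the same file can be shipped to every node; it must resolve to the interface the peers reach.
       Pinning remoteObjectPort lets the replication traffic be firewalled to exactly two ports. -->
  <cacheManagerPeerListenerFactory
      class="net.sf.ehcache.distribution.RMICacheManagerPeerListenerFactory"
      properties="hostName=${host.name},port=41001,remoteObjectPort=41002,socketTimeoutMillis=2000"/>

  <!-- Service tickets: issued on one node, validated moments later, often on another node,
       so they are replicated synchronously. 300 s is well above the CAS ST lifetime. -->
  <cache name="serviceTicketsCache"
         maxElementsInMemory="10000"
         eternal="false"
         timeToIdleSeconds="0"
         timeToLiveSeconds="300"
         overflowToDisk="false">
    <cacheEventListenerFactory
        class="net.sf.ehcache.distribution.RMICacheReplicatorFactory"
        properties="replicateAsynchronously=false,replicatePuts=true,replicateUpdates=true,replicateUpdatesViaCopy=true,replicateRemovals=true"/>
  </cache>

  <!-- Ticket-granting tickets: cache expiry replaces the registry cleaner. TTI/TTL must be at
       least the CAS expiration policy (here the 3.5 defaults: 2 h idle, 8 h maximum), otherwise
       the cache ends SSO sessions before CAS does. Asynchronous replication is acceptable. -->
  <cache name="ticketGrantingTicketsCache"
         maxElementsInMemory="100000"
         eternal="false"
         timeToIdleSeconds="7200"
         timeToLiveSeconds="28800"
         overflowToDisk="false">
    <cacheEventListenerFactory
        class="net.sf.ehcache.distribution.RMICacheReplicatorFactory"
        properties="replicateAsynchronously=true,replicatePuts=true,replicateUpdates=true,replicateUpdatesViaCopy=true,replicateRemovals=true"/>
    <!-- A node joining the cluster pulls the existing TGTs so users keep their sessions. -->
    <bootstrapCacheLoaderFactory
        class="net.sf.ehcache.distribution.RMIBootstrapCacheLoaderFactory"
        properties="bootstrapAsynchronously=true,maximumChunkSizeBytes=5000000"/>
  </cache>
</ehcache>
```

The check a deployer should not skip: Ehcache RMI replication is neither authenticated nor encrypted, and every TGT in the cluster crosses it. Anyone who can reach ports 41001/41002 can read live sessions or inject tickets, so those ports must be reachable only from the other CAS nodes (a dedicated interconnect or host firewall rules). Note also that rmiUrls still has to exclude the local node; with a single cas.properties for all nodes, that list is the one value that must be derived per node from ${host.name} rather than copied.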
Demo
Development Workflow
BitBucket Git repository; code + docs
Real-time issue tracking & collaboration
Automated deployment via Jenkins CI
Questions?