JA-SIG Day2 - CAS 3.1 .. what's new?

This is my notes. The official presentation slides will be at:

http://www.ja-sig.org/wiki/display/JCON/Denver+2007+presentations
presented by Scott Battaglia, Rutgers University

---

CAS 3.1 -- Current Release 3.1 RC2

• CAS 3 continues to support CAS 1 and CAS2 protocol
• Functional Improvements:

1. Only way to get proxied authentication
2. SAML1.1 -- 2.0, see Google Applications
   
1. OASIS stanbdard
2. XML based
3. Communicates: Authentication/ Entitlement/ Attribute
3. OpenID
   I got my free one from https://pip.verisignlabs.com/account/welcome
   
1. Decentralized framework for user-center digital identify
2. User name is URI
3. Support "dumb" mode
4. Allows CAS clients -> OpenID clients
   
4. Single Sign Out
1. Global CAS session / Individual Applciation sessions
2. CAS 1/2/3 Logout ends global session
3. CAS 3.1 "suggests" that a;; sessions end
5. Google Accounts Integration
1. Minimal SAML 2
2. Key sharing b/e Google Accounts
3. Allow Google Accounts to participate in existing SSO solution
6. Services Management
1. Optional Feature
2. Control what services access CAS
3. Control what features they have access to, i.e. proxy ..
4. Customize Skin - Theme
5. Selective attribute(s) to be sent back --> SAML2
   
7. Attributes
1. AttributeRepository defines "interesting" attributes
2. Services Management dictates who sees what
3. CAS sends those attributes to services
4. Chaining Attributes - securitycontext
8. Pseudo anonymous Support --> Shibboleth
   
   ref. Authentication and Authorization
   * http://webjunction.org/do/DisplayContent?id=10858
   
   
1. send a persistent random identifier
   
2. only identifies user with respect to service
   
9. Authentication Support
1. Add support for: NTLM/SPNEGO/RADIUS
2. On top of: LDAP; DATABASE; X.509; JASS; FILE ...

• Performance improvements

• Building & Implementation

1. Maven 2 - POM
   
2. Ticket Registry
   
1. BerkeleyDBTicketRegistry - Long Term
   
2. JBossCacheTicketRegistry - Distributed
   -> multicast
   
3. DefaultTicketRegistru - Simple, in-memory, single-instance CAS
3. Java 5 requried
4. Content Switch / Load Balancer is still recommended
   

---

SAML2
http://www.xml.com/pub/a/2005/01/12/saml2.html

What Is SAML? SAML defines an XML-based framework for communicating security and identity (e.g., authentication, entitlements, and attribute) information between computing entities. SAML promotes interoperability between disparate security systems, providing the framework for secure e-business transactions across company boundaries. By abstracting away from the particulars of different security infrastructures (e.g., PKI, Kerberos, LDAP, etc), SAML makes possible the dynamic integration necessary in today's constantly changing business environments.

What Isn't SAML? SAML does not standardize all aspects of identity management. SAML addresses one key aspect of identity management, namely that of how identity information can be communicated from one domain to another. A full identity management solution will also define mechanisms for, amongst other aspects, provisioning (the establishment and subsequent management of accounts and associated privileges), authentication (how an entity proves their right to lay claim to a particular identity), or access control (how the rules for specifying what individual identities are allowed to do are captured). SAML has been designed to be compatible with existing and emerging standards that address these other aspects