The official CAS 5.0.0 GA was released on November 7th 2016. Since then, the project has been moving forward with development of the next feature release that is tagged as 5.1.0. This post intends to highlight some of the improvements and enhancements packed into the second release candidate in the
If you are looking for additional info on the previous release candidate, please see this post.
- Authentication Sequence
- Monitoring/Status Protection with Spring Security
- SAML IdP Metadata Generation
- Code Cleanup and Optimization
- XML Test Configuration
- MongoDb Ticket Registry
- CAS Documentation Improvements
- Custom Password Encoders
- Management Webapp Authorization
- FIDO U2F MFA
- Microsoft Azure MFA
- Principal SCIM Provisioning
- Internal Support for Kotlin
- Clearpass Internal Encryption
- Database Audit Default Catalog/Schema
- OpenID Connect JWKS Caching
- OpenID Connect Scope-based Claim Release
- Grouper Groups as Principal Attributes
- OpenID Connect Encrypted ID Tokens
- Native Configuration Monitoring
- OpenID Connect Implicit Profile
- Dynamic Acceptable Usage Policy
- X509 Authentication: LDAP CRL Fetching
- Google Authenticator Token Tracking
- Delegated Authentication Providers
- Google Authenticator JSON Storage
- CAS Banner & Git Commit Id
- Multifactor Authentication Trigger via Authentication Attribute
- LDAP Authentication Search Entry Resolvers
- Domain Services Manager
- SAML SP Integrations
- Graphical User Authentication
- SAML InCommon R&S Attribute Release
- Database Password Policy Enforcement
- REST Password Management
- Management Webapp
- Minor Bug Fixes
- Library Upgrades
- What’s Next?
- Get Involved
- Das Ende
Authentication Sequence
At runtime, CAS maintains a collection of authentication handlers/strategies that typically execute one after another. Each CAS module that presents a form of authentication strategy will simply insert itself into this collection at bootstrap time. This means the sequence of authentication execution is very much non-deterministic upon server restarts. At the end of the process, the result of all authentication transactions is collected and optionally processed by an authentication policy where success/failure of certain strategies/sources may be taken into account to fully satisfy the authentication requirements.
Starting with this feature release, the collection of authentication handlers tries to preserve order in a more deterministic way. Authentication handlers can be assigned a weight/order value, thereby explicitly positioning themselves in the collection and controlling the execution sequence.
At this time, the LDAP and JDBC authentication handlers are the only ones that have qualified for an order setting via the usual CAS properties.
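The following is an added illustration, not CAS code: a simplified Python model of an ordered handler collection whose collected results are then judged by a policy. The `Handler` class, the policy names and the in-memory credential sources are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class Handler:
    name: str
    check: Callable[[str, str], bool]   # True when the credentials are valid
    order: Optional[int] = None         # explicit weight; None means unset

def execution_sequence(registered):
    """Ordered handlers first (ascending), then unordered ones by name,
    so the sequence no longer depends on registration (bootstrap) order."""
    return sorted(registered,
                  key=lambda h: (h.order is None, h.order or 0, h.name))

def authenticate(registered, user, password, policy="any", required=None):
    """Run every handler in sequence, collect results, then apply a policy."""
    results = {}
    for h in execution_sequence(registered):
        try:
            results[h.name] = bool(h.check(user, password))
        except Exception:
            results[h.name] = False     # a failing source never counts as success
    if policy == "all":
        ok = bool(results) and all(results.values())
    elif policy == "required":
        ok = results.get(required, False)
    else:                               # "any"
        ok = any(results.values())
    return ok, list(results)            # decision plus the order actually used

# Constructed in-memory stand-ins for an LDAP and a JDBC source.
LDAP = {"alice": "ldap-pw"}
JDBC = {"alice": "db-pw", "bob": "db-pw2"}
ldap = Handler("ldap", lambda u, p: LDAP.get(u) == p, order=0)
jdbc = Handler("jdbc", lambda u, p: JDBC.get(u) == p, order=1)
static = Handler("static", lambda u, p: False)
```

Whatever order the three handlers are registered in, the sequence is `ldap`, `jdbc`, `static`, and a `required` policy on `jdbc` rejects a password that only the LDAP source accepts.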
Monitoring/Status Protection with Spring Security
CAS endpoints that provide monitoring and diagnostics features are now able to support various modes of authorization/authentication backed by Spring Security. Additional modes now include backend authentication support via LDAP or JDBC storage facilities.
SAML IdP Metadata Generation
The process of generating SAML2 metadata has been smoothed out to ensure endpoints, ports and URLs in the metadata correctly match pre-defined CAS settings in order to reduce/remove manual work.
Code Cleanup and Optimization
Thanks to community contributions, the CAS codebase is revitalized ever more to make sure most if not all underlying components adhere to proper coding standards and design practices. Changes in this area include adjustments to style guidelines, constructor-based dependency injections and navigating to the native Java 8 lambda APIs.
XML Test Configuration
CAS test infrastructure continues to move away from XML configuration files and towards the facilities provided by Spring Boot. This will allow the project to mirror the deployment runtime configuration as much as possible while troubleshooting and fixing regressions, if any. A number of small enhancements have also gone into the core build system to ensure tests can be built and run in parallel modes via Gradle, which would cut down a full build/release cycle in half (i.e. close to 20 minutes).
This is rather helpful when adopters wish to be quick enough to try out SNAPSHOT releases during defect trials.
MongoDb Ticket Registry
CAS gains support for MongoDb as a storage mechanism for its ticket registry backend. You can learn more about the registry behavior via this guide.
CAS Documentation Improvements
Most if not all CAS documentation is reviewed to make sure various features properly point to their respective settings/properties via relevant anchor links. Additional work will be done on the settings as well to ensure all properties are properly explained as much as possible.
Custom Password Encoders
The collection of supported authentication password encoders now allows for the specification of a com.example.MyPasswordEncoder implementation class to handle custom encoding use cases.
Management Webapp Authorization
Authorized access to the management webapp via LDAP now allows for groups and roles in addition to a single search for the user and attributes.
FIDO U2F MFA
Another multifactor authentication option; basic support is added to provide FIDO U2F.
Microsoft Azure MFA
As an extra multifactor authentication provider, CAS adds support for Microsoft Azure. A limited number of options are available to verify credentials with Azure that today include:
- A phone call to a predefined phone number, as an attribute, where user has to press
- A phone call to a predefined phone number, as an attribute, where user has to provide a CAS-generated token that is presented on the page.
Integration with Azure mobile applications may be worked out in future releases based on interest and demand.
Principal SCIM Provisioning
CAS gains the ability to provision the authenticated principal via SCIM.
Internal Support for Kotlin
The internal Gradle build for the CAS codebase is adjusted to allow compilation of Kotlin’s .kt files, if any.
Clearpass Internal Encryption
Captures of the credential password via Clearpass gain the option to encrypt the password internally via pre-defined keys. Upon release, the credential is decoded internally in memory and then encrypted with the service’s public key defined in the registry.
Database Audit Default Catalog/Schema
Database audits are now able to take advantage of new settings that control the default catalog and schema.
OpenID Connect JWKS Caching
Small improvements have been put in to ensure JWKS resource fetching can go through caching channels to help with processing keystores and performance.
OpenID Connect Scope-based Claim Release
Additional attribute and claim release policies are now provided to ensure a given OpenID Connect service can release attributes based on pre-defined scope bundles.
Grouper Groups as Principal Attributes
Thanks to Person Directory’s built-in support of Internet2’s Grouper, CAS is now able to collect a Grouper subject’s groups as principal attributes and perhaps further use them in authorization decisions.
OpenID Connect Encrypted ID Tokens
ID tokens generated by CAS are now able to be encrypted, provided the client/service is configured appropriately in the registry.
Native Configuration Monitoring
In the event that the native configuration profile is enabled, CAS is able to automatically monitor the relevant configuration directories and refresh the context upon change.
Note that not all CAS components that process settings can be auto-reloaded. YMMV.
OpenID Connect Implicit Profile
Support for OpenID Connect’s implicit workflow is worked into this release.
Dynamic Acceptable Usage Policy
Sometimes deployments of CAS’ Acceptable Usage Policy consist of several policies that may be shown to the user depending on membership, affiliation and even perhaps objectclass. In this release, CAS makes the fully resolved Principal available to AUP-related views and pages such that different views housing appropriate policies may be displayed depending on the resolved principal attributes.
X509 Authentication: LDAP CRL Fetching
A small improvement; an additional property is exposed to allow adopters the specification of the LDAP binary attribute that holds the certificate revocation list.
Google Authenticator Token Tracking
To prevent immediate OTP reuse while using Google Authenticator as the second authentication factor, CAS starts to track issued tokens that successfully were able to authenticate users. There are also built-in facilities that allow the underlying token-tracking repository to clean up after itself once the token’s expiration tag is removed.
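The following is an added illustration, not CAS code: a minimal Python sketch of token tracking for time-based one-time passwords, where a code that has already authenticated a user is rejected until it can no longer validate and is then cleaned up. The `TrackingVerifier` class and its in-memory store are assumptions; the secret used in testing is the published RFC 4226 test secret.

```python
import hashlib
import hmac
import struct

STEP = 30      # seconds per time step (RFC 6238 default)
DIGITS = 6

def totp(secret: bytes, counter: int) -> str:
    """HOTP value (RFC 4226, HMAC-SHA1) for one time-step counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

class TrackingVerifier:
    """Accepts a valid code once per user (hypothetical in-memory store)."""

    def __init__(self, window: int = 1):
        self.window = window    # tolerated clock drift, in time steps
        self.used = {}          # (user, code) -> expiry in epoch seconds

    def cleanup(self, now):
        # Drop tracked codes that have left the validation window.
        self.used = {k: exp for k, exp in self.used.items() if exp > now}

    def verify(self, user, secret, code, now):
        self.cleanup(now)
        if (user, code) in self.used:
            return "replayed"
        current = int(now) // STEP
        for counter in range(current - self.window, current + self.window + 1):
            if hmac.compare_digest(totp(secret, counter), code):
                # Track the code until it can no longer validate anyway.
                expiry = (counter + self.window + 1) * STEP
                self.used[(user, code)] = expiry
                return "accepted"
        return "invalid"
```

Without the `used` store, the same code would be accepted again for as long as it stays inside the drift window, which is the immediate reuse that tracking prevents.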
Delegated Authentication Providers
Delegated authentication in CAS adds support for Bitbucket, Paypal, Wordpress and generic OAuth20 providers. Likewise, CAS should now allow delegating authentication to multiple CAS, SAML, OIDC and OAuth2 servers where before only single instances were supported.
Google Authenticator JSON Storage
To assist smaller deployments and to also allow for quicker testing and development, Google Authenticator gains support for a JSON storage facility that is able to quickly keep track of user registration records.
CAS Banner & Git Commit Id
To facilitate testing of SNAPSHOT versions, the CAS banner on startup attempts to demonstrate the Git commit id of the release so adopters and developers may exactly determine the version of the source code deployed.
    CAS Version: 5.1.0-RC2-SNAPSHOT
    CAS Commit Id: 0b75fabbb0f865c497327695e30ecf08b6f15e63
    CAS Build Date/Time: 2017-01-09T21:27:28Z
    Spring Boot Version: 1.4.3.RELEASE
    Apache Tomcat Version: Apache Tomcat/8.5.9
Additionally, the same set of diagnostic messages is also printed when one deploys the CAS Management web application.
Multifactor Authentication Trigger via Authentication Attribute
Title says it all.
CAS has had a number of options for triggering multifactor authentication based on a principal attribute.
This release adds an additional trigger that allows CAS to directly look into the authentication object to find metadata/attributes captured during the authentication event. This metadata, in the form of an authentication attribute, can be used to trigger multifactor authentication events. This is useful in scenarios where the underlying authentication machinery may signal back additional requirements in order for the authentication to fully succeed or, as another example, you may wish to trigger multifactor authentication if the captured authenticationDate matches a certain pattern of your own choosing, etc.
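The following is an added illustration, not CAS code: a Python sketch of deciding whether multifactor authentication is required by matching a pattern against authentication attributes, including multi-valued ones. The function name, the `backendSignals` attribute, the sample values and the off-hours pattern are assumptions; only `authenticationDate` comes from the text above.

```python
import re

def mfa_triggered(auth_attributes, trigger_names, value_regex):
    """Return (name, value) for the first authentication attribute whose
    value matches value_regex in full, or None when nothing triggers MFA."""
    pattern = re.compile(value_regex)
    for name in trigger_names:
        values = auth_attributes.get(name)
        if values is None:
            continue
        # Attributes may be single- or multi-valued; normalise to a list.
        if isinstance(values, (str, bytes)) or not hasattr(values, "__iter__"):
            values = [values]
        for value in values:
            # fullmatch avoids triggering on a value that merely contains
            # the pattern somewhere inside it.
            if pattern.fullmatch(str(value)):
                return name, str(value)
    return None

# Constructed pattern: ISO-8601 timestamps between 20:00 and 05:59.
OFF_HOURS = r"\d{4}-\d{2}-\d{2}T(2[0-3]|0[0-5]):.*"

# Constructed authentication attributes for two login events.
NIGHT_LOGIN = {"authenticationDate": "2017-01-10T02:15:00Z"}
DAY_LOGIN = {"authenticationDate": "2017-01-10T14:15:00Z",
             "backendSignals": ["ok", "mfa-required"]}
```

The night login triggers on `authenticationDate`; the day login does not, but it still triggers when `backendSignals` is listed as a trigger attribute with the pattern `mfa-required`.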
LDAP Authentication Search Entry Resolvers
CAS adds support for configuring search entry resolvers for LDAP authentication. Additional properties are exposed to support the full range of resolvers that are made available to CAS.
Domain Services Manager
Thanks to @tsschmidt, the default services manager implementation in CAS that acts as the orchestrator on top of the service registry has been switched out to group service definitions by domain. This is the first step in not only making CAS more performant when dealing with large collections of service definitions, but also presenting a nice opportunity for the management webapp and its UIs to organize definitions in a more sane way.
SAML SP Integrations
CAS adds support for a few additional built-in SAML SP integrations: Zoom, Asana, Tableau and Evernote.
Graphical User Authentication
There now exists basic/modest support for GUA.
SAML InCommon R&S Attribute Release
There are dedicated attribute release policies now in CAS that allow one to release the required attribute bundle to InCommon’s R&S service providers.
Database Password Policy Enforcement
Thanks to community contributions, database authentication gains modest support for enforcing password policy rules.
REST Password Management
Password Management capabilities of CAS begin to support REST APIs and endpoints that wish to take over the maintenance of the user account and updates to the password.
Management Webapp
The service management web application is enhanced to support a few additional settings added to the CAS service model for SAML2 and OpenID Connect services. Settings are also organized and grouped by categories that should be easier to find.
Minor Bug Fixes
A number of small bug fixes have been incorporated into this feature release:
- Database schema update/generation accounts for more accurate column types and lengths.
- Google Authenticator QR code generation is remapped in the Spring Boot configuration.
- Expiration policy of OAuth refresh tokens is now taking into account the correct time unit of measure.
- Credential validation failures in multifactor authentication scenarios prompt error messages back to the user.
- Password change actions are now recorded in the CAS audit log.
- Service ticket creation based on authentication sessions established via renew is now correctly honored.
- Removed the need to re-create LDAP connection pools during LDAP authentication for entry resolution, etc.
- SAML assertion encryption is now able to properly locate the encryption credential.
- Added missing view for CAS responses that require
Library Upgrades
- MongoDb Driver
- Spring Boot
- Apache Tomcat
What’s Next?
The development team is working to make sure the CAS 5.1.0 release is on schedule. Additional release candidates and more updates will likely be released prior to the official GA release.
Get Involved
- Start your CAS deployment today. Try out features and share feedback.
- Better yet, contribute patches.
- Review and suggest documentation improvements.
- Review the release schedule and make sure you report your desired feature requests on the project’s issue tracker.
Das Ende
A big hearty thanks to all who participated in the development of this release to submit patches, report issues and suggest improvements. Keep ’em coming!