CAS 5.1.0 RC2 Feature Release

The official CAS 5.0.0 GA was released on November 7th 2016. Since then, the project has been moving forward with development of the next feature release that is tagged as 5.1.0. This post intends to highlight some of the improvements and enhancements packed into the second release candidate in the 5.1.0 series.

The in-development documentation of CAS 5.1.0 is available here. The release schedule is also available here. The release policy is available here.

If you are looking for additional info on the previous release candidate, please see this post.

Authentication Sequence

At runtime, CAS maintains a collection of authentication handlers/strategies that typically execute one after another. Each CAS module that presents a form of authentication strategy will simply insert itself into this collection at bootstrap time. This means the sequence of authentication execution is very much non-deterministic upon server restarts. At the end of the process, the result of all authentication transactions is collected and optionally processed by an authentication policy where success/failure of certain strategies/sources may be taken into account to fully satisfy the authentication requirements.

Starting with this feature release, the collection of authentication handlers tries to preserve order in a rather more deterministic way. Authentication handlers can be assigned a weight/order value thereby explicitly positioning themselves in the collection and controlling executionsequence.

At this time, the LDAP and JDBC authentication handlers are the only ones that have qualified for an order setting via the usual CAS properties.

Monitoring/Status Protection with Spring Security

CAS endpoints that provide monitoring and diagnostics features are now able to support various modes of authorization/authentication backed by Spring Security. Additional modes now include backend authentication support via LDAP or JDBC storage facilities.

SAML IdP Metadata Generation

The process of generating SAML2 metadata has been smoothened much better to ensure endpoints, ports and url in the metadata correctly match pre-defined CAS settings in order to reduce/remove manual work.

Code Cleanup and Optimization

Thanks to community contributions, the CAS codebase is revitalized ever more to make sure most if not all underlying components adhere to proper coding standards and design practices. Changes in this area include adjustments to style guidelines, constructor-based dependency injections and navigating to the native Java 8 lambda APIs.

XML Test Configuration

CAS test infrastructure continues to move away from XML configuration files and towards the facilities provided by Spring Boot. This will allow the project to mirror the deployment runtime configuration as much as possible while troubleshooting and fixing regressions, if any. A number of small enhancements have also gone into the core build system to ensure tests can be built and run in parallel modes via Gradle, which would cut down a full build/release cycle in half (i.e. close to 20 minutes).

This is rather helpful when adopters wish to be quick enough to try out SNAPSHOT releases during defect trials.

MongoDb Ticket Registry

CAS gains support for MongoDb as a storage mechanism for its ticket registry backend. You can learn more about the registry behavior via this guide.

CAS Documentation Improvements

Most if not all CAS documentation is reviewed to make sure various features properly point to their respective settings/properties via relevant anchor links. Additional work will be done on the settings as well to ensure all properties are properly explained as much as possible.

Custom Password Encoders

The collection of supported authentication password encoders now allows for the specification of a fully qualified com.example.MyPasswordEncoder implementation class to handle custom encoding use cases.

Management Webapp Authorization

Authorized access to the management webapp via LDAP now allows for groups and roles in addition to a single search for the user and attributes.


Another multifactor authentication option; basic support is added to provide FIDO U2F.

Microsoft Azure MFA

As an extra multifactor authentication provider, CAS adds support for Microsoft Azure. A limited number of options are available to verify credentials with Azure that today include:

  • A phone call to a predefined phone number, as an attribute, where user has to press # only.
  • A phone call to a predefined phone number, as an attribute, where user has to provide a CAS-generated token that is presented on the page.

Integration with Azure mobile applications may be worked out in future releases based on interest and demand.

Principal SCIM Provisioning

CAS gains the ability to provision the authenticated principal via SCIM.

Internal Support for Kotlin

The internal gradle build for the CAS codebase is adjusted to allow compilation of Kotlin’s .kt files, if any.

Clearpass Internal Encryption

Captures of credential password via Clearpass gain the option to encrypt the password internally via pre-defined keys. The credential upon release in decoded internally in memory and then encrypted with the service’s public key defined in the registry.

Database Audit Default Catalog/Schema

Database audits are now able to take advantage of new settings that control the default catalog and schema.

OpenID Connect JWKS Caching

Small improvements have been put in to ensure JWKS resource fetching can go through caching channels to help with processing keystores and performance.

OpenID Connect Scope-based Claim Release

Additional attribute and claim release policies are now provided to ensure a given OpenID Connect service can release attributes based on pre-defined scope bundles.

Grouper Groups as Principal Attributes

Thanks to Person Directory’s built-in support of Internet2’s Grouper, CAS is now able to collect a Grouper subject’s groups as principal attributes and perhaps further use them in authorization decisions.

OpenID Connect Encrypted ID Tokens

ID tokens generated by CAS are now able to be encrypted, provided the client/service is configured appropriately in the registry.

Native Configuration Monitoring

In the event that the native configuration profile is enabled, CAS is able to automatically monitor the relevant configuration directories and refresh the context upon change. Note that not all CAS components that process settings can be auto-reloaded. YMMV.

OpenID Connect Implicit Profile

Support for OpenID Connect’s implicit workflow is worked into this release.

Dynamic Acceptable Usage Policy

Sometimes deployments of CAS’ Acceptable Usage Policy consist of several policies that may be shown to the user depending on membership, affiliation and even perhaps objectclass. In this release, CAS makes the fully resolved Principal available to AUP-related views and pages such that different views housing appropriate policies may be displayed depending on the resolved principal attributes.

X509 Authentication: LDAP CRL Fetching

A small improvement; an additional property is exposed to allow adopters the specification of the LDAP binary attribute that holds the certificate revocation list.

Google Authenticator Token Tracking

To prevent immediate OTP reuse while using Google Authenticator as the second authentication factor, CAS starts to track issued tokens that successfully were able to authenticate users. There are also built-in facilities that allow the underlying token-tracking repository to clean up after itself once the token’s expiration tag is removed.

Delegated Authentication Providers

Delegated authentication in CAS adds support for Bitbucket, Paypal, Wordpress and generic OAuth20 providers. Likewise, CAS should now allow delegating authentication to multiple CAS, SAML, OIDC and OAuth2 servers where before only single instances were supported.

Google Authenticator JSON Storage

To assist smaller deployments and to also allow for quicker testing and development, Google Authenticator gains support for a JSON storage facility that is able to quickly keep track of user registration records.

CAS Banner & Git Commit Id

To facilitate testing of SNAPSHOT versions, the CAS banner on startup attempts to demonstrate the Git commit id of the release so adopters and developers may exactly determine the version of the source code deployed.

CAS Version: 5.1.0-RC2-SNAPSHOT
CAS Commit Id: 0b75fabbb0f865c497327695e30ecf08b6f15e63
CAS Build Date/Time: 2017-01-09T21:27:28Z
Spring Boot Version: 1.4.3.RELEASE
Apache Tomcat Version: Apache Tomcat/8.5.9

Additionally, the set of diagnostics messages are also printed when one deploys the CAS Management web application.

Multifactor Authentication Trigger via Authentication Attribute

Title says it all.

CAS has had a number of options for triggering multifactor authentication based on a principal attribute. This release adds an additional trigger that allows CAS to directly look into the authentication object to find metadata/attributes captured during the authentication event. This metadata in form of authentication attribute can be used to trigger multifactor authentication events. This is useful in scenarios where the underlying authentication machinery may signal back additional requirements in order for the authentication to fully succeed or, as another example, you may wish to trigger multifactor authentication if the captured authenticationDate matches a certain pattern of your own choosing, etc.

LDAP Authentication Search Entry Resolvers

CAS adds support for configuring search entry resolvers for LDAP authentication. Additional properties are exposed to support the full range of resolvers that are made available to CAS.

Domain Services Manager

Thanks to @tsschmidt, the default services manager implementation in CAS that acts as the orchestrator on top of the service registry has been switched out to group service definitions by domain. This is the first step in allowing not only making a more performant CAS when dealing with large collections of service definitions, but also presents a nice opportunity for the management webapp and its UIs to organize definitions in a more sane way.

SAML SP Integrations

CAS adds support for a few additional built-in SAML SP integrations: Zoom, Asana, Tableau and Evernote.

Python/Javascript Attribute Release Policies

Additional attribute release policies are worked into CAS that allow one to filter attributes for applications based on external python or javascript files.

Graphical User Authentication

There now exists basic/modest support for GUA.

SAML InCommon R&S Attribute Release

There are dedicated attribute release policies now in CAS that allow one to release the required attribute bundle to InCommon’s R&S service providers.

Database Password Policy Enforcement

Thanks to community contributions, database authentication gains modest support for enforcing password policy rules.

REST Password Management

Password Management capabilities of CAS begin to support REST APIs and endpoints that wish to take over the maintenance of the user account and updates to the password.

Management Webapp

The service management web application is enhanced to support a few more additional settings added to the CAS service model for SAML2 and OpenID Connect services. Settings are also organized and grouped by categories that should be easier to find:


Minor Bug Fixes

A number of small bug fixes have been incorporated into this feature release:

  • Database schema update/generation accounts for more accurate column types and lengths.
  • Google Authenticator QR code generation is remapped in the Spring Boot configuration.
  • Expiration policy of OAuth refresh tokens is now taking into account the correct time unit of measure.
  • Credential validation failures in multifactor authentication scenarios prompt error messages back to the user.
  • Password change actions are now recorded in the CAS audit log.
  • Service ticket creation based on authentication sessions established via renew are now correctly honored.
  • Removed the need to re-create LDAP connection pools during LDAP authentication for entry resolution, etc.
  • SAML assertion encryption is now able to properly locate the encryption credential.
  • Added missing view for CAS responses that require POST.

Library Upgrades

  • Cryptacular
  • JodaTime
  • MongoDb Driver
  • Spring Boot
  • Apache Tomcat
  • Log4j2

What’s Next?

The development team is working to make sure the CAS 5.1.0 release is on schedule. Additional release candidates and more updates will likely be released prior to the official GA release.

Get Involved

  • Start your CAS deployment today. Try out features and share feedback.
  • Better yet, contribute patches.
  • Review and suggest documentation improvements.
  • Review the release schedule and make sure you report your desired feature requests on the project’s issue tracker.

Das Ende

A big hearty thanks to all who participated in the development of this release to submit patches, report issues and suggest improvements. Keep’em coming!

Misagh Moayyed

Related Posts

Apereo CAS is now on Develocity

An overview of how Apereo CAS is using Gradle and Develocity to improve its build and test execution cycle.

CAS OAuth/OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the Apereo CAS software acting as an OAuth/OpenID Connect provider.

CAS Groovy Vulnerability Disclosure

Disclosure of a security issue with the Apereo CAS software when using Groovy.

CAS OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the Apereo CAS software acting as an OpenID Connect Provider.

CAS X.509 Vulnerability Disclosure

Disclosure of a security issue with the CAS software and its X.509 features.

CAS OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the CAS software acting as an OpenID Connect Provider.

CAS OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the CAS software acting as an OpenID Connect Provider.

CAS OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the CAS software acting as an OpenID Connect Provider.

CAS Spring Framework RCE Vulnerability Disclosure

Disclosure of the Spring framework RCE security issue with the Apereo CAS software.

CAS OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the CAS software acting as an OpenID Connect Provider.