CAS 5.1.0 RC4 Feature Release

The official CAS 5.0.0 GA was released on November 7th 2016. Since then, the project has been moving forward with development of the next feature release that is tagged as 5.1.0. This post intends to highlight some of the improvements and enhancements packed into the fourth release candidate in the 5.1.0 series.

The in-development documentation of CAS 5.1.0 is available here. The release schedule is also available here. The release policy is available here.

If you are looking for additional info on the previous release candidate, please see this post.

SAML2 Service Providers

A few more SAML2 service providers are added to this release namely Adobe Cloud, AcademicWorks, Infinite Campus, Slack, Gartner, Zendesk and more.

CAS Demos

CAS demos are neatly organized and deployed on Heroku.

Surrogate Authentiction

The ability to authenticate on behalf of another user, so called Surrogate Authentication, is now included in this release.

SAML2 NameID Qualifiers

SAML2 service definitions are now allowed the option to override the name qualifiers for a given subject’s name id.

Scripted Attribute Release

Scripted attribute release policies are now able to accept an inlined groovy script as well.

Distributed Tracing

CAS embraces Spring Cloud Sleuth which implements a distributed tracing solution for Spring Cloud.

Encrypted Service Usernames

CAS username providers are now able to encrypt the resolved username using the service public key. Applications are expected to decrypt of course using their paired private key.

Automated Docker Cloud Builds

CAS is now taking advantage of Docker Cloud’s automated builds to auto-publish CAS images for the latest and all other relevant tagged releases.

Eureka Service Discovery

Thanks to Spring Cloud, CAS provides integration support for Eureka Service Discovery.

Spring Cloud w/ Apache ZooKeeper

More of a documentation enhancement and thanks to community contributions and expertise, the CAS Spring Cloud configuration server is now able to use Apache ZooKeeper as the backend storage service to house CAS settings.

Logging Enhancements

Another documentation improvement, the CAS logging guide introduces a few new sections to explain logging layouts. There is also some verbiage that describes how to integrate CAS logs with Papertrail.

Spring Boot Administration Server

Starting with this release, the actuator endpoints provided by Spring Boot can be managed remotely via the Spring Boot Admin server dashboard.

Multifactor EntityID Trigger

In cases where authentication is delegated to CAS most commonly from a Shibboleth Identity Provider, the entityId is passed to CAS as an extra request parameter to indicate the service provider. In this release, CAS begins to recognize the entityId parameter and treat it as a normal service that is linked to the CAS service registry which can then be assigned different access strategy and multifactor authentication policies.

Principal ID As Attribute

A small enhancement to CAS attribute release policies where now, the principal id itself can be released as a custom attribute of your own choosing on a per-service basis.

Groovy Attribute Value Filters

Attribute values for release policies can now take advantage of Groovy scripts to weed through the released collection dynamically.


Additional docs are now available to explain:

Additionally, common CAS configuration settings that apply to more than one module are given their own dedicated space.

Minor Changes

A number of small bug fixes and improvements have been incorporated into this feature release:

Community Contributions

  • Acceptable Usage Policy is now able to correctly accept and store user decisions.
  • Hazelcast ticket registry is now able to properly decode and find encrypted tickets.
  • Minor updates to CAS messages bundles for non-english languages.
  • Support for configuration of container-managed JDBC connections is added to this release candidate.
  • Minor fixes to how OAuth/OpenID Connect tickets are deserialized and stored in JSON-based ticket registries.
  • Google Apps integration correctly should handle the inResponseTo attribute.
  • X509 authentication should correctly route the user back to the login form in cases of authentication failures.
  • Google authenticator backed by JDBC should properly create and name databasse tables.
  • Minor fixes to OpenID module to ensure views can proper render for ticket validation and other requests.
  • Minor fixes to OpenID Connect module to ensure scopes can properly be filtered, and that clients are fully loaded and management via the services management web application.


  • MDC logging is now respecting nullable properties of the HTTP request.
  • Authy as a multifactor authentication provider gains the ability to specify the country code for the user phone number.
  • MFA flows are now able to correctly handle scenarios where authentication produces warnings.
  • OAuth2 password grant type is now correctly able to issue user profiles.
  • Ticket registry cleaner is no longer scheduled as a no-op if it’s disabled in the configuration.
  • A regression; CAS should resume supporting the duration syntax (i.e PT20S) for settings.
  • Documentation additions to explain how to generate various signing and encryption keys for CAS manually.

Library Upgrades

  • Apache Tomcat
  • Spring Cloud
  • Hazelcast
  • Thymeleaf
  • Log4j
  • Spring
  • Hibernate
  • Spring Boot

What’s Next?

The development team is working to make sure the CAS 5.1.0 release is on schedule. This is the last release candidate in the 5.1.x release and the project will gear up to perform a few more rounds of testing and validation before the official GA release is tagged and made available.

Get Involved

  • Start your CAS deployment today. Try out features and share feedback.
  • Better yet, contribute patches.
  • Review and suggest documentation improvements.
  • Review the release schedule and make sure you report your desired feature requests on the project’s issue tracker.

Das Ende

A big hearty thanks to all who participated in the development of this release to submit patches, report issues and suggest improvements. Keep’em coming!

Misagh Moayyed

Related Posts

CAS 5.3.0 RC3 Feature Release which I present an overview of CAS 5.3.0 RC3 release.

Apereo CAS - REFEDS MFA Profile with shib-cas-authn3

An overview of the shib-cas-authn3 project and its support for the REFEDS MFA profile with both the Shibboleth Identity Provider and Apereo CAS lending a hand.

Forced Authentication with Apereo CAS

Discourse on supporting forced authentication with the Apereo CAS server from the perspective of an application protected with mod-auth-cas, the Apache httpd module for CAS.

Apereo CAS - Dances with Protocols

A short overview of how Apereo CAS may support multiple authentication protocols simultaneously while acting as both the primary identity provider or proxying another. Two Socks could not be reached for comments.

Why does uPortal use Apache 2 license?

Apache2 chose uPortal.

Apereo CAS - Attribute-based Application Authorization

A walkthrough to demonstrate how one might fetch attributes from a number of data sources, turning them into roles that could then be used to enforce application access and authorization.

CAS 5.3.0 RC2 Feature Release which I present an overview of CAS 5.3.0 RC2 release.

CAS 5.2.x Deployment - WAR Overlays

Learn how to configure and build your own CAS deployment via the WAR overlay method, get rich quickly, stay healthy indefinitely and respect family and friends in a few very easy steps.

Link CAS OIDC user to existing Database user

In which we show to link OIDC id to LDAP database user.

CAS Multifactor Authentication with Duo Security

A short walkthrough to demonstrate how one might turn on multifactor authentication with CAS using Duo Security, leveraging a variety of triggers.