CAS 5.1.0 RC4 Feature Release


The official CAS 5.0.0 GA was released on November 7th 2016. Since then, the project has been moving forward with development of the next feature release that is tagged as 5.1.0. This post intends to highlight some of the improvements and enhancements packed into the fourth release candidate in the 5.1.0 series.

The in-development documentation of CAS 5.1.0 is available here. The release schedule is also available here. The release policy is available here.

If you are looking for additional info on the previous release candidate, please see this post.

SAML2 Service Providers

A few more SAML2 service providers are added to this release namely Adobe Cloud, AcademicWorks, Infinite Campus, Slack, Gartner, Zendesk and more.

CAS Demos

CAS demos are neatly organized and deployed on Heroku.

Surrogate Authentiction

The ability to authenticate on behalf of another user, so called Surrogate Authentication, is now included in this release.

SAML2 NameID Qualifiers

SAML2 service definitions are now allowed the option to override the name qualifiers for a given subject’s name id.

Scripted Attribute Release

Scripted attribute release policies are now able to accept an inlined groovy script as well.

Distributed Tracing

CAS embraces Spring Cloud Sleuth which implements a distributed tracing solution for Spring Cloud.

Encrypted Service Usernames

CAS username providers are now able to encrypt the resolved username using the service public key. Applications are expected to decrypt of course using their paired private key.

Automated Docker Cloud Builds

CAS is now taking advantage of Docker Cloud’s automated builds to auto-publish CAS images for the latest and all other relevant tagged releases.

Eureka Service Discovery

Thanks to Spring Cloud, CAS provides integration support for Eureka Service Discovery.

Spring Cloud w/ Apache ZooKeeper

More of a documentation enhancement and thanks to community contributions and expertise, the CAS Spring Cloud configuration server is now able to use Apache ZooKeeper as the backend storage service to house CAS settings.

Logging Enhancements

Another documentation improvement, the CAS logging guide introduces a few new sections to explain logging layouts. There is also some verbiage that describes how to integrate CAS logs with Papertrail.

Spring Boot Administration Server

Starting with this release, the actuator endpoints provided by Spring Boot can be managed remotely via the Spring Boot Admin server dashboard.

Multifactor EntityID Trigger

In cases where authentication is delegated to CAS most commonly from a Shibboleth Identity Provider, the entityId is passed to CAS as an extra request parameter to indicate the service provider. In this release, CAS begins to recognize the entityId parameter and treat it as a normal service that is linked to the CAS service registry which can then be assigned different access strategy and multifactor authentication policies.

Principal ID As Attribute

A small enhancement to CAS attribute release policies where now, the principal id itself can be released as a custom attribute of your own choosing on a per-service basis.

Groovy Attribute Value Filters

Attribute values for release policies can now take advantage of Groovy scripts to weed through the released collection dynamically.

Documentation

Additional docs are now available to explain:

Additionally, common CAS configuration settings that apply to more than one module are given their own dedicated space.

Minor Changes

A number of small bug fixes and improvements have been incorporated into this feature release:

Community Contributions

  • Acceptable Usage Policy is now able to correctly accept and store user decisions.
  • Hazelcast ticket registry is now able to properly decode and find encrypted tickets.
  • Minor updates to CAS messages bundles for non-english languages.
  • Support for configuration of container-managed JDBC connections is added to this release candidate.
  • Minor fixes to how OAuth/OpenID Connect tickets are deserialized and stored in JSON-based ticket registries.
  • Google Apps integration correctly should handle the inResponseTo attribute.
  • X509 authentication should correctly route the user back to the login form in cases of authentication failures.
  • Google authenticator backed by JDBC should properly create and name databasse tables.
  • Minor fixes to OpenID module to ensure views can proper render for ticket validation and other requests.
  • Minor fixes to OpenID Connect module to ensure scopes can properly be filtered, and that clients are fully loaded and management via the services management web application.

Others

  • MDC logging is now respecting nullable properties of the HTTP request.
  • Authy as a multifactor authentication provider gains the ability to specify the country code for the user phone number.
  • MFA flows are now able to correctly handle scenarios where authentication produces warnings.
  • OAuth2 password grant type is now correctly able to issue user profiles.
  • Ticket registry cleaner is no longer scheduled as a no-op if it’s disabled in the configuration.
  • A regression; CAS should resume supporting the duration syntax (i.e PT20S) for settings.
  • Documentation additions to explain how to generate various signing and encryption keys for CAS manually.

Library Upgrades

  • Apache Tomcat
  • Spring Cloud
  • Hazelcast
  • Thymeleaf
  • Log4j
  • Spring
  • Hibernate
  • HSQLDB
  • AWS SDK
  • Spring Boot

What’s Next?

The development team is working to make sure the CAS 5.1.0 release is on schedule. This is the last release candidate in the 5.1.x release and the project will gear up to perform a few more rounds of testing and validation before the official GA release is tagged and made available.

Get Involved

  • Start your CAS deployment today. Try out features and share feedback.
  • Better yet, contribute patches.
  • Review and suggest documentation improvements.
  • Review the release schedule and make sure you report your desired feature requests on the project’s issue tracker.

Das Ende

A big hearty thanks to all who participated in the development of this release to submit patches, report issues and suggest improvements. Keep’em coming!

Misagh Moayyed

Related Posts

JWT Of All Things With CAS

A short tutorial on how to let Apereo CAS handle authentication events accompanied by JWTs.

CAS 5.2.0 RC4 Feature Release

...in which I present an overview of CAS 5.2.0 RC4 release.

August 2017 uPortal Slack summary

Summarizing Slack traffic about uPortal in August 2017.

CAS 5.1.x Load Tests by Lafayette College

Lafayette College shares the results of stress tests executed against a recent CAS 5.1.x deployment.

CAS 5.2.0 RC3 Feature Release

...in which I present an overview of CAS 5.2.0 RC3 release.

Do State The Obvious

A short and sweet reminder and explanation of how marketing in tech works.

Stop Writing Code

A legitimate, comprehensive and inescapably detailed account of the spiderweb of deceit in today’s technology scene; The open-source software ecosystem where victims fall prey to the Goldilocks Syndrome of software customizations and home-grown functionality. This guide aims to uncover the deepest darkest secrets of this treacherous path and yet intentionally offers no hopes or viable solutions at all…except one.

CAS 5.1.x User Swap - Cause and Analysis

Travis Schmidt shares an analysis of chasing down a bug in CAS 5.1.x where user identities were swapped.

Summer 2017 uPortal Roadmap Update

Primarily summarizing the Open Apereo 2017 uPortal Roadmap BOF.

Interrupt CAS With Class

An overview of a recent CAS 5.2.x feature that allows one to interrupt the authentication flow with notifications and advertisements, dictating CAS should treat the authenticated session with configuration and compassion.