CAS 5.1.0 RC4 Feature Release

The official CAS 5.0.0 GA was released on November 7th 2016. Since then, the project has been moving forward with development of the next feature release that is tagged as 5.1.0. This post intends to highlight some of the improvements and enhancements packed into the fourth release candidate in the 5.1.0 series.

The in-development documentation of CAS 5.1.0 is available here. The release schedule is also available here. The release policy is available here.

If you are looking for additional info on the previous release candidate, please see this post.

SAML2 Service Providers

A few more SAML2 service providers are added to this release namely Adobe Cloud, AcademicWorks, Infinite Campus, Slack, Gartner, Zendesk and more.

CAS Demos

CAS demos are neatly organized and deployed on Heroku.

Surrogate Authentiction

The ability to authenticate on behalf of another user, so called Surrogate Authentication, is now included in this release.

SAML2 NameID Qualifiers

SAML2 service definitions are now allowed the option to override the name qualifiers for a given subject’s name id.

Scripted Attribute Release

Scripted attribute release policies are now able to accept an inlined groovy script as well.

Distributed Tracing

CAS embraces Spring Cloud Sleuth which implements a distributed tracing solution for Spring Cloud.

Encrypted Service Usernames

CAS username providers are now able to encrypt the resolved username using the service public key. Applications are expected to decrypt of course using their paired private key.

Automated Docker Cloud Builds

CAS is now taking advantage of Docker Cloud’s automated builds to auto-publish CAS images for the latest and all other relevant tagged releases.

Eureka Service Discovery

Thanks to Spring Cloud, CAS provides integration support for Eureka Service Discovery.

Spring Cloud w/ Apache ZooKeeper

More of a documentation enhancement and thanks to community contributions and expertise, the CAS Spring Cloud configuration server is now able to use Apache ZooKeeper as the backend storage service to house CAS settings.

Logging Enhancements

Another documentation improvement, the CAS logging guide introduces a few new sections to explain logging layouts. There is also some verbiage that describes how to integrate CAS logs with Papertrail.

Spring Boot Administration Server

Starting with this release, the actuator endpoints provided by Spring Boot can be managed remotely via the Spring Boot Admin server dashboard.

Multifactor EntityID Trigger

In cases where authentication is delegated to CAS most commonly from a Shibboleth Identity Provider, the entityId is passed to CAS as an extra request parameter to indicate the service provider. In this release, CAS begins to recognize the entityId parameter and treat it as a normal service that is linked to the CAS service registry which can then be assigned different access strategy and multifactor authentication policies.

Principal ID As Attribute

A small enhancement to CAS attribute release policies where now, the principal id itself can be released as a custom attribute of your own choosing on a per-service basis.

Groovy Attribute Value Filters

Attribute values for release policies can now take advantage of Groovy scripts to weed through the released collection dynamically.


Additional docs are now available to explain:

Additionally, common CAS configuration settings that apply to more than one module are given their own dedicated space.

Minor Changes

A number of small bug fixes and improvements have been incorporated into this feature release:

Community Contributions

  • Acceptable Usage Policy is now able to correctly accept and store user decisions.
  • Hazelcast ticket registry is now able to properly decode and find encrypted tickets.
  • Minor updates to CAS messages bundles for non-english languages.
  • Support for configuration of container-managed JDBC connections is added to this release candidate.
  • Minor fixes to how OAuth/OpenID Connect tickets are deserialized and stored in JSON-based ticket registries.
  • Google Apps integration correctly should handle the inResponseTo attribute.
  • X509 authentication should correctly route the user back to the login form in cases of authentication failures.
  • Google authenticator backed by JDBC should properly create and name databasse tables.
  • Minor fixes to OpenID module to ensure views can proper render for ticket validation and other requests.
  • Minor fixes to OpenID Connect module to ensure scopes can properly be filtered, and that clients are fully loaded and management via the services management web application.


  • MDC logging is now respecting nullable properties of the HTTP request.
  • Authy as a multifactor authentication provider gains the ability to specify the country code for the user phone number.
  • MFA flows are now able to correctly handle scenarios where authentication produces warnings.
  • OAuth2 password grant type is now correctly able to issue user profiles.
  • Ticket registry cleaner is no longer scheduled as a no-op if it’s disabled in the configuration.
  • A regression; CAS should resume supporting the duration syntax (i.e PT20S) for settings.
  • Documentation additions to explain how to generate various signing and encryption keys for CAS manually.

Library Upgrades

  • Apache Tomcat
  • Spring Cloud
  • Hazelcast
  • Thymeleaf
  • Log4j
  • Spring
  • Hibernate
  • Spring Boot

What’s Next?

The development team is working to make sure the CAS 5.1.0 release is on schedule. This is the last release candidate in the 5.1.x release and the project will gear up to perform a few more rounds of testing and validation before the official GA release is tagged and made available.

Get Involved

  • Start your CAS deployment today. Try out features and share feedback.
  • Better yet, contribute patches.
  • Review and suggest documentation improvements.
  • Review the release schedule and make sure you report your desired feature requests on the project’s issue tracker.

Das Ende

A big hearty thanks to all who participated in the development of this release to submit patches, report issues and suggest improvements. Keep’em coming!

Misagh Moayyed

Related Posts

CAS OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the CAS software acting as an OpenID Connect Provider.

CAS Spring Framework RCE Vulnerability Disclosure

Disclosure of the Spring framework RCE security issue with the Apereo CAS software.

CAS OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the CAS software acting as an OpenID Connect Provider.

CAS Log4J Vulnerability Disclosure

Disclosure of a security issue with the CAS software as a consumer of the Log4j logging framework.

CAS Vulnerability Disclosure

Disclosure of a security issue with the CAS software.

Publish Private CAS Releases

GitHub Actions workflows allow publishing to private repositories.

CAS Vulnerability Disclosure

Disclosure of a security issue with the CAS software.

CAS Vulnerability Disclosure

Disclosure of a security issue with the CAS software.

CAS Multifactor Authentication with U2F and Bypass

A short walkthrough to demonstrate how one might turn on multifactor authentication with CAS using U2F and default bypass rule.

CAS Vulnerability Disclosure

Disclosure of a security issue with the CAS software.