The blog is managed and hosted on GitHub. If you wish to update the contents of this post or if you have found an inaccuracy and wish to make corrections, we recommend that you please submit a pull request to this repository.
The official CAS 5.2.0 GA was released on November 27th, 2017. Since then, the project has been moving forward with development of the next feature release, tagged as 5.3.0. This post highlights some of the improvements and enhancements packed into the third release candidate of 5.3.0.
You can read about the previous release candidate here.
- Shake Well Before Use
- SAML Service Provider Metadata via REST
- OAuth2 Audits
- SAML2 Service Providers
- Couchbase 5 Compatibility
- Couchbase Authentication Attributes
- Registered Service Access Strategy Audits
- Impersonation Audits
- Delegated Authentication Access Strategy Audits
- Audit API Improvements
- Impersonation Groovy Access Strategy
- X.509 Authentication via Request Headers
- CAS Protocol Behavior
- Bootstrap 4
- Google Authenticator Multifactor Account Registration
- Multifactor Trusted Devices
- YubiKey Account Public ID Encryption
- Service Registry Multiplicity
- Embedded Apache Tomcat Session Clustering
- Delegated Authentication Non-Sticky Sessions
- Library Upgrades
- Get Involved
- Das Ende
Shake Well Before Use
We strongly recommend that you take advantage of the release candidates as they come out. Waiting for a GA release is only going to set you up for unpleasant surprises; a GA is simply a tag and nothing more. In order to start experimenting with release candidates, use the following strategies.
At any given time, you should be able to append -SNAPSHOT to the CAS version specified in order to take advantage of snapshot builds as changes are made and published.
In the pom.xml of the overlay, adjust the CAS version tag to the release candidate or snapshot you intend to test. In the gradle.properties of the overlay, adjust the CAS version setting in the same way.
- CAS integration tests for Couchbase, DynamoDb and InfluxDb are now automated/enabled via relevant Docker images running as part of Travis CI.
- Thanks to @frett, TGC domain names are once more sanitized, fixing an oversight that snuck into CAS after the adoption of Project Lombok.
- Thanks to @luis100, delegating authentication to SAML IdPs is now able to handle
- Thanks to @tsschmidt, loading CAS configuration properties is now made conditional.
- Thanks to @sbearcsiro, overflows when calculating ticket expirations in MongoDb are now prevented.
- Thanks to @frett, multifactor authentication triggers based on principal/authentication attributes are now allowed to proceed in the absence of a
- CAS builds managed by Travis CI are now broken into multiple jobs using a matrix to account for faster execution times.
-SNAPSHOT releases tend to publish around the 30-minute mark!
- Thanks to @dodok1, multiple RADIUS servers can now be specified in CAS properties, separated by comma.
- Thanks to @fmartelli, delegated SAML2 authentication gains a new setting to allow for the specification of the AttributeConsumingServiceIndex exposed by Pac4j.
- CAS proxy-granting ticket definitions are now correctly registered in the ticket catalog.
- Thanks to @sbearcsiro, a number of time units in CAS are now corrected to properly recognize seconds instead of milliseconds.
- CAS configuration metadata is corrected to properly generate the needed JSON metadata based on configuration settings.
- Thanks to @sbearcsiro, the embedded Apache Tomcat instance is now tweaked using a Customizer component provided by Spring Boot, so that CAS deployments can override the factory themselves (e.g. to enable JNDI) while still benefitting from the CAS Tomcat configuration properties.
- Specifying required authentication handlers for a service no longer interferes with the execution of multifactor authentication.
- Thanks to @hdeadman, the OpenID Connect discovery profile is now able to properly render all settings, and should be able to list all grant types supported by CAS.
- Thanks to @frett, the REST API responsible for generating service tickets can now correctly audit the authentication object.
- Thanks to @sbearcsiro, the embedded Apache Tomcat configuration is refactored and moved into its own component.
- OAuth codes issued by CAS running as an OpenID Connect provider are now strictly scoped to the requesting service when exchanged for access tokens; a code issued to one service can no longer be redeemed by another.
- Thanks to @swlyons, the table names for the DynamoDb Ticket Registry can now be customized in CAS settings.
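The last point above, that an authorization code must only be redeemable by the service it was issued to, is worth seeing in code. The following is an added example written for this post, not CAS code: a minimal token endpoint that binds each code to the requesting client and its redirect URI, makes the code single-use, and treats a presentation by the wrong client as a reason to revoke the code. The client identifiers, callback URIs, the 60-second lifetime and the record layout are assumptions for illustration.

```python
"""Binding an OAuth2 authorization code to the client it was issued to.
Added example, not CAS code; client identifiers, URIs and the record layout are assumptions."""
import secrets
import time
from dataclasses import dataclass


class OAuthError(Exception):
    """A token-endpoint error in RFC 6749 terms (error code plus description)."""

    def __init__(self, error, description):
        super().__init__(f"{error}: {description}")
        self.error = error
        self.description = description


@dataclass(frozen=True)
class AuthCode:
    """What the authorization server remembers about a code it handed out."""
    client_id: str
    redirect_uri: str
    subject: str
    scopes: frozenset
    expires_at: float


class TokenEndpoint:
    CODE_TTL = 60.0  # seconds (assumed); RFC 6749 recommends at most ten minutes

    def __init__(self, clock=time.time):
        self._codes = {}  # code -> AuthCode; stands in for the ticket registry
        self._clock = clock

    def issue_code(self, client_id, redirect_uri, subject, scopes):
        """End of the authorization step: the code is bound to the service that asked."""
        code = secrets.token_urlsafe(32)
        self._codes[code] = AuthCode(client_id, redirect_uri, subject,
                                     frozenset(scopes), self._clock() + self.CODE_TTL)
        return code

    def exchange(self, code, client_id, redirect_uri):
        """Token request. The code is single-use: it is removed on the first presentation,
        so a replay fails even when that first attempt was itself rejected."""
        record = self._codes.pop(code, None)
        if record is None:
            raise OAuthError("invalid_grant", "unknown, expired or already used code")
        if record.expires_at <= self._clock():
            raise OAuthError("invalid_grant", "code expired")
        # Scoping check: a code issued to one service must not be redeemable by another.
        # Without it, a service holding a leaked code could mint tokens in another
        # service's name for that user. RFC 6749 binds the code to the client identifier
        # and redirection URI (4.1.2) and requires the token endpoint to verify that
        # binding (4.1.3). Because the code was already popped, a failed attempt also
        # revokes it for the rightful client.
        if record.client_id != client_id:
            raise OAuthError("invalid_grant", "code was not issued to this client")
        if record.redirect_uri != redirect_uri:
            raise OAuthError("invalid_grant", "redirect_uri does not match the authorization request")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "sub": record.subject, "scope": " ".join(sorted(record.scopes)),
                "client_id": record.client_id}


def demo():
    """Fixed-clock walk-through of the checks; returns each outcome by name."""
    clock = {"now": 1000.0}
    endpoint = TokenEndpoint(clock=lambda: clock["now"])
    callback = "https://app-a.example.org/cb"  # constructed sample URI
    outcomes = {}

    def attempt(name, code, client_id, redirect_uri=callback):
        try:
            outcomes[name] = endpoint.exchange(code, client_id, redirect_uri)["sub"]
        except OAuthError as err:
            outcomes[name] = err.description

    code = endpoint.issue_code("app-a", callback, "alice", ["openid", "profile"])
    attempt("leaked_code_used_by_other_client", code, "app-b")
    attempt("same_code_then_used_by_rightful_client", code, "app-a")
    code = endpoint.issue_code("app-a", callback, "alice", ["openid", "profile"])
    attempt("fresh_code_used_by_rightful_client", code, "app-a")
    attempt("replay_of_redeemed_code", code, "app-a")
    code = endpoint.issue_code("app-a", callback, "alice", ["openid"])
    clock["now"] += TokenEndpoint.CODE_TTL + 1
    attempt("expired_code", code, "app-a")
    return outcomes
```

The order of the checks matters: the code is removed from the store before any comparison, so a code that has been presented by the wrong client cannot subsequently be redeemed by the right one, and a legitimately redeemed code cannot be replayed. Running `demo()` shows each of those paths failing with a distinct `invalid_grant` description while the fresh, correctly scoped exchange succeeds.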
SAML Service Provider Metadata via REST
SAML2 service provider metadata can now be fetched from more traditional REST endpoints, as an alternative to deploying an MDQ server. See this guide for more info.
OAuth2 Audits
Thanks to @dima767, OAuth2 and OpenID Connect interactions (authentication requests and user profile responses) with CAS are now sent to the audit log.
SAML2 Service Providers
The following new SAML2 service providers are now supported by CAS out of the box:
- Concur Solutions
Couchbase 5 Compatibility
Thanks to @dima767, CAS integration tests for service/ticket registries are now verified and made functional against Couchbase 5. Additional test cases are also added to verify Couchbase authentication.
Couchbase Authentication Attributes
Similar to above, authenticating credentials against a Couchbase data store in CAS now gains the ability to also fetch attributes as part of the returned data row.
Registered Service Access Strategy Audits
Delegated Authentication Access Strategy Audits
While delegating authentication to an external identity provider, access strategy events that enforce the usage of the external identity provider are now sent to the audit log.
Audit API Improvements
In collaboration with @dima767, CAS components that are typically not managed as Spring @Beans are now put through a mini framework so that they can become eligible for auditing purposes. The API changes in this area, while non-intrusive, allow CAS to audit the likes of the service access strategy events noted above.
Impersonation Groovy Access Strategy
Impersonation features of CAS gain access to a Groovy option to execute authorization rules for surrogate authentication.
X.509 Authentication via Request Headers
Thanks to @hdeadman, X.509 authentication now optionally gains the ability to extract the client certificate from a request header, for deployments where a TLS-terminating proxy in front of CAS forwards the certificate it received from the client.
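A header carrying a certificate is only as trustworthy as the proxy that set it, so the feature is worth pairing with a source check. The following is an added example written for this post, not CAS code: it accepts the certificate header only from an allow-list of proxy addresses, tolerates the two common ways proxies flatten PEM into a header (URL-encoded, as nginx's `$ssl_client_escaped_cert` does, or newlines turned into spaces, as an Apache httpd `RequestHeader` of `SSL_CLIENT_CERT` does), and hands back DER bytes. The header name `X-Client-Cert`, the proxy addresses and the certificate bytes are constructed assumptions; the sample "certificate" is a five-byte DER placeholder, not a real certificate, since the point is the header handling rather than certificate parsing.

```python
"""Client certificate taken from a request header set by a TLS-terminating proxy.
Added example, not CAS code; header name, proxy addresses and sample bytes are assumptions."""
import re
import ssl
from urllib.parse import unquote

PEM_BODY = re.compile(
    r"-----BEGIN CERTIFICATE-----(?P<body>.*?)-----END CERTIFICATE-----", re.DOTALL)


class UntrustedHeaderSource(Exception):
    """The certificate header arrived from a peer that is not one of our proxies."""


def certificate_from_headers(headers, remote_addr, trusted_proxies,
                             header_name="X-Client-Cert"):
    """Return the DER bytes of the certificate carried in header_name, or None when the
    header is absent (so other authentication handlers can still run)."""
    value = headers.get(header_name)
    if value is None:
        return None
    # The header is a claim, not a proof: anyone who can reach this port without going
    # through the proxy can set it. Honour it only from the proxies that terminate TLS,
    # and make those proxies drop any client-supplied copy of the header before forwarding.
    if remote_addr not in trusted_proxies:
        raise UntrustedHeaderSource(f"{header_name} received from non-proxy peer {remote_addr}")
    match = PEM_BODY.search(unquote(value))
    if match is None:
        raise ValueError("header does not carry a PEM-framed certificate")
    # Rebuild canonical PEM (one base64 body between newline-delimited markers) so the
    # stdlib decoder accepts it regardless of how the proxy flattened it.
    body = "".join(match.group("body").split())
    pem = f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----"
    der = ssl.PEM_cert_to_DER_cert(pem)
    if not der or der[0] != 0x30:  # an X.509 Certificate is a DER SEQUENCE
        raise ValueError("decoded header content is not a DER SEQUENCE")
    return der


# Constructed sample data (not a real certificate): SEQUENCE { INTEGER 1 }, whose base64
# form is "MAMCAQE=", presented the way nginx and Apache httpd would each forward it.
PLACEHOLDER_DER = bytes.fromhex("3003020101")
TRUSTED_PROXIES = {"10.0.0.5", "10.0.0.6"}
NGINX_HEADERS = {"X-Client-Cert":
                 "-----BEGIN%20CERTIFICATE-----%0AMAMCAQE%3D%0A-----END%20CERTIFICATE-----%0A"}
APACHE_HEADERS = {"X-Client-Cert":
                  "-----BEGIN CERTIFICATE----- MAMCAQE= -----END CERTIFICATE-----"}
```

In a real deployment the returned DER would go on to the usual X.509 path (chain validation, revocation checks, principal extraction); what this snippet adds is the refusal to accept the header at all from anything but the proxy, which is the check that turns a forwarded header from a spoofable string into something worth authenticating against.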
CAS Protocol Behavior
Certain aspects of the CAS protocol, such as proxy or renewed authentication, can now be controlled via CAS settings.
Bootstrap 4
Thanks to @mindblender, CAS user interfaces begin to take advantage of Bootstrap v4 and FontAwesome v5. The Thymeleaf templates are also transformed to be easier to maintain as natural/native views.
Google Authenticator Multifactor Account Registration
Multifactor authentication provided by Google Authenticator in CAS has the ability to register users and devices as part of the authentication flow. In this release candidate, device registration records are by default signed/encrypted before they are stored in the registration store.
This may be a breaking change. While the setting is on by default, you can disable the signing/encryption operations that CAS applies to device registration records.
Multifactor Trusted Devices
Multifactor trusted-device support gains the ability to determine device fingerprints in order to distinguish trusted devices from each other.
This may be a breaking change. Adding custom device fingerprint support necessitated a schema update for trust records.
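The two multifactor items above, signed registration records and device fingerprints for trust records, share a pattern that the following added example illustrates. It is written for this post and is not CAS code: a fingerprint is derived from an ordered set of request components, trust records are stored as canonical JSON with an HMAC-SHA256 tag, and a record whose tag does not verify (tampered, or written before signing was enabled and therefore untagged) is never treated as trusted, which is exactly why switching signing on is a breaking change for existing records. Which components feed the fingerprint, the record layout and the key are assumptions; only signing is shown, since the Python standard library has no symmetric cipher for the encryption half.

```python
"""Device fingerprints and signed trusted-device records.
Added example, not CAS code; the components hashed and the record layout are assumptions."""
import base64
import hashlib
import hmac
import json
import time

SEPARATOR = "\x1f"  # ASCII unit separator; rejected inside components so joins are unambiguous


def device_fingerprint(components):
    """Reduce ordered fingerprint inputs (here: a long random device cookie value, the
    client address and the User-Agent) to one opaque identifier. The address breaks for
    roaming clients and the User-Agent is chosen by the client, so the cookie value is
    the component that actually makes the fingerprint hard to forge."""
    for component in components:
        if SEPARATOR in component:
            raise ValueError("separator byte inside fingerprint component")
    digest = hashlib.sha256(SEPARATOR.join(components).encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")


class SignedTrustStore:
    """Trust records stored as canonical JSON plus an HMAC-SHA256 tag. A record whose tag
    does not verify is skipped rather than trusted, so the store fails closed."""

    def __init__(self, signing_key, clock=time.time):
        if len(signing_key) < 32:
            raise ValueError("signing key must be at least 256 bits")
        self._key = signing_key
        self._clock = clock
        self.rows = []  # (record_json, tag); stands in for the trust-record table

    def _tag(self, record_json):
        return hmac.new(self._key, record_json.encode("utf-8"), hashlib.sha256).hexdigest()

    def _record_json(self, principal, fingerprint, ttl_seconds):
        record = {"principal": principal, "fingerprint": fingerprint,
                  "expires": self._clock() + ttl_seconds}
        return json.dumps(record, sort_keys=True, separators=(",", ":"))

    def remember(self, principal, fingerprint, ttl_seconds):
        record_json = self._record_json(principal, fingerprint, ttl_seconds)
        self.rows.append((record_json, self._tag(record_json)))

    def import_unsigned(self, principal, fingerprint, ttl_seconds):
        """Simulates a record left behind by a deployment that did not sign records."""
        self.rows.append((self._record_json(principal, fingerprint, ttl_seconds), ""))

    def is_trusted(self, principal, fingerprint):
        now = self._clock()
        for record_json, tag in self.rows:
            if not hmac.compare_digest(tag, self._tag(record_json)):
                continue  # unsigned or tampered: ignore it, do not fail open
            record = json.loads(record_json)
            if (record["principal"] == principal and record["fingerprint"] == fingerprint
                    and record["expires"] > now):
                return True
        return False


def demo():
    """Fixed-clock walk-through with constructed sample values; returns each outcome by name."""
    clock = {"now": 5000.0}
    store = SignedTrustStore(b"\x42" * 32, clock=lambda: clock["now"])
    laptop = device_fingerprint(["c0ffee-cookie-value", "198.51.100.7", "Mozilla/5.0"])
    script = device_fingerprint(["c0ffee-cookie-value", "198.51.100.7", "curl/8.0"])
    store.remember("alice", laptop, ttl_seconds=86400)
    store.import_unsigned("bob", laptop, ttl_seconds=86400)
    outcomes = {
        "laptop_trusted": store.is_trusted("alice", laptop),
        "other_ua_not_trusted": store.is_trusted("alice", script),
        "other_user_not_trusted": store.is_trusted("carol", laptop),
        "legacy_unsigned_not_trusted": store.is_trusted("bob", laptop),
    }
    # Rewrite the stored principal: the tag no longer verifies, so the record is ignored.
    record_json, tag = store.rows[0]
    store.rows[0] = (record_json.replace('"alice"', '"mallory"'), tag)
    outcomes["tampered_not_trusted"] = store.is_trusted("mallory", laptop)
    store.rows[0] = (record_json, tag)
    clock["now"] += 86401
    outcomes["expired_not_trusted"] = store.is_trusted("alice", laptop)
    return outcomes
```

The `import_unsigned` path is the migration hazard the post warns about: once verification is on, every pre-existing unsigned record silently stops counting as a trusted device, so users are re-prompted for a second factor until they re-register. Plan for that (or re-sign the table during the upgrade) rather than discovering it from the help desk.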
YubiKey Account Public ID Encryption
Service Registry Multiplicity
Internal improvements are in place to allow each module the capability of hosting its own service registry, making CAS effectively able to work with more than one service registry at the same time. In theory, this provides the option of having, for instance, both JSON and YAML service registries work together. The real motivation for this change is to allow the introduction of internal, immutable service registries that may be ephemeral, especially in view of how CAS handles multiple protocol support with callback services that were, before this change, expected to be inserted into and found in the service registry.
Embedded Apache Tomcat Session Clustering
The embedded Apache Tomcat container now exposes options to allow for session clustering and replication.
Delegated Authentication Non-Sticky Sessions
Delegated authentication in CAS has been redesigned in certain areas to remove the requirement of sticky sessions, especially in clustered deployments. The internal changes needed to accommodate this behavior are rather significant, so please be sure to test and contribute back any issues you discover. This behavior is also extended to include and support delegating authentication to ADFS instances.
Library Upgrades
- Couchbase Java Client
- Amazon Java SDK
- Apache CXF
- Azure KeyVault
- Google ZXing
- Yubico U2F
- Google Maps
- PostgreSQL Driver
- MariaDb Driver
- Bootstrap & FontAwesome
- Apache Cassandra Driver
- Font Awesome
- Thymeleaf Dialect
Get Involved
- Start your CAS deployment today. Try out features and share feedback.
- Better yet, contribute patches.
- Suggest and apply documentation improvements.
Das Ende
Big thanks to all who participated in the development of this release by submitting patches and contributing improvements. Keep 'em coming!