The official CAS 5.3.0 GA was released on June 29th, 2018. Since then, the project has been moving forward with development of the next feature release that is tagged as 6.0.0. Note that this is a major release of the CAS software which may present significant changes in architecture, configuration or behavior. Please review the release policy to learn more about the scope of the release.
This post intends to highlight some of the improvements and enhancements packed into the third release candidate in the 6.0.0 series.
You can read about the previous release candidate here.
Shake Well Before Use
We strongly recommend that you take advantage of the release candidates as they come out. Waiting for a GA release is only going to set you up for unpleasant surprises. A GA is simply a tag and nothing more. Note that CAS releases are strictly time-based releases; they are not scheduled or based on specific benchmarks, statistics or completion of features. To gain confidence in a particular release, it is strongly recommended that you start early by experimenting with release candidates and/or follow-up snapshots.
In order to start experimenting with release candidates, at any given time, you should be able to append `-SNAPSHOT` to the CAS version specified in order to take advantage of snapshot builds as changes are made and published.
Overlay
In the `gradle.properties` of the overlay, adjust the following setting:

```properties
casVersion=6.0.0-RC3
```
Changes
New & Noteworthy
JDK 11
Starting with this version and continuing the effort from previous releases, CAS requires and builds against JDK 11. Travis CI has switched over to use OpenJDK 11 to build and publish CAS server `SNAPSHOT` releases, and the entire distribution has also been tested using Oracle JDK 11.
With JDK 11 Oracle has updated the license terms on which Oracle JDK is offered. The new Oracle Technology Network License Agreement for Oracle Java SE is substantially different from the licenses under which previous versions of the JDK were offered. Please review the new terms carefully before downloading and using this product. Oracle also offers this software under the GPL License on jdk.java.net/11.
The key part of the license is as follows:
You may not: use the Programs for any data processing or any commercial, production, or internal business purposes other than developing, testing, prototyping, and demonstrating your Application.
So, do NOT download or use the Oracle JDK unless you intend to pay for it. Use an OpenJDK build instead.
CouchDb Support
Extensive CouchDb support is now provided by CAS to handle storage concerns when it comes to ticketing, authentication, audit and throttling, multifactor authentication, and more.
SAML2 IdP Single Logout
Basic functionality is now included to have CAS submit SAML2 logout requests to SAML2 service providers that currently have a registered session with CAS. This will continue to be a work-in-progress item, to be improved and finalized prior to the final GA release.
Delegated AuthN via HiOrg-Server
Delegated authentication is now able to support HiOrg-Server.
SAML2 Encryptable Attributes
Configuration for SAML2 registered services can now specify attributes that should be optionally included in or excluded from encryption in the final SAML2 response.
Multifactor Authentication & Duo Security
Significant changes in the multifactor authentication API and modules are incorporated in this release to better handle failure modes across all providers. The integration with Duo Security is also greatly improved internally to reduce API noise when it comes to registering multiple Duo configurations with CAS.
RADIUS Multifactor Authentication
RADIUS authentication is now able to honor the `AccessChallenge` response from the RADIUS server, and properly prompt for multifactor authentication. This capability was best tested against CensorNet’s RADIUS server functionality.
Spring Boot Administration Server
The CAS integration with the Spring Boot Administration Server is now brought up to speed to be compatible with the latest Spring Boot release.
SAML2 IdP Metadata via Amazon S3
Metadata artifacts that belong to CAS as a SAML2 identity provider may also be managed and stored via Amazon S3 buckets.
Smaller Stuff
- Additional settings to support fallback principal attributes when dealing with X.509 principal resolution.
- Delegated authentication is improved to execute the authentication step only once.
- SAML2 delegated authentication is now capable of virtually renaming SAML2 attributes.
- Service access strategy for SAML2 service providers and other service types can now handle the `unauthorizedRedirectUrl` setting.
- RADIUS authentication now attempts to also submit the client IP address to the RADIUS server.
- Small fixes to the SAML2 callback url pattern construction.
- New attribute renderer components are introduced to enhance the CAS v1 validation response, if needed.
- CAS internal Gradle build should continue to work against IDEA 2018.3 EAP.
- SAML2 responses can optionally include a `NameID` for `SubjectConfirmation` blocks, on a per-service basis.
- SAML2 responses can populate the `Destination` field.
- The background job responsible for cleaning trusted expired MFA records is now scheduled correctly on startup.
- Attribute resolution via external Groovy scripts, handled by PersonDirectory, can now properly recognize the engine name.
- Hazelcast health monitoring improves its reporting of memory statistics.
- Registration of `PrincipalResolver` and `AuditPrincipalIdProvider` is now refactored to use `*Configurer` type of strategies as callbacks.
- Loading CAS configuration files is modified to better match Spring Boot behavior.
- Performance improvements to HTTP calls and caching of responses.
- Small number of dependency fixes that deal with auto configuration of Spring Cloud Config, Spring Cloud Config Bus and Spring Cloud Config Watch.
- Detection of the SAML2 SLO url location in metadata is now changed to locate the right binding (See SAML2 SLO support above).
- A new setting is now introduced to force CAS to restrict the authentication handler selection via source attached to the credential and provided via the login form.
- A new authentication policy is now included to force all authentication handlers to validate the given credential.
- The default RADIUS authentication strategy is switched to use the send-and-receive asynchronous model in anticipation of `AccessChallenge` RADIUS server responses.
Library Upgrades
- Spring
- Spring Boot
- Spring Boot Admin
- Hazelcast
- OpenSAML
- Jackson
- Mockito
- Spotbugs
- Person Directory
- Pac4j
- Spring Data
- Spring Cloud
- Amazon SDK
- Micrometer
- UnboundID
- Twilio
- Nexmo
- Spring Security
- Google Maps
- Apache Groovy
Resources
Get Involved
- Start your CAS deployment today. Try out features and share feedback.
- Better yet, contribute patches.
- Suggest and apply documentation improvements.
Credits
Big thanks to all who participated in the development of this release by submitting patches and contributing improvements. Keep ’em coming!