CAS 6.0.0 RC3 Feature Release

The blog is managed and hosted on GitHub. If you wish to update the contents of this post or if you have found an inaccuracy and wish to make corrections, we recommend that you please submit a pull request to this repository.

The official CAS 5.3.0 GA was released on June 29th, 2018. Since then, the project has been moving forward with development of the next feature release that is tagged as 6.0.0. Note that this is a major release of the CAS software which may present significant changes in architecture, configuration or behavior. Please review the release policy to learn more about the scope of the release.

This post intends to highlight some of the improvements and enhancements packed into the third release candidate in the 6.0.0 series.

You can read about the previous release candidate here.

Shake Well Before Use

We strongly recommend that you take advantage of the release candidates as they come out. Waiting for a GA release is only going to set you up for unpleasant surprises. A GA is simply a tag and nothing more. Note that CAS releases are strictly time-based releases; they are not scheduled or based on specific benchmarks, statistics or completion of features. To gain confidence in a particular release, it is strongly recommended that you start early by experimenting with release candidates and/or follow-up snapshots.

In order to start experimenting with release candidates, at any given time, you should be able to append -SNAPSHOT to the CAS version specified in order to take advantage of snapshot builds as changes are made and published.


In the of the overlay, adjust the following setting:



New & Noteworthy

JDK 11

Starting with this version and continuing the effort from previous releases, CAS requires and builds against JDK 11. Travis CI has switched over to use OpenJDK 11 to build and publish CAS server SNAPSHOT releases, and the entire distribution has also been tested using Oracle JDK 11.

Important changes in Oracle JDK 11 License
With JDK 11 Oracle has updated the license terms on which Oracle JDK is offered. The new Oracle Technology Network License Agreement for Oracle Java SE is substantially different from the licenses under which previous versions of the JDK were offered. Please review the new terms carefully before downloading and using this product. Oracle also offers this software under the GPL License on

The key part of the license is as follows:

You may not: use the Programs for any data processing or any commercial, production, or internal business purposes other than developing, testing, prototyping, and demonstrating your Application.

So, do NOT download or use the Oracle JDK unless you intend to pay for it. Use an OpenJDK build instead.

CouchDb Support

Extensive CouchDb support is now provided by CAS to handle storage concerns when it comes to ticketing, authentication, audit and throttling, multifactor authentication, and more.

SAML2 IdP Single Logout

Basic functionality is now included to have CAS submit SAML2 logout requests to SAML2 service providers, who currently have a registered a session with CAS. This will continue to be a work-in-progress item, to be improved and finalized prior to the final GA release.

Delegated AuthN via HiOrg-Server

Delegated authentication is now able to support HiOrg-Server.

SAML2 Encryptable Attributes

Configuration for SAML2 registered services can now specify attributes that should be optionally included in or excluded from encryption in the final SAML2 response.

Multifactor Authentication & Duo Security

Significant changes in the multifactor authentication API and modules are incorporated in this release to better handle failure modes across all providers. The integration with Duo Security is also greatly improved internally to reduce API noise when it comes to registering multiple Duo configurations with CAS.

RADIUS Multifactor Authentication

RADIUS authentication is now able to honor the AccessChallenge response from the radius server, and properly prompt for multifactor authentication. This capability was best tested against CensorNet’s RADIUS server functionality.

Spring Boot Administration Server

The CAS integration with the Spring Boot Administration Server is now brought up to speed to be compatible with the latest Spring Boot release.

SAML2 IdP Metadata via Amazon S3

Metadata artifacts that belong to CAS as a SAML2 identity provider may also be managed and stored via Amazon S3 buckets.

Smaller Stuff

  • Additional settings to support fallback principal attributes when dealing with X.509 principal resolution.
  • Delegated authentication is improved to execute the authentication step only once.
  • SAML2 delegated authentication is now capable of virtually renaming SAML2 attributes.
  • Service access strategy for SAML2 service providers and other service types can now handle the unauthorizedRedirectUrl setting.
  • Radius authentication now attempts to also submit the client IP address to the radius server.
  • Small fixes to the SAML2 callback url pattern construction.
  • New attribute renderer components are introduced to enhance the CAS v1 validation response, if needed.
  • CAS internal Gradle build should continue to work against IDEA 2018.3 EAP.
  • SAML2 responses can optionally include a NameID for SubjectConfirmation blocks, on a per-service basis.
  • SAML2 responses can populate the Destination field.
  • The background job responsible for cleaning trusted expired MFA records is now scheduled correctly on startup.
  • Attribute resolution via external groovy scripts, handled by PersonDirectory, can now properly recognize the engine name.
  • Hazelcast health monitoring imports its reporting of memory statistics.
  • Registration of PrincipalResolver and AuditPrincipalIdProvider is now refactored to use *Configurer type of strategies as callbacks.
  • Loading CAS configuration files is modified to better match Spring Boot behavior.
  • Performance improvements to HTTP calls and caching of responses.
  • Small number of dependency fixes that deal with auto configuration of Spring Cloud Config, Spring Cloud Config Bus and Spring Cloud Config Watch.
  • Detection of the SAML2 SLO url location in metadata is now changed to locate the right binding (See SAML2 SLO support above).
  • A new setting is now introduced to force CAS to restrict the authentication handler selection via source attached to the credential and provided via the login form.
  • A new authentication policy is now included to force all authentication handlers to validate the given credential.
  • The default RADIUS authentication strategy is switched to use the send-and-receive asynchronous model in anticipation of AccessChallenge RADIUS server responses.

Library Upgrades

  • Spring
  • Spring Boot
  • Spring Boot Admin
  • Hazelcast
  • OpenSAML
  • Jackson
  • Mockito
  • Spotbugs
  • Person Directory
  • Pac4j
  • Spring Data
  • Spring Cloud
  • Amazon SDK
  • Micrometer
  • UnboundID
  • Twilio
  • Nexmo
  • Spring Security
  • Google Maps
  • Apache Groovy


Get Involved


Big thanks to all who participate in the development of this release to submit patches and contribute improvements. Keep’em coming!

Misagh Moayyed

Related Posts

CAS OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the CAS software acting as an OpenID Connect Provider.

CAS OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the CAS software acting as an OpenID Connect Provider.

CAS Spring Framework RCE Vulnerability Disclosure

Disclosure of the Spring framework RCE security issue with the Apereo CAS software.

CAS OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the CAS software acting as an OpenID Connect Provider.

CAS Log4J Vulnerability Disclosure

Disclosure of a security issue with the CAS software as a consumer of the Log4j logging framework.

CAS Vulnerability Disclosure

Disclosure of a security issue with the CAS software.

Publish Private CAS Releases

GitHub Actions workflows allow publishing to private repositories.

CAS Vulnerability Disclosure

Disclosure of a security issue with the CAS software.

CAS Vulnerability Disclosure

Disclosure of a security issue with the CAS software.

CAS Multifactor Authentication with U2F and Bypass

A short walkthrough to demonstrate how one might turn on multifactor authentication with CAS using U2F and default bypass rule.