CAS 6.1.0 RC1 Feature Release

The blog is managed and hosted on GitHub. If you wish to update the contents of this post or if you have found an inaccuracy and wish to make corrections, we recommend that you please submit a pull request to this repository.

The official CAS 6.0.0 GA was released on December 28th, 2018. Since then, the project has been moving forward with development of the next feature release that is tagged as 6.1.0. Please review the release policy to learn more about the scope of the release. This post intends to highlight some of the improvements and enhancements packed into the first release candidate in the 6.1.0 series.

Shake Well Before Use

We strongly recommend that you take advantage of the release candidates as they come out. Waiting for a GA release is only going to set you up for unpleasant surprises. A GA is simply a tag and nothing more. Note that CAS releases are strictly time-based releases; they are not scheduled or based on specific benchmarks, statistics or completion of features. To gain confidence in a particular release, it is strongly recommended that you start early by experimenting with release candidates and/or follow-up snapshots.

In order to start experimenting with release candidates, at any given time, you should be able to append -SNAPSHOT to the CAS version specified in order to take advantage of snapshot builds as changes are made and published.


In the of the overlay, adjust the following setting:

System Requirements
There are no changes to the minimum system/platform requirements for this release.


New & Noteworthy

Hazelcast WAN Replication

Hazelcast WAN replication using static discovery is now supported by CAS.

SAML2 Metadata Management via JSON

SAML2 service provider integrations that do not necessarily provide metadata may be managed dynamically inside a standalone JSON file.

SAML2 Signing Credential Fingerprint

SAML services are given the ability to filter the signing credential used in the metadata by its SHA-1 fingerprint.

SAML2 Attribute Release

SAML2 Attribute Release policies are reorganized to provide distinct policies for both InCommon and REFEDS Research and Scholarship entity categories.

SAML2 Metadata Management

A new endpoint is now exposed that allows one to administer the service provider metadata cache. Minor improvements to the metadata resolution are also in place to ensure metadata cached copies and backup files are maintained correctly.

Git Service Registry

Service registry files can now be managed via Git-backed repositories.

Password Synchronization

Support for password synchronization is now available.

TLS for REST Protocol

REST Protocol is now able to support TLS for client authentication.

SAML1 Validation Actuator Endpoint

SAML1 support presents a new actuator endpoint to output a SAML1 validation payload for a given authentication transaction, allowing one to examine what CAS would produce in such attempts.

SAML2 Response Actuator Endpoint

SAML2 support presents a new actuator endpoint to output a SAML2 response payloads for a given authentication transaction, allowing one to examine what CAS would produce in such attempts.

Delegated Authentication Provisioning

Delegated Authentication gains small measures to handle provisioning tasks for profiles obtained from external identity providers.

Other Stuff

  • A significant migration effort to ensure CAS unit/integration tests are upgraded to use the JUnit 5 framework.
  • The com.unboundid:unboundid-ldapsdk is now included by default when using CAS with LDAP to allow for confirmation of the UnboundIDProvider class as the LDAP connection provider and an alternative to JNDI.
  • REST Authentication can now display warnings as part of the authentication flow.
  • REST Password Management may now support endpoints protected via Basic AuthN.
  • Security of actuator/admin endpoints protected by an IP address can now support regular expressions.
  • A number of Groovy-based components are internally improved to cache and monitor the Groovy script prior to execution.
  • Reduced LOC in favor of Lombok’s annotations such as @Getter, @Setter, etc.
  • Authentication pre/post processing can now be augmented via Groovy scripts.
  • Minor updates to CAS language bundles.
  • The internal Gradle build for the CAS codebase is set to enforce and validate the required Java version automatically before building modules.
  • Acceptable Usage Policy backed by JDBC gains a number of improvements to allow flexible controls over the construction of SQL queries and columns.
  • Internal reorganization of bypass components for multifactor authentication to ensure extensibility.
  • WSFED Protocol is now able to release claims under custom namespaces.
  • Many broken links in the CAS documentation are fixed and automated processes for checking links is now included as part of the CAS build.
  • Delegated authentication for OIDC allows for specifying the response mode and type via CAS settings.
  • Chaining attribute release policies can now control the order and the merging behavior of attributes.

Library Upgrades

  • Hibernate
  • Gradle
  • Azure KeyVault
  • OpenSAML
  • Spring Boot
  • HikariCP
  • Amazon SDK
  • Pac4j
  • JUnit


Get Involved


Big thanks to all who participate in the development of this release to submit patches and contribute improvements. Keep’em coming!

Misagh Moayyed

Related Posts

CAS 6.1.0 RC3 Feature Release which I present an overview of CAS 6.1.0 RC3 release.

Apereo CAS 6.1.x - Credential Caching & Proxy AuthN

Learn how you may configure Apereo CAS to capture and cache the credential's password and the proxy-granting ticket in proxy authentication scenarios, pass them along to applications as regular attributes/claims. We will also be reviewing a handful of attribute release strategies that specifically affect authentication attributes, conveying metadata about the authentication event itself.

Apereo CAS 6.1.x - Attribute Repositories w/ Person Directory

An overview of CAS attribute repositories and strategies on how to fetch attributes from a variety of sources in addition to the authentication source, merge and combine attributes from said sources to ultimately release them to applications with a fair bit of caching.

Apereo CAS 6.1.x - Building CAS Feature Modules

An overview of how various CAS features modules today can be changed and tested from the perspective of a CAS contributor working on the codebase itself to handle a feature request, bug fix, etc.

CAS 6.1.0 RC2 Feature Release which I present an overview of CAS 6.1.0 RC2 release.

Apereo CAS - Riffing on Attribute Release Policies

Learn how to release the kraken of attributes to CAS clients, relying parties and service providers using a variety of attribute release policies and authentication protocols, sampled and collected here to fun and profit.

Apereo CAS - Delegated Authentication to SAML2 Identity Providers

Learn how your Apereo CAS deployment may be configured to delegate authentication to an external SAML2 identity provider.

Apereo CAS - Custom Login Fields w/ Dynamic Bindings

Learn how to extend the Spring Webflow model to add custom fields to the CAS login form and the authentication process and take advantage of the additional user-provided data in customized authentication handlers.

Apereo CAS as an OAuth2 Authorization Server

Learn how to configure CAS as an OAuth2 Authorization Server and configure Spring Boot client app to work with it

Apereo CAS - SAML2 Identity Provider Integration w/ Gitlab (also staring HAProxy and LDAP)

Learn how Apereo CAS may act as a SAML2 identity provider for Gitlab and run everything locally on a workstation with Docker and Java.