CAS 6.1.0 RC3 Feature Release



The official CAS 6.0.0 GA was released on December 28th, 2018. Since then, the project has been moving forward with the development of the next feature release that is tagged as 6.1.0. Please review the release policy to learn more about the scope of the release. This post intends to highlight some of the improvements and enhancements packed into the third release candidate in the 6.1.0 series.

You can read about the previous release candidate here.

Shake Well Before Use

We strongly recommend that you take advantage of the release candidates as they come out. Waiting for a GA release is only going to set you up for unpleasant surprises. A GA is simply a tag and nothing more. Note that CAS releases are strictly time-based releases; they are not scheduled or based on specific benchmarks, statistics or completion of features. To gain confidence in a particular release, it is strongly recommended that you start early by experimenting with release candidates and/or follow-up snapshots.

To experiment with release candidates at any time, append -SNAPSHOT to the CAS version you specify; this picks up the snapshot builds that are published as changes are made.

Overlay

In the gradle.properties of the overlay, adjust the following setting:

casVersion=6.1.0-RC3

System Requirements

There are no changes to the minimum system/platform requirements for this release.

Changes

New & Noteworthy

OAuth id_token Response Type

CAS acting as an OAuth identity provider gains support for id_token as a new response type.

OpenID Connect Response Mode

CAS acting as an OpenID Connect provider is now able to support the response_mode parameter.
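The two items above both concern how an authorization response reaches the client: with response_type=id_token the token is returned straight from the authorization endpoint, and response_mode selects whether the parameters travel in the query string, the URL fragment, or a form_post body. The following Python is an added illustration, not CAS code, of what a relying party does on the receiving end: it derives the default response mode from the response type, reads the parameters from the right place, and ties the id_token back to its own request through state, nonce, issuer, audience and expiry. The issuer URL, client id, redirect URI and the unsigned sample token are constructed for the demo; a real relying party verifies the JWS signature against the provider's JWKS before trusting any claim.

```python
import base64
import hmac
import json
from urllib.parse import parse_qs, urlsplit


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def default_response_mode(response_type: str) -> str:
    """Default delivery mechanism per OAuth 2.0 Multiple Response Type Encoding
    Practices: a response type that carries a token (id_token, token) uses the
    fragment so the token never reaches the server logs; plain 'code' uses query."""
    types = set(response_type.split())
    return "fragment" if types & {"id_token", "token"} else "query"


def response_params(response_mode: str, redirect_uri: str = "", form_body: str = "") -> dict:
    """Read the authorization response parameters from wherever response_mode put them."""
    if response_mode == "query":
        raw = urlsplit(redirect_uri).query
    elif response_mode == "fragment":
        raw = urlsplit(redirect_uri).fragment
    elif response_mode == "form_post":
        raw = form_body  # application/x-www-form-urlencoded POST body
    else:
        raise ValueError(f"unsupported response_mode: {response_mode}")
    return {k: v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}


def jwt_payload(id_token: str) -> dict:
    """Decode the payload of a compact JWS. The signature is not checked here;
    a real relying party verifies it against the provider's JWKS first."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a three-part compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def validate_id_token_response(params, expected_state, expected_nonce,
                               issuer, client_id, now):
    """Tie the id_token response back to the relying party's own request.
    Returns (ok, reason)."""
    if not hmac.compare_digest(params.get("state", ""), expected_state):
        return False, "state mismatch"
    if "id_token" not in params:
        return False, "id_token missing"
    claims = jwt_payload(params["id_token"])
    if claims.get("iss") != issuer:
        return False, "unexpected issuer"
    aud = claims.get("aud", [])
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        return False, "client not in audience"
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return False, "id_token expired"
    # The nonce is mandatory for the implicit flow: it binds the token to the
    # session that started the request, so a captured token cannot be replayed.
    if not hmac.compare_digest(str(claims.get("nonce", "")), expected_nonce):
        return False, "nonce mismatch"
    return True, "ok"


def make_sample_id_token(claims: dict) -> str:
    """Constructed, unsigned sample token used only for this demo."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


# Constructed sample values (assumptions for the demo, not real deployment data)
ISSUER = "https://sso.example.org/cas/oidc"
CLIENT_ID = "demo-client"
STATE = "s-4f1c"
NONCE = "n-9b2a"
NOW = 1_700_000_000

SAMPLE_TOKEN = make_sample_id_token({
    "iss": ISSUER, "aud": CLIENT_ID, "sub": "casuser",
    "exp": NOW + 300, "iat": NOW, "nonce": NONCE,
})
# With response_type=id_token the default response_mode is fragment.
SAMPLE_REDIRECT = f"https://app.example.org/cb#id_token={SAMPLE_TOKEN}&state={STATE}"


if __name__ == "__main__":
    mode = default_response_mode("id_token")
    params = response_params(mode, redirect_uri=SAMPLE_REDIRECT)
    print(mode, validate_id_token_response(params, STATE, NONCE, ISSUER, CLIENT_ID, NOW))
```

The state and nonce comparisons use hmac.compare_digest so that a mismatch costs the same time regardless of where the strings diverge; the fragment is never sent to the server by browsers, which is why it is the default for token-bearing response types and why form_post exists for clients that need the parameters server-side.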

Principal Attribute Repositories

Principal attribute repositories assigned to a service definition can now narrow down the collection of attribute repositories to fetch attributes at release time. The attribute resolution engine backed by Person Directory is also tweaked to allow for additional filtering mechanisms.

GNU libc crypt(3) Password Encoding

Support for password encoding using a crypt(3) compatible way has been added through a special GLIBC_CRYPT encoder type.

Duo Security Account Status Endpoint

A new actuator endpoint is available for Duo Security to fetch and report on user account status.

SAML2 Attribute Friendly Names

Attribute friendly names put into the SAML2 response can now be defined globally first, and then overridden on a per-service basis.

Ticket Expiration Policy per Service

Service and proxy ticket expiration policies can optionally be decided on a per-service basis.

SAML2 Service Providers

The list of supported SAML2 Service Providers continues to grow with new additions such as ArmsSoftware, Academic HealthPlans, etc.

Google Analytics Cookies

Integration with Google Analytics is extracted into its own module, which MUST be included in the overlay to activate the functionality. CAS can also drop a special cookie upon successful authentication events, to be later processed and consumed by Google Analytics. The value of this cookie is taken from a principal or authentication attribute.

Existing SSO Sessions & UI

Additional user interface work is done to detect an existing single sign-on session for a user and display modest warnings in the event that re-authentication is being forced.

JavaMelody Monitoring

Integration with JavaMelody Monitoring is now provided out of the box.

SSO Participation per Service

SSO Participation of applications can now be controlled conditionally on a per-service basis.

Google Authenticator w/ Redis

Multifactor authentication with Google Authenticator gains support for Redis as a storage option to manage tokens and accounts/devices.

OAuth & OpenID Connect Sessions

OAuth and/or OpenID Connect features in CAS should no longer have to rely on HTTP sessions and container session replication in clustered deployments.

Other Stuff

  • Allow the OAuth profile endpoint to accept and produce claims and attributes with non-primitive complex object types.
  • Additional options to let CAS URL-decode authentication requests for relevant SAML2 profiles when running as a SAML2 identity provider.
  • A collection of new object types (e.g. attribute release policies) are now registered with Kryo to prevent serialization issues with Memcached.
  • Additional logging and instrumentation for throttled authentication attempts and expiration policies.
  • Preserve parameters in the CAS authentication flow, if the initial request to the /login endpoint is done via a POST.
  • Ensure all ticket types are recognized during object serialization for MongoDb and CouchDB ticket registries.
  • The caching strategy for principal attribute repositories is redesigned as a standalone Spring bean.
  • Registration of CAS views rendered upon service validation is redesigned and refactored internally.
  • Incremental improvements to delegated authentication to remove reliance on HTTP sessions.
  • Minor adjustments to ticket-granting ticket expiration policy based on throttled timeouts.
  • Dynamic construction of Hazelcast-backed maps can now specify their merging strategy when dealing with duplication.
  • Registration of CAS SSO participation strategies is redesigned and refactored internally.
  • Core components from the WS-Federation STS module are broken down and extracted into an api module for better extensibility.
  • Core components from the reports module are broken down and extracted into an api module for better extensibility.
  • Fetching dynamic metadata via MDQ should no longer require explicit entity ids in the SAML service definition.
  • Incremental improvements to delegated authentication so it can work correctly in concert with multifactor authentication.

Library Upgrades

  • SpotBugs
  • Hazelcast AWS
  • Hazelcast
  • Couchbase Driver
  • Cassandra Driver
  • SnakeYAML
  • Twilio
  • Google Maps
  • Apache Tomcat
  • Amazon SDK
  • Nimbus OIDC
  • Commons Lang
  • Guava
  • Ribbon
  • Nexmo
  • Spring Boot
  • Spring Security
  • Spring
  • Gradle

Credits

Big thanks to all who participated in the development of this release by submitting patches and contributing improvements. Keep 'em coming!

Misagh Moayyed
