The blog is managed and hosted on GitHub. If you wish to update the contents of this post or if you have found an inaccuracy and wish to make corrections, we recommend that you please submit a pull request to this repository.
The official CAS
6.0.0 GA was released on December 28th, 2018. Since then, the project has been moving forward with the development of the next feature release that is tagged as
6.1.0. Please review the release policy to learn more about the scope of the release. This post intends to highlight some of the improvements and enhancements packed into the third release candidate in the
You can read about the previous release candidate here.
Shake Well Before Use
We strongly recommend that you take advantage of the release candidates as they come out. Waiting for a
GA release is only going to set you up for unpleasant surprises. A
GA is simply a tag and nothing more. Note that CAS releases are strictly time-based releases; they are not scheduled or based on specific benchmarks, statistics or completion of features. To gain confidence in a particular release, it is strongly recommended that you start early by experimenting with release candidates and/or follow-up snapshots.
In order to start experimenting with release candidates, at any given time, you should be able to append
-SNAPSHOT to the CAS version specified in order to take advantage of snapshot builds as changes are made and published.
gradle.properties of the overlay, adjust the following setting:
There are no changes to the minimum system/platform requirements for this release.
- New & Noteworthy
- OpenID Connect Response Mode
- Principal Attribute Repositories
libc crypt(3)Password Encoding
- Duo Security Account Status Endpoint
- SAML2 Attribute Friendly Names
- Ticket Expiration Policy per Service
- SAML2 Service Providers
- Google Analytics Cookies
- Existing SSO Sessions & UI
- JavaMelody Monitoring
- SSO Participation per Service
- Google Authenticator w/ Redis
- OAuth & OpenID Connect Sessions
- Other Stuff
- Library Upgrades
- Get Involved
New & Noteworthy
id_token Response Type
CAS acting as an OAuth identity provider gains support for
id_token as a new response type.
OpenID Connect Response Mode
CAS acting as an OpenID Connect provider is now able to support the
Principal Attribute Repositories
Principal attribute repositories assigned to a service definition can now narrow down the collection of attribute repositories to fetch attributes at release time. The attribute resolution engine backed by Person Directory is also tweaked to allow for additional filtering mechanisms.
libc crypt(3) Password Encoding
Support for password encoding using a
crypt(3) compatible way has been added through a special
GLIBC_CRYPT encoder type.
Duo Security Account Status Endpoint
A new actuator endpoint for Duo Security to fetch and report back on user account status.
SAML2 Attribute Friendly Names
Attribute friendly names put into the SAML2 response can now be defined globally first, and then overridden on a per-service basis.
Ticket Expiration Policy per Service
Service and proxy ticket expiration policies can optionally be decided on a per-service basis.
SAML2 Service Providers
The list of supported SAML2 Service Providers continues to grow with new additions such as ArmsSoftware, Academic HealthPlans, etc.
Google Analytics Cookies
Integration with Google Analytics is extracted into its own module which MUST be included in the overlay to activate the functionality. CAS also presents the ability to drop in a special cookie upon successful authentication events to be later process and consumed by Google Analytics. The value of this cookie is determined as a principal/authentication attribute.
Existing SSO Sessions & UI
Additional user interface work is done to detect existing a single sign-on session for a user and display modest warnings, in the event that re-authentication is being forced.
Integration with JavaMelody Monitoring is now provided out of the box.
SSO Participation per Service
SSO Participation of applications can now be controlled conditionally on a per-service basis.
Google Authenticator w/ Redis
Multifactor authentication with Google Authenticator gains support for Redis as a storage option to manage tokens and accounts/devices.
OAuth & OpenID Connect Sessions
- Allow the OAuth
profileendpoint to accept and produce claims and attributes with non-primitive complex object types.
- Additional options to let CAS URL-decode authentication requests for relevant SAML2 profiles when running as a SAML2 identity provider.
- A collection of new object types (i.e. attribute release policies, etc) are now registered with Kryo to prevent serialization issues with Memcached.
- Additional logging and instrumentation for throttled authentication attempts and expiration policies.
- Preserve parameters in the CAS authentication flow, if the initial request to the
/loginendpoint is done via a
- Ensure all ticket types are recognized during object serialization for MongoDb and CouchDB ticket registries.
- The caching strategy for principal attribute repositories is redesigned as a standalone Spring bean.
- Registration of CAS views rendered upon service validation is redesigned and refactored internally.
- Incremental improvements to delegated authentication to remove reliance on HTTP sessions.
- Minor adjustments to ticket-granting ticket expiration policy based on throttled timeouts.
- Dynamic construction of Hazelcast-backed maps can now specify their merging strategy when dealing with duplication.
- Registration of CAS SSO participation strategies is redesigned and refactored internally.
- Core components from the WS-Federation STS module are broken down and extracted into an
apimodule for better extensibility.
- Core components from the reports module are broken down and extracted into an
apimodule for better extensibility.
- Fetching dynamic metadata via MDQ should no longer require explicit entity ids in the SAML service definition.
- Incremental improvements to delegated authentication so it can work correctly in concert with multifactor authentication.
- Hazelcast AWS
- Couchbase Driver
- Cassandra Driver
- Google Maps
- Apache Tomcat
- Amazon SDK
- Nimbus OIDC
- Commons Lang
- Spring Boot
- Spring Security
- Start your CAS deployment today. Try out features and share feedback.
- Better yet, contribute patches.
- Suggest and apply documentation improvements.
Big thanks to all who participate in the development of this release to submit patches and contribute improvements. Keep’em coming!