The blog is managed and hosted on GitHub. If you wish to update the contents of this post or if you have found an inaccuracy and wish to make corrections, we recommend that you please submit a pull request to this repository.
The official CAS
6.1.0 GA was released in October 2019. Since then, the project has been moving forward with the development of the next feature release that is tagged as
6.2.0. Please review the release policy to learn more about the scope of the release. This post intends to highlight some of the improvements and enhancements packed into the third release candidate in the
If you are looking for additional info on the previous release candidate, please see this post.
- Apereo Membership
- Get Involved
- New & Noteworthy
- CAS Overlay
- Passwordless Authentication
- WebAuthn Support
- Groovy Multifactor Authentication Trigger Per Service
- Google Apps Integration
- Open ID Protocol
- Not-So Passwordless Authentication
- Attribute Definitions Store
- Material Design
- Multifactor Authentication Bypass
- Hazelcast v4
- Passwordless Authentication Integrations
- Spring Cloud Configuration via REST
- Thymeleaf Views
- Other Stuff
- Library Upgrades
If you benefit from Apereo CAS as free and open-source software, we invite you to join the Apereo Foundation and financially support the project at a capacity that best suits your deployment. Note that all development activity is performed almost exclusively on a voluntary basis with no expectations, commitments or strings attached. Having the financial means to better sustain engineering activities will allow the developer community to allocate dedicated and committed time for long-term support, maintenance and release planning, especially when it comes to addressing critical and security issues in a timely manner. Funding will ensure support for the software you rely on and you gain an advantage and say in the way Apereo, and the CAS project at that, runs and operates. If you consider your CAS deployment to be a critical part of the identity and access management ecosystem, this is a viable option to consider.
- Start your CAS deployment today. Try out features and share feedback.
- Better yet, contribute patches.
- Suggest and apply documentation improvements.
Shake Well Before Use
We strongly recommend that you take advantage of the release candidates as they come out. Waiting for a
GA release is only going to set you up for unpleasant surprises. A
GA is simply a tag and nothing more. Note that CAS releases are strictly time-based releases; they are not scheduled or based on specific benchmarks, statistics or completion of features. To gain confidence in a particular release, it is strongly recommended that you start early by experimenting with release candidates and/or follow-up snapshots.
In order to start experimenting with release candidates, at any given time, you should be able to append
-SNAPSHOT to the CAS version in order to take advantage of snapshot builds as changes are made and published.
gradle.properties of the overlay, adjust the following setting:
There are no changes to the minimum system/platform requirements for this release.
New & Noteworthy
bootRun Gradle build task is now restored and made functional for the CAS overlay.
Passwordless Authentication is now broken down to dedicated modules for LDAP, JPA, etc to handle user and/or token management.
Initial baseline work on WebAuthn Support has begun, and while the changes are still in progress and have not landed in the codebase yet, there is a fair amount of progress made to make WebAuthn available as another form of multifactor authentication in CAS. It is expected for this feature to finalize before the final GA release.
Groovy Multifactor Authentication Trigger Per Service
A more advanced and easier-to-configure multifactor authentication is now available in form of a Groovy script to determine the multifactor authentication policy for a registered service.
The old strategy using the
GroovyRegisteredServiceMultifactorPolicy is now deprecated and will be removed in future releases.
Google Apps Integration
Integration with Google Apps is now deprecated and scheduled to be removed in future releases.
Open ID Protocol
The Open ID protocol is now deprecated and scheduled to be removed in future releases.
Not-So Passwordless Authentication
Passwordless Authentication can now conditionally skip the normal passwordless flow and fallback onto the usual cas authentication flow, challenging the user for a password.
Attribute Definitions Store
Attribute definitions can now be defined centrally with additional metadata relevant for each protocol.
Thymeleaf templates and all other CAS views in general are transformed to use Material Design.
Multifactor Authentication Bypass
A new multifactor authentication bypass strategy is now available, where multifactor bypass can be activated for the registered application if the authenticated principal contains an attribute with the specified value(s).
The Hazelcast library mainly used a ticket registry is now upgraded to version 4. Take a look at the release notes published by Hazelcast to learn more available features. The upgrade mainly affects the CAS configuration schema for Hazelcast features, specially when it comes to integrations with the Hazelcast management center.
Passwordless Authentication Integrations
Passwordless Authentication can now be combined with multifactor authentication and delegated authentication flows in CAS using standard multifactor triggers that are already available.
Spring Cloud Configuration via REST
The configuration server available in CAS and backed by Spring Cloud is now also able to fetch CAS settings using a REST API.
Thymeleaf views and related message bundles are moved onto a new dedicated module for
cas-server-support-thymeleaf to allow for maximum reuse and modularization. This is purely an internal change and should not affect deployments or overlays.
- Audit actions are given the ability to be excluded from CAS audit logs via configuration.
testcasscript is altered to accept more than one test category type.
- Bug fix to ensure OAuth’s
nonceparameters are returned back to relying parties in their original value.
- Small number of fixes to delegated authentication, specially when combined with follow-up multifactor flows.
- Additional tests and validations across the codebase modules to try to reach 70% test coverage.
- Fixes to the distributed session store facility to better handle logout ops.
- Multifactor authentication tests are refactored into their own test category for better parallelism.
- The Thymeleaf templating engine is now refactored and extracted from the codebase into its own sepa0rate module.
- Token expiration value reported by OAuth/OIDC introspection is now correctly calculated.
- Small fixes to expiration policies based on idle timeouts to work nicely with JWT-enabled tickets.
- Small UI enhancements to allow Show Password functionality for input fields marked with
- Corrections to service resolution strategies when dealing with SAML2 Unsolicited SSO flows.
- Small API improvements to CAS Event tracking facilities to allow for filtering of events.
- OAuth2 PKCE
code_challengeis now corrected to use a SHA2 digest.
- The hibernate framework is removed as a transitive dependency from modules, preventing it from sneaking out where unnecessary.
- Small improvements to delegated authentication to SAML2 identity providers.
- Integration with Duo Security for multifactor authentication can now conditionally be enabled/included only when relevant settings are defined.
- Small internal improvements to allow the selection strategy of multiple multifactor authentication
triggers to support both logical disjunction and conjunction (i.e.
- Amazon SDK
- Apache CXF
- Commons Codec
- Eureka Client
- Person Directory
- Java Melody
- Azure DocumentDb
- Apache Tomcat
- Google Maps
- Spring Data
- Spring Integration
- Spring Boot
- Grouper Client
- Azure KeyVault
Big thanks to all who participate in the development of this release to submit patches and contribute improvements. Keep’em coming!