Apereo CAS Receives NLnet Grant to Advance CAS Development


We’re excited to share that the Apereo CAS project has been awarded funding from NLnet, through the NGI0 Commons Fund, to support the development of CAS — an initiative aimed at strengthening open, sovereign, and self-hosted identity infrastructure on the internet.

We also extend our sincere gratitude to the Apereo Foundation for their continued support and stewardship. Their assistance was instrumental in helping us secure the necessary funding, and their commitment to open source identity infrastructure remains a vital part of the CAS project’s ongoing success.

About Apereo

The Apereo Foundation is a global non-profit advancing open source software in service of higher education. Since its founding in 2012, Apereo has empowered colleges and universities to build, use, and sustain innovative software for teaching, learning, research, and campus operations. At the heart of Apereo is a vibrant, collaborative community—institutions, educators, developers, and technologists—working together to solve common challenges and shape the future of education technology. Through shared development, open governance, and a culture of transparency, members co-create solutions that are cost-effective, adaptable, and aligned with academic values.

About CAS

Apereo CAS (Central Authentication Service), released under the Apache 2.0 license, is an open source identity provider. With native clustering capabilities and a resilient architecture, Apereo CAS acts as the identity provider for all applications deployed by an organization at scale, supporting hundreds of thousands of users. First developed in the early 2000s, Apereo CAS has since grown to serve a wide range of deployments in the public interest: government agencies, NGOs, and the business sector.

About NLnet

NLnet, a foundation dedicated to promoting open technologies that benefit the public interest, has committed funding to support the CAS development effort. This is provided via the NGI0 Commons Fund, which focuses on improving the privacy, resilience, and trustworthiness of internet infrastructure.

NLnet’s role is intentionally non-operational: the foundation exists to enable impactful work, not to direct it. The success of the project is measured by the public benefit it delivers to the wider internet and identity community.

Proposal & Work Ahead

Our proposal focuses on expanding CAS in specific areas: better management interfaces, smaller security-focused enhancements and bug fixes, and larger development efforts to improve authentication protocol support, with a targeted focus on OpenID Connect.

All work produced under this project — including source code, designs, and documentation — will be released publicly under the Apereo CAS project's existing license, Apache v2. The results will not be proprietary and can be freely used, modified, and repurposed by anyone.

This work is undertaken voluntarily and in the public interest. It is not an employment contract or a commercial arrangement; the funding here is provided to support open-source development aligned with NLnet’s mission. We’re grateful not only for NLnet’s support, but also for the broader ecosystem of experts and organizations involved with the NGI0 Commons Fund who help ensure projects like this have lasting, wide-reaching impact.

Tasks & Work Items

As part of this project, the following work items will be designed and developed.

External Identity Provider Management

The CAS admin interface, codenamed Palantir, will be enhanced to allow registration and modification of identity providers used for external (delegated) authentication, through a web-based editor. CAS already supports delegating to identity providers that speak the CAS, OpenID Connect, OAuth, or SAML2 protocols. However, registering such a provider today requires access to the CAS configuration files, which in turn requires the deployer to rebuild and redeploy the software. This task intends to provide a graphical interface, included in Palantir, that lets an operator register and update such identity providers without rebuilding and redeploying the system, assuming CAS configuration is backed by persistent storage such as a SQL database or MongoDB.

Configuration Management

The CAS admin interface, codenamed Palantir, presents a read-only web view of the active configuration settings and properties that control server behavior. The operator can view all properties and settings along with their source, default values, and so on, but actual changes require manual edits to the configuration and a server restart. This task is about enhancing Palantir so the CAS operator can add, edit, and possibly remove configuration settings at runtime using a web-based editor. The operator should be able to update existing settings or add new ones and have them stored in the appropriate persistent configuration store so that they survive restarts. All server functionality that depends on a given setting should seamlessly refresh itself to work with the new value. Specifically,

  • Support SQL databases for configuration store updates
  • Support MongoDB for configuration store updates

Release Maintenance

CAS is currently pushing towards its next major iteration under version 8.0.0. This task is about supporting the development lifecycle and allowing for several release candidates to be published, typically one every 4-5 weeks, to allow the community to experiment and to deliver a steady stream of fixes and minor enhancements before the final release. Activities include upgrading libraries, build tools, documentation corrections, minor bug fixes, and finally getting the release published. Our estimated timeline for the final GA release is around May/June 2026.

Performance Improvements

CAS stores its authorized applications in the services registry. When many applications are defined (several hundred), there are performance drawbacks related to sorting the registry and computing regular expression patterns. Specifically,

  • Improve sorting
  • Improve regular expression pattern computation

Bug Fixes

  • Passwordless support for LDAP does not properly handle MFA selection via an attribute.
  • Secret validation in OAuth suffers from a URL-decoding issue.
  • SAML logout requests sent over the SOAP binding are not correctly formed (an extra parameter is included) and do not carry the right content type.
  • Process results from security audit and accessibility scan provided by NLnet.

OpenID Federation

OpenID Connect is today the standard protocol for authentication. Several specifications build on OAuth 2.0 to add features such as session management; the most recent major addition is OpenID Federation, which CAS should support both as a server and as a client. Specifically,

  • Implement the CAS server as a Trust Anchor
  • Implement the CAS server as a Federation Operator
  • Add federation support to the CAS server as an OP: publish its Entity Configuration at /.well-known/openid-federation
  • Add federation support to the CAS server as an RP: publish /.well-known/openid-federation, consume the Trust Anchor/Federation Operator, and validate an OP's trust chain up to the Trust Anchor
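
The chain validation the RP-side item refers to, as an added example that is not the CAS project's code: an RP configured with a single Trust Anchor resolves a leaf OP's trust chain upward through authority_hints, then verifies it downward so that every entity's keys are taken from the statement its superior issued about it. The entity IDs, key material and in-memory "federation" below are constructed for the example, and the HMAC signature is a stand-in for JWS so that it runs on the standard library alone. It covers the two rejections a deployer should expect to see: an OP that merely claims a superior without that superior having issued a Subordinate Statement, and an OP that rotated its signing key without the superior re-publishing it.

```python
"""OpenID Federation trust-chain resolution, runnable toy (added example, not
CAS code). Entity IDs, keys and the in-memory federation are constructed.
Statements keep the spec's claims (iss, sub, exp, jwks, authority_hints,
metadata) but are signed with an HMAC stand-in so only the standard library is
needed; real federations use asymmetric JWS and never publish signing secrets."""
import base64, hashlib, hmac, json

NOW, TTL = 1_700_000_000, 3600       # fixed clock keeps the example deterministic
TA, INT, OP, ROGUE = ("https://ta.example", "https://int.example",
                      "https://op.example", "https://rogue.example")
KEYS = {e: {"kid": f"{n}-k1", "k": f"secret-{n}"}
        for e, n in [(TA, "ta"), (INT, "int"), (OP, "op"), (ROGUE, "rogue")]}
TRUST_ANCHORS = {TA: {"keys": [KEYS[TA]]}}   # the RP's only out-of-band trust

def b64u(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def b64u_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign(payload: dict, key: dict) -> str:
    """Compact header.payload.signature statement; HMAC stands in for JWS."""
    hdr = b64u(json.dumps({"alg": "HS256", "kid": key["kid"],
                           "typ": "entity-statement+jwt"}).encode())
    pl = b64u(json.dumps(payload, sort_keys=True).encode())
    mac = hmac.new(key["k"].encode(), f"{hdr}.{pl}".encode(), hashlib.sha256)
    return f"{hdr}.{pl}.{b64u(mac.digest())}"

def verify(token: str, jwks: dict) -> dict:
    """Verify against an expected key set: kid lookup, signature, expiry."""
    hdr, pl, mac = token.split(".")
    kid = json.loads(b64u_dec(hdr)).get("kid")
    key = next((k for k in jwks["keys"] if k["kid"] == kid), None)
    if key is None:
        raise ValueError(f"kid {kid!r} is not in the expected key set")
    want = hmac.new(key["k"].encode(), f"{hdr}.{pl}".encode(), hashlib.sha256)
    if not hmac.compare_digest(want.digest(), b64u_dec(mac)):
        raise ValueError("signature check failed")
    claims = json.loads(b64u_dec(pl))
    if claims["exp"] <= NOW:
        raise ValueError(f"statement about {claims['sub']} has expired")
    return claims

def statement(iss: str, sub: str, extra: dict = None) -> dict:
    """Entity Configuration when iss == sub, Subordinate Statement otherwise."""
    return {"iss": iss, "sub": sub, "iat": NOW, "exp": NOW + TTL,
            "jwks": {"keys": [KEYS[sub]]}, **(extra or {})}

# Stand-in for the network: entity_configuration is what GET
# <entity>/.well-known/openid-federation returns; subordinates[sub] is what the
# superior's federation_fetch_endpoint returns for `sub`.
FEDERATION = {
    TA: {"entity_configuration": sign(statement(TA, TA), KEYS[TA]),
         "subordinates": {INT: sign(statement(TA, INT), KEYS[TA])}},
    INT: {"entity_configuration": sign(statement(INT, INT,
              {"authority_hints": [TA]}), KEYS[INT]),
          "subordinates": {OP: sign(statement(INT, OP), KEYS[INT])}},
    OP: {"entity_configuration": sign(statement(OP, OP, {"authority_hints": [INT],
              "metadata": {"openid_provider": {"issuer": OP}}}), KEYS[OP]),
         "subordinates": {}},
    # Names INT as its superior, but INT never issued a statement about it.
    ROGUE: {"entity_configuration": sign(statement(ROGUE, ROGUE,
                {"authority_hints": [INT]}), KEYS[ROGUE]), "subordinates": {}},
}

def self_verified_ec(entity: str, fed: dict) -> dict:
    """Entity Configurations are self-signed: verify with the embedded jwks."""
    tok = fed[entity]["entity_configuration"]
    claims = json.loads(b64u_dec(tok.split(".")[1]))
    if not (claims["iss"] == claims["sub"] == entity):
        raise ValueError(f"{entity}: entity configuration iss/sub mismatch")
    return verify(tok, claims["jwks"])

def resolve_chain(leaf: str, trust_anchors: dict, fed: dict = FEDERATION) -> list:
    """Return [leaf EC, Subordinate Statements..., TA EC], every link verified.
    Upward: follow authority_hints to a configured Trust Anchor. Downward: TA EC
    with the out-of-band TA keys, each Subordinate Statement with its issuer's
    keys, the leaf EC with the keys its superior asserts for it (not its own)."""
    path = [leaf]
    while path[-1] not in trust_anchors:
        hints = self_verified_ec(path[-1], fed).get("authority_hints", [])
        nxt = next((h for h in hints if h in fed and h not in path), None)
        if nxt is None:
            raise ValueError(f"no path from {leaf} to a configured trust anchor")
        path.append(nxt)
    ta = path[-1]
    chain = [verify(fed[ta]["entity_configuration"], trust_anchors[ta])]
    issuer_keys = chain[0]["jwks"]
    for superior, sub in zip(path[:0:-1], path[-2::-1]):   # TA downwards
        tok = fed[superior]["subordinates"].get(sub)
        if tok is None:
            raise ValueError(f"{superior} has no subordinate statement about {sub}")
        ss = verify(tok, issuer_keys)
        if ss["iss"] != superior or ss["sub"] != sub:
            raise ValueError("subordinate statement iss/sub mismatch")
        chain.append(ss)
        issuer_keys = ss["jwks"]              # keys the superior vouches for sub
    chain.append(verify(fed[leaf]["entity_configuration"], issuer_keys))
    return chain[::-1]

def evaluate(leaf: str, fed: dict = FEDERATION) -> tuple:
    """(True, issuer) for a trusted OP, (False, reason) otherwise."""
    try:
        meta = resolve_chain(leaf, TRUST_ANCHORS, fed)[0].get("metadata", {})
        return True, meta.get("openid_provider", {}).get("issuer")
    except ValueError as exc:
        return False, str(exc)
```

Calling `evaluate(OP)` returns `(True, "https://op.example")`, while `evaluate(ROGUE)` is rejected because the intermediate never issued a Subordinate Statement about it, even though the rogue entity's own configuration is well formed and self-signed. The design point to carry into a real RP is the last step of `resolve_chain`: the leaf's Entity Configuration is verified with the key set its superior published for it, so a key the leaf adds to its own jwks without the superior's knowledge does not become trusted.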

Open Development, Open Governance

The project is led by Misagh Moayyed and Jérôme Leleu, both long-time CAS core developers with deep experience in open standards and free software. Misagh will serve as the primary point of contact for the project.

In the spirit of transparency and collaboration:

  • Progress updates will be shared with the community at least every two months
  • A public status page will track milestones and outcomes
  • The broader CAS user and developer community is encouraged to follow along, contribute, and provide feedback.

Our efforts span an initial 12-month period, with the possibility of extension by mutual agreement if the work remains relevant. As always, success will be defined by usefulness, adoption, and the value delivered to the community.

We’re excited to get started and even more excited to build this together.

Stay tuned for updates, and thank you to NLnet and the NGI0 Commons Fund for investing in open identity, open infrastructure, and the public good.

On behalf of the Apereo Foundation & CAS project,

Misagh Moayyed, Jérôme Leleu, Josh Baron, Patrick Masson
