You are viewing the development documentation for the Apereo CAS server. The functionality presented here is not officially released yet. This is a work in progress and will be continually updated as development moves forward. You are most encouraged to test the changes presented. To view the documentation for a specific Apereo CAS server release, please choose an appropriate version. The release schedule is available here.
RC2 Release Notes
We strongly recommend that you take advantage of the release candidates as they come out. Waiting for a GA release is only going to set you up for unpleasant surprises. A GA is a tag and nothing more. Note that CAS releases are strictly time-based releases; they are not scheduled or based on specific benchmarks, statistics or completion of features. To gain confidence in a particular release, it is strongly recommended that you start early by experimenting with release candidates and/or follow-up snapshots.
If you benefit from Apereo CAS as free and open-source software, we invite you to join the Apereo Foundation and financially support the project at a capacity that best suits your deployment. Note that all development activity is performed almost exclusively on a voluntary basis with no expectations, commitments or strings attached. Having the financial means to better sustain engineering activities will allow the developer community to allocate dedicated and committed time for long-term support, maintenance and release planning, especially when it comes to addressing critical and security issues in a timely manner. Funding will ensure support for the software you rely on and you gain an advantage and say in the way Apereo, and the CAS project at that, runs and operates. If you consider your CAS deployment to be a critical part of the identity and access management ecosystem, this is a viable option to consider.
- Start your CAS deployment today. Try out features and share feedback.
- Better yet, contribute patches.
- Suggest and apply documentation improvements.
In the gradle.properties of the CAS WAR Overlay, adjust the following setting:
There are no changes to the minimum system/platform requirements for this release.
New & Noteworthy
The following items are new improvements and enhancements presented in this release.
OpenID Connect Compliance
The collection of algorithms specified in the CAS configuration for signing and encryption operations of ID tokens is now taken into account when CAS responses are produced for ID token and user profile requests. Furthermore, settings and values declared in the CAS configuration for OpenID Connect discovery are now taken into account when responding to or validating requests. These include the supported scopes when building attribute release policies for each OpenID Connect scope, supported ACR values, response modes, prompt values, response types and grant types.
SAML2 Integration Tests
SAML2 integration tests managed by Puppeteer have switched to using simpleSAMLphp Docker containers for easier management and maintenance.
OpenID Connect Issuer Aliases
CAS configuration for OpenID Connect is now extended to support issuer aliases. Essentially, OpenID Connect endpoints can now be reached via alternative URLs that are trusted and registered in CAS as aliases of the issuer, and endpoint validation accepts those aliases as the issuer.
Bucket4j Capacity Planning
Integrations with Bucket4j, such as those that throttle authentication attempts or requests for simple multifactor authentication tokens, are now able to construct and allocate buckets for individual requests rather than preparing a single global bucket for the entire server instance. Buckets are allocated per client IP address.
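The difference between the two allocation strategies, and the capacity-planning consequence of the per-client one, is easiest to see by replaying the same traffic through both. The following is an added example written for these notes, not CAS or Bucket4j code: the bucket, the two throttles, the LRU bound on the per-client map and the traffic (documentation-range IP addresses) are all constructed here.

```python
"""Per-client versus global token buckets for throttling authentication attempts.

Added example (not CAS or Bucket4j code): the buckets, throttles and traffic
below are all constructed here to illustrate the two allocation strategies.
"""
from collections import OrderedDict


class TokenBucket:
    """Minimal token bucket: `capacity` tokens, refilled at `refill_per_sec`."""

    def __init__(self, capacity, refill_per_sec, now=0.0):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.tokens = float(capacity)
        self.last = now

    def try_consume(self, now, n=1):
        """Refill for the elapsed time, then take `n` tokens if available."""
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        self.last = now
        if self.tokens >= n:
            self.tokens -= n
            return True
        return False


class GlobalThrottle:
    """One bucket for the whole server: every client competes for the same tokens."""

    def __init__(self, capacity, refill_per_sec):
        self.bucket = TokenBucket(capacity, refill_per_sec)

    def allow(self, client_ip, now):
        return self.bucket.try_consume(now)


class PerClientThrottle:
    """One bucket per client IP, created on first sight.

    The map is bounded (LRU eviction) so that a flood of distinct source
    addresses cannot grow memory without limit; that bound, times the size
    of one bucket, is the capacity-planning figure for this strategy.
    """

    def __init__(self, capacity, refill_per_sec, max_clients=10_000):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.max_clients = max_clients
        self.buckets = OrderedDict()

    def allow(self, client_ip, now):
        bucket = self.buckets.get(client_ip)
        if bucket is None:
            if len(self.buckets) >= self.max_clients:
                self.buckets.popitem(last=False)  # evict least recently used client
            bucket = TokenBucket(self.capacity, self.refill_per_sec, now)
            self.buckets[client_ip] = bucket
        else:
            self.buckets.move_to_end(client_ip)
        return bucket.try_consume(now)


def simulate(throttle, requests):
    """Replay (timestamp, client_ip) requests; return {ip: (allowed, denied)}."""
    outcome = {}
    for now, ip in requests:
        allowed, denied = outcome.get(ip, (0, 0))
        if throttle.allow(ip, now):
            allowed += 1
        else:
            denied += 1
        outcome[ip] = (allowed, denied)
    return outcome


# Constructed traffic: one address fires 50 attempts at t=0; a legitimate user
# makes 3 attempts half a second later. Both addresses are documentation ranges.
ATTACKER, VICTIM = "198.51.100.7", "203.0.113.9"
TRAFFIC = [(0.0, ATTACKER)] * 50 + [(0.5, VICTIM)] * 3


def compare_strategies(capacity=10, refill_per_sec=1.0):
    """Run the same traffic through both strategies; returns (global, per_client)."""
    return (simulate(GlobalThrottle(capacity, refill_per_sec), TRAFFIC),
            simulate(PerClientThrottle(capacity, refill_per_sec), TRAFFIC))


if __name__ == "__main__":
    for name, result in zip(("global", "per-client"), compare_strategies()):
        print(name, result)
```

With a single global bucket the attacker drains the tokens and the legitimate user is locked out along with them; with per-client buckets the attacker is throttled alone. Two caveats follow from this: the "client IP" must be the real client address (trust X-Forwarded-For only from your own proxies, or everyone behind the proxy shares one bucket and a spoofed header lets an attacker mint fresh buckets at will), and the bucket map must be bounded, because per-client allocation turns source-address diversity into memory consumption.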
Support for feature toggles is now extended and handled by all CAS modules.
OpenID Connect Client Registration
Dynamic Client Registration now supports an expiration date for client secrets and registration requests. Authentication requests from clients whose client secret has expired are blocked until the application renews its client secret. Furthermore, the client configuration endpoint now accepts PATCH requests to update existing application records, and it may also be used to renew the client secret once it has expired.
Also, where CAS supports open client registration, it now checks whether the policy_uri has the same host as the hosts defined in the array of
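The two checks above, expired client secrets and the host of informational URIs, are small but easy to get subtly wrong. The following is an added example for these notes, not CAS code. It assumes registrations are plain dicts using the metadata names from RFC 7591 and OpenID Connect Dynamic Client Registration (redirect_uris, policy_uri, logo_uri, client_secret, and client_secret_expires_at as Unix seconds with 0 meaning "never expires"), that the host comparison target is the set of redirect_uris hosts (the comparison that specification recommends), and it extends the check to logo_uri, which the specification names alongside policy_uri.

```python
"""Dynamic client registration checks: URI host consistency and secret expiry.

Added example, not CAS code. Assumed: dict-based registrations with RFC 7591 /
OIDC Dynamic Client Registration metadata names; client_secret_expires_at is
Unix seconds, 0 meaning the secret never expires; the host comparison target is
the set of redirect_uris hosts.
"""
import secrets
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit


def _https_host(url):
    """Return the lowercase host of an absolute https URL, or None if it is not one.

    `hostname` (not `netloc`) is used on purpose: it drops userinfo and port, so
    "https://app.example.org@evil.example/" yields "evil.example", not the
    lookalike prefix that a naive string comparison on netloc would accept.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "https" or not parts.hostname:
        return None
    return parts.hostname.lower()


def validate_registration_uris(registration, fields=("policy_uri", "logo_uri")):
    """Return a list of problems; an empty list means the informational URIs are acceptable."""
    problems = []
    redirect_hosts = set()
    for uri in registration.get("redirect_uris", []):
        host = _https_host(uri)
        if host is None:
            problems.append(f"redirect_uris entry is not an absolute https URL: {uri}")
        else:
            redirect_hosts.add(host)
    if not redirect_hosts:
        problems.append("redirect_uris must contain at least one https URL")
        return problems
    for field in fields:
        uri = registration.get(field)
        if uri is None:
            continue
        host = _https_host(uri)
        if host is None:
            problems.append(f"{field} is not an absolute https URL: {uri}")
        elif host not in redirect_hosts:
            problems.append(
                f"{field} host {host!r} is not one of the redirect_uris hosts {sorted(redirect_hosts)}")
    return problems


def client_secret_is_valid(record, now=None):
    """True while the secret has not expired (client_secret_expires_at == 0 means never)."""
    now = now or datetime.now(timezone.utc)
    expires_at = int(record.get("client_secret_expires_at", 0))
    if expires_at == 0:
        return True
    return datetime.fromtimestamp(expires_at, timezone.utc) > now


def renew_client_secret(record, lifetime=timedelta(days=90), now=None):
    """Rotate the secret and push the expiry out by `lifetime`; what a PATCH renewal would do."""
    now = now or datetime.now(timezone.utc)
    record["client_secret"] = secrets.token_urlsafe(32)
    record["client_secret_expires_at"] = int((now + lifetime).timestamp())
    return record


def authenticate_client(record, presented_secret, now=None):
    """Client authentication: reject an expired secret before comparing it (in constant time)."""
    if not client_secret_is_valid(record, now):
        return False
    return secrets.compare_digest(record["client_secret"], presented_secret)


if __name__ == "__main__":
    reg = {"redirect_uris": ["https://app.example.org/cb"],
           "policy_uri": "https://app.example.org@evil.example/policy"}
    print(validate_registration_uris(reg))
```

The expiry check runs before the secret comparison so that a leaked-but-expired secret is rejected regardless of whether it still matches; renewal both rotates the secret and resets the expiry, since extending the lifetime of an old secret would defeat the point of expiring it.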
Delegation Redirection Strategy
The Groovy redirection strategy for delegated authentication is now modified to receive a list of all available providers upfront for better performance, in case the script needs to handle repeated tasks.
You will need to examine the script you have today and rewrite certain parts of it to handle the signature change.
CAS Initializr Projects
CAS Initializr is now updated to produce and sync WAR overlay projects for the Spring Cloud Configuration Server. Furthermore, along with the 6.5.x releases of the CAS Management web application, CAS Initializr has been updated to produce WAR overlays for those builds as well.
SAML2 Authentication Context Class
Building a SAML2 authentication context class can now be done in more dynamic ways using a Groovy script.
Spring Framework RCE
As part of routine dependency upgrades and library maintenance, the version of the Spring Framework used by CAS is also bumped to remove the threat of the RCE vulnerability discussed here.
Puppeteer Testing Strategy
The collection of end-to-end browser tests based on Puppeteer is now split into separate categories to allow the GitHub Actions job matrix to support more than 255 jobs. At the moment, the total number of jobs stands at approximately 277 distinct scenarios. Furthermore, the GitHub Actions builds are now modified and improved to support running Puppeteer-based tests on Windows and macOS.
CAS may also allow individual end-users to update certain aspects of their account that relate to password management in a mini-portal-like setup, such as resetting the password or updating security questions.
Authentication requests can be mapped and geo-tracked to physical locations using Groovy scripts.
Google Authenticator Scratch Codes
CAS can now encrypt Google Authenticator scratch codes to protect their stored values. This is enabled when the following key is set:
cas.authn.mfa.gauth.core.scratch-codes.encryption.key. Note that while the encrypted scratch codes are still numbers, they are in fact the encrypted forms of the same scratch codes encoded as large numbers. Previously issued scratch codes will continue to work as they did before.
You may need to massage the underlying data model to account for this change. See notes below on how to handle this for relational databases.
If you manage device registration records in a database, the scratch_codes column in the scratch_codes table needs to be updated. For example, for PostgreSQL you must run this SQL command to alter the column from an int4 to a numeric:

```sql
ALTER TABLE scratch_codes ALTER COLUMN scratch_codes TYPE numeric USING scratch_codes::numeric;
```
This should be very similar for other databases: you need to migrate the column type from
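Why the column has to become numeric, and how a store can keep accepting pre-existing plaintext codes next to encrypted ones, is concrete once an encrypted code is actually produced. The following is an added example for these notes, not CAS code: the cipher (an HMAC-SHA256 keystream with an HMAC tag, encrypt-then-MAC) stands in for the CAS cipher executor and the key configured under cas.authn.mfa.gauth.core.scratch-codes.encryption.key, the "failed tag means legacy plaintext" rule is an assumption about how mixed records can be told apart, and the scratch code value is constructed.

```python
"""Scratch codes stored as large integers: why the column must become numeric.

Added example, not CAS code. The cipher below (HMAC-SHA256 keystream plus an
HMAC tag) stands in for the CAS cipher executor; the key and the scratch code
are constructed for the illustration.
"""
import hashlib
import hmac
import secrets

INT4_MAX = 2**31 - 1
NONCE_LEN = 8
TAG_LEN = 8
PREFIX = b"\x01"  # keeps leading zero bytes of the blob when it is read back from an integer


def _subkeys(key):
    """Derive separate encryption and MAC keys from the configured key."""
    enc = hashlib.sha256(key + b"scratch-code-enc").digest()
    mac = hashlib.sha256(key + b"scratch-code-mac").digest()
    return enc, mac


def _keystream(enc_key, nonce, length):
    """Counter-mode keystream built from HMAC-SHA256(enc_key, nonce || counter)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_scratch_code(code, key):
    """Encrypt a numeric scratch code and return the ciphertext as one big integer."""
    enc_key, mac_key = _subkeys(key)
    plaintext = str(code).encode()
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    return int.from_bytes(PREFIX + nonce + ciphertext + tag, "big")


def decrypt_scratch_code(value, key):
    """Return the scratch code inside `value`, or None if it is not a valid ciphertext
    under `key` (wrong key, tampered value, or a legacy plaintext code)."""
    enc_key, mac_key = _subkeys(key)
    blob = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if not blob.startswith(PREFIX) or len(blob) < len(PREFIX) + NONCE_LEN + TAG_LEN + 1:
        return None
    blob = blob[len(PREFIX):]
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return int(plaintext) if plaintext.isdigit() else None


def fits_int4(value):
    """Would this value survive in a PostgreSQL int4 column?"""
    return -(INT4_MAX + 1) <= value <= INT4_MAX


def scratch_code_matches(stored, presented, key):
    """Accept both encrypted and legacy plaintext records, as the migration note requires."""
    decrypted = decrypt_scratch_code(stored, key)
    if decrypted is None:
        return hmac.compare_digest(str(stored), str(presented))  # legacy plaintext record
    return hmac.compare_digest(str(decrypted), str(presented))


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # stands in for the configured encryption key
    stored = encrypt_scratch_code(48213775, key)
    print(stored, "digits:", len(str(stored)), "fits int4:", fits_int4(stored))
```

An 8-digit scratch code encrypted this way becomes a 25-byte blob, i.e. an integer of roughly 60 decimal digits, far beyond int4 (10 digits) and int8 (19 digits); that is the whole reason for the numeric migration. The authentication tag is what makes the dual-mode lookup safe: without it, "decrypting" a legacy plaintext record with the key would silently yield garbage instead of a detectable failure.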
- Minor UI improvements to ensure “Reveal Password” buttons line up correctly in input fields.
- The SAML2 attribute definition catalog is extended to support a few known attributes such as
- Using “Provider Selection” in combination with a multifactor authentication policy for a service that triggers on principal attributes is now supported.
- Links displayed as part of an interrupt notification can now take advantage of single sign-on sessions.
- Support for Apache Shiro is now deprecated; this feature is scheduled to be removed.
- Minor bug fixes to correct the device registration flow for FIDO2 WebAuthn.
- Documentation improvements to take advantage of DataTables instead to show and paginate CAS configuration properties.
- Support for graceful shutdowns for all embedded servlet containers such as Apache Tomcat.
- Multifactor provider selection can now function in delegated authentication flows when required.
- OAuth and OpenID Connect userinfo/profile endpoints are now able to accept application/jwt as a supported content type.
- Apache Tomcat
- Spring Data
- Spring Boot
- Spring WS
- Spring Kafka
- Spring Integration
- Apache Shiro
- Joda Time
- Font Awesome