2016 09-15 unicon-iam-update
Download as PPTX, PDF0 likes646 views
This document provides information about an upcoming webinar on September 15, 2016 at 11am PT hosted by Unicon on CAS, Shibboleth, and Grouper. The webinar will include presentations from Mike Grady on Shibboleth, Dmitriy Kopylenko on CAS, and John Gasper on Grouper, with questions to follow. Details are provided on joining the webinar via Zoom or telephone. Information is also given on recent and upcoming identity and access management events, trends in the field, and Unicon's contributions to various open source identity projects.
2016 09-15 unicon-iam-update
- 1. Unicon IAM Webinar CAS, Shibboleth, Grouper 15 September 2016 - 11am Pacific Time (PT) Mike Grady • Dmitriy Kopylenko • John Gasper Join from PC, Mac, Linux, iOS or Android: https://unicon.zoom.us/j/588322739 Or iPhone one-tap (US Toll): +16465588656,588322739# or +14086380968,588322739# Or Telephone: Dial: +1 646 558 8656 (US Toll) or +1 408 638 0968 (US Toll) Meeting ID: 588 322 739
- 2. Welcome • Community updates • Unicon contributions • Q&A
- 3. Presenters Mike Grady Shibboleth IDP | Shibboleth SP Dmitriy Kopylenko CAS John Gasper Grouper Charise Arrowood MC
- 5. • OpenID Connect Workshop: 22-23, 24-25 Feb 2016 in Denver, CO • Open Apereo Conference: 22-25 May 2016 in NYC • 2016 Internet2 Global Summit: 15–18 May, Chicago, IL Past Events
- 6. • Internet2 2016 Technology Exchange: 25-29 Sept, Miami, FL • EDUCAUSE 2016 Annual Conference: 25-28 Oct, Anaheim, CA • InCommon Shibboleth Workshop: 27-28 Oct, Long Beach, CA • 2017 Internet2 Global Summit: 23–26 Apr, Washington, DC • 2017 Open Apereo: 4-8 June, Philadelphia, PA Upcoming Events
- 7. IAM Trends •MFA for Shibboleth, CAS ○Risk-based Adaptive AuthN •OpenID Connect •TIER: Packaging, APIs, Person Registry, ... •SAML Integrations w/ O365 & ADFS •Metadata Query (MDQ) Protocol
- 8. IAM Trends •IAM in the Cloud ○Hosted SSO services and more ○Unicon’s offering: https://www.unicon.net/solutions/IAM-cloud
- 9. IDP | SP Mike Grady Unicon Contributions
- 10. News ● Identity Provider V2.4.5, OpenSAML 2.6.6 ○ EOL !!!! V2 full End-Of-Life date was July 31, 2016 ○ 2.4.4 was last 2.x “minimum safe release” ● Service Provider V2.6.0 Now Available ○ Includes a new version of the Xerces XML parser that addresses Apache Xerces-C XML Parser library versions prior to V3.1.4 security vulnerability
- 11. Shibboleth Versions ● Latest versions: ○ IdP v3.2.1 (19 Dec 2015) ○ V3.1.1 considered “minimum safe release” ○ SP v2.6.0 (27 June 2016) ● v3.2.0 and v3.2.1 released ○ HTML5 local storage ○ SLO: Front channel SAML and CAS ○ SPNEGO authentication ○ Bug fixes
- 12. Now Past End-Of-Life ….. How soon that is a significant problem is unknown, could be tomorrow, could be months, but you need to have a plan to upgrade. Shibboleth 2.x Lifetime
- 13. IdP: OpenID Connect https://github.com/uchicago/shibboleth-oidc ●Authorization/Implicit Flow ●Dynamic Discovery ●Standard/Custom claims ●Certified by OpenID foundation for University of Chicago
- 14. Shib-CAS AuthN v3 https://github.com/Unicon/shib-cas-authn3 ● v3.1.0 ○ Shibboleth IdP v3.X support ○ Fixed encoding on entityId/service parameters. ● Plan to produce a version where attributes returned from CAS are available to the IdP, and the AuthN Context Class w.r.t MFA. ○ Info from CAS coming back is done, now need a “data connector” to expose it for use within the IdP
- 15. Other/Ongoing work ● Hazelcast Storage Service https://github.com/UniconLabs/shibboleth-hazelcast-storage-service ● Duo Support for IdP v3 https://github.com/Unicon/shib-mfa-duo-auth ●Shib IdP as a Gradle Overlay https://github.com/UniconLabs/shibboleth-idp-gradle-overlay ● IdP v3 powered by Docker https://github.com/unicon/shibboleth-idp-dockerized
- 16. Other/Ongoing work ● Split Authn ○ Support for users coming from 2 different Authentication/Attribute sources in distinct config files, only one or the other used for Authn and Resolver for any given authentication. ○ Easy to “hard code” attributes based on source (“role”) chosen. “Role” choice on Login page. ○ Demo with 2 LDAP servers, but should work with any 2 sources ○ https://github.com/Unicon/ccc-shib-split-authn
- 17. Other/Ongoing work ● Coming Soon: Symantec VIP MFA ○ Token Authentication ○ OTP Authentication ○ Push Authentication ○ Risk based Authentication ○ Sponsored by the University of Wisconsin - Whitewater ○ Work done, but not yet “fully generalized” for open source
- 18. Shib IdP v3.3 ● Next version of Shib IdP due by late 2016 ● Improvements to logout options and accessibility aspects of such ● Adding in more built-in support for metadata filtering, more “conditionals”, etc. ● New login flow(s) allowing combining factors in what the Shib Dev core team believes will be a more manageable/predictable way
- 19. Shib IdP v3.3 ● Looks like an “out-of-the-box” Duo flow will be part of it ●Unicon will need to determine if our current Duo plugin should be “retired” or updated for the new version. ○ Or if there are updates to the supplied one that make sense to add ● Unicon will need to verify and/or “modify” our other current authentication flow add-ons
- 21. CAS v4.2 ● v4.2.5 is the current version ○ Dynamic Plug-N-Play module configuration ○ ADFS/WS-FED delegated authN ○ UIs to manage SSO sessions/statistics ○ BASIC, JWT, Shiro, MongoDB, Stormpath authN ○ Couchbase, Ignite, Infinispan ticket registries ○ ABAC via attributes, time, or Grouper ●See http://jasig.github.io/cas/4.2.x/index.html
- 22. CAS v5.0.0 ● Tentative release date: October 2016 ● Current release: 5.0.0.RC1 ● Major features: ○ MFA via DuoSecurity, RADIUS, YubiKey ■ Risk-based adaptive authN ○ SAML2 Web SSO support ○ OAuth/OIDC support ○ Full internal config re-architecture via Spring Boot ○ Java 8
- 23. Other/Ongoing work ● Auto config for CAS Java clients https://github.com/Unicon/cas-client-autoconfig-support ● Delegated SAML authN for CAS 3.5.x https://github.com/UniconLabs/cas-saml-auth ● Bootstrap CAS via a Gradle overlay: https://github.com/UniconLabs/cas-strap
- 24. Further CAS Resources ● CAS maintenance policy: https://apereo.github.io/cas/developer/Maintenance- Policy.html ● Apereo Blog: https://apereo.github.io/
- 26. Grouper v2.3.0 ● Can run multiple simultaneous Loader/Daemon instances ●WS: Manage attribute/permission defs; TIER authorization ●PSP-NG: New Grouper provisioner ○ LDAP and AD connectors built-in ●Exporting tree to GSH script. ●Lots of patches: ○ API: 24, UI: 8, WS: 5, PSP-NG: 2
- 27. Other/Ongoing work ●Internet2 Grouper Dockerized: Composable images/containers https://github.com/Unicon/grouper-dockerized ● Grouper-Demo for Docker https://hub.docker.com/r/unicon/grouper-demo/ ● Custom Provisioning Target Form https://github.com/Unicon/grouper-provisioning-target-ui ● Azure AD (Office 365) Provisioner https://github.com/Unicon/office365-and-azure-ad-grouper- provisioner
- 28. Docker Demo Grouper environment based on the composable images/container
- 29. Questions / Discussion Mike Grady mgrady@unicon.net Dmitry Kopylenko dkopylenko@unicon.net John Gasper jgasper@unicon.net
Editor's Notes
- #3: Unicon's CAS strategy* Participate directly in CAS* Develop open source software on behalf of clients* Inform maintenance development through support. You have to source your support somewhere* In-house staff* Goodwill and engagement of the community* Commercial partner (e.g., Unicon)* (Reality Often combination of these)Unicon's "Cooperative" Support* Cooperates with you, your staff, the community* Support experiences yield improved public documentation* Support-inspired and subscriber-needs-guided open source maintenance development** Directly in and available for adoption with the Jasig CAS softwareThank you to our support subscribers!* Support subscriptions make Unicon maintenance development possible* Support experiences and subscriber input guide Unicon maintenance development towards the worthwhile
- #7: https://www.incommon.org/shibtraining/
- #27: https://spaces.internet2.edu/display/Grouper/Grouper+2.3+Release+Announcement https://spaces.internet2.edu/display/Grouper/v2.3+Release+Notes