Upgrading to CAS 4.0 at Oakland University
TRANSCRIPT
Upgrading to CAS 4.0
Lee Foltz, Senior Identity Systems Engineer, Oakland University
Brandon Powell, Java Developer Analyst, Oakland University
Oakland University
20,000+ Active Students
5,000+ Faculty & Staff
Location: Rochester Hills, MI
Topics
● Environment configuration
● The Service Manager (web UI)
● CAS web services
● Adding a custom theme to show institution's colors
● HazelCast Replication
● Integration with Google Apps for Education
● Integration with Banner
Terms to Know
CAS - Central Authentication Service
Used for single sign-on environments; protects user credentials
SSO - Single Sign-On
Authenticate once for access to many applications
SAML - Security Assertion Markup Language
Used in exchanging authentication data between a user and a service
REST - Representational State Transfer
Architectural style applied to web applications
Overview Of What CAS Can Do
● A single sign on authentication service
● Can be opened up to the outside world
● Hides the directory server (LDAP, AD) from outside attackers
● Protects the users' credentials; no passwords are sent to the service
Environment Configuration
● CAS 4
● RHEL6 64bit
● Java 7
● Maven 3
● Tomcat 7
1 Physical Server & 1 Virtual Server:
(Physical): Intel Xeon CPU E5-2620 v3 @ 2.40GHz x2, 6 cores hyper-threaded, 32GB RAM
(Virtual): Intel Xeon CPU E5-2680 @ 2.70GHz, 1 core hyper-threaded, 8GB RAM
Load Balanced via BIG-IP F5
Primary/slave configuration
15 second probe before failover
Oakland University CAS
CAS Service Manager
● The service manager allows CAS to be closed off
● Only services we allow are granted access to our CAS server
● This can be managed on the fly with the cas-management webapp
CAS Service Manager
Configure access with this file: /etc/cas/user-details.properties
Adding A Service
Service Is Not Allowed
Service Is Allowed
https://cas.oakland.edu/cas/login?service=https://mysail.oakland.edu/uPortal/Login
If the login credentials are correct, we will be allowed in
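The service manager's decision comes down to whether the service URL in the login request matches a registered service. The following is an added example, not Oakland University's or the CAS project's code: it keeps a registry of allowed service URL patterns (the pattern strings are constructed for illustration; the mySAIL URL is the one shown on the slide) and classifies a /cas/login URL as allowed or not allowed before any credentials are considered. The patterns are anchored with escaped dots so a look-alike host such as mysail.oakland.edu.evil.example does not match.

```python
"""Service-registry check in the spirit of the CAS service manager.

Added example, not Oakland University's or the CAS project's code. It
assumes a registry of allowed service URL patterns (constructed for
illustration) and decides whether the ``service`` parameter of a
/cas/login request may proceed.
"""
import re
from urllib.parse import urlparse, parse_qs

# Constructed registry: each entry is a regular expression that the
# full service URL must match. Anchored patterns and escaped dots keep
# "mysail.oakland.edu.evil.example" from matching the mySAIL entry.
REGISTERED_SERVICES = [
    {"name": "mySAIL portal",
     "pattern": r"^https://mysail\.oakland\.edu/uPortal/.*"},
    {"name": "constructed second service",            # hypothetical host
     "pattern": r"^https://app\.example\.edu/login/.*"},
]

_COMPILED = [(s["name"], re.compile(s["pattern"])) for s in REGISTERED_SERVICES]


def find_registered_service(service_url):
    """Return the name of the first registered service matching the URL, else None."""
    for name, rx in _COMPILED:
        if rx.match(service_url):
            return name
    return None


def service_from_login_url(login_url):
    """Extract the ``service`` query parameter from a CAS login URL."""
    query = parse_qs(urlparse(login_url).query)
    values = query.get("service")
    return values[0] if values else None


def login_decision(login_url):
    """Classify a login URL: 'allowed', 'not allowed', or 'no service'."""
    service = service_from_login_url(login_url)
    if service is None:
        return "no service"
    if find_registered_service(service) is None:
        return "not allowed"
    return "allowed"


if __name__ == "__main__":
    for url in (
        "https://cas.oakland.edu/cas/login?service=https://mysail.oakland.edu/uPortal/Login",
        "https://cas.oakland.edu/cas/login?service=https://mysail.oakland.edu.evil.example/uPortal/Login",
    ):
        print(login_decision(url), "<-", url)
```

The check runs before authentication, which is the point of closing CAS off: an unregistered service never gets a ticket, so it cannot be used to harvest a login by redirecting a user through the real CAS login page.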
CAS Web Services
From the Apereo wiki: "Applications need to programmatically access CAS. Generally, proxying works for this. However, there are cases where an application needs to access a resource as itself, in which case proxying doesn't make any sense."
REST is where it's at!
Bare minimum version to support the REST API in CAS is 3.5.2
Uses For CAS Web Services
● Apps, apps, apps!
● Android and iOS applications can use CAS for authentication
● More secure and better than web scraping
● Enables an SSO environment for mobile devices
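The REST flow a mobile app goes through is: post credentials once to obtain a ticket-granting ticket (TGT), ask CAS for a single-use service ticket (ST) per service, and let the service validate the ST with CAS. The script below is an added example, not Oakland University's or the Apereo CAS project's code. The URL layout (/cas/v1/tickets, /cas/serviceValidate) follows the CAS REST and CAS 2.0 validation protocols; the transport is a constructed in-memory stub standing in for an HTTPS client so the script runs offline, and the user, password, tickets and service URL are constructed sample values. It shows why the slide calls this "more secure than web scraping": the password is sent only to CAS, the service only ever sees a ticket, and a ticket validates once.

```python
"""Walk-through of the CAS REST ticket flow an app would use.

Added example, not Oakland University's or the Apereo CAS project's
code. Endpoints follow the CAS REST and CAS 2.0 validation protocols;
FakeCasTransport is a constructed stand-in for an HTTPS client.
"""
import re
import secrets
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlparse, parse_qs

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}


class FakeCasTransport:
    """Constructed stand-in for HTTPS: send(method, url, data) -> (status, headers, body).

    Issues TGTs for known users, STs bound to one service, and validates
    each ST only once, mirroring the single-use ticket rule.
    """

    def __init__(self, base, users):
        self.base = base
        self.users = users          # constructed {username: password}
        self.tgts = {}              # TGT id -> username
        self.sts = {}               # ST id -> (username, service)

    def send(self, method, url, data=None):
        parts = urlparse(url)
        query = parse_qs(parts.query)
        if method == "POST" and parts.path == "/cas/v1/tickets":
            if self.users.get(data.get("username")) != data.get("password"):
                return 400, {}, "Invalid credentials"
            tgt = "TGT-" + secrets.token_hex(8)
            self.tgts[tgt] = data["username"]
            return 201, {"Location": f"{self.base}/cas/v1/tickets/{tgt}"}, ""
        m = re.fullmatch(r"/cas/v1/tickets/(TGT-[0-9a-f]+)", parts.path)
        if method == "POST" and m and m.group(1) in self.tgts:
            st = "ST-" + secrets.token_hex(8)
            self.sts[st] = (self.tgts[m.group(1)], data["service"])
            return 200, {}, st
        if method == "GET" and parts.path == "/cas/serviceValidate":
            entry = self.sts.pop(query.get("ticket", [""])[0], None)  # consumed on use
            if entry and entry[1] == query.get("service", [""])[0]:
                body = ('<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">'
                        f"<cas:authenticationSuccess><cas:user>{entry[0]}</cas:user>"
                        "</cas:authenticationSuccess></cas:serviceResponse>")
            else:
                body = ('<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">'
                        '<cas:authenticationFailure code="INVALID_TICKET">'
                        "Ticket not recognized</cas:authenticationFailure>"
                        "</cas:serviceResponse>")
            return 200, {}, body
        return 404, {}, ""


def get_tgt(transport, base, username, password):
    """App side: exchange credentials for a TGT URL; the password is not kept."""
    status, headers, _ = transport.send(
        "POST", f"{base}/cas/v1/tickets",
        {"username": username, "password": password})
    return headers["Location"] if status == 201 else None


def get_service_ticket(transport, tgt_url, service):
    """App side: ask CAS for a single-use ST bound to one service URL."""
    status, _, body = transport.send("POST", tgt_url, {"service": service})
    return body if status == 200 else None


def validate_service_ticket(transport, base, service, ticket):
    """Service side: hand the ST back to CAS and read the authenticated user."""
    q = urlencode({"service": service, "ticket": ticket})
    _, _, body = transport.send("GET", f"{base}/cas/serviceValidate?{q}")
    user = ET.fromstring(body).find("cas:authenticationSuccess/cas:user", CAS_NS)
    return user.text if user is not None else None


if __name__ == "__main__":
    base = "https://cas.example.edu"                     # constructed
    cas = FakeCasTransport(base, {"jdoe": "correct horse"})
    service = "https://mysail.oakland.edu/uPortal/Login"
    tgt = get_tgt(cas, base, "jdoe", "correct horse")
    st = get_service_ticket(cas, tgt, service)
    print("validated as:", validate_service_ticket(cas, base, service, st))
    print("replay gives:", validate_service_ticket(cas, base, service, st))
```

Two properties are worth checking in any real deployment: the service must validate the ticket against the same service URL it was issued for, and a second validation of the same ST must fail. The TGT URL is the app's long-lived secret and belongs in the platform's protected credential store, not in plain preferences.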
Custom Themes
● In your CAS overlay go to this directory (or create it if it is not there):
  cas-server/src/main/webapp/WEB-INF/view/jsp/default/ui
● Override any of these files:
  https://github.com/Jasig/cas/tree/master/cas-server-webapp/src/main/webapp/WEB-INF/view/jsp/default/ui
● Add custom CSS to fit the style of your institution
We only overrode three files:
casLoginView.jsp
includes/top.jsp
includes/bottom.jsp
Legacy Page With Improper Theme
CAS 4 vs CAS 3.5
Mobile View CAS 4 vs CAS 3.5
HazelCast
Allows ticket replication across many nodes
● Users do not need to re-authenticate if a node goes down
● Can now easily be in a load balanced environment
● Easier to set up and configure
  ○ modify /etc/cas/cas.properties
  ○ add other nodes to hz.cluster.members
Integrating Google Apps
The CAS Side Of Google
● The user's NetID is passed to Google
● The Google keys are now located in /etc/cas
For more information go here: https://wiki.jasig.org/display/CASUM/SAML+Support+in+CAS+4
Integrating Banner
We use Banner Self Service version 8
There is great documentation on the Apereo Wiki:
https://wiki.jasig.org/display/UPC/CASifying+Banner+Self+Serve
If you use Banner XE: CAS is supported out of the box
QUESTIONS?