...
| Info | ||
|---|---|---|
| ||
This is just a draft and may be heavily edited as development moves on. Items that will not fit the release schedule and timeline will be removed from this list. We are just trying to gather and collect proposals for the release. |
Open Items
Secure release of client credential, PGT and (optionally) CAS attributes
Modify the clearpass mechanism so that the credential is returned as an encrypted authentication attribute. Modify service registry to allow public keys that would encrypt the password as well as the PGT. Optionally, allow for a configuration that would also encrypt other user attributes. This is a proxy approach that is used to verify and authenticate the service, and in the case of clearpass and PGT, should greatly reduce the pain of callback URLs. The public key should be generated by the client and can be sent to the CAS server via insecure means such as email. By default, all other attributes would be sent as plain text OOTB for backwards compatibility and debugging purposes. Rather than using a different or newly invented method, we simply trust SSL.
Potentially deprecate the clearpass module and update the docs. This may also impact the CAS protocol in the way that PGT and credentials are sent over, as well as the encryption of attributes.
We are NOT going to remove the existing methods of callbacks, but simply would deprecate them for now and can mention the new method as an optional feature of the protocol for now.
This is discussed and proposed under SEC_8: Proposals to mitigate security risks
Proposed by Misagh Moayyed
Front Channel SLO
The existing front-channel SLO feature in CAS4 is still experimental. Improvements could be made in terms of UI or client integration.
...
Done Items
Secure release of client credential, PGT and (optionally) CAS attributes
Modify the clearpass mechanism so that the credential is returned as an encrypted authentication attribute. Modify service registry to allow public keys that would encrypt the password as well as the PGT. Optionally, allow for a configuration that would also encrypt other user attributes. This is a proxy approach that is used to verify and authenticate the service, and in the case of clearpass and PGT, should greatly reduce the pain of callback URLs. The public key should be generated by the client and can be sent to the CAS server via insecure means such as email. By default, all other attributes would be sent as plain text OOTB for backwards compatibility and debugging purposes. Rather than using a different or newly invented method, we simply trust SSL.
Potentially deprecate the clearpass module and update the docs. This may also impact the CAS protocol in the way that PGT and credentials are sent over, as well as the encryption of attributes.
We are NOT going to remove the existing methods of callbacks, but simply would deprecate them for now and can mention the new method as an optional feature of the protocol for now.
This is discussed and proposed under SEC_8: Proposals to mitigate security risks
Proposed by Misagh Moayyed
Role-based Access Control and Authorization
...