This document is no longer maintained or valid. Please refer to the official CAS documentation at apereo.github.io/cas/ to learn more.
The following items are proposed to fit the scope of the CAS 4.3 release. We are just focusing on the big picture here. Other smaller issues may also be candidates depending on the nature of the change. Items discussed on this list are in no particular order of priority.
This document specifically addresses the scope for the CAS Server 4.3. Features for official CAS clients that would want to take advantage of 4.x features should be documented and discussed elsewhere.
This is just a draft and may be heavily edited as development moves on. Items that will not fit the release schedule and timeline will be removed from this list. We are just trying to gather and collect proposals for the release.
Provide the ability for the CAS authn subsystem to allow one user to log in as another. This would be useful for troubleshooting purposes via special service accounts. Consider how the surrogate principal can be audited at the CAS server level, and how the proxy principal can be communicated back to the application in the CAS validation response.
Proposed by William G. Thompson, Jr.
Provide an optional webflow to allow CAS to display a list of attributes that may be released to the application. This is similar to what uApprove does. Provide an option for the user to accept the release and a way for CAS to remember the user's choice.
Proposed by Misagh Moayyed
Deliver OIDC functionality. Focus on AuthZ Code profile, and then move onto additional config.
Proposed by Jérôme LELEU
The existing front-channel SLO feature in CAS4 is still experimental. Improvements could be made in terms of UI or client integration.
Rather than dancing with the client, we could directly call the applications from the CAS logout page/flow to log them out. This can be done securely in parallel invocations (via hidden images, iframes, etc.) and may require the creation of a new field in the service registry for "logout urls". We would need a specific URL for logout that would be used for front-channel SLO, with a SAML-like logout message that includes the service ticket. The message can be hashed and zipped and sent along as a GET request. This would allow the CAS server to present 3 SLO options:
This may require mods to the protocol.
We have to be VERY careful with the wording of front-channel SLO on the UI. We can never guarantee a logout from the application's point of view, but we can emphasize that a logout message has been sent to the application. It is still up to the application to decide how to handle the logout.
Proposed by Jérôme LELEU
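The exchange sketched above, as an added example that is not part of this page or of the CAS code base: the CAS side builds a SAML-like LogoutRequest whose SessionIndex carries the service ticket, DEFLATE-compresses and base64-encodes it (the page's "zipped"; the unspecified "hashed" step is not modelled) and puts it in a GET to the application's registered logout URL, and the application side inflates it with a size cap, checks the message age, and ends the matching session. The function and class names, the `SAMLRequest` parameter name, the `@NOT_USED@` NameID placeholder and the session table are all constructed for this example.

```python
"""Front-channel SLO round trip (constructed example, not CAS's own code)."""
import base64
import uuid
import xml.etree.ElementTree as ET
import zlib
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
MAX_INFLATED = 64 * 1024          # cap on inflated size: a tiny GET must not inflate to megabytes
MAX_AGE = timedelta(minutes=5)    # reject stale (replayed) logout messages


# ---- CAS server side -------------------------------------------------------

def build_logout_request(service_ticket: str, issuer: str = "https://cas.example.org/cas") -> bytes:
    """SAML-like LogoutRequest; the application only needs SessionIndex (the service ticket)."""
    req = ET.Element(f"{{{SAMLP}}}LogoutRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime(TIME_FMT),
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{SAML}}}NameID").text = "@NOT_USED@"   # placeholder subject
    ET.SubElement(req, f"{{{SAMLP}}}SessionIndex").text = service_ticket
    return ET.tostring(req, encoding="utf-8")


def encode_for_get(message: bytes) -> str:
    """Raw DEFLATE (no zlib header) then base64, so the XML fits in a query string."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(message) + comp.flush()).decode("ascii")


def build_logout_url(app_logout_url: str, service_ticket: str) -> str:
    """The URL CAS would load (hidden image / iframe) for one registered application."""
    return app_logout_url + "?" + urlencode({"SAMLRequest": encode_for_get(build_logout_request(service_ticket))})


# ---- application side ------------------------------------------------------

def decode_from_get(param: str) -> bytes:
    """Inverse of encode_for_get with a hard limit on the inflated size."""
    d = zlib.decompressobj(-15)
    out = d.decompress(base64.b64decode(param, validate=True), MAX_INFLATED)
    if d.unconsumed_tail:
        raise ValueError("logout request inflates beyond MAX_INFLATED")
    return out


class AppSessions:
    """Constructed stand-in for an application's session store, keyed by the
    CAS service ticket each session was created from."""

    def __init__(self):
        self.by_ticket = {}   # service ticket -> application session id

    def login(self, service_ticket: str, session_id: str) -> None:
        self.by_ticket[service_ticket] = session_id

    def handle_front_channel_logout(self, request_url: str) -> bool:
        """Return True if a session was ended; any malformed or stale message ends nothing."""
        values = parse_qs(urlparse(request_url).query).get("SAMLRequest", [])
        if len(values) != 1:
            return False
        try:
            root = ET.fromstring(decode_from_get(values[0]))   # size-capped input, see decode_from_get
            issued = datetime.strptime(root.get("IssueInstant", ""), TIME_FMT).replace(tzinfo=timezone.utc)
        except (ValueError, zlib.error, ET.ParseError):
            return False
        if root.tag != f"{{{SAMLP}}}LogoutRequest":
            return False
        if abs(datetime.now(timezone.utc) - issued) > MAX_AGE:
            return False
        idx = root.find(f"{{{SAMLP}}}SessionIndex")
        if idx is None or not idx.text:
            return False
        # Unknown ticket: nothing to end, but also nothing to report back (the page's
        # point that CAS can only say the message was sent, not that logout happened).
        return self.by_ticket.pop(idx.text, None) is not None


if __name__ == "__main__":
    sessions = AppSessions()
    sessions.login("ST-1-constructed", "app-session-42")
    url = build_logout_url("https://app.example.org/logout", "ST-1-constructed")
    print(url)
    print("ended:", sessions.handle_front_channel_logout(url))
```

The application treats every failure the same way (nothing ended, no error leaked to the caller), which is the defensive default for an endpoint that any origin can hit with a crafted GET; the inflate cap and the age window are the two checks the page's "zipped" GET design most needs.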
The CAS server can be customized to act as an OAuth server. Presently the OAuth implementation requires that the client receive the TGT and pass it to the profile endpoint as the access token. Also, the implementation attempts to release all attributes rather than only those that are allowed, due to limitations in the current design. The following alternatives may be used instead:
Spring Security's OAuth support may be a candidate to review.
Proposed by Jérôme LELEU
In some cases, it may be required of the CAS server to select the authentication scheme on a per-application level, something that may be configured inside the registry. Upon selection, CAS may try to find all handlers that support that scheme, and delegate the authentication request only to those that claim support.
Proposed by Misagh Moayyed
Extend the existing capabilities of the CAS server to provide authentication flows for MFA. Consider MFA triggers that are per service or per user group. Consider support for MFA providers such as Duo Security and Toopher. For this release, we may simply end up doing the groundwork, paving the way for future extensions to connect to Duo, etc. Unicon has developed a cas-mfa extension that can be used to inspire ideas and design guidelines.
Consider:
Proposed by Misagh Moayyed, William G. Thompson, Jr., Jeremy Jeremy, Sean Baker
Since JDK 7 has become EOL, an effort should be made to consider building CAS on top of JDK 8. We'll need to take a closer look at our javadocs and resolve issues that the JDK compiler may complain about with a much stricter policy around javadoc generation.
Proposed by Misagh Moayyed
Allow CAS to be built via Gradle. The current build and release process is very sluggish with Maven, and we could take advantage of Gradle's declarative configuration and daemon to speed things up considerably.
Proposed by Misagh Moayyed
Provide official CAS Docker images as an alternative to the Maven overlay deployments.
Proposed by Misagh Moayyed
Implement JWT/Stormpath functionality via Pac4j. Ensure configuration is automatically available. Document.
Proposed by Jérôme LELEU, Misagh Moayyed
Implement the SAML2 Web SSO profile for SAML SPs, thereby making CAS a SAML identity provider (IdP). Ignore all other profiles.
Proposed by Jérôme LELEU, Misagh Moayyed