2005-01-24 Yale-Rutgers Video Conf
2005.01.24 Yale/Rutgers Video Conference
Yale Participants
Susan Bramhall
Howard Gilbert
Drew Mazurek
Andrew Petro
Rutgers Participants
ScottS
Bill Thompson
CAS Product High Level System Model
Human facing component
- responsible for capturing credentials and interacting with the CAS Ticket Domain Model via a Service facade. Also responsible for responding to ticket validation requests with Security Assertions.
Utility component
- used by the Human facing component to translate CAS Assertions into a particular protocol or representation (e.g. SAML, CAS2, CAS1, ...)
CAS Service facade
- provides access to the CAS Domain Model in order to drive the CAS Ticket/Assertion protocol.
Out of the box, CAS3 is committed to a web-based driver similar to CAS2 and a web-services-based driver.
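As an added illustration of the model above (not CAS code, and not from the meeting): a minimal Service facade over a ticket cache, which the human-facing component would call to grant and validate service tickets, plus two Utility renderers that turn one Assertion into a CAS1 or CAS2 payload. The single-use, same-service and ten-second lifetime rules on service tickets are assumptions of this sketch.

```python
import secrets
import time
from dataclasses import dataclass
from xml.sax.saxutils import escape

@dataclass
class ServiceTicket:  # ticket domain model; plain data so the cache can be serialized
    service: str
    principal: str
    attributes: dict
    issued: float

@dataclass
class Assertion:
    principal: str
    attributes: dict
    service: str

class CasServiceFacade:
    """What the human-facing component calls to drive the ticket/assertion protocol."""
    ST_LIFETIME = 10.0  # seconds; assumed value, not from the notes

    def __init__(self):
        self._tickets = {}  # the ticket cache

    def grant_service_ticket(self, principal, attributes, service, now=None):
        st_id = "ST-" + secrets.token_urlsafe(24)  # unguessable ticket id
        issued = time.time() if now is None else now
        self._tickets[st_id] = ServiceTicket(service, principal, dict(attributes), issued)
        return st_id

    def validate(self, st_id, service, now=None):
        """Return an Assertion or None; a ticket is consumed by its first validation attempt."""
        now = time.time() if now is None else now
        st = self._tickets.pop(st_id, None)  # removed whether or not validation passes
        if st is None or st.service != service or now - st.issued > self.ST_LIFETIME:
            return None
        return Assertion(st.principal, st.attributes, st.service)

# Utility component: translate one Assertion into a protocol-specific representation.
def render_cas1(assertion):
    return "no\n\n" if assertion is None else f"yes\n{assertion.principal}\n"

def render_cas2(assertion):
    ns = 'xmlns:cas="http://www.yale.edu/tp/cas"'
    if assertion is None:
        return f'<cas:serviceResponse {ns}><cas:authenticationFailure code="INVALID_TICKET"/></cas:serviceResponse>'
    return (f'<cas:serviceResponse {ns}><cas:authenticationSuccess><cas:user>{escape(assertion.principal)}'
            f'</cas:user></cas:authenticationSuccess></cas:serviceResponse>')
```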
Shib Integration
In order to allow CASified apps to participate in inter-institution authentication via Shib, CAS3 must be able to take a Shib handle as an authN credential and speak the Shib protocol in order to obtain person attributes, which it will marshal into a normal CAS3 Assertion (SAML).
Extension points will be designed in to support this feature in CAS3, but it is not currently a show-stopper for CAS3.0.
Person Attributes
Thought must be given to the design such that it can support the data needed for Assertions covering person attributes. This is already a well-known extension point for CAS2 and is in scope for CAS3.0.
SAML - OpenSAML
- where possible no extensions to CAS2 payload
- we will commit to a SAML CAS 3.0 payload
- we will leave open support for Shib (remote users) in the CAS2 payload.
What is a Principal?
Universal Principal Name - UPN
LDAP Distinguished Name - DN
Can't assume one Principal per person.
Shib support for pseudo-netid
Project Plan
Worked through some deliverables on the list, wiki, and JIRA. The suggestion is to shoot for a milestone release about every month and to implement nightly integration builds. Target a major deliverable for the June JASIG meeting (Release Candidate?).
OpenSAML support in CAS3
Use wrappers for the SAML payload; no need to write our own.
A Principal may or may not have a netid. Shib Assertions can be attribute-based only.
Support for HA and Load Balance Configurations
As long as the ticket cache can be serialized, any HA/LB config should be possible. Supporting artifacts for this are not a show-stopper for CAS3.0; it should be easily possible via Spring cache plug-ins.