2005-01-24 Yale-Rutgers Video Conf

Yale Participants

Susan Bramhall
Howard Gilbert
Drew Mazurek
Andrew Petro

Rutgers Participants

ScottS
Bill Thompson

CAS Product High Level System Model

Human facing component

  • responsible for capturing credentials and interacting with the CAS Ticket Domain Model via a Service facade. Also responsible for responding to ticket validation requests with Security Assertions.

Utility component

  • used by the Human facing component to translate CAS Assertions into a particular protocol or representation (e.g. SAML, CAS2, CAS1, ...)

CAS Service facade

  • provides access to the CAS Domain Model in order to drive the CAS Ticket/Assertion protocol.

Out of the box, CAS3 is committed to a Web-based driver similar to CAS2 and a WebServices-based driver.
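As an added illustration of this three-part model (not code from the CAS project or from the meeting), the Java sketch below models a serializable ticket registry (the ticket cache), a service facade that issues single-use service tickets bound to a service URL and validates them, and a utility component that renders the resulting assertion as a CAS1 or CAS2 response. Everything here is an assumption for the example: the class names, the in-memory credential and person-attribute stores, the ten-second ticket lifetime, and the file name CasModelDemo.java. Making the ticket objects Serializable is the property the HA/load-balance section later relies on.

```java
// Added illustration of the CAS3 system model from the meeting notes; not CAS code.
// File name assumed: CasModelDemo.java. Credential store, attributes and clock values are constructed.
import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/** Ticket-domain object. Serializable so a replicated ticket cache can carry it between nodes. */
final class ServiceTicket implements Serializable {
    private static final long serialVersionUID = 1L;
    final String id, principal, service;  // service = URL the ticket was granted for
    final long expiresAt;                 // epoch millis
    ServiceTicket(String id, String principal, String service, long expiresAt) {
        this.id = id; this.principal = principal; this.service = service; this.expiresAt = expiresAt;
    }
}

/** Protocol-neutral security assertion returned by validation; the utility component renders it. */
final class Assertion implements Serializable {
    private static final long serialVersionUID = 1L;
    final String principal;
    final Map<String, String> attributes;  // person attributes, carried for a SAML rendering (omitted here)
    Assertion(String principal, Map<String, String> attributes) {
        this.principal = principal; this.attributes = new HashMap<>(attributes);
    }
}

/** The ticket cache: a HashMap here, a replicated cache of the same serializable tickets under HA. */
final class TicketRegistry implements Serializable {
    private static final long serialVersionUID = 1L;
    private final Map<String, ServiceTicket> tickets = new HashMap<>();
    synchronized void add(ServiceTicket t) { tickets.put(t.id, t); }
    /** Removes and returns the ticket, so a service ticket validates at most once. */
    synchronized ServiceTicket take(String id) { return tickets.remove(id); }
}

/** Service facade: the single entry point the human-facing component uses to drive the ticket protocol. */
final class CasServiceFacade {
    private static final long TICKET_TTL_MILLIS = 10_000;  // assumed lifetime for the example
    private final TicketRegistry registry;
    private final Map<String, String> credentials;          // constructed user -> password store
    private final Map<String, Map<String, String>> people;  // constructed person-attribute store
    private final SecureRandom rng = new SecureRandom();

    CasServiceFacade(TicketRegistry registry, Map<String, String> credentials,
                     Map<String, Map<String, String>> people) {
        this.registry = registry; this.credentials = credentials; this.people = people;
    }

    /** Captured credentials in; a single-use service ticket bound to `service` out, or null on failure. */
    String login(String user, String password, String service, long now) {
        String expected = credentials.get(user);
        if (expected == null || !MessageDigest.isEqual(   // constant-time comparison
                expected.getBytes(StandardCharsets.UTF_8), password.getBytes(StandardCharsets.UTF_8))) return null;
        byte[] raw = new byte[24];
        rng.nextBytes(raw);                                  // unguessable ticket identifier
        String id = "ST-" + Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        registry.add(new ServiceTicket(id, user, service, now + TICKET_TTL_MILLIS));
        return id;
    }

    /** Validation request -> assertion, or null when the ticket is unknown, replayed, expired or for another service. */
    Assertion validate(String ticketId, String service, long now) {
        ServiceTicket t = registry.take(ticketId);           // removal makes a replay fail
        if (t == null || now > t.expiresAt || !t.service.equals(service)) return null;
        return new Assertion(t.principal, people.getOrDefault(t.principal, Map.of()));
    }
}

/** Utility component: one assertion, several wire representations (CAS1 and CAS2 shown). */
final class AssertionRenderer {
    static String cas1(Assertion a) { return a == null ? "no\n\n" : "yes\n" + a.principal + "\n"; }

    static String cas2(Assertion a) {
        String body = a == null
            ? "  <cas:authenticationFailure code=\"INVALID_TICKET\">ticket not recognized</cas:authenticationFailure>\n"
            : "  <cas:authenticationSuccess>\n    <cas:user>" + xml(a.principal) + "</cas:user>\n  </cas:authenticationSuccess>\n";
        return "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>\n" + body + "</cas:serviceResponse>\n";
    }

    private static String xml(String s) {  // escape the principal before placing it in XML text
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;").replace("\"", "&quot;");
    }
}

public class CasModelDemo {
    public static void main(String[] args) {
        TicketRegistry registry = new TicketRegistry();
        CasServiceFacade cas = new CasServiceFacade(registry,
            Map.of("asmith", "correct horse"),                        // constructed credential
            Map.of("asmith", Map.of("mail", "asmith@example.edu")));  // constructed attribute
        String app = "https://app.example.edu/login";
        long now = 1_000_000L;

        String st = cas.login("asmith", "correct horse", app, now);
        System.out.print(AssertionRenderer.cas1(cas.validate(st, app, now + 1_000)));  // yes / asmith
        System.out.print(AssertionRenderer.cas1(cas.validate(st, app, now + 2_000)));  // no: ticket already consumed
        String st2 = cas.login("asmith", "correct horse", app, now);
        System.out.print(AssertionRenderer.cas2(cas.validate(st2, "https://other.example.edu/", now)));  // wrong service
        String st3 = cas.login("asmith", "correct horse", app, now);
        System.out.print(AssertionRenderer.cas2(cas.validate(st3, app, now + 20_000)));  // expired
        System.out.print(AssertionRenderer.cas1(cas.validate(cas.login("asmith", "wrong", app, now), app, now)));  // bad password
    }
}
```

The facade is the only object that touches the registry, which is what lets the human-facing component stay protocol-agnostic: it hands credentials in and a ticket id out, and on validation hands an assertion to whichever renderer the requesting service needs. The three checks in `validate` (single use, expiry, service binding) are the ones a validation endpoint must make before any representation is emitted.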

Shib Integration

In order to allow CASified apps to participate in inter-institutional authentication via Shib, CAS3 must be able to take a Shib handle as an authN credential and speak the Shib protocol in order to obtain person attributes, which it will marshal into a normal CAS3 Assertion (SAML).

Extension points will be designed in to support this feature in CAS3, but it is not currently a show-stopper for CAS3.0.

Person Attributes

Thought must be given to the design so that it can support the data needed for Assertions covering person attributes. This is already a well-known extension point for CAS2 and is in scope for CAS3.0.

SAML - OpenSAML

  1. where possible, no extensions to the CAS2 payload
  2. we will commit to a SAML CAS 3.0 payload
  3. we will leave open support for Shib (remote users) in the CAS2 payload.

What is a Principal?

Universal Principal Name - UPN
LDAP Distinguished Name - DN
Can't assume one Principal per person.
Shib support for pseudo-netid

Project Plan

Worked through some deliverables on the list, the wiki, and JIRA. The suggestion is that we aim for a milestone release about every month and implement nightly integration builds. Target a major deliverable for the June JASIG meeting (a release candidate?).

OpenSAML support in CAS3

Wrappers for the SAML payload already exist; no need to write our own.
A Principal may or may not have a netid. Shib Assertions can be attribute-based only.

Support for HA and Load Balance Configurations

As long as the ticket cache can be serialized, any HA/LB configuration should be possible. Supporting artifacts for this are not a show-stopper for CAS3.0. It should be easily achievable via Spring cache plug-ins.