Bill,
The InCommon Technical Advisory Committee has launched an effort to develop a document that presents the landscape of identity-related projects of particular relevance to the Research and Education (R&E) community, including information about their state, the relationships among them, and gaps among those relationships and between the capabilities they provide and what is needed by this community. This Identity Landscape document is intended to provide information as input to strategic decision making by those providing leadership to the identified projects and to promote increased coordination among them. It will be written with those audiences in mind, though we also expect it to be shared widely with the R&E public.
As a representative of the CAS project, your participation in this effort would be invaluable to us and, we hope, to you as well. In order to give you an idea of what we're looking for, I have included a quick set of questionnaire topics that we are using to collect basic information about each project, as well as answers to that questionnaire for the Grouper project, at the bottom of this message. As you can see, we are looking for very brief summary information, although we may ask to schedule a telephone conversation at a later date to fill in additional information. Simply replying to this note, editing your responses into the Questionnaire Topics below would be greatly appreciated. We could also schedule a telephone interview to go through the questionnaire and draft answers for your review, if that works better for you.
Please let me know if you are willing to participate, or could designate someone else. Don't hesitate to contact me if you have any questions. Thank you for your help.
David Walker
InCommon Technical Advisory Committee
dhwprof@gmail.com
Questionnaire Answers - DRAFT
Project Name
Apereo CAS
Contacts
Bill Thompson, Unicon
wgthom@unicon.net
Overview / Mission
CAS is an authentication system originally created by Yale University to provide a trusted way for web application to authenticate a user. CAS became a Jasig project in December 2004 and subsequently an Apereo project in 2013.
CAS provides an enterprise web single sign-on service:
- An open and well-documented protocol
- An open-source Java server component
- A library of clients for Java, .Net, PHP, Perl, Apache, uPortal, and others
- Integrates with uPortal, BlueSocket, TikiWiki, Mule, Liferay, Moodle and others
- Community documentation and implementation support
- An extensive community of adopters
Goals / Roadmap
Specific goals the project has for the future. If available, also a time frame for achieving those goals.
CAS maintains a roadmap at: https://wiki.jasig.org/display/CAS/CAS+Roadmap.
CAS 4.0 is the current work in progress an includes the following scope slated for 2013:
- improved authN APIs to support multiple credentials (forces Major release per release strategy)
- new skin and better support for mobile devices
- Improvements to the Ldap Password Policy enforcement that are described here.
- potentially other minor evolutionary improvements that would have been targeted for 3.6.
Approach to Work
How priorities are set, the process for releasing deliverables, collaborative work style, expectations of members, etc.
CAS is loosely run as an Apache style open source project with priorities mostly set by availability of interested developers and committer consensus.
CAS has been a solid and mature product for some time. Improvements and extensions evolve from both a community recognition of priorities and the will of developers to take ownership of particular facets of the CAS product. An active developer list provides the primary collaborative forum for both incremental improvements and proposing and vetting new requirements and features. Multiple releases typically occur during a year and reflect contributions in the interim. The development lifecycle is structured with coding standards (https://wiki.jasig.org/display/CAS4UM/Code+Standards), and review and release management processes.
Strategies for Sustainability
Strategies for funding, inclusion of new members, etc.
CAS has no funding or means for support beyond the umbrella infrastructure provided by Apereo. Typical of a successful open source project, the work of a relatively small community of contributors is leveraged across many consumers. Though CAS adopters need not be involved in any way, the criticality of CAS single sign-on to large-scale adopters keeps the activtiy level of the project very high. This activity is true with respect to the CAS server and integration of the CAS protocol in clients.
A CAS Steering Committee exists to advocate for the project and set any strategic and administrative direction (https://wiki.jasig.org/display/CASST/Home).
CAS relies on Apereo to fund general community infrastructure (mailing lists, website, jira). The project also makes use of free infrastructure from github for source code control. Development and management of the project is mostly resourced directly from the participants. Unicon's Support program also contributes directly to the project based on the number of subscribers to the program. Sustainability is derived from three primary sources:
- Apereo support for community infrastructure
- Community participants (direct contribution)
- Unicon Support program (indirect via Unicon)
Relationships with Other Projects
Areas where there is observed interdependence or similarity with other projects.
CAS is perhaps the most widely adopted solution for WebSSO. Although CAS may be seen as performing in a narrower range of the SSO spectrum compare with Shibboleth, the fact is that many enterprises continue to adopt and rely on CAS as both a convenient tried-and-true WebSSO solution. It's adoption in enterprises typically predated that of SAML-based federated solutions and over time CAS has increased in sophistication while a wide ecosystem of open source and proprietary products have established integrations with CAS.
Large well-known projects such as uPortal, Moodle, Liferay, and the Kuali products provide for out-of-the-box integration with CAS due to its prevalence and relative simplicity.
CAS and Shibboleth are similar in that they both can be used for WebSSO. They differ in that Shibboleth has mostly been focused on implementing the SAML specification, whereas CAS is mostly focused on being a great platform for enterprise WebSSO regardess of the protocol. Many deployers have found CAS and Shibboleth to be more complimentary than competitive. See: Shibboleth and CAS - Even More Perfect Together
CAS also has relationship with Apereo Person Directory for attribute resolution and can be used in conjunction with Grouper for course-gained access control.
Observed Gaps
Elements of the identity landscape that do not seem to exist, but are needed to achieve the project's goals.
The approach to the identity landscape is often panacean - the entire problem is stood up with the assumption that the right projects can be brought together in one holistic solution.
The identity landscape is apparently searching for large blueprints. There is a large gap between these future goals and a more practical packaging of identity solutions that align with common consumer scenarios. A feedback loop to potential consumers about what they could do today given a particular scenario is missing, particularly as institutions shorten project cycles and look for more agility. In retrospect, CAS' success has come from meeting as many adopter scenarios as possible without breaking any fundamental contracts that would jeopardize security or abandon a large set of current adopters.
Challenges
Potential roadblocks to achieving the project's goals.
- Lack of input from stakeholders outside of the developer community.
- Availability of developer resources.
- Governance/consensus around project direction.
Leadership beyond incremental release functionality.
More Information
URLs where further information about the project is available.
- http://www.jasig.org/cas
- https://wiki.jasig.org/display/CAS/Home
- https://wiki.jasig.org/display/CAS/CAS+Roadmap
Notes
Miscellaneous notes that do not fit in the other categories.
Sample Grouper Response
DRAFT - Project Summary - Grouper - DRAFT
Project Name
Grouper Access Management System
Contacts
Tom Barton
Overview / Mission
Grouper is an open source toolkit for managing access using groups, roles, and permissions. It is designed to function as the core element of a common infrastructure for managing access information across integrated applications and repositories. Grouper combines multiple sources of group information, both automated and manual, in managing memberships and other group information in a Group Registry, a central information asset complementary to a site's Person Registry.
The Grouper project started in 2003 to address group management needs in higher education. In this context, higher education is distinguished from most other enterprises in the following ways:
It is very decentralized. Distributed management and delegation are very important.
Large numbers of identity sources must be accommodated.
Privilege is not tied closely to job titles.
Goals / Roadmap
Privilege management was added to Grouper in release 2. The next release is 2.2 in about six months. Highlights for that release include:
An administrative user interface to address the needs of beginning and intermediate users.
Support for any sized screen, down to mobile devices.
Greater orientation to a service catalog paradigm, including service tags and the concept of service administrators.
Integration for popular software like uPortal
Approach to Work
Grouper maintains two electronic mail lists, grouper-users and grouper-devs for communication. "Those who show up make the decisions," and they try hard to get people to show up. Decisions to move forward with new functionality require at least one adopter/partner who will use the functionality to assure the development is grounded in real needs.
Strategies for Sustainability
Grouper is an open source project with financial support from Internet2 for about 1.5 FTE spread over about 4 developers. Internet2 also supports conference calls and a scribe.
The sustainability proposition is the value Grouper brings; it's not necessarily financial. Grouper addresses a problem that people agree is good to work on.
Observed Gaps
Better capabilities to work with AD. Grouper can provision AD, but nothing more. Nobody's speaking up about this, but Gartner observed this in an evaluation of group management tools that otherwise rated Grouper well.
Closer work with CIFER. The sustainability and governance models don't always mesh well, making collaboration a challenge.
Relationships with Other Projects
Grouper has touched many other projects. For example,
Release 2 of Grouper inherited much of its functionality needs from the now defunct Signet project.
uPortal
Apereo / Jasig
Shibboleth
Kuali Rice
CIFER
Some engagement with Globus, although the fit wasn't very good.
Universities
University of West Bohemia contributed a POSIX UID/GID manager for Grouper
A consortium of 180 universities in central France with a shared instance of uPortal, managed by Grouper
SURFnet
Challenges
Organizational gaps, such as observed above for CIFER.
More Information
Grouper web site:http://www.internet2.edu/grouper/
Grouper Product Roadmap (https://spaces.internet2.edu/pages/viewpage.action?pageId=14517754)
Notes