The Apereo Foundation has announced the official GA release of CAS 5. This is a major release which is packed with a lot of new features and enhancements, some of which are described here:
Configuration management and setup have been simplified extensively, thanks to the Spring Boot and Spring Cloud projects. The auto-configuration strategy of CAS features is as follows:
- Find and declare the feature module as a dependency, thus announcing your intention of enabling a particular feature in CAS.
- Optionally, configure the module by supplying settings via a simple properties configuration file.
At deployment time, CAS will auto-determine every single change that is required for the functionality of declared modules and will auto-configure it all in order to remove the extra XML configuration pain.
Multi-factor Authentication (MFA)
MFA is a first-class feature of CAS 5 with support for providers that include:
- Duo Security
- Google Authenticator
- And more...
MFA triggers are provided out of the box that allow you to activate MFA for applications, groups of users, and more. Adaptations of "trusted device/browser" features are also made available to help bypass MFA when/if needed.
In the past, SAML2 functionality of CAS was mostly limited to support for Google Apps. In this release, CAS becomes fully aware of SAML metadata, and starts to act as a SAML2-enabled identity provider with support for InCommon metadata and more.
As a brand new feature, CAS 5 begins to support the OpenID Connect protocol, to act as an identity provider. Remember that it has always been possible to use an external OpenID Connect provider such as Google to log into CAS.
CAS 5 starts to use Thymeleaf's simple HTML pages and layouts for user interfaces. A great amount of work is put into CAS 5 to make sure administrative screens are available to manage configuration, logging, SSO sessions, statistics, audit logs, trusted devices/browsers, and more.
Front Channel SLO
SAML2 Service Provider (SP) Integrations
CAS starts to support the following SAML SP integrations out-of-the-box:
- PowerFAIDS Net Partner
- And more...
Much like anything else, you should be able to declare what your SP metadata is and what attributes it requires in a simple .properties file.
Geoprofiling Authentication Requests
How do you block what you may consider a suspicious authentication attempt? For instance, you may wish to disallow requests from certain locations or IP addresses or, even fancier, you may want those requests to pass through MFA for extra security. As a variant of adaptive authentication, CAS allows you to geoprofile authentication requests and then, based on your devised rules, reject those requests or force them through a particular MFA provider. Geoprofiling can be achieved via Maxmind or GoogleMaps.
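The decision flow described above, sketched as an added Python example; it is not CAS code or CAS configuration. The lookup table, the provider identifiers `duo` and `gauth`, and the choice to send unlocatable addresses through MFA are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed stand-in for a geolocation lookup (such as a Maxmind database):
# documentation-range networks mapped to country codes.
GEO_TABLE = {
    ipaddress.ip_network("192.0.2.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "FR",
    ipaddress.ip_network("203.0.113.0/24"): "ZZ",  # constructed "blocked" country
}

@dataclass
class AdaptivePolicy:
    reject_networks: list = field(default_factory=list)
    reject_countries: set = field(default_factory=set)
    mfa_countries: dict = field(default_factory=dict)  # country -> MFA provider id
    unknown_location_provider: str = "duo"  # hypothetical provider id

def locate(addr):
    """Return the country for an address, or None when it cannot be located."""
    for net, country in GEO_TABLE.items():
        if addr in net:
            return country
    return None

def evaluate(policy, client_ip):
    """Return ("REJECT", None), ("MFA", provider) or ("ALLOW", None)."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return ("REJECT", None)  # unparseable address: fail closed
    # Explicit IP rules are checked first so they win over country rules.
    if any(addr in net for net in policy.reject_networks):
        return ("REJECT", None)
    country = locate(addr)
    if country is None:
        # Assumption: an unlocatable request is stepped up, never silently allowed.
        return ("MFA", policy.unknown_location_provider)
    if country in policy.reject_countries:
        return ("REJECT", None)
    if country in policy.mfa_countries:
        return ("MFA", policy.mfa_countries[country])
    return ("ALLOW", None)

# Constructed sample policy.
POLICY = AdaptivePolicy(
    reject_networks=[ipaddress.ip_network("192.0.2.128/25")],
    reject_countries={"ZZ"},
    mfa_countries={"FR": "gauth"},
)
```

Rule order matters here: a rejected network overrides an otherwise allowed country, and an address with no location is treated as higher risk rather than as a default allow.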
A big hearty thanks to all who participated in the development of this release to submit patches, report issues, and suggest improvements. Now is the best time to start trying out the release candidates and report back findings.
Start your early CAS 5 deployment today!