CAS Upgrade News

Status: Completed

Background

CAS, which stands for Central Authentication Service, is both an authentication mechanism and an enterprise single sign-on service. It is open-source software developed as part of the Apereo projects and is widely adopted in higher education. The Rutgers OIT-Enterprise Application Services/Identity Management group manages this service as the enterprise Authentication Service. Currently the service runs on version 3.6. In the last few years, the IdM group has incorporated some custom features that are now available as standard features in newer versions of CAS. In addition, newer features and support for extended authentication protocols have been added to updated CAS versions.

The IdM group has chosen to upgrade to one of these production-stable versions, CAS 5.3. For the full list of supported features, please see: https://apereo.github.io/cas/5.3.x/index.html

What is not changing?

In general, most applications that use standard CAS agents will not need to make any changes. The following have not changed:

For a list of CAS Agents, please see https://apereo.github.io/cas/5.3.x/integration/CAS-Clients.html

What is changing?

New Login Page!

  • New look-and-feel login page, for a preview

Additional CAS 3 validation has been added:

Certain applications may need to make changes if they:

  • Used customized agents that handle encoding/decoding in a certain way that is no longer compatible. For these types of applications, it is strongly recommended to upgrade to the most recent CAS agents. For a list of CAS Agents, please see https://apereo.github.io/cas/5.3.x/integration/CAS-Clients.html
  • Authentication via SOAP has been deprecated. If you use the CAS authentication APIs, you must use the RESTful API. The SOAP API is no longer supported in this new version.
  • Proxy Ticket:
    • If your application is configured to use proxy ticket, but you do not really use it, we recommend that you remove it from your configuration and ask the IdM team to remove this from the CAS whitelist configuration.
    • If you use proxy tickets and they are not working after the upgrade, then most likely the proxy receptor URL is not reachable from the CAS server. CAS 5.3 enforces that this URL is reachable. In this case, please contact IdM at idm_operations@email.rutgers.edu and provide the URL for your proxy receptor. Someone will check connectivity and get back to you.
  • If your application checks the custom service-validate attributes returned by CAS 3.6 for authType (Safeword/Kerberos) and authenticationMethod (duo-two-factor), you will need to make a change, as the authType attribute is no longer supported in CAS 5.3.

    • You will have to change client code to call /p3/serviceValidate instead of /serviceValidate
    • Look for the following value in the /p3/serviceValidate response:
      • <cas:authenticationMethod>mfa-duo</cas:authenticationMethod>

Please note that Safeword has been decommissioned and replaced by Duo.
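
Added example (not Rutgers or Apereo code): one way a client can make the check described above on a /p3/serviceValidate response body. It parses the XML and fails closed rather than searching the text for "mfa-duo". The sample responses are constructed, and the placement of authenticationMethod under cas:attributes is an assumption based on the CAS 3.0 protocol layout.

```python
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}  # CAS protocol XML namespace
REQUIRED_METHOD = "mfa-duo"  # value this page says to look for

class CasValidationError(Exception):
    """Ticket rejected, response malformed, or Duo not asserted."""

def require_duo(xml_text):
    """Return the username only if the response asserts mfa-duo; else raise."""
    if "<!DOCTYPE" in xml_text:  # a CAS response has no use for a DTD
        raise CasValidationError("DOCTYPE not allowed")
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise CasValidationError("unparseable response") from exc
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:  # fail closed on failure or unknown bodies
        failure = root.find("cas:authenticationFailure", CAS_NS)
        code = failure.get("code", "UNKNOWN") if failure is not None else "NO_RESULT"
        raise CasValidationError("ticket rejected: " + code)
    user = (success.findtext("cas:user", "", CAS_NS) or "").strip()
    if not user:
        raise CasValidationError("no cas:user in success response")
    # Assumption: attributes sit under cas:attributes, as in CAS protocol 3.0.
    methods = [(e.text or "").strip() for e in
               success.findall("cas:attributes/cas:authenticationMethod", CAS_NS)]
    if REQUIRED_METHOD not in methods:
        raise CasValidationError("Duo not asserted for " + user)
    return user

def _response(inner):  # builds the constructed sample bodies below
    return ('<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">'
            + inner + "</cas:serviceResponse>")

# Constructed samples, not captured from the Rutgers service.
SAMPLE_DUO = _response(
    "<cas:authenticationSuccess><cas:user>netid123</cas:user><cas:attributes>"
    "<cas:authenticationMethod>mfa-duo</cas:authenticationMethod>"
    "</cas:attributes></cas:authenticationSuccess>")
# Username contains "mfa-duo", so a substring search would wrongly pass.
SAMPLE_NO_MFA = _response(
    "<cas:authenticationSuccess><cas:user>mfa-duo-svc</cas:user>"
    "<cas:attributes/></cas:authenticationSuccess>")
SAMPLE_FAILURE = _response(
    '<cas:authenticationFailure code="INVALID_TICKET">'
    "Ticket not recognized</cas:authenticationFailure>")
```

Only SAMPLE_DUO returns a username; the other two raise CasValidationError, which the application should treat as "not authenticated".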

Testing:

CAS 5.3 has been available in the standard test environment https://test-cas.rutgers.edu since the end of October 2020. The IdM group has requested via cas_annoucements that application owners test their integration and report any issues to:

Known Issues:

Timelines:

  • Launched in test-cas.rutgers.edu (10/30/2020) – Completed
  • System Integration Testing (10/30 – 12/15/2020) – Completed
  • User Acceptance Testing (12/1 – 12/07/2020) – Completed
  • Production deployment (01/10/2021) – Completed
