Seeking your advice on CAS adoption


Paul Luk

Apr 18, 2019, 7:13:14 AM4/18/19
to CAS Community
Hi all,

  I am doing research on the adoption of CAS.

  Background: my company is a healthcare company (managing many hospitals and offering a 24x7x365 business) that runs hundreds of in-house developed systems, as well as some acquired 3rd-party products.

  Currently, the in-house developed systems have their own authentication/authorization mechanisms, mostly:
  1. user credentials & attributes stored in a DB
  2. Active Directory for authentication and a DB for user attributes

  There is dedicated support for the maintenance of each system and, when downtime is required, support will liaise with users to arrange it. There won't be a period in which all systems can be down for maintenance.

  To reduce the repeated effort spent on authentication and authorization for each system, I am checking whether we can adopt CAS to help, especially with:
  1. OpenID Connect 1.0 + JWT (to achieve single sign-on in the future)
  2. OAuth 2.0 (password grant) + JWT (seems to be a good path for migration, and finally to OpenID Connect)
  3. SAML2/Kerberos (mainly for backward compatibility)

  My concerns about CAS adoption are:
  1. Is CAS flexible enough to extend to cater for future authentication requirements? We will definitely be requested to support more and more authentication mechanisms (e.g. FIDO2, RSA hardware tokens [with custom username/password padding], trusted device registration, etc.).

      I found there is not much documentation telling developers how to extend the CAS login flow (custom authenticators / MFA). Is there a starter guide for CAS development (e.g. a detailed system flow / architecture diagram)?

   2. For high availability, in my company the CAS service needs to be deployed to at least 2 datacenters. Can you share your experience of CAS high availability (in terms of maintenance and setup, stability, performance, etc.)?

   3. After adoption of CAS, all systems will make use of it and depend on it. I am worried about system updates/patching, as we cannot have a period in which to shut down all CAS instances for upgrades/patching (which would impact ALL systems, versus currently, where an individual system going down for maintenance has a smaller impact on hospital operations).

      Can you share your experience of system upgrades/patching? Do you have experience updating CAS (say from 5.x to 6.x) without downtime?

   4. Where can I find known security issues/vulnerabilities for each CAS version? I have only been able to find this and the CAS security mailing list.

   5. Unlike with a commercial product, we can't request a backport of a fix from a newer version to an older version, but upgrading CAS seems not easy. How do you cater for that? Do you have a good strategy?

   6. For authorization (like who can perform what function in which system) with an OpenID Connect JWT token, has anybody tried putting the permissions in the scope field and checking that for authorization? How do you enforce authorization? Use of OAuth 2.0 UMA seems to make the system more complicated.

   Thank you.
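Question 6 in the post above asks whether permissions can be carried in the scope field of an OpenID Connect JWT and checked for authorization. The following is an added example, not code from this thread or from the CAS project, of what the resource-server side of that check looks like. It uses HS256 with a shared secret so that it runs offline on the Python standard library alone; a real OpenID Connect provider such as CAS normally signs tokens with RS256 and publishes its keys via a JWKS endpoint, so in practice the signature step would use the provider's public key instead. The issuer, audience, subject, scopes and permission names are constructed values. The example keeps the OAuth `scope` claim (what the client was granted, a space-delimited string) separate from a custom `permissions` claim (what the user may do) and requires both, pins the algorithm so that an `alg: none` forgery is refused, and checks signature, issuer, audience and expiry before any claim is trusted.

```python
"""Resource-server side of 'permissions in the token': verify a JWT, then
authorize from its claims.  Added example, Python standard library only.
Assumptions (not from the thread or from CAS): HS256 with a shared secret,
and the constructed issuer / audience / claim values below."""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"demo-shared-secret-do-not-use"         # constructed HS256 key
ISSUER = "https://cas.example.org/cas/oidc"       # hypothetical OP issuer
AUDIENCE = "pharmacy-web"                         # hypothetical client_id


class TokenError(Exception):
    """Raised when a token fails verification; callers treat it as 401."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(sub, scopes, permissions, ttl=300, now=None):
    """Mint a token the way an OP would: 'scope' is the space-delimited
    OAuth scope string, 'permissions' is a separate custom claim."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": sub,
              "iat": now, "exp": now + ttl,
              "scope": " ".join(scopes),
              "permissions": sorted(permissions)}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(token, now=None):
    """Return the claims if signature, alg, iss, aud and exp all check out."""
    now = int(time.time() if now is None else now)
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        payload = b64url_decode(p_b64)
        signature = b64url_decode(s_b64)
    except ValueError as exc:            # wrong segment count, bad base64/JSON
        raise TokenError("malformed token") from exc
    # Pin the algorithm: the header is attacker-controlled, so never let it
    # choose 'none' or switch the verifier to a different algorithm.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(SECRET, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    try:
        claims = json.loads(payload)     # only interpret claims once the MAC holds
    except ValueError as exc:
        raise TokenError("malformed claims") from exc
    if claims.get("iss") != ISSUER:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("wrong audience")
    if now >= int(claims.get("exp", 0)):
        raise TokenError("expired")
    return claims


def authorize(claims, required_scope, required_permission):
    """Scope says what the *client* was granted; the permissions claim says
    what the *user* may do.  Both must hold for the request to proceed."""
    granted_scopes = set(claims.get("scope", "").split())
    if required_scope not in granted_scopes:
        return False
    return required_permission in set(claims.get("permissions", []))


def check_request(token, required_scope, required_permission, now=None):
    """What an API endpoint runs per request: True = allow, False = deny."""
    try:
        claims = verify_token(token, now)
    except TokenError:
        return False
    return authorize(claims, required_scope, required_permission)


def strip_signature(token):
    """Classic 'alg: none' forgery: keep the payload, drop the signature.
    Included only so the rejection path can be exercised."""
    _, p_b64, _ = token.split(".")
    return b64url_encode(b'{"alg":"none","typ":"JWT"}') + "." + p_b64 + "."


if __name__ == "__main__":
    t = issue_token("nurse01", ["openid", "ehr.read"], ["ehr:read:ward-3"])
    print(check_request(t, "ehr.read", "ehr:read:ward-3"))                  # True
    print(check_request(t, "ehr.read", "ehr:prescribe"))                    # False
    print(check_request(strip_signature(t), "ehr.read", "ehr:read:ward-3"))  # False
```

The split between `scope` and `permissions` is the design point: a scope like `ehr.read` is granted to a client application at consent time and says nothing about which wards a given nurse may see, so packing per-user permissions into the scope string conflates client authorization with user authorization. Carrying the user's permissions in a dedicated claim (populated from the attribute source the OP already has) keeps the two checks separate, and the resource server still decides what each permission means for its own endpoints.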

   

Andy Ng

Apr 19, 2019, 3:08:05 AM4/19/19
to CAS Community
Hi Paul,

After one and a half years of upgrading and maintaining our company's CAS, I will share some of my experience on your questions:


1. Is CAS flexible enough to extend to cater for future authentication requirements?
    - If your requirement is a standard one, you can usually see it implemented in CAS 5 or above
           - In my case, I have SAML2, CAS and OAuth2 together on both mobile and web, and they can all still do SSO, no problem
    - If you have some really custom authentication / authorization requirements (like us!), you can always use a custom authentication handler to customize your own stuff: https://apereo.github.io/2017/02/02/cas51-authn-handlers/
    - I can't say about the future, but I can give you some experience from the past:
        - The upgrade from CAS 4 to CAS 5 was very painful because CAS changed a lot from 4 to 5; the change from 4 to 5 is much greater than the one from 5 to 6.
        - However, after upgrading from 4 to 5, everything is still working completely fine (our company started with CAS 3), so the CAS dev team definitely makes sure services are backward compatible

2. For high availability, in my company the CAS service needs to be deployed to 2 or more datacenters
    - Our server is very stable with our own high availability setup; you might see the opinions of other people in this thread too (https://groups.google.com/a/apereo.org/forum/#!searchin/cas-user/david$20high$20availability%7Csort:date/cas-user/tCk7jJz5pnE/7cXWmHd0BgAJ)

3. After adoption of CAS, all systems will make use of it and depend on it; I am worried about system updates/patching, as we cannot have a period in which to shut down all CAS instances for upgrades/patching
   - We also cannot have downtime during maintenance; most of the time you don't need to shut down all CAS instances for an upgrade.
   - However, users might get logged out after the upgrade if the ticketing system (like Hazelcast) has been upgraded

4. Where can I find known security issues/vulnerabilities for each CAS version? I have only been able to find this and the CAS security mailing list.
  - Don't quote me on that, but the security mailing list is also the only place I have found CAS vulnerabilities.
  - With CAS using a lot of libraries, it might be very difficult to keep track of all the vulnerabilities of all the libraries; in this regard I myself would just trust the CAS team and upgrade my server as frequently as possible

5. Unlike with a commercial product, we can't request a backport of a fix from a newer version to an older version, but upgrading CAS seems not easy. How do you cater for that? Do you have a good strategy?
  - If you use an old version of CAS (e.g. CAS 4), the dev team usually will not fix it
  - And... since CAS is an open source project, if you find some bug that needs fixing and is not on the priority list of the CAS dev team, usually they would ask you to do the PR yourself
     - Or, you can just fix your own stuff using this guide if your fix mostly only applies to your project: https://apereo.github.io/cas/5.3.x/installation/Configuration-Management-Extensions.html

6. For authorization (like who can perform what function in which system) with an OpenID Connect JWT token, has anybody tried putting the permissions in the scope field and checking that for authorization? How do you enforce authorization? Use of OAuth 2.0 UMA seems to make the system more complicated.
  - I have no idea...

By the way, my opinion is going to favour CAS, otherwise I wouldn't be here typing this sharing :) So, take this with a grain of salt

Cheers!
- Andy 






Paul Luk

Apr 23, 2019, 11:51:13 PM4/23/19
to CAS Community
Hi Andy,

   Many thanks for your advice and sharing.

   I have put more queries below, highlighted in yellow; I hope you have time to check them.

   Thanks.

On Friday, 19 April 2019 at 15:08:05 UTC+8, Andy Ng wrote:
Hi Paul,

After one and a half years of upgrading and maintaining our company's CAS, I will share some of my experience on your questions:

1. Is CAS flexible enough to extend to cater for future authentication requirements?
    - If your requirement is a standard one, you can usually see it implemented in CAS 5 or above
           - In my case, I have SAML2, CAS and OAuth2 together on both mobile and web, and they can all still do SSO, no problem
    - If you have some really custom authentication / authorization requirements (like us!), you can always use a custom authentication handler to customize your own stuff: https://apereo.github.io/2017/02/02/cas51-authn-handlers/
      (I definitely require custom authentication, as my company has special requirements on audit and compliance. Sometimes business users want to alter the authentication flow [e.g. add a security warning]. As internal IT, we need to fulfil their requests, which are unknown now.
       So, for such uncertainty, I definitely want a product that is easy to customize. And I found there are not many resources about the CAS architecture/authentication flow and guidelines for customization.
       Do you know where I can find such resources?)
    - I can't say about the future, but I can give you some experience from the past:
        - The upgrade from CAS 4 to CAS 5 was very painful because CAS changed a lot from 4 to 5; the change from 4 to 5 is much greater than the one from 5 to 6.
        - However, after upgrading from 4 to 5, everything is still working completely fine (our company started with CAS 3), so the CAS dev team definitely makes sure services are backward compatible.
       (Can you please briefly talk about the painful experience? Was it about rewriting all your custom code, or data patching? This is one of the points I am concerned about.
        Also, did the upgrade involve downtime?)

2. For high availability, in my company the CAS service needs to be deployed to 2 or more datacenters
    - Our server is very stable with our own high availability setup; you might see the opinions of other people in this thread too (https://groups.google.com/a/apereo.org/forum/#!searchin/cas-user/david$20high$20availability%7Csort:date/cas-user/tCk7jJz5pnE/7cXWmHd0BgAJ)
       (If we adopt CAS, I will probably need to deploy it to a private or public cloud (as a docker image), which is another headache: we need dynamic CAS instance discovery, caching, cross-datacenter data sync... I am not able to find a step-by-step guideline to set it up.
        For the high availability setup (and validation/verification), what was your experience? Easy, or did it need trial and error?)

3. After adoption of CAS, all systems will make use of it and depend on it; I am worried about system updates/patching, as we cannot have a period in which to shut down all CAS instances for upgrades/patching
   - We also cannot have downtime during maintenance; most of the time you don't need to shut down all CAS instances for an upgrade.
   - However, users might get logged out after the upgrade if the ticketing system (like Hazelcast) has been upgraded
      (This sounds very good; forcing users to log out is acceptable for a system upgrade/patch, but downtime for a long period is nearly unacceptable for us. Did you ever encounter a case that needed a shutdown of all CAS instances?)

4. Where can I find known security issues/vulnerabilities for each CAS version? I have only been able to find this and the CAS security mailing list.
  - Don't quote me on that, but the security mailing list is also the only place I have found CAS vulnerabilities.
  - With CAS using a lot of libraries, it might be very difficult to keep track of all the vulnerabilities of all the libraries; in this regard I myself would just trust the CAS team and upgrade my server as frequently as possible

5. Unlike with a commercial product, we can't request a backport of a fix from a newer version to an older version, but upgrading CAS seems not easy. How do you cater for that? Do you have a good strategy?
  - If you use an old version of CAS (e.g. CAS 4), the dev team usually will not fix it
  - And... since CAS is an open source project, if you find some bug that needs fixing and is not on the priority list of the CAS dev team, usually they would ask you to do the PR yourself
     - Or, you can just fix your own stuff using this guide if your fix mostly only applies to your project: https://apereo.github.io/cas/5.3.x/installation/Configuration-Management-Extensions.html

6. For authorization (like who can perform what function in which system) with an OpenID Connect JWT token, has anybody tried putting the permissions in the scope field and checking that for authorization? How do you enforce authorization? Use of OAuth 2.0 UMA seems to make the system more complicated.
  - I have no idea...
   (I see... that means individual CAS client applications make use of their own mechanisms for authorization...?)

By the way, my opinion is going to favour CAS, otherwise I wouldn't be here typing this sharing :) So, take this with a grain of salt
    (Actually, I am now evaluating CAS, WSO2 Identity Server, Keycloak, Connect2id...
     Can you please talk about why you chose CAS and not the others?)

Cheers!
- Andy 






Andy Ng

Apr 24, 2019, 12:28:12 AM4/24/19
to CAS Community
Hi Paul, 

Let me mark mine in blue this time around :)
Hi Paul,

After one and a half years of upgrading and maintaining our company's CAS, I will share some of my experience on your questions:

1. Is CAS flexible enough to extend to cater for future authentication requirements?
    - If your requirement is a standard one, you can usually see it implemented in CAS 5 or above
           - In my case, I have SAML2, CAS and OAuth2 together on both mobile and web, and they can all still do SSO, no problem
    - If you have some really custom authentication / authorization requirements (like us!), you can always use a custom authentication handler to customize your own stuff: https://apereo.github.io/2017/02/02/cas51-authn-handlers/
      (I definitely require custom authentication, as my company has special requirements on audit and compliance. Sometimes business users want to alter the authentication flow [e.g. add a security warning]. As internal IT, we need to fulfil their requests, which are unknown now.
       So, for such uncertainty, I definitely want a product that is easy to customize. And I found there are not many resources about the CAS architecture/authentication flow and guidelines for customization.
       Do you know where I can find such resources?)

CAS is built to make sure everything works out of the box; I reckon most other authentication servers do too. So customization of the entire flow will need deep knowledge of CAS and of how Spring Webflow works; you can start by looking here: https://apereo.github.io/cas/5.3.x/installation/Webflow-Customization.html

Or... in actuality, only in very weird cases do you need to modify the webflow; for example, in your case "add security warning", you can use CAS consent.

I do not recommend customizing the webflow; even if it works, it will be a maintenance nightmare.

- I can't say about the future, but I can give you some experience from the past:
        - The upgrade from CAS 4 to CAS 5 was very painful because CAS changed a lot from 4 to 5; the change from 4 to 5 is much greater than the one from 5 to 6.
        - However, after upgrading from 4 to 5, everything is still working completely fine (our company started with CAS 3), so the CAS dev team definitely makes sure services are backward compatible.
       (Can you please briefly talk about the painful experience? Was it about rewriting all your custom code, or data patching? This is one of the points I am concerned about.
        Also, did the upgrade involve downtime?)

You won't need to experience this, but:
- Do you remember me saying it is a maintenance nightmare if you edit the webflow? My previous colleague did just that, so I needed to read through the entire CAS webflow code to make sure the upgrade didn't mess up the webflow... It took at least 1 or 2 weeks of constant debugging in the dev environment to make it work. And sometime between CAS 5.1.x and 5.2.x it got messed up again, because the webflow will change in non-major upgrades.
- All the customized JSP files needed to be changed to HTML...
- Needed to make sure all the other customizations that we did previously still worked
- And a lot of confusion looking at weird code until I figured out it was for CAS 3

As for the major version upgrade, at that time
we had the resources to make 2 groups of CAS, one group for CAS 4 and one group for CAS 5.
We just switched from one to the other, so no downtime.

2. For high availability, in my company the CAS service needs to be deployed to 2 or more datacenters
    - Our server is very stable with our own high availability setup; you might see the opinions of other people in this thread too (https://groups.google.com/a/apereo.org/forum/#!searchin/cas-user/david$20high$20availability%7Csort:date/cas-user/tCk7jJz5pnE/7cXWmHd0BgAJ)
       (If we adopt CAS, I will probably need to deploy it to a private or public cloud (as a docker image), which is another headache: we need dynamic CAS instance discovery, caching, cross-datacenter data sync... I am not able to find a step-by-step guideline to set it up.
        For the high availability setup (and validation/verification), what was your experience? Easy, or did it need trial and error?)

CAS does have a docker version; however, I haven't tried it myself: https://apereo.github.io/cas/5.3.x/installation/Docker-Installation.html

For high availability, if you use Hazelcast, CAS-wise it is easy, as you just need to specify the servers in the group.

On the server side it was already configured before I arrived, so I stuck to that and didn't research more on that.

3. After adoption of CAS, all systems will make use of it and depend on it; I am worried about system updates/patching, as we cannot have a period in which to shut down all CAS instances for upgrades/patching
   - We also cannot have downtime during maintenance; most of the time you don't need to shut down all CAS instances for an upgrade.
   - However, users might get logged out after the upgrade if the ticketing system (like Hazelcast) has been upgraded
      (This sounds very good; forcing users to log out is acceptable for a system upgrade/patch, but downtime for a long period is nearly unacceptable for us. Did you ever encounter a case that needed a shutdown of all CAS instances?)

Did you ever encounter a case that needed a shutdown of all CAS instances?
- No, I haven't.

4. Where can I find known security issues/vulnerabilities for each CAS version? I have only been able to find this and the CAS security mailing list.
  - Don't quote me on that, but the security mailing list is also the only place I have found CAS vulnerabilities.
  - With CAS using a lot of libraries, it might be very difficult to keep track of all the vulnerabilities of all the libraries; in this regard I myself would just trust the CAS team and upgrade my server as frequently as possible

5. Unlike with a commercial product, we can't request a backport of a fix from a newer version to an older version, but upgrading CAS seems not easy. How do you cater for that? Do you have a good strategy?
  - If you use an old version of CAS (e.g. CAS 4), the dev team usually will not fix it
  - And... since CAS is an open source project, if you find some bug that needs fixing and is not on the priority list of the CAS dev team, usually they would ask you to do the PR yourself
     - Or, you can just fix your own stuff using this guide if your fix mostly only applies to your project: https://apereo.github.io/cas/5.3.x/installation/Configuration-Management-Extensions.html

6. For authorization (like who can perform what function in which system) with an OpenID Connect JWT token, has anybody tried putting the permissions in the scope field and checking that for authorization? How do you enforce authorization? Use of OAuth 2.0 UMA seems to make the system more complicated.
  - I have no idea...
   (I see... that means individual CAS client applications make use of their own mechanisms for authorization...?)

Hmm, I still have no idea what you mean haha

By the way, my opinion is going to favour CAS, otherwise I wouldn't be here typing this sharing :) So, take this with a grain of salt
    (Actually, I am now evaluating CAS, WSO2 Identity Server, Keycloak, Connect2id...
     Can you please talk about why you chose CAS and not the others?)

CAS was chosen before I joined my organization :D So, unlike you, I didn't have a choice

I did, however, touch on WSO2 IS before, but only for a brief moment, so I can't really say much. WSO2 IS seems OK

I don't think I have time to reply to this post anymore; I need to get back to work. See if others have other input on your questions!

Cheers!
- Andy 
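Andy's reply above says that with Hazelcast, CAS-wise high availability comes down to specifying the servers in the group. As an added illustration, not configuration taken from this thread or shipped by the CAS project, this is what that looks like in a CAS 5.3 `cas.properties` using the property names documented for the Hazelcast ticket registry in that release; the overlay also needs the `cas-server-support-hazelcast-ticket-registry` module on its classpath. The IP addresses, instance name and key placeholders are made up and must be replaced per node.

```properties
# Hazelcast ticket registry: explicit TCP/IP member list, no multicast discovery
# (multicast rarely crosses datacenter boundaries and advertises the cluster to
# anything on the segment).  Addresses below are placeholders.
cas.ticket.registry.hazelcast.cluster.instanceName=cas-dc1-node1
cas.ticket.registry.hazelcast.cluster.port=5701
cas.ticket.registry.hazelcast.cluster.portAutoIncrement=false
cas.ticket.registry.hazelcast.cluster.multicastEnabled=false
cas.ticket.registry.hazelcast.cluster.tcpipEnabled=true
cas.ticket.registry.hazelcast.cluster.members=10.0.1.11,10.0.1.12,10.0.2.11,10.0.2.12

# One synchronous backup so a single node can be restarted (or patched) without
# losing the ticket-granting tickets it held; users then stay logged in.
cas.ticket.registry.hazelcast.cluster.backupCount=1
cas.ticket.registry.hazelcast.cluster.asyncBackupCount=0

# Sign and encrypt ticket payloads held in the registry.  Every node must carry
# the SAME values: when these are left blank, CAS generates keys on startup per
# node and logs a warning, and nodes with different keys cannot read each
# other's tickets.  Values here are placeholders; generate your own.
cas.ticket.registry.hazelcast.crypto.enabled=true
cas.ticket.registry.hazelcast.crypto.signing.key=<shared-signing-key-placeholder>
cas.ticket.registry.hazelcast.crypto.encryption.key=<shared-encryption-key-placeholder>
```

Two checks worth doing before putting a node behind the load balancer: confirm from each node's startup log that Hazelcast lists all the expected members (a node that only sees itself will serve logins, but tickets it issues are invisible to the others), and confirm that TCP 5701 between the listed members is reachable across the datacenter link, since a synchronous backup means every ticket write waits for a replica and a member list that spans datacenters pays that round trip on each login.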