Hi Paul, Let's me mark mine in blue this time arond :)
> Hi Paul, > > With one and a half year upgrading and maintaining our company CAS, I > think I will share some of my experience on your questions there: > > 1. Do CAS are flexible enough to extend to cater for future authentication > requirement? > - If your requirement is a standard requirement, you usually can see > that implemented in CAS 5 or above > - In my case, I have SAML2, CAS and OAuth2 together in both > mobile and web, and they can still all do SSO no problem > - If you have some really custom authentication / authorization > requirements (like us!), you can always use the custom authentication > handler to customize your own stuff > https://apereo.github.io/2017/02/02/cas51-authn-handlers/ > (i definitely require the custom authentication as my company have special requirement on audit and compliance. Sometimes, business users want to alter the authentication flow [e.g. add security warning). As internal IT, we need to fulfill their requests, which is unknown now. So, for such uncertainty, i definitely want a product that is easy to customize. And i found there are not much resource about CAS architecture/authentication flow and guideline for customization. Do you know where can i find such resources? CAS is built to make sure everything works out of the box, I reckon most other authentication servers do too. So customization on the entire flow will needs deep knowledge on CAS and how Spring webflow works, you can starts by looking at here: https://apereo.github.io/cas/5.3.x/installation/Webflow-Customization.html Or... in actuality, only in very weird case you need to modified the webflow, for example, in your case "Add security warning", you can use CAS consent https://apereo.github.io/cas/5.3.x/integration/Attribute-Release-Consent.html I do not recommend customizing the webflow, even if it works it will be maintenance nightmare. - I can't say about the future, but I can give you some experience about > the past: > - The upgrade from CAS 4 to CAS 5 was very painful because CAS > change a lot of from 4 to 5, the change from 4 to 5 is much greater than > the one from 5 to 6. > - However, after upgrading from 4 to 5, everything is still > working completely fine (Our company starts with CAS 3), so the dev team in > CAS definitely make sure service are backward compatible. > (can you please briefly talk about the painful experience? Is it about rewriting all your custom code or data patching? This is one of the point i am concerned about. Also, do the upgrade involve downtime?) You won't need to experience this, but: - Did you remember me saying it is a maintenance nightmare if you edit the webflow? My previous colleague did just that so I need to read through the entire CAS webflow code to make sure when I upgrade the webflow didn't messed up..... It take at least a 1 or 2 weeks of constantly debugging in dev environment to make it work. And I sometime between CAS 5.1.x to 5.2.x it messed up again because webflow will changed in the non major upgrade. - All the jsp customized file need to change to html..... - Need to make sure all the other customization that we did previously still works - And a lot of confusion looking at weird code until I figure out it was for CAS 3 As for major version upgrade, At that time, We have the resources to make 2 groups of CAS, one group for CAS 4, and one group for CAS 5. We just switch from one to another, so no downtime > 2. For high availability, in my company, the CAS service need at least > deployed to 2 or more datacenters > - Our server is very stable with our own high availability setup, you > might see some opinion of other people on this thread too ( > https://groups.google.com/a/apereo.org/forum/#!searchin/cas-user/david$20high$20availability%7Csort:date/cas-user/tCk7jJz5pnE/7cXWmHd0BgAJ > ) > (If adopt CAS, i probably needs to deploy it to private or public cloud (as docker image) which is another headache, we need dynamic CAS instance discovery, caching, cross datacenter data sync...i am not able to find a step by step guideline to setup it. For high availability setup (and validation/verification), your experience is? easy or need trail and error?) CAS do have a docker version, however I haven't try it myself: https://apereo.github.io/cas/5.3.x/installation/Docker-Installation.html For high availability, If you use Hazelcast, CAS wise it is easy as you just need to specified the servers in the group. On server side it is already configured before I arrived, so I stick to that and didn't research more on that. > 3. After adoption of CAS, all systems will make use of it/depends on it, i > am worry about the system update/patching as we cannot have a period to > shutdown all CAS instances for upgrade/patching > - We also cannot have downtime during maintenance, you (most of the > time) don't need to shutdown all CAS instances for upgrade most of the > time. > - However user might get logout after the upgrade if the ticketing > system (like Hazelcast) have upgraded > (this sounds very good, forcing user to logout is acceptable for system upgrade/patch, but downtime for a long period is nearly unacceptable for us. Do you ever encounter a case that need to shutdown all CAS instances?) Do you ever encounter a case that need to shutdown all CAS instances? - No, I haven't. > 4. Where can i find known security issue/vulnerability of each CAS > version? i am just able to find this and the CAS security mailing list. > - Don't quote me on that, but security mailing list is also the only one > place I found CAS vulnerability. > - With CAS being using a lot of libraries, it might be very difficult to > keep track of all the vulnerability of all the libraries, in this regards I > myself would just trust the CAS team and upgrade my server as frequently as > possible > > 5. Unlike commercial product that we can't request to backport fix from a > newer version to an older version, but upgrade CAS seems not easy, how do > you cater for that? Do you have a good strategy? > - See this: > https://apereo.github.io/cas/developer/Maintenance-Policy.html > - If you use an old version of CAS (e.g. CAS 4), the dev team usually > will not fix them > - And... Since CAS is an open source project, if you found some bug that > need fixing and is not in the priority list of the CAS dev team, usually > they would ask you to help do the PR yourself > - Or, you can just fix your own stuff using this guide here if your > fix mostly only applies to your project: > https://apereo.github.io/cas/5.3.x/installation/Configuration-Management-Extensions.html > > <https://www.google.com/url?q=https%3A%2F%2Fapereo.github.io%2Fcas%2F5.3.x%2Finstallation%2FConfiguration-Management-Extensions.html&sa=D&sntz=1&usg=AFQjCNEV19zslXjXA8IhlhdAvrsycAaUCg> > > 6. for authorization (like, who can perform what function in which system) > with OpenID Connect JWT token, anybody tried to put the permissions in the > scope field and check for that for authorization? How to you enforce > authorization? Use of Oauth 2.0 UMA seems make the system more complicate? > - I have no idea... > (ic...that means individual CAS client application make use of their > own mechanism for authorization...?) > Hmm. still have no idea what you mean haha > By the way, my opinion is going to favour CAS, otherwise I am not going to > be here typing this sharing :) So, take this with a grain of salt > (actually, i am now evaluating CAS, WSO2 Identity server, Keycloak, Connect2id... can you please talk about why you choose CAS but not others?) CAS was chosen before I join my organization :D So unlike you I didn't have a choice I did however touch on WSO2 IS before, but only for a brief moment so can't really say much. WSO IS seems OK I think I have time to reply to this post anymore, need to get back to work. See if other have other inputs on your question! Cheers! - Andy -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/3303b0d0-d9ee-4cb3-8a97-c4cf338817ae%40apereo.org.
