
Update CAS to 6.6
Open, Medium, Public


Event Timeline

cas 6.5.5 has been built and uploaded to apt.wikimedia.org. It's currently installed on idp-test.wikimedia.org and functionality is working fine. The WMF-specific theming needs to be adapted still, the login screen is currently visually a little distorted.

Change 809132 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/software/cas-overlay-template@master] Drop jackson-module-kotlin (experimental)

https://gerrit.wikimedia.org/r/809132

ssingh triaged this task as Medium priority. Jun 29 2022, 5:46 PM

CAS 6.6 was released two days ago and features several changes related to webauthn and OIDC, so we'll move to 6.6 instead. Notable changes are:

OpenID Connect Compliance
The collection of algorithms specified in the CAS configuration for signing and encryption operations of ID tokens are now taken into account when CAS responses are produced for ID token and user profile requests. Furthermore, settings and values declared in CAS configuration for OpenID Connect discovery are now taken into account when responding or validating requests. These include supported scopes when building attribute release policies for each OpenID Connect scope, supported ACR values, response modes, prompt values, response types and grant types.

Account Profile Management
Devices that are registered with CAS for multifactor authentication flows and integrations can now be listed in the account profile dashboard page. At the moment, the supported multifactor providers for this capability are Duo Security, Google Authenticator, and WebAuthn FIDO2.

CAS Registered Services
Application definitions that are registered with CAS typically are marked with RegexRegisteredService that indicates the service type. As part of a larger refactoring effort to simplify the service definition models and to assist with future development efforts in the area of authorization policies, such services should be updated to use the now-dedicated type CasRegisteredService for all CAS-enabled applications.

WebAuthn FIDO Multifactor Authentication
Following on work done in previous release candidates, this release upgrades the YubiKey WebAuthn FIDO implementation to version 2.0.0. While this is a major upgrade internally, its external effects should remain largely invisible to the end-user.

The codebase for the WebAuthn helper library is now merged into CAS as part of its core WebAuthn feature.

Triggering multifactor authentication based on a Groovy script is now able to support provider selection menus.

SSO Sessions
A modest version of the user’s active SSO sessions is included in the account profile dashboard. Authentication requests that can be linked to user agents and devices may also be automatically geo-tracked and located on the dashboard.

https://apereo.github.io/cas/6.6.x/release_notes/RC1.html
https://apereo.github.io/cas/6.6.x/release_notes/RC2.html
https://apereo.github.io/cas/6.6.x/release_notes/RC3.html
https://apereo.github.io/cas/6.6.x/release_notes/RC4.html
https://apereo.github.io/cas/6.6.x/release_notes/RC5.html
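
The service-type change described in the release notes above, as an added example that is not part of the task or of the Wikimedia puppet change: a helper that rewrites the top-level type of CAS JSON service definitions from RegexRegisteredService to CasRegisteredService. It assumes plain-JSON registry files; the file names, service names and URLs are constructed.

```python
import json

OLD_TYPE = "org.apereo.cas.services.RegexRegisteredService"
NEW_TYPE = "org.apereo.cas.services.CasRegisteredService"


def migrate_definition(text):
    """Return (new_text, changed) for one JSON service definition.

    Only the top-level "@class" is rewritten; nested "@class" values
    (access strategies, attribute release policies) are left alone.
    """
    service = json.loads(text)
    if service.get("@class") != OLD_TYPE:
        return text, False          # OIDC, SAML or already migrated
    service["@class"] = NEW_TYPE    # key order is kept, "@class" stays first
    return json.dumps(service, indent=2) + "\n", True


def migrate_registry(files):
    """files: {filename: JSON text}. Returns (new_files, migrated_names)."""
    new_files, migrated = {}, []
    for name, text in sorted(files.items()):
        new_files[name], changed = migrate_definition(text)
        if changed:
            migrated.append(name)
    return new_files, migrated


# Constructed sample registry (hypothetical services, not from the task).
SAMPLE_REGISTRY = {
    "wiki-10001.json": json.dumps({
        "@class": OLD_TYPE,
        "serviceId": "^https://wiki\\.example\\.org/.*",
        "name": "wiki",
        "id": 10001,
        "accessStrategy": {
            "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
            "enabled": True,
        },
    }),
    "oidc-10002.json": json.dumps({
        "@class": "org.apereo.cas.services.OidcRegisteredService",
        "clientId": "example-client",
        "serviceId": "^https://rp\\.example\\.org/.*",
        "name": "oidc-rp",
        "id": 10002,
    }),
}

if __name__ == "__main__":
    _, migrated = migrate_registry(SAMPLE_REGISTRY)
    print("migrated:", migrated)
```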

Change 830236 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/software/cas-overlay-template@master] cas: Update to 6.6.0

https://gerrit.wikimedia.org/r/830236

MoritzMuehlenhoff renamed this task from Update CAS to 6.5 to Update CAS to 6.6. Oct 10 2022, 12:14 PM

Mentioned in SAL (#wikimedia-operations) [2022-11-15T15:43:03Z] <moritzm> uploaded cas 6.6.2 to apt.wikimedia.org T311235

Change 857563 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/dns@master] Failover idp.w.p to idp1002

https://gerrit.wikimedia.org/r/857563

Mentioned in SAL (#wikimedia-operations) [2022-11-16T14:40:40Z] <moritzm> upgrade idp1002 to CAS 6.6 T311235

Change 858332 had a related patch set uploaded (by Jbond; author: jbond):

[operations/puppet@production] idp: Add missing/renamed keys

https://gerrit.wikimedia.org/r/858332

Change 858332 merged by Jbond:

[operations/puppet@production] idp: Add missing/renamed keys

https://gerrit.wikimedia.org/r/858332

Change 858350 had a related patch set uploaded (by Jbond; author: jbond):

[operations/puppet@production] apero_cas: fix key name

https://gerrit.wikimedia.org/r/858350

Change 858350 merged by Jbond:

[operations/puppet@production] apero_cas: fix key name

https://gerrit.wikimedia.org/r/858350

Change 857563 merged by Muehlenhoff:

[operations/dns@master] Failover idp.w.p to idp1002

https://gerrit.wikimedia.org/r/857563

Mentioned in SAL (#wikimedia-operations) [2022-11-17T16:12:51Z] <moritzm> active CAS instance has been switched to CAS 6.6.2 (from 6.4.6.3) T311235

Change 860551 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Migrate service definitions to CasRegisteredService

https://gerrit.wikimedia.org/r/860551

Change 830236 abandoned by Muehlenhoff:

[operations/software/cas-overlay-template@master] cas: Update to 6.6.0

Reason:

Replaced by different patch

https://gerrit.wikimedia.org/r/830236

Change 860551 merged by Muehlenhoff:

[operations/puppet@production] Migrate service definitions to CasRegisteredService

https://gerrit.wikimedia.org/r/860551