CAS 6.3 Upgrade plans for Summer 2021

Overview


CAS will be upgraded from version 5.0 to version 6.3, the latest supported version. The upgrade is required in order to better ensure that we can apply security patches and bug fixes, and it will allow us to implement new features as they are needed, such as asserting the REFEDS MFA attribute to service providers such as the National Institutes of Health, which will be of importance to our research community.

Schedule:

  • New 6.3 Test environment availability: Monday, July 12, 2021

  • Production environment upgrade: Sunday, August 15, 2021 starting at 6:45 AM and concluding by 7:45 AM

Blog update for 8/9/2021:

What you need to do


Test early!  Verify that your application can successfully authenticate.

While we do not anticipate any issues, testing is highly recommended so that you can assure yourself that the CAS 6.3 upgrade will not adversely impact your community.  One caveat: see Known Issue #1 below.  If your application is meant to ignore SSO (that is, to require authentication each time) and does not request LDAP attributes, be sure to test your application to ensure that it is configured consistently.

Please keep in mind that there are now two CAS Test environments:

It is recommended that you maintain a test environment for testing your application at all times. Creating one can be time consuming, which should be factored into your planning. In the future, upgrades to UH Login will become more frequent, making the ability to easily test all the more critical.

What does success look like?

  • A successful authentication to your application indicates success.

The best strategy for testing:

  • Point your application test environment to the new CAS 6.3 test environment and ensure that you are able to authenticate successfully and to access and process any expected attributes that are returned.

A strategy to consider if there is no test environment:

  1. Designate a maintenance window for your application and coordinate with your community.

  2. Ensure that you have UH accounts that work in the UH Login test environment (see below).

  3. During the outage, configure your application to point to the new test CAS 6.3.

  4. Rinse and repeat until you have tested successfully.

  5. Create a repeatable procedure; this is going to become a regular activity.

Additional information


The User Interface has been updated:

If you provide IT support, please note that there are minor changes to the UI.  If you have created documentation that includes a screenshot of UH Login, you may want to update the screenshot.  The following blog provides details:

Where to get help

If you encounter issues while testing, the IAM team and the UH App Developer community participate in a community emailing list.  Please post your questions there since others will likely benefit from the discussion:

If your password is not working in the test environment, contact the IAM team to request a password sync:

Known Issues

Issue #1

Issue Summary:

  • If an application does not apply the renew=true option for the login action, but does apply it for the validation action, the user may not be required to re-authenticate.

Issue Details:

  • If the application does not use renew=true for /login, but subsequently uses renew=true for either /validate or /serviceValidate, the user may use an existing SSO session and will not be forced to re-authenticate.

    • Example usage that triggers bug

      • https://cas.example.edu/cas/login?service=https://www.example.com/app
        https://cas.example.edu/cas/validate?service=https://www.example.com/app&ticket=ST-...-cas&renew=true

  • This bug does not occur for the /samlValidate option used to obtain LDAP attributes.

  • This is a known issue with CAS 6.3.5 that was originally detected with the IAM team's regression testing suite for CAS. CAS 6.3.5 is the most current release of CAS.

Issue Assessment:

  • It is common for applications that access sensitive information to require LDAP attributes in order to limit access to sensitive information. The bug will not manifest for these applications.

  • This bug should rarely occur, if at all, and is easily mitigated if encountered.

Issue Mitigation:

  • Configure the application's use of CAS consistently if it must require authentication each time rather than potentially reusing an existing SSO session.  While you are revisiting your configuration, apply renew=true to both the /login action and the validation action (/validate, /serviceValidate, or /samlValidate).

    • Example usage that mitigates bug (note consistent usage of renew=true)

      • https://cas.example.edu/cas/login?service=https://www.example.com/app&renew=true
        https://cas.example.edu/cas/validate?service=https://www.example.com/app&ticket=ST-...-cas&renew=true
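
The consistency check described in the mitigation above, as an added example that is not part of the original post and is neither the CAS project's nor the IAM team's code. It audits a /login and validation URL pair the way a developer revisiting an application's configuration would, flags the pattern from Issue #1 (renew=true on validation but not on /login), and builds a matching pair. The function names, the URL-building helper, and the ST-EXAMPLE-TICKET value are constructed for this example; the example URLs are modelled on the ones above.

```python
"""Audit a CAS client's /login and validation URLs for consistent renew=true use.

Added example (not from the UH IAM team or the CAS project). It checks for the
pattern from Known Issue #1, where renew=true appears on the validation call
but not on /login, so an existing SSO session could still be reused.
"""
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# CAS protocol endpoints that validate a service ticket.
VALIDATION_PATHS = ("/validate", "/serviceValidate", "/samlValidate")

# Constructed URLs modelled on the page's example; ST-EXAMPLE-TICKET is a placeholder, not a real ticket.
BUGGY_LOGIN = "https://cas.example.edu/cas/login?service=https://www.example.com/app"
BUGGY_VALIDATE = ("https://cas.example.edu/cas/validate"
                  "?service=https://www.example.com/app&ticket=ST-EXAMPLE-TICKET&renew=true")


def query_params(url):
    """Return the query string of url as a dict of single (decoded) values."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query, keep_blank_values=True).items()}


def renew_requested(url):
    """True when the URL carries renew=true (the CAS 'require a fresh login' flag)."""
    return query_params(url).get("renew") == "true"


def audit_renew_consistency(login_url, validation_url):
    """Return a list of findings for a /login and validation URL pair.

    An empty list means the pair is consistent. Each finding is a short string a
    developer can act on while revisiting the application's CAS configuration.
    """
    findings = []
    login_q, val_q = query_params(login_url), query_params(validation_url)
    val_path = urlsplit(validation_url).path

    if not val_path.endswith(VALIDATION_PATHS):
        findings.append(f"validation URL path {val_path!r} is not a CAS validation endpoint")

    # CAS requires the service identifier presented at validation to match the one used at login.
    if login_q.get("service") != val_q.get("service"):
        findings.append("service parameter differs between /login and validation; ticket validation will fail")

    login_renew, val_renew = renew_requested(login_url), renew_requested(validation_url)
    if val_renew and not login_renew:
        findings.append(
            "renew=true on validation but not on /login: an existing SSO session may be reused "
            "without re-authentication (Known Issue #1); add renew=true to /login"
        )
    elif login_renew and not val_renew:
        findings.append(
            "renew=true on /login but not on validation: inconsistent with the recommended "
            "configuration; add renew=true to the validation call as well"
        )
    return findings


def with_renew(url):
    """Return url with renew=true set, leaving the other parameters intact (idempotent)."""
    parts = urlsplit(url)
    params = query_params(url)
    params["renew"] = "true"
    return urlunsplit(parts._replace(query=urlencode(params)))


def consistent_cas_urls(cas_base, service, ticket, validation_path="/serviceValidate",
                        require_fresh_login=True):
    """Build a matching /login and validation URL pair for a service.

    With require_fresh_login=True both URLs carry renew=true, the configuration
    recommended for applications that must authenticate the user every time.
    """
    extra = {"renew": "true"} if require_fresh_login else {}
    login = f"{cas_base}/login?" + urlencode({"service": service, **extra})
    validate = f"{cas_base}{validation_path}?" + urlencode({"service": service, "ticket": ticket, **extra})
    return login, validate


if __name__ == "__main__":
    for finding in audit_renew_consistency(BUGGY_LOGIN, BUGGY_VALIDATE):
        print("FINDING:", finding)
    print("fixed /login URL:", with_renew(BUGGY_LOGIN))
```

Run stand-alone, the script reports the Issue #1 finding for the buggy pair and prints the /login URL with renew=true added; the same audit function can be run over every login/validation pair an application constructs as part of the repeatable test procedure recommended earlier on this page.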

References