I'm a bit late to this conversation, but after reading through the wiki
and the notes from the unconference session in October, I figured I
would share how we've been approaching MFA at Texas A&M. I would
appreciate any questions or feedback.
In our development environment, we've implemented MFA using a custom
authentication handler, credentials, and attribute dao. It runs side by
side with traditional username/password authentication, and we use a GET
parameter (multifactor=true) to determine which authentication method to
use. We use the extended attributes to store the type of authentication
used.
The service registry is not used at all to determine whether to do a
single or multifactor authentication; we leave it to the service
provider to request the level of authentication they need. It requires
a bit more effort from those service providers that require MFA, but it
also gives them more leeway if they need to support both single-factor
and multi-factor auth (proxies are a good example).
Some things that I am sure will need more thought:
1. Our use of a GET parameter to indicate that MFA is required. First,
it would require an update to the protocol. Second, I think it's worth
discussing whether we're talking about just single-factor vs.
multi-factor, or being able to choose the authentication type(s) that a
service provider will accept (and if that's been discussed, I need to
catch up). If it's the latter, then "multifactor=true" isn't adequate.
I do think that a GET parameter is the most straightforward way to
indicate to the CAS server that MFA is required.
2. Putting the authentication type in the extended attributes. This is
mostly done for expedience/compatibility, since it doesn't require any
structural changes to a serviceValidate response and doesn't require any
changes to core CAS code. That's important to me if this is an
unsupported extension, but may not be appropriate for the official
implementation.
Sample login redirect:
https://cas-test.tamu.edu/cas/login?multifactor=true&service=http://sample.tamu.edu/login
serviceValidate response:
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationSuccess>
<cas:user>someuser</cas:user>
<cas:attributes>
<cas:tamuEduPersonUIN>000000000</cas:tamuEduPersonUIN>
<cas:authType>Hotp2Factor</cas:authType>
<cas:tamuEduPersonNetID>someuser</cas:tamuEduPersonNetID>
</cas:attributes>
</cas:authenticationSuccess>
</cas:serviceResponse>
--Jason
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-dev