I'm a bit late to this conversation, but after reading through the wiki and the notes from the unconference session in October, I figured I would share how we've been approaching MFA at Texas A&M. I would appreciate any questions or feedback.

In our development environment, we've implemented MFA using a custom authentication handler, credentials, and attribute dao. It runs side by side with traditional username/password authentication, and we use a GET parameter (multifactor=true) to determine which authentication method to use. We use the extended attributes to store the type of authentication used.

The service registry is not used at all to determine whether to do a single or multifactor authentication; we leave it to the service provider to request the level of authentication they need. It requires a bit more effort from those service providers that require MFA, but it also gives them more leeway if they need to support both single-factor and multi-factor auth (proxies are a good example).

Some things that I am sure will need more thought:

1. Our use of a GET parameter to indicate that MFA is required. First, it would require an update to the protocol. Second, I think it's worth discussing whether we're talking about just single-factor vs. multi-factor, or being able to choose the authentication type(s) that a service provider will accept (and if that's been discussed, I need to catch up). If it's the latter, then "multifactor=true" isn't adequate. I do think that a GET parameter is the most straightforward way to indicate to the CAS server that MFA is required.

2. Putting the authentication type in the extended attributes. This is mostly done for expedience/compatibility, since it doesn't require any structural changes to a serviceValidate response and doesn't require any changes to core CAS code. That's important to me if this is an unsupported extension, but may not be appropriate for the official implementation.

Sample login redirect:

https://cas-test.tamu.edu/cas/login?multifactor=true&service=http://sample.tamu.edu/login

serviceValidate response:

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationSuccess>
<cas:user>someuser</cas:user>
<cas:attributes>
<cas:tamuEduPersonUIN>000000000</cas:tamuEduPersonUIN>
<cas:authType>Hotp2Factor</cas:authType>
<cas:tamuEduPersonNetID>someuser</cas:tamuEduPersonNetID>
</cas:attributes>
</cas:authenticationSuccess>
</cas:serviceResponse>


--Jason


--
You are currently subscribed to [email protected] as: 
[email protected]
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-dev

Reply via email to