On Wed, Dec 3, 2014 at 2:28 PM, Misagh Moayyed <mmoay...@unicon.net> wrote:
>
> Think of this in MFA terms: you want to authenticate the user at every step,
> invoking this facade on multiple types of credentials again and again from
> this and that flow and subflow and keep collecting. You can do this
> indefinitely until you come to a point where you decide, “I am OK. Give me
> the TGT” at which point CASImpl would get involved. Your collection needs
> to include enough metadata about the individual authentication event so that
> if the TGT needs any, it would have enough to proceed.
CAS.createTGT(final Subject subject) where subject is a container for any number of principals and authentication metadata, perhaps using javax.security.auth.Subject directly.

Another design change I think is worth considering is to fully embrace PGT and PT as first class concepts rather than special cases of TGT/ST.

Switching gears a bit to a more feature driven release, I believe the community would benefit from:

* Trusted Browser/Device support in conjunction with some MFA facility (i.e. remember I did MFA from this device, and only ask for password for the next X days)
* Facility to record/view security events (login times, from where, from what device, etc) and ultimately a way to either stop authN or raise notification on certain criteria (e.g. login from unusual place/time/device, etc).

Best,
Bill
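The collect-at-every-step, then createTGT(Subject) design discussed in this exchange, as an added sketch that is not code from CAS or from either poster. AuthenticationEvent, AuthenticationCollector, SimplePrincipal and the handler labels ("password", "otp") are hypothetical names; only javax.security.auth.Subject is a real API.

```java
import javax.security.auth.Subject;
import java.security.Principal;
import java.util.*;

// Hypothetical sketch of the design discussed above; not CAS code.
final class SimplePrincipal implements Principal {
    private final String name;
    SimplePrincipal(String name) { this.name = name; }
    @Override public String getName() { return name; }
}

// One completed authentication step plus the metadata a later TGT may need.
final class AuthenticationEvent {
    final String handler;                 // constructed labels, e.g. "password", "otp"
    final Principal principal;
    final Map<String, String> metadata;   // time, client address, device id, ...
    AuthenticationEvent(String handler, Principal principal, Map<String, String> metadata) {
        this.handler = handler;
        this.principal = principal;
        this.metadata = Collections.unmodifiableMap(new LinkedHashMap<>(metadata));
    }
}

// Collects events from any flow or subflow until the policy says "I am OK".
final class AuthenticationCollector {
    private final List<AuthenticationEvent> events = new ArrayList<>();
    private final Set<String> requiredHandlers;   // e.g. {"password", "otp"} for MFA

    AuthenticationCollector(Set<String> requiredHandlers) { this.requiredHandlers = requiredHandlers; }

    void record(AuthenticationEvent event) { events.add(event); }

    // Satisfied only when every required handler succeeded for one and the same principal
    // name; a mismatch means the steps did not all authenticate the same user.
    boolean satisfied() {
        Set<String> seen = new HashSet<>(), names = new HashSet<>();
        for (AuthenticationEvent e : events) { seen.add(e.handler); names.add(e.principal.getName()); }
        return seen.containsAll(requiredHandlers) && names.size() == 1;
    }

    // Package principals and per-step metadata into a javax.security.auth.Subject for createTGT.
    Subject toSubject() {
        if (!satisfied()) throw new IllegalStateException("authentication not yet complete");
        Subject subject = new Subject();
        for (AuthenticationEvent e : events) {
            subject.getPrincipals().add(e.principal);
            subject.getPublicCredentials().add(e);   // event metadata travels with the subject
        }
        subject.setReadOnly();   // nothing can be added after the TGT decision is made
        return subject;
    }
}
```

A flow would call record() once per successful handler and only hand toSubject() to the TGT factory once satisfied() is true, so a TGT can never be issued from a partial collection.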