What you want to do is, assign an mfa level to your healthcare software registered in CAS. That will trigger MFA for both SPNEGO and “internet” login attempts. You then write your own “selective” resolver to determine the method of authentication and conditionally decide how MFA might be activated at the end.
See http://bit.ly/2dKxtxw

Thinking more about this; seems like this would be an attractive feature to add; to turn on/off MFA levels conditionally based on mode of authentication. You're welcome to file a request.

-- Misagh

From: Philippe MARASSE <[email protected]>
Reply: Philippe MARASSE <[email protected]>
Date: October 7, 2016 at 12:09:37 AM
To: Misagh Moayyed <[email protected]>, [email protected] <[email protected]>
Subject: Re: [cas-user] Level of identity assurance implementation in CAS 5.0

Hello,

I'll try to be clearer :-), for example, a user wants to use our healthcare software:
- if he's connected from the LAN, SPNEGO auth will be required & sufficient to grant access to the service.
- if he's connected from the Internet, connection will be granted only with login/password + OTP (SMS, mail, yubikey, ... we've not chosen yet).

I have already modified the login webflow to trigger SPNEGO only on our LAN, so login/password is only triggered from the Internet. Then... I don't know, yet, how to perform MFA only for Internet users and some services.

Regards.

On 06/10/2016 at 13:19, Misagh Moayyed wrote:

What exactly do these points mean? If you mean to say, multiple MFA options are assigned to a user, and you wish to rank them by weight, that's already supported.

-- Misagh

From: Philippe MARASSE <[email protected]>
Reply: Philippe MARASSE <[email protected]>
Date: October 5, 2016 at 3:46:46 PM
To: [email protected] <[email protected]>
Subject: Re: [cas-user] Level of identity assurance implementation in CAS 5.0

No idea, really? It's mentioned in the MFA section of https://apereo.github.io/cas/4.2.x/planning/Security-Guide.html but not anymore in v5 https://apereo.github.io/cas/development/planning/Security-Guide.html ??

Regards.

On 29/09/2016 at 14:43, Philippe MARASSE wrote:
> Hello,
>
> I'm wondering if CAS is able to do service-based LOA, eg, internal users
> use SPNEGO and external users use Login/Password, and if requested by
> service: MFA with Yubikey or other not yet implemented means (OTP via
> SMS, OTP via FreeOTP, etc.). Ideally, I would set a level by service:
> - access to Webmail with required level of 15 points
> - access to Personal information with required level of 20 points
>
> And successful authentication would be granted by handler:
> - SPNEGO: 25 points
> - Login/Password: 15 points
> - MFA yubikey: 10 points
> - ...
>
> So internal users would always gain access with SPNEGO, and external
> users will be requested login/password only for Webmail, and
> login/password + MFA for Personal Information.
>
> Is it already possible with CASv5?
>
> I think it will need some development though, in this case, I'll need
> directions :-)
>
> Regards.

--
Philippe MARASSE
Responsable pôle Infrastructures - DSIO
Centre Hospitalier Henri Laborit
CS 10587 - 370 avenue Jacques Cœur
86021 Poitiers Cedex
Tel : 05.49.44.57.19

--
You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/0a2a19d6-5d9d-a453-c953-156eb585da03%40ch-poitiers.fr. For more options, visit https://groups.google.com/a/apereo.org/d/optout.

--
Philippe MARASSE
Responsable pôle Infrastructures - DSIO
Centre Hospitalier Henri Laborit
CS 10587 - 370 avenue Jacques Cœur
86021 Poitiers Cedex
Tel : 05.49.44.57.19
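As an added illustration of the "selective" resolver Misagh describes at the top of the thread (this is example code, not from the thread or from the CAS project): a Groovy MFA trigger written in the shape CAS documents for its `cas.authn.mfa.groovyScript` trigger in later 5.x releases. It assumes the SPNEGO handler records its success under the name `SPNEGO`, that services needing MFA from outside the LAN carry a registered-service property `requireMfaFromInternet`, and a YubiKey provider with id `mfa-yubikey`; all three names are assumptions.

```groovy
import java.util.*

// Added example, not CAS project code. Shape of CAS's Groovy MFA trigger script:
// returning a provider id activates that provider; returning null skips MFA.
class SelectiveMfaTrigger {

    // Assumption: the SPNEGO handler registers its success under this name.
    static final String SPNEGO_HANDLER = "SPNEGO"
    // Assumption: id of the configured YubiKey provider.
    static final String INTERNET_PROVIDER = "mfa-yubikey"
    // Assumption: registered-service property marking services that need MFA from outside the LAN.
    static final String SERVICE_PROPERTY = "requireMfaFromInternet"

    def String run(final Object... args) {
        def service = args[0]
        def registeredService = args[1]
        def authentication = args[2]
        def httpRequest = args[3]
        def logger = args[4]

        // Only services explicitly marked in the service registry fall under this policy.
        def property = registeredService?.properties?.get(SERVICE_PROPERTY)
        if (property == null || !"true".equalsIgnoreCase(property.value)) {
            logger.debug("Service [{}] lacks property [{}]; MFA not triggered", service.id, SERVICE_PROPERTY)
            return null
        }

        // Which handlers succeeded? In this thread SPNEGO is only offered on the LAN,
        // so a SPNEGO success means an internal user whose Kerberos ticket is sufficient.
        def handlers = authentication.successes.keySet()
        if (handlers.contains(SPNEGO_HANDLER)) {
            logger.info("User [{}] authenticated via SPNEGO; skipping MFA for [{}]",
                    authentication.principal.id, service.id)
            return null
        }

        // Everyone else reached CAS with login/password from the Internet: require the second factor.
        logger.info("User [{}] authenticated via {} from [{}]; requiring [{}] for [{}]",
                authentication.principal.id, handlers, httpRequest.remoteAddr,
                INTERNET_PROVIDER, service.id)
        return INTERNET_PROVIDER
    }
}
```

Because the decision keys on which authentication handler succeeded rather than on the client address, it holds even if a LAN address is spoofed: a user who never presented a Kerberos ticket is always challenged.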
