I'm back to CAS testing... I wrote a selective resolver derived from the
one mentioned (SelectiveAuthenticationProviderWebflowEventResolver) to
not trigger MFA when SPNEGO has succeeded. This part seems to work, but
when the Service ticket is validated, I get:

=============================================================
WHO: testuser
WHAT: ST-3-tvHk2g6TMkOasczQisfX-devcas1
ACTION: SERVICE_TICKET_VALIDATED
APPLICATION: CAS
WHEN: Thu Oct 27 15:07:30 CEST 2016
CLIENT IP ADDRESS: 172.16.10.177
SERVER IP ADDRESS: unknown
=============================================================

2016-10-27 15:07:30,346 DEBUG
[org.apereo.cas.authentication.AuthenticationContextValidator] -
<Attempting to match requested authentication context mfa-yubikey
against []>
2016-10-27 15:07:30,346 DEBUG
[org.apereo.cas.authentication.AuthenticationContextValidator] - <No
authentication context could be determined based on authentication
attribute authnContextClass>
2016-10-27 15:07:30,347 DEBUG
[org.apereo.cas.authentication.AuthenticationContextValidator] - <No
satisfied multifactor authentication providers are recorded in the
current authentication context.>

AuthenticationContextValidator wants to find mfa-yubikey in context...
but cannot as I've only SPNEGO.

What should I do now?

Regards.


On 07/10/2016 at 17:27, Misagh Moayyed wrote:
> What you want to do is, assign an mfa level to your healthcare
> software registered in CAS. That will trigger MFA for both SPNEGO and
> “internet” login attempts.  You then write your own “selective”
> resolver to determine the method of authentication and conditionally
> decide how MFA might be activated at the end.
>
> See http://bit.ly/2dKxtxw 
>
> Thinking more about this; seems like this would be an attractive
> feature to add; to turn on/off mfa levels conditionally based on mode
> of authentication. You’re welcome to file a request. 
>
> -- 
> Misagh
>
> From: Philippe MARASSE <philippe.mara...@ch-poitiers.fr>
> <mailto:philippe.mara...@ch-poitiers.fr>
> Reply: Philippe MARASSE <philippe.mara...@ch-poitiers.fr>
> <mailto:philippe.mara...@ch-poitiers.fr>
> Date: October 7, 2016 at 12:09:37 AM
> To: Misagh Moayyed <mmoay...@unicon.net> <mailto:mmoay...@unicon.net>,
> cas-user@apereo.org <cas-user@apereo.org> <mailto:cas-user@apereo.org>
> Subject: Re: [cas-user] Level of identity assurance implementation in
> CAS 5.0
>
>> Hello,
>>
>> I'll try to be clearer :-), for example, a user wants to use our
>> healthcare software :
>>   - if he's connected from LAN, SPNEGO auth will be required &
>> sufficient to grant access to the service.
>>   - if he's connected from the Internet, connection will be granted
>> only with login/password + OTP (SMS, mail, yubikey, ... we've not
>> chosen yet).
>>
>> I already have modified login webflow to trigger SPNEGO only on our
>> LAN, so login/password is only triggered from the Internet. Then... I
>> don't know, yet, how to perform MFA only for Internet users and some
>> services.
>>
>> Regards.
>>
>> On 06/10/2016 at 13:19, Misagh Moayyed wrote:
>>>
>>> What exactly do these points mean? 
>>>
>>>
>>> If you mean to say, multiple MFA options are assigned to a user, and
>>> you wish to rank them by weight, that’s already supported.
>>>
>>>
>>> -- 
>>> Misagh
>>>
>>> From: Philippe MARASSE <philippe.mara...@ch-poitiers.fr>
>>> <mailto:philippe.mara...@ch-poitiers.fr>
>>> Reply: Philippe MARASSE <philippe.mara...@ch-poitiers.fr>
>>> <mailto:philippe.mara...@ch-poitiers.fr>
>>> Date: October 5, 2016 at 3:46:46 PM
>>> To: cas-user@apereo.org <cas-user@apereo.org>
>>> <mailto:cas-user@apereo.org>
>>> Subject:  Re: [cas-user] Level of identity assurance implementation
>>> in CAS 5.0
>>>
>>>> No idea, really?
>>>>
>>>> It's mentioned in section MFA of
>>>> https://apereo.github.io/cas/4.2.x/planning/Security-Guide.html
>>>>
>>>> but not anymore on v5
>>>> https://apereo.github.io/cas/development/planning/Security-Guide.html
>>>> ??
>>>>
>>>> Regards.
>>>>
>>>> On 29/09/2016 at 14:43, Philippe MARASSE wrote:
>>>> > Hello,
>>>> >
>>>> > I'm wondering if CAS is able to do service-based LOA, e.g., internal users
>>>> > use SPNEGO and external users use Login/Password, and if requested by
>>>> > service: MFA with Yubikey or other not yet implemented means (OTP via
>>>> > SMS, OTP via FreeOTP, etc.). Ideally, I would set a level by service:
>>>> > - access to Webmail with required level of 15 points
>>>> > - access to Personal information with required level of 20 points
>>>> >
>>>> > And successful authentication would be granted by handler:
>>>> > - SPNEGO: 25 points
>>>> > - Login/Password: 15 points
>>>> > - MFA yubikey: 10 points
>>>> > - ...
>>>> >
>>>> > So internal users would always gain access with SPNEGO, and external
>>>> > users will be requested login/password only for Webmail, and
>>>> > login/password + MFA for Personal Information.
>>>> >
>>>> > Is it already possible with CASv5?
>>>> >
>>>> > I think it will need some development though, in this case, I'll need
>>>> > directions :-)
>>>> >
>>>> > Regards.
>>>> >
>>>>
>>>> -- 
>>>> Philippe MARASSE
>>>>
>>>> Responsable pôle Infrastructures - DSIO
>>>> Centre Hospitalier Henri Laborit
>>>> CS 10587 - 370 avenue Jacques Cœur
>>>> 86021 Poitiers Cedex
>>>> Tel : 05.49.44.57.19
>>>>
>>>>
>>>> -- 
>>>> You received this message because you are subscribed to the
>>>> Google Groups "CAS Community" group.
>>>> To unsubscribe from this group and stop receiving emails from it,
>>>> send an email to cas-user+unsubscr...@apereo.org.
>>>> To post to this group, send email to cas-user@apereo.org.
>>>> Visit this group at
>>>> https://groups.google.com/a/apereo.org/group/cas-user/.
>>>> To view this discussion on the web visit
>>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/0a2a19d6-5d9d-a453-c953-156eb585da03%40ch-poitiers.fr.
>>>> For more options, visit
>>>> https://groups.google.com/a/apereo.org/d/optout.
>>
>> --  
>> Philippe MARASSE
>>
>> Responsable pôle Infrastructures - DSIO
>> Centre Hospitalier Henri Laborit
>> CS 10587 - 370 avenue Jacques Cœur  
>> 86021 Poitiers Cedex
>> Tel : 05.49.44.57.19
>> --
>> You received this message because you are subscribed to the Google
>> Groups "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it,
>> send an email to cas-user+unsubscr...@apereo.org
>> <mailto:cas-user+unsubscr...@apereo.org>.
>> To post to this group, send email to cas-user@apereo.org
>> <mailto:cas-user@apereo.org>.
>> Visit this group at
>> https://groups.google.com/a/apereo.org/group/cas-user/.
>> To view this discussion on the web visit
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/e0535790-b029-7196-32cd-d1d66dc1ba24%40ch-poitiers.fr
>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/e0535790-b029-7196-32cd-d1d66dc1ba24%40ch-poitiers.fr?utm_medium=email&utm_source=footer>.
>> For more options, visit https://groups.google.com/a/apereo.org/d/optout.
> -- 
> You received this message because you are subscribed to the Google
> Groups "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to cas-user+unsubscr...@apereo.org
> <mailto:cas-user+unsubscr...@apereo.org>.
> To post to this group, send email to cas-user@apereo.org
> <mailto:cas-user@apereo.org>.
> Visit this group at
> https://groups.google.com/a/apereo.org/group/cas-user/.
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/etPan.57f7beea.55aca4cb.1875%40unicon.net
> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/etPan.57f7beea.55aca4cb.1875%40unicon.net?utm_medium=email&utm_source=footer>.
> For more options, visit https://groups.google.com/a/apereo.org/d/optout.

-- 
Philippe MARASSE

Responsable pôle Infrastructures - DSIO
Centre Hospitalier Henri Laborit
CS 10587 - 370 avenue Jacques Cœur 
86021 Poitiers Cedex
Tel : 05.49.44.57.19
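The two policy models discussed in this thread can be put side by side in a few lines. The following is an added example written for this page, not code from CAS or from either poster: `validate_by_provider` models what the quoted AuthenticationContextValidator debug line shows (a service's requested provider id must appear in the list of satisfied providers, so a SPNEGO-only session never satisfies `mfa-yubikey`), `validate_by_points` models the points-based, service-level LOA scheme proposed earlier in the thread using its figures (SPNEGO 25, Login/Password 15, MFA yubikey 10; Webmail 15, Personal information 20), and `parse_context_match` extracts the requested and satisfied provider ids from that debug line so the mismatch can be spotted in logs. The dictionaries, the `personal-info` and `webmail` service names, and the sample log line are all constructed assumptions; CAS does not implement the points model.

```python
import re
from dataclasses import dataclass, field

# Constructed point values, copied from the proposal in this thread; they are
# not CAS configuration and CAS does not score handlers this way.
HANDLER_POINTS = {"spnego": 25, "login-password": 15, "mfa-yubikey": 10}
SERVICE_REQUIRED_POINTS = {"webmail": 15, "personal-info": 20}

# Hypothetical per-service MFA policy of the kind CAS enforces at ticket
# validation: the service demands one named provider id.
SERVICE_REQUIRED_PROVIDER = {"personal-info": "mfa-yubikey"}


@dataclass
class AuthenticationContext:
    principal: str
    # ids of the handlers/providers that actually succeeded in this session
    satisfied: list = field(default_factory=list)


def validate_by_provider(ctx, service):
    """Provider-id matching, as the debug log quoted in the thread shows it.

    The requested provider id must be among the satisfied providers. A
    SPNEGO-only context satisfies nothing named mfa-yubikey, however strong
    the SPNEGO login was, which is exactly the failure reported above.
    """
    required = SERVICE_REQUIRED_PROVIDER.get(service)
    if required is None:
        return True, "no MFA provider required by service"
    if required in ctx.satisfied:
        return True, f"{required} satisfied"
    return False, f"requested {required} against {ctx.satisfied}"


def loa_points(ctx):
    """Total assurance points earned by the satisfied handlers."""
    return sum(HANDLER_POINTS.get(h, 0) for h in ctx.satisfied)


def validate_by_points(ctx, service):
    """Points-based LOA check from the thread's proposal: any combination of
    handlers reaching the service's required level is accepted."""
    required = SERVICE_REQUIRED_POINTS[service]
    achieved = loa_points(ctx)
    return achieved >= required, f"achieved {achieved}, required {required}"


CONTEXT_MATCH_RE = re.compile(
    r"Attempting to match requested authentication context (\S+) against \[(.*?)\]"
)


def parse_context_match(line):
    """Return (requested provider, [satisfied providers]) from the
    AuthenticationContextValidator debug line, or None if absent."""
    m = CONTEXT_MATCH_RE.search(line)
    if not m:
        return None
    requested, satisfied = m.group(1), m.group(2)
    providers = [p.strip() for p in satisfied.split(",") if p.strip()]
    return requested, providers


# Constructed sample log line, reproducing the one quoted in the thread
# (the original was wrapped across several lines by the mail client).
SAMPLE_LOG = (
    "2016-10-27 15:07:30,346 DEBUG "
    "[org.apereo.cas.authentication.AuthenticationContextValidator] - "
    "<Attempting to match requested authentication context mfa-yubikey against []>"
)


if __name__ == "__main__":
    lan_user = AuthenticationContext("testuser", ["spnego"])
    internet_user = AuthenticationContext("testuser", ["login-password"])
    internet_mfa_user = AuthenticationContext("testuser", ["login-password", "mfa-yubikey"])
    for ctx in (lan_user, internet_user, internet_mfa_user):
        for service in ("webmail", "personal-info"):
            print(ctx.satisfied, service,
                  "| provider:", validate_by_provider(ctx, service),
                  "| points:", validate_by_points(ctx, service))
    print(parse_context_match(SAMPLE_LOG))
```

Running it shows the gap the thread is about: under provider matching the SPNEGO-only session is refused for `personal-info` ("requested mfa-yubikey against ['spnego']"), while under the points model the same session passes with 25 points. Skipping the MFA step in the login webflow does not change what the service's policy asks for at ticket validation, so the decision has to be consistent at both points.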

-- 
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/dd215ee2-41c0-2399-2c9e-eb3892cc0747%40ch-poitiers.fr.

Attachment: smime.p7s
Description: S/MIME cryptographic signature
