I'm back to CAS testing... I wrote a selective resolver derived from the one mentioned (SelectiveAuthenticationProviderWebflowEventResolver) to not trigger MFA when SPNEGO has succeeded. This part seems to work, but when the service ticket is validated, I get:

=============================================================
WHO: testuser
WHAT: ST-3-tvHk2g6TMkOasczQisfX-devcas1
ACTION: SERVICE_TICKET_VALIDATED
APPLICATION: CAS
WHEN: Thu Oct 27 15:07:30 CEST 2016
CLIENT IP ADDRESS: 172.16.10.177
SERVER IP ADDRESS: unknown
=============================================================
2016-10-27 15:07:30,346 DEBUG [org.apereo.cas.authentication.AuthenticationContextValidator] - <Attempting to match requested authentication context mfa-yubikey against []>
2016-10-27 15:07:30,346 DEBUG [org.apereo.cas.authentication.AuthenticationContextValidator] - <No authentication context could be determined based on authentication attribute authnContextClass>
2016-10-27 15:07:30,347 DEBUG [org.apereo.cas.authentication.AuthenticationContextValidator] - <No satisfied multifactor authentication providers are recorded in the current authentication context.>

AuthenticationContextValidator wants to find mfa-yubikey in context... but cannot, as I've only SPNEGO. What should I do now?

Regards.

On 07/10/2016 at 17:27, Misagh Moayyed wrote:
> What you want to do is, assign an mfa level to your healthcare software registered in CAS. That will trigger MFA for both SPNEGO and "internet" login attempts. You then write your own "selective" resolver to determine the method of authentication and conditionally decide how MFA might be activated at the end.
>
> See http://bit.ly/2dKxtxw
>
> Thinking more about this; seems like this would be an attractive feature to add; to turn on/off mfa levels conditionally based on mode of authentication. You're welcome to file a request.
>
> --
> Misagh
>
> From: Philippe MARASSE <[email protected]>
> Reply: Philippe MARASSE <[email protected]>
> Date: October 7, 2016 at 12:09:37 AM
> To: Misagh Moayyed <[email protected]>, [email protected]
> Subject: Re: [cas-user] Level of identity assurance implementation in CAS 5.0
>
>> Hello,
>>
>> I'll try to be clearer :-), for example, a user wants to use our healthcare software:
>> - if he's connected from LAN, SPNEGO auth will be required & sufficient to grant access to the service.
>> - if he's connected from the Internet, connection will be granted only with login/password + OTP (SMS, mail, yubikey, ... we've not chosen yet).
>>
>> I already have modified login webflow to trigger SPNEGO only on our LAN, so login/password is only triggered from the Internet. Then... I don't know, yet, how to perform MFA only for Internet users and some services.
>>
>> Regards.
>>
>> On 06/10/2016 at 13:19, Misagh Moayyed wrote:
>>>
>>> What exactly do these points mean?
>>>
>>> If you mean to say, multiple MFA options are assigned to a user, and you wish to rank them by weight, that's already supported.
>>>
>>> --
>>> Misagh
>>>
>>> From: Philippe MARASSE <[email protected]>
>>> Reply: Philippe MARASSE <[email protected]>
>>> Date: October 5, 2016 at 3:46:46 PM
>>> To: [email protected]
>>> Subject: Re: [cas-user] Level of identity assurance implementation in CAS 5.0
>>>
>>>> No idea, really?
>>>>
>>>> It's mentioned in section MFA of
>>>> https://apereo.github.io/cas/4.2.x/planning/Security-Guide.html
>>>>
>>>> but not anymore on v5
>>>> https://apereo.github.io/cas/development/planning/Security-Guide.html
>>>> ??
>>>>
>>>> Regards.
>>>>
>>>> On 29/09/2016 at 14:43, Philippe MARASSE wrote:
>>>>> Hello,
>>>>>
>>>>> I'm wondering if CAS is able to do service-based LOA, e.g., internal users use SPNEGO and external users use Login/Password, and if requested by service: MFA with Yubikey or other not yet implemented means (OTP via SMS, OTP via FreeOTP, etc.). Ideally, I would set a level by service:
>>>>> - access to Webmail with required level of 15 points
>>>>> - access to Personal informations with required level of 20 points
>>>>>
>>>>> And successful authentication would be granted by handler:
>>>>> - SPNEGO: 25 points
>>>>> - Login/Password: 15 points
>>>>> - MFA yubikey: 10 points
>>>>> - ...
>>>>>
>>>>> So internal users would always gain access with SPNEGO, and external users will be requested login/password only for Webmail, and login/password + MFA for Personal Informations.
>>>>>
>>>>> Is it already possible with CASv5?
>>>>>
>>>>> I think it will need some development though, in this case, I'll need directions :-)
>>>>>
>>>>> Regards.
>>>>>
>>>>
>>>> --
>>>> Philippe MARASSE
>>>>
>>>> Responsable pôle Infrastructures - DSIO
>>>> Centre Hospitalier Henri Laborit
>>>> CS 10587 - 370 avenue Jacques Cœur
>>>> 86021 Poitiers Cedex
>>>> Tel : 05.49.44.57.19
>>>>
>>>> --
>>>> You received this message because you are subscribed to the Google Groups "CAS Community" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>>> To post to this group, send email to [email protected].
>>>> Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
>>>> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/0a2a19d6-5d9d-a453-c953-156eb585da03%40ch-poitiers.fr.
>>>> For more options, visit https://groups.google.com/a/apereo.org/d/optout.
--
Philippe MARASSE
Responsable pôle Infrastructures - DSIO
Centre Hospitalier Henri Laborit
CS 10587 - 370 avenue Jacques Cœur
86021 Poitiers Cedex
Tel : 05.49.44.57.19

--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/dd215ee2-41c0-2399-2c9e-eb3892cc0747%40ch-poitiers.fr.
smime.p7s
Description: S/MIME cryptographic signature
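As an added illustration (not code from CAS or from anyone in this thread), the following Python models the two checks the thread discusses: the strict per-provider match that fails in the log above, and the points-based service LOA scheme proposed in the first message. Handler names, point values and the `authnContextClass` attribute name come from the thread; every other name is an assumption.

```python
# Added example, not CAS code: a toy model contrasting the strict per-provider
# check whose failure appears in the log above with the points-based service
# LOA scheme proposed in the first message. All names are assumptions.
from dataclasses import dataclass, field

# Points per successful handler and required level per service (thread's values).
HANDLER_POINTS = {"SPNEGO": 25, "Login/Password": 15, "mfa-yubikey": 10}
SERVICE_LEVELS = {"webmail": 15, "personal-info": 20}


@dataclass
class Authentication:
    handlers: list                                  # handlers that succeeded
    attributes: dict = field(default_factory=dict)  # authentication attributes


def satisfied_providers(auth):
    """MFA providers recorded under 'authnContextClass', the attribute the
    log's validator inspects; an absent attribute means none satisfied."""
    value = auth.attributes.get("authnContextClass", [])
    return set(value) if isinstance(value, (list, set, tuple)) else {value}


def strict_context_check(requested_provider, auth):
    """Strict check as in the log: the provider the service requires must be
    recorded in the context, no matter which other handlers succeeded."""
    if requested_provider is None:
        return True
    return requested_provider in satisfied_providers(auth)


def assurance_points(auth):
    """Sum of the points of every handler that succeeded (unknown ones count 0)."""
    return sum(HANDLER_POINTS.get(h, 0) for h in auth.handlers)


def points_check(service, auth):
    """Points-based LOA: accumulated points must reach the service's level."""
    return assurance_points(auth) >= SERVICE_LEVELS[service]


def step_up_options(service, auth, candidates=("mfa-yubikey",)):
    """Candidate handlers that would close the remaining gap; empty if none needed."""
    gap = SERVICE_LEVELS[service] - assurance_points(auth)
    return () if gap <= 0 else tuple(h for h in candidates if HANDLER_POINTS.get(h, 0) >= gap)


# Constructed sample authentications mirroring the thread's scenarios.
LAN_USER = Authentication(["SPNEGO"])
INTERNET_USER = Authentication(["Login/Password"])
INTERNET_USER_MFA = Authentication(["Login/Password", "mfa-yubikey"],
                                   {"authnContextClass": ["mfa-yubikey"]})
```

With these inputs the strict check rejects the SPNEGO-only LAN user for a service that requires mfa-yubikey, exactly as the log shows, while the points scheme admits that user to both services and asks only the Internet user to step up for personal-info.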
