No idea ? Is there another class/bean I have to extend/overload ?
Regards.

On 27/10/2016 at 16:05, Philippe MARASSE wrote:
> I'm back to CAS testing... I wrote a selective resolver derived from
> the one mentioned (SelectiveAuthenticationProviderWebflowEventResolver)
> to not trigger MFA when SPNEGO has succeeded. This part seems to work,
> but when Service ticket is validated, I get :
>
> =============================================================
> WHO: testuser
> WHAT: ST-3-tvHk2g6TMkOasczQisfX-devcas1
> ACTION: SERVICE_TICKET_VALIDATED
> APPLICATION: CAS
> WHEN: Thu Oct 27 15:07:30 CEST 2016
> CLIENT IP ADDRESS: 172.16.10.177
> SERVER IP ADDRESS: unknown
> =============================================================
>
> 2016-10-27 15:07:30,346 DEBUG [org.apereo.cas.authentication.AuthenticationContextValidator] - <Attempting to match requested authentication context mfa-yubikey against []>
> 2016-10-27 15:07:30,346 DEBUG [org.apereo.cas.authentication.AuthenticationContextValidator] - <No authentication context could be determined based on authentication attribute authnContextClass>
> 2016-10-27 15:07:30,347 DEBUG [org.apereo.cas.authentication.AuthenticationContextValidator] - <No satisfied multifactor authentication providers are recorded in the current authentication context.>
>
> AuthenticationContextValidator wants to find mfa-yubikey in context...
> but cannot as I've only SPNEGO.
>
> What should I do now ?
>
> Regards.
>
> On 07/10/2016 at 17:27, Misagh Moayyed wrote:
>> What you want to do is, assign an mfa level to your healthcare
>> software registered in CAS. That will trigger MFA for both SPNEGO and
>> “internet” login attempts. You then write your own “selective”
>> resolver to determine the method of authentication and conditionally
>> decide how MFA might be activated at the end.
>>
>> See http://bit.ly/2dKxtxw
>>
>> Thinking more about this; seems like this would be an attractive
>> feature to add; to turn on/off mfa levels conditionally based on mode
>> of authentication. You’re welcome to file a request.
>>
>> --
>> Misagh
>>
>> From: Philippe MARASSE
>> Date: October 7, 2016 at 12:09:37 AM
>> To: Misagh Moayyed
>> Subject: Re: [cas-user] Level of identity assurance implementation in CAS 5.0
>>
>>> Hello,
>>>
>>> I'll try to be clearer :-), for example, a user wants to use our
>>> healthcare software :
>>> - if he's connected from LAN, SPNEGO auth will be required &
>>>   sufficient to grant access to the service.
>>> - if he's connected from the Internet, connection will be granted
>>>   only with login/password + OTP (SMS, mail, yubikey, ... we've not
>>>   chosen yet).
>>>
>>> I already have modified login webflow to trigger SPNEGO only on our
>>> LAN, so login/password is only triggered from the Internet. Then...
>>> I don't know, yet, how to perform MFA only for Internet users and
>>> some services.
>>>
>>> Regards.
>>>
>>> On 06/10/2016 at 13:19, Misagh Moayyed wrote:
>>>> What exactly do these points mean?
>>>>
>>>> If you mean to say, multiple MFA options are assigned to a user,
>>>> and you wish to rank them by weight, that’s already supported.
>>>>
>>>> --
>>>> Misagh
>>>>
>>>> From: Philippe MARASSE
>>>> Date: October 5, 2016 at 3:46:46 PM
>>>> Subject: Re: [cas-user] Level of identity assurance implementation in CAS 5.0
>>>>
>>>>> No idea, really ?
>>>>>
>>>>> It's mentioned in section MFA of
>>>>> https://apereo.github.io/cas/4.2.x/planning/Security-Guide.html
>>>>>
>>>>> but not anymore on v5
>>>>> https://apereo.github.io/cas/development/planning/Security-Guide.html
>>>>> ??
>>>>>
>>>>> Regards.
>>>>>
>>>>> On 29/09/2016 at 14:43, Philippe MARASSE wrote:
>>>>> > Hello,
>>>>> >
>>>>> > I'm wondering if CAS is able to do service-based LOA, e.g., internal
>>>>> > users use SPNEGO and external users use Login/Password, and if
>>>>> > requested by service : MFA with Yubikey or other not yet implemented
>>>>> > means (OTP via SMS, OTP via FreeOTP, etc.). Ideally, I would set a
>>>>> > level by service :
>>>>> > - access to Webmail with required level of 15 points
>>>>> > - access to Personal information with required level of 20 points
>>>>> >
>>>>> > And successful authentication would be granted by handler :
>>>>> > - SPNEGO : 25 points
>>>>> > - Login/Password : 15 points
>>>>> > - MFA yubikey : 10 points
>>>>> > - ...
>>>>> >
>>>>> > So internal users would always gain access with SPNEGO, and external
>>>>> > users will be requested login/password only for Webmail, and
>>>>> > login/password + MFA for Personal Information.
>>>>> >
>>>>> > Is it already possible with CASv5 ?
>>>>> >
>>>>> > I think it will need some development though, in this case, I'll
>>>>> > need directions :-)
>>>>> >
>>>>> > Regards.

--
Philippe MARASSE

Head of Infrastructure Department - DSIO
Centre Hospitalier Henri Laborit
CS 10587 - 370 avenue Jacques Cœur
86021 Poitiers Cedex
Tel : 05.49.44.57.19

--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
---
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/1f8ef189-0f74-96f7-a4d5-6ced5ba007a3%40ch-poitiers.fr.
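The point-based level-of-assurance scheme proposed in the first message of this thread, modelled as a stand-alone step-up decision. This is an added example, not CAS code and not written by any participant; the class, method and key names are hypothetical, and the point values are the ones listed in the thread.

```java
import java.util.*;

// Added illustration of the point-based LOA idea from the thread.
// Not CAS code: every name below is hypothetical.
public class LoaPolicy {
    // Points granted per successful handler (values from the thread).
    static final Map<String, Integer> HANDLER_POINTS = Map.of(
        "SPNEGO", 25, "LOGIN_PASSWORD", 15, "MFA_YUBIKEY", 10);
    // Required level per service (values from the thread).
    static final Map<String, Integer> SERVICE_LEVEL = Map.of(
        "Webmail", 15, "PersonalInformation", 20);

    // Sum of points for handlers that already succeeded; unknown handlers score 0.
    static int score(Set<String> satisfied) {
        int total = 0;
        for (String h : satisfied) total += HANDLER_POINTS.getOrDefault(h, 0);
        return total;
    }

    // Returns the handlers still to be requested, in the order offered.
    // Fails closed: unknown service or unreachable level throws.
    static List<String> stepUp(String service, Set<String> satisfied, List<String> offered) {
        Integer required = SERVICE_LEVEL.get(service);
        if (required == null) throw new IllegalArgumentException("unknown service: " + service);
        int total = score(satisfied);
        List<String> next = new ArrayList<>();
        for (String h : offered) {
            if (total >= required) break;
            if (satisfied.contains(h) || !HANDLER_POINTS.containsKey(h)) continue;
            next.add(h);
            total += HANDLER_POINTS.get(h);
        }
        if (total < required)
            throw new IllegalStateException("cannot reach level " + required + " for " + service);
        return next;
    }

    public static void main(String[] args) {
        List<String> external = List.of("LOGIN_PASSWORD", "MFA_YUBIKEY");
        // LAN user whose SPNEGO authentication already succeeded.
        System.out.println(stepUp("PersonalInformation", Set.of("SPNEGO"), external));
        // Internet user requesting Webmail, nothing satisfied yet.
        System.out.println(stepUp("Webmail", Set.of(), external));
        // Internet user requesting personal information, nothing satisfied yet.
        System.out.println(stepUp("PersonalInformation", Set.of(), external));
        // Same service after the password step has succeeded.
        System.out.println(stepUp("PersonalInformation", Set.of("LOGIN_PASSWORD"), external));
    }
}
```

The same score has to be evaluated wherever access is decided: the log in the 27/10 message shows a validation step looking for a named context (mfa-yubikey) that an SPNEGO-only authentication does not carry.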
