I have a requirement to enforce LOA rather than particular authn methods on my CAS implementation, something I hacked into my CAS 3 overlay a long time ago. The authn methods we use are assigned LOA like this:

- Level 1: un/pw, "weak" pac4j clients
- Level 2: un/pw and MFA, "stronger" pac4j clients (maybe weak pac4j client + MFA in the future)
- Level 3: one very special pac4j client

In my CAS 3 implementation, clients request a particular LOA by appending a "securityLevel" parameter to the CAS login URL. It's enforced by a webflow hack that checks the LOA and sends the user back to "viewLoginForm" when the authn doesn't cut it, both for the initial authn and when the user has a valid TGT.

Obviously I don't want to repeat this for CAS 5. I can almost see how to do this easily with a custom MFA trigger, but there are two things I'm not sure of after a day of doc reading and code spelunking:

- For cases where you can't meet the security level by simply adding an MFA, I'll send the user back to the login page, perhaps with an error message. That's just returning CasWebflowConstants.STATE_ID_HANDLE_AUTHN_FAILURE, yes? Or should I throw an exception from the trigger?
- Is the trigger run if there is an existing SSO session/TGT, or do I have to do something else to handle that case?

Thanks,
Rich

--
*Rich Renomeron,* Project Lead
*TCG, Inc. - Positively Distinct* - CMMI-DEV Level 3 - CMMI-SVC Level 2 - ISO 9001:2015
+1 (202) 643-8460 | [email protected] | www.tcg.com
<https://www.facebook.com/TCG-32241785903> <https://twitter.com/TCGnews>

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAMYXOV88Fj-3bj%3DTicmBrFTm0apePQ%3DZADYS%3DW1gMGWfcRwmjQ%40mail.gmail.com.

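The decision the post describes (compare the LOA of the handlers that actually authenticated the user against the "securityLevel" the client asked for, then either proceed, step up with MFA, or send the user back to the login form) can be written independently of the CAS webflow API. The following is an added example, not code from the original post or from the CAS project; the level table and the "securityLevel" parameter come from the post, while the handler names, the `Outcome` values, the functions and the sample sessions are constructed assumptions. Because the policy is evaluated on the set of handlers recorded on the authentication, the same function serves both a fresh login and an existing SSO session/TGT, which is the second case the post asks about.

```python
"""Level-of-assurance (LOA) policy evaluation for a CAS-style login flow.

Added example (not code from the original post or from the CAS project).
The level table and the ``securityLevel`` parameter mirror the post; the
handler names, outcomes and sample sessions are constructed assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from urllib.parse import parse_qs, urlparse

# LOA each authentication handler / pac4j client provides on its own.
# Handler names are placeholders; the levels follow the post's table.
BASE_LOA = {
    "UsernamePassword": 1,
    "WeakPac4jClient": 1,
    "StrongPac4jClient": 2,
    "SpecialPac4jClient": 3,
}

# Handlers whose LOA can be raised to level 2 by adding an MFA factor.
# The post mentions "weak pac4j client + MFA" as a possible future addition.
MFA_ELIGIBLE = {"UsernamePassword"}
MFA_HANDLER = "MfaHandler"   # placeholder name for the MFA authentication handler
MAX_MFA_LOA = 2              # MFA can never satisfy level 3 in the post's scheme


class Outcome(Enum):
    SATISFIED = "satisfied"             # continue to the service
    STEP_UP_MFA = "step_up_mfa"         # run the MFA flow, then continue
    REAUTHENTICATE = "reauthenticate"   # back to the login form (with an error)


@dataclass(frozen=True)
class Authentication:
    """Names of the handlers that succeeded, for a new login or an existing TGT."""
    handlers: frozenset


def effective_loa(authn: Authentication) -> int:
    """Highest LOA the recorded handlers justify, counting MFA only when it
    was combined with a handler that may be stepped up."""
    loa = max((BASE_LOA.get(h, 0) for h in authn.handlers), default=0)
    if MFA_HANDLER in authn.handlers and authn.handlers & MFA_ELIGIBLE:
        loa = max(loa, MAX_MFA_LOA)
    return loa


def requested_level(login_url: str) -> int:
    """Read ``securityLevel`` from the login URL; default to 1, reject bad input."""
    query = parse_qs(urlparse(login_url).query)
    raw = query.get("securityLevel", ["1"])[0]
    try:
        level = int(raw)
    except ValueError:
        raise ValueError(f"securityLevel is not an integer: {raw!r}")
    if not 1 <= level <= 3:
        raise ValueError(f"securityLevel out of range: {level}")
    return level


def evaluate(authn: Authentication, login_url: str) -> Outcome:
    """Decide what the login webflow should do for this authentication.

    The same rule applies to a fresh login and to an existing SSO session,
    since only the handlers recorded on ``authn`` are inspected.
    """
    needed = requested_level(login_url)
    if effective_loa(authn) >= needed:
        return Outcome.SATISFIED
    # Step-up is possible only if MFA can reach the level and the session
    # was established by a handler that MFA is allowed to strengthen.
    if needed <= MAX_MFA_LOA and authn.handlers & MFA_ELIGIBLE:
        return Outcome.STEP_UP_MFA
    return Outcome.REAUTHENTICATE


if __name__ == "__main__":
    # Constructed sample sessions, evaluated against a level-2 request.
    url = "https://cas.example.org/login?service=https%3A%2F%2Fapp.example.org&securityLevel=2"
    for handlers in (
        {"UsernamePassword"},
        {"UsernamePassword", MFA_HANDLER},
        {"WeakPac4jClient"},
        {"StrongPac4jClient"},
    ):
        authn = Authentication(frozenset(handlers))
        print(sorted(handlers), "->", evaluate(authn, url).value)
```

The two explicit failure paths are worth keeping separate: a level-3 request can never be met by adding MFA, so it goes straight to `REAUTHENTICATE`, and a malformed or out-of-range `securityLevel` is rejected before any policy decision is made rather than silently treated as level 1.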