Hi Everyone, 

I'll be the first to admit I'm no CAS expert.  In fact, I don't even manage
our deployments here.  Instead, I work with applications which interface
with it so I do understand to some degree.  That being said, I have a
question which came up in internal discussions I'm hoping to get some input
on.

We have CAS delegating authentication to our IDP.  Our IDP enforces 
two-factor auth so if we require it, we don't have to facilitate with CAS.  
We've run into an issue where every request to an application behind 
two-factor prompts the user for the second factor of authentication.  This 
happens even when in a browser you've already verified.  This is an issue 
because it takes away from the true SSO experience and a user can't move 
from app to app. 

The main reason it is asking for the second factor again is due to the way
we integrate CAS into our IDP.  That's a whole different topic and really
outside of the scope of this question so just know we're aware of why it
happens even if it isn't right.

The question is this.  Is CAS ticket validity secure enough to trust only 
that?  Why should we even check with our IDP a second time if the user's 
session already has a valid CAS ticket?  Do others use this configuration 
or do you always check with the IDP?

It seems like trusting the CAS ticket if valid is the best option and would 
allow us to better control application logins and state but maybe I'm not 
thinking it all the way through. 

Thanks in advance for any insight!

-Matt
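As an added illustration (not part of Matt's post or any CAS project code), here is how a CAS-protected application could consume the CAS v3 `/p3/serviceValidate` response and apply its own login-freshness policy, using the protocol's `authenticationDate` and `isFromNewLogin` attributes, instead of forcing a second-factor round trip on every request; the sample response, the user name and the age limits are constructed.

```python
"""Decide, from a CAS v3 serviceValidate response, whether an application
should accept the existing SSO login, ask for a fresh one, or reject it."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET  # use defusedxml for real, untrusted input

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}  # namespace from the CAS protocol spec


@dataclass
class Validation:
    user: str
    authenticated_at: datetime  # when the user last authenticated at CAS/IdP
    from_new_login: bool        # True if this ticket came from a fresh login


def parse_service_validate(xml_text: str) -> Validation:
    """Parse the serviceValidate XML; raise ValueError on authenticationFailure."""
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        raise ValueError(f"CAS rejected ticket: {failure.get('code')}")
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise ValueError("malformed CAS response")
    user = success.findtext("cas:user", namespaces=CAS_NS)
    attrs = success.find("cas:attributes", CAS_NS)
    when = attrs.findtext("cas:authenticationDate", namespaces=CAS_NS)
    new_login = attrs.findtext("cas:isFromNewLogin", default="false", namespaces=CAS_NS)
    authenticated_at = datetime.fromisoformat(when.replace("Z", "+00:00"))
    return Validation(user, authenticated_at, new_login.lower() == "true")


def decide(xml_text: str, now_iso: str, max_age_seconds: int) -> str:
    """'reject' on failure, 'reauth' if the login is older than the app's own
    limit (constructed policy), otherwise 'accept' the existing SSO session."""
    try:
        v = parse_service_validate(xml_text)
    except ValueError:
        return "reject"
    now = datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
    if now - v.authenticated_at > timedelta(seconds=max_age_seconds):
        return "reauth"
    return "accept"


# Constructed sample response in the shape defined by the CAS protocol.
SAMPLE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess><cas:user>mjones</cas:user><cas:attributes>
    <cas:authenticationDate>2024-03-01T09:30:10Z</cas:authenticationDate>
    <cas:isFromNewLogin>false</cas:isFromNewLogin>
  </cas:attributes></cas:authenticationSuccess></cas:serviceResponse>"""

if __name__ == "__main__":
    print(decide(SAMPLE, "2024-03-01T10:00:00Z", 3600))  # prints "accept"
```

The freshness limit is something each application picks for itself; a sensitive app can demand a recent `authenticationDate` while ordinary apps simply accept the SSO session.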

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/7ed4ac9e-139b-4273-b491-16ae953a9347%40apereo.org.
