Hi,

We have used CAS for about 10 years with LdapAuthenticationHandler against Active Directory. All good.

At the moment we are working to configure MFA on CAS. Our company (an educational institution) is using SMS Passcode from censornet.com to implement MFA. We have succeeded in configuring CAS MFA using *RadiusAuthenticationHandler* and the multifactor provider *mfa-radius* (no LDAP used). SMS Passcode supports RADIUS. Everything is good for a "clean" *LdapAuthenticationHandler* (no MFA) setup and a "clean" *RadiusAuthenticationHandler* (MFA) setup.

Then, working with bypass ("step up" or "step down"), it becomes tricky. When bypassing the MFA provider *mfa-radius* with *RadiusAuthenticationHandler*, the CAS page/web flow does the bypass. But because authentication is done against RADIUS, it also triggers a challenge and the user gets an unneeded SMS.

Then we tried to use *LdapAuthenticationHandler* and *RadiusAuthenticationHandler* together. With a Groovy script we tried to "step up" from *LdapAuthenticationHandler* to *RadiusAuthenticationHandler* with the *mfa-radius* provider. The user is then authenticated against LDAP. After that, the CAS page/web flow shows the page for the one-time password *but expects* the user's password a second time. Then CAS actually authenticates against RADIUS. The user gets an SMS but is already authenticated, and the page/web flow is completed.

We have tried a variation of MFA "step up" and "step down" by using service definitions and Groovy scripts. Somehow it seems more simple to have a kind of split configuration where CAS uses a "clean" *LDAP configuration for non MFA* and, on the other hand, uses a "clean" *RADIUS configuration* with the mfa-radius provider when *MFA is needed*.

Is something like this possible? Any ideas?

Version is cas-overlay-template 5.3.9

Regards
Henrik
