> Where might I find (or request) the means to require users to
> multi-authenticate within CAS? For example, first by a PKI cert and then if
> successful by a password?
That particular implementation is straightforward: simply configure your SSL connector components for mandatory client SSL. In that way PKI is entirely outside CAS and you can't even access the CAS login form without having presented a valid certificate. I should note that CRL and OCSP implementations in both OpenSSL and the JVM are fairly crude. You'll have to choose availability or security at extremes due to the lack of policy knobs. The CRL checking capability built into CAS is much more configurable and is suitable for HA environments and varying security policy. However, implementing both X.509 and user/pass authentication with CAS is slightly more involved, but probably possible with OOB components. At worst it would require some additional glue components in the login Web flow.

> Or another cert?

You can add as many layers using the approach above as you want, though it will quickly reach a point of diminishing returns.

> Or a token?

What kind? If it's a hardware token that contains a cert, then the wrangling to access the private key is entirely a client concern. From the perspective of CAS, you're negotiating an SSL handshake with a client cert. If it's a token that uses a crypto sequence (e.g. RSA token) where a PIN or other data must be provided to an HTTP form and posted to a back-end for verification, then that's much more in the spirit of the MFA work that Misagh mentioned.

M

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
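The "mandatory client SSL" connector setting the reply recommends, written out as an added example that is not part of the thread and not CAS's or Tomcat's own shipped configuration. It assumes CAS is deployed on Apache Tomcat (the usual container, and the one whose "SSL connector" terminology the reply uses) and shows the permissive setting beside the enforcing one; the two connectors are alternatives for the same port, not meant to coexist, and the keystore paths and passwords are placeholders.

```xml
<!-- Added example (not from the thread): Tomcat server.xml HTTPS connectors for a CAS
     deployment. File paths and passwords are placeholders. -->

<!-- Permissive: clientAuth="want" requests a certificate but still completes the
     handshake and serves the CAS login form to a client that presents none, so the
     PKI layer can be skipped entirely. -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true" sslProtocol="TLS"
           keystoreFile="conf/cas-server.jks" keystorePass="CHANGEME"
           truststoreFile="conf/client-ca.jks" truststorePass="CHANGEME"
           clientAuth="want" />

<!-- Enforcing: clientAuth="true" makes the TLS handshake fail unless the client
     presents a certificate chaining to a CA in truststoreFile, so the login form is
     unreachable without a valid cert; the password step is then the normal CAS form.
     crlFile enables Tomcat's own (coarse) revocation check: an unreadable or stale
     CRL is exactly the availability-vs-security trade-off the reply warns about. -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true" sslProtocol="TLS"
           keystoreFile="conf/cas-server.jks" keystorePass="CHANGEME"
           truststoreFile="conf/client-ca.jks" truststorePass="CHANGEME"
           crlFile="conf/client-ca.crl"
           clientAuth="true" />
```

With the enforcing connector, the container exposes the validated chain to the webapp through the standard servlet request attribute `javax.servlet.request.X509Certificate`, which is what a CAS X.509 handler reads; only the truststore CA(s) decide which certificates are accepted, so the truststore should contain just the client-issuing CA rather than a general-purpose bundle.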
