Linda, have you looked at the CAS-MFA work which you can find here: https://github.com/Unicon/cas-mfa
That has been funded work (by the MFA Cohortium) to expand on previous CAS/MFA work (for Evergreen State), and provide functionality for CAS similar to what the Multi-Context Broker (MCB) does for the Shibboleth IdP. (Of course, you have that at Alaska.) I.e. try to significantly lower the threshold of work it takes to integrate a particular MFA technology into CAS, and provide flexible ways to "trigger it" (by service, by individual, etc.). That work, and its documentation, is currently being vetted by the University of Utah. But additional "vetters" ;-) would be most welcome. It includes a connector for Duo, and a connector for Toopher has been discussed.

It would be a different conversation to consider having the CAS Server defer authentication to the Shib IdP, where the IdP has the MCB. Certainly one could look into the 'install a Shib SP and use the "TrustedAuth" login handler' approach that was discussed in an email thread that contained the following:

http://listserv.educause.edu/cgi-bin/wa.exe?A2=ind1304&L=IDM&D=0&P=14972

If you got the Shib SP to send the needed authentication context in the authn request, you could force it for a given service. But it wouldn't work as well if you wanted to require MFA by individual, because you'd already need username/password to happen before you could look up whether this person was required to do MFA. Then they'd have to redo it for the IdP. (Unless you get circular and have the IdP then defer to CAS for username/password, but trying to think thru whether that could work smoothly would make my head hurt. Would clearly need to delineate between services at the CAS Server so that when sent there from the IdP, you didn't try and start the MFA loop over again.)

On Sep 17, 2014, at 8:08 PM, Linda Toth <[email protected]> wrote:

> Hi
> I searched the list archives, but it yielded only one pertinent posting.
>
> Has anyone integrated CAS to Shib when Shib has been integrated to Duo
> Security? What experience do folks have with Duo Security or any type of
> multi-factor product with CAS - even if not integrated to Shib?
>
> Linda
>
> --
> Linda Toth
> University of Alaska - Office of Information Technology (OIT) - Identity and
> Access Management
> 910 Yukon Drive, Suite 103
> Fairbanks, Alaska 99775
> Tel: 907-450-8320
> Fax: 907-450-8381
> [email protected] | www.alaska.edu/oit/
>
> --
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user

--
Michael A. Grady
Senior IAM Consultant, Unicon, Inc.
