I said MFA Cohortium, but that was "shorthand" for the Internet2 Scalable Privacy project, which is funding the MFA Cohortium and a variety of other MFA-related activities, as a funded project under the Federal NSTIC effort. See:

https://spaces.internet2.edu/display/scalepriv/Scalable+Privacy

if you want to know more about NSTIC and the Scalable Privacy effort.

On Sep 18, 2014, at 11:02 PM, Michael A Grady <[email protected]> wrote:

> Linda, have you looked at the CAS-MFA work which you can find here:
>
> https://github.com/Unicon/cas-mfa
>
> That has been funded work (by the MFA Cohortium) to expand on previous
> CAS/MFA work (for Evergreen State), and provide functionality for CAS similar
> to what the Multi-Context Broker (MCB) does for the Shibboleth IdP. (Of
> course, you have that at Alaska.) I.e. try to significantly lower the
> threshold of work it takes to integrate a particular MFA technology into CAS,
> and provide flexible ways to "trigger it" (by service, by individual, etc.)
> That work, and its documentation, is currently being vetted by the University
> of Utah. But additional "vetters" ;-) would be most welcome. It includes a
> connector for Duo, and a connector for Toopher has been discussed.
>
> It would be a different conversation to consider having the CAS Server defer
> authentication to the Shib IdP, where the IdP has the MCB. Certainly one
> could look into the 'install a Shib SP and use the "TrustedAuth" login
> handler' approach that was discussed in an email thread that contained the
> following:
>
> http://listserv.educause.edu/cgi-bin/wa.exe?A2=ind1304&L=IDM&D=0&P=14972
>
> If you got the Shib SP to send the needed authentication context in the authn
> request, you could force it for a given service. But it wouldn't work as well
> if you wanted to require MFA by individual, because you'd already need
> username/password to happen before you could look up whether this person was
> required to do MFA. Then they'd have to redo it for the IdP. (Unless you get
> circular and have the IdP then defer to CAS for username/password, but trying
> to think thru whether that could work smoothly would make my head hurt. Would
> clearly need to delineate between services at the CAS Server so that when
> sent there from the IdP, you didn't try and start the MFA loop over again.)
>
> On Sep 17, 2014, at 8:08 PM, Linda Toth <[email protected]> wrote:
>
>> Hi
>> I searched the list archives, but it yielded only one pertinent posting.
>>
>> Has anyone integrated CAS to Shib when Shib has been integrated to Duo
>> Security? What experience do folks have with Duo Security or any type of
>> multi-factor product with CAS - even if not integrated to Shib?
>>
>> Linda
>>
>> --
>> Linda Toth
>> University of Alaska - Office of Information Technology (OIT) - Identity and
>> Access Management
>> 910 Yukon Drive, Suite 103
>> Fairbanks, Alaska 99775
>> Tel: 907-450-8320
>> Fax: 907-450-8381
>> [email protected] | www.alaska.edu/oit/
>>
>> --
>> You are currently subscribed to [email protected] as:
>> [email protected]
>> To unsubscribe, change settings or access archives, see
>> http://www.ja-sig.org/wiki/display/JSG/cas-user
>
> --
> Michael A. Grady
> Senior IAM Consultant, Unicon, Inc.

--
Michael A. Grady
Senior IAM Consultant, Unicon, Inc.
