Michael, Thanks for sending this link. It did not pop when I searched. I thought MFA had been mentioned at the Apereo conference this summer, but it was in passing.
Let me read this documentation. I am definitely interested. Thank you so much.

Linda

--
Linda Toth
University of Alaska - Office of Information Technology (OIT) - Identity and Access Management
910 Yukon Drive, Suite 103
Fairbanks, Alaska 99775
Tel: 907-450-8320
Fax: 907-450-8381
[email protected] | www.alaska.edu/oit/

On Thu, Sep 18, 2014 at 8:02 PM, Michael A Grady <[email protected]> wrote:

> Linda, have you looked at the CAS-MFA work which you can find here:
>
> https://github.com/Unicon/cas-mfa
>
> That has been funded work (by the MFA Cohortium) to expand on previous CAS/MFA work (for Evergreen State), and provide functionality for CAS similar to what the Multi-Context Broker (MCB) does for the Shibboleth IdP. (Of course, you have that at Alaska.) I.e. try to significantly lower the threshold of work it takes to integrate a particular MFA technology into CAS, and provide flexible ways to "trigger it" (by service, by individual, etc.) That work, and its documentation, is currently being vetted by the University of Utah. But additional "vetters" ;-) would be most welcome. It includes a connector for Duo, and a connector for Toopher has been discussed.
>
> It would be a different conversation to consider having the CAS Server defer authentication to the Shib IdP, where the IdP has the MCB. Certainly one could look into the "install a Shib SP and use the 'TrustedAuth' login handler" approach that was discussed in an email thread that contained the following:
>
> http://listserv.educause.edu/cgi-bin/wa.exe?A2=ind1304&L=IDM&D=0&P=14972
>
> If you got the Shib SP to send the needed authentication context in the authn request, you could force it for a given service. But it wouldn't work as well if you wanted to require MFA by individual, because you'd already need username/password to happen before you could look up whether this person was required to do MFA. Then they'd have to redo it for the IdP. (Unless you get circular and have the IdP then defer to CAS for username/password, but trying to think thru whether that could work smoothly would make my head hurt. Would clearly need to delineate between services at the CAS Server so that when sent there from the IdP, you didn't try and start the MFA loop over again.)
>
> On Sep 17, 2014, at 8:08 PM, Linda Toth <[email protected]> wrote:
>
> Hi
> I searched the list archives, but it yielded only one pertinent posting.
>
> Has anyone integrated CAS to Shib when Shib has been integrated to Duo Security? What experience do folks have with Duo Security or any type of multi-factor product with CAS - even if not integrated to Shib?
>
> Linda
>
> --
> Linda Toth
> University of Alaska - Office of Information Technology (OIT) - Identity and Access Management
> 910 Yukon Drive, Suite 103
> Fairbanks, Alaska 99775
> Tel: 907-450-8320
> Fax: 907-450-8381
> [email protected] | www.alaska.edu/oit/
>
> --
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
>
> --
> Michael A. Grady
> Senior IAM Consultant, Unicon, Inc.
