Hello, As my CAS environment grows and we bring on more and more hosted applications, the one question that I constantly have coming up is MFA. So, I have a few questions about CAS + MFA. Before I get started, I will give a little background information on my environment. We are currently running a clustered CAS 3.5.2 + shib-cas-authn2 environment (EhCache Ticket Replication + Tomcat User State Replication). Everything we have right now runs perfect with no issues. Now, the questions:
1. Are there any working examples of CAS 3.5.2 using the Unicon cas-mfa add-on with Google Authenticator? I've googled far and wide, and have yet to see a working example of a CAS MFA setup using Google Authenticator. 2. Does the CAS MFA add-on play well with other extensions like shib-cas-authn2? Example, if I enable CAS MFA, and a user accesses a shibboleth based service that is then delegated to the CAS for auth, will this cause issues? 3. My understanding of MFA is that this is possibly an all or nothing scenario, and this somewhat concerns from an end user perspective. Is there an Opt-In/Out option available for those users that wish to use MFA and those that don't? Or will this require us to setup 2 different environments, one with MFA support and one without? 4. How much customization is involved with the login-webflow.xml in order to support MFA? I think this would be specifically to the strong-two-factor module that appears to be used for custom MFA support like Google Authenticator. Ben Branch UNIX/Linux Administrator University of Central Oklahoma ITIL Foundation v3, Network+, RHCE 100 N. University Drive, Box 122 Edmond, OK 73034 D: 405.974.2649 | M: 405.550.6804 | bbranch@uco.<mailto:bbranch@uco.>edu | www.uco.edu<http://www.uco.edu/> "I am wiser than this man, for neither of us appears to know anything great and good; but he fancies he knows something, although he knows nothing; whereas I, as I do not know anything, so I do not fancy I do. In this trifling particular, then, I appear to be wiser than he, because I do not fancy I know what I do not know." - Socrates -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
