Hi Ben,

Misagh can weigh in and give you definitive answers, but here's my stab at them:

1. No, support for OATH/Google Authenticator has not yet been added into CAS-MFA.

2. CAS-MFA and shib-cas-authn2 will not break each other. With that said, MFA requests from Shib-side SPs don't get passed down to CAS or CAS-MFA at this point. Nor does CAS-MFA utilize the entityId that is passed to it from Shib via the shib-cas-authn2 plugin to make an MFA decision. This functionality has not been added yet.

3. CAS-MFA supports multiple options for who gets challenged. A user attribute can be used to indicate that a user has opted in; specific services can be forced in while allowing others to not require MFA; a service can optionally request MFA if, for example, a user had already authenticated but was trying to perform some high-level access within the app.

4. The current CAS-MFA implementation dynamically bolts onto the login webflow to add its MFA support. Adding support for OATH would require creating an additional module like what has been done for RADIUS, Duo, Toopher, etc. Feel free to contact Unicon if this is something that you'd like to sponsor.*

Hopefully that helps answer some questions.

* Disclaimer: I work for Unicon. :)

John Gasper
IAM Consultant
Unicon, Inc.

From: Ben Branch <[email protected]>
Reply-To: <[email protected]>
Date: Wednesday, March 25, 2015 at 8:22 AM
To: <[email protected]>
Subject: [cas-user] CAS 3.5.2 + MFA

Hello,

As my CAS environment grows and we bring on more and more hosted applications, the one question that I constantly have coming up is MFA. So, I have a few questions about CAS + MFA. Before I get started, I will give a little background information on my environment. We are currently running a clustered CAS 3.5.2 + shib-cas-authn2 environment (EhCache Ticket Replication + Tomcat User State Replication). Everything we have right now runs perfectly with no issues.

Now, the questions:

1. Are there any working examples of CAS 3.5.2 using the Unicon cas-mfa add-on with Google Authenticator? I've googled far and wide, and have yet to see a working example of a CAS MFA setup using Google Authenticator.

2. Does the CAS MFA add-on play well with other extensions like shib-cas-authn2? For example, if I enable CAS MFA, and a user accesses a Shibboleth-based service that is then delegated to CAS for auth, will this cause issues?

3. My understanding of MFA is that this is possibly an all-or-nothing scenario, and this somewhat concerns me from an end-user perspective. Is there an opt-in/out option available for those users that wish to use MFA and those that don't? Or will this require us to set up 2 different environments, one with MFA support and one without?

4. How much customization is involved with the login-webflow.xml in order to support MFA? I think this would be specific to the strong-two-factor module that appears to be used for custom MFA support like Google Authenticator.

Ben Branch
UNIX/Linux Administrator
University of Central Oklahoma
ITIL Foundation v3, Network+, RHCE
100 N. University Drive, Box 122
Edmond, OK 73034
D: 405.974.2649 | M: 405.550.6804 | bbranch@uco. edu | www.uco.edu

"I am wiser than this man, for neither of us appears to know anything great and good; but he fancies he knows something, although he knows nothing; whereas I, as I do not know anything, so I do not fancy I do. In this trifling particular, then, I appear to be wiser than he, because I do not fancy I know what I do not know." - Socrates

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
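The three "who gets challenged" options John lists (user opt-in attribute, service-forced, service-requested step-up) can be modelled as one precedence-ordered decision. The following is an added illustration written for this thread, not CAS-MFA's own code or configuration format; the attribute name `authn_method`, the method label `mfa-totp`, and the service URLs are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical model of the MFA decision inputs; not CAS-MFA's API.

@dataclass
class Service:
    service_id: str
    required_authn_method: Optional[str] = None  # set => service is "forced in"

@dataclass
class Principal:
    user: str
    attributes: dict = field(default_factory=dict)  # opt-in lives in "authn_method"

@dataclass
class LoginRequest:
    service: Service
    principal: Principal
    requested_authn_method: Optional[str] = None  # step-up asked for by the app
    has_existing_sso_session: bool = False
    session_authn_method: Optional[str] = None  # how the existing session was built

def required_method(req: LoginRequest) -> Optional[str]:
    """Which MFA method this login must satisfy, or None for plain auth.

    Precedence: service-forced beats a per-request ask, which beats user opt-in.
    A forced service can therefore never be weakened by the user or the app.
    """
    if req.service.required_authn_method:
        return req.service.required_authn_method
    if req.requested_authn_method:
        return req.requested_authn_method
    return req.principal.attributes.get("authn_method")  # constructed attribute name

def must_challenge(req: LoginRequest) -> bool:
    """True when the user has to complete an MFA step for this request.

    An existing SSO session only satisfies the requirement if it was itself
    established with the same method; a plain session does not, which is the
    step-up case John describes (already logged in, now needs stronger proof).
    """
    method = required_method(req)
    if method is None:
        return False
    return not (req.has_existing_sso_session and req.session_authn_method == method)
```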
