I am making some modifications to CAS to use MFA. We have a fairly customized installation, and I'm not planning to use the unicon mfa WAR overlay since the Duo integration instructions are fairly straightforward.
I'd like to know if a user is 'authorized' to login to a service once they have a session (JSessionID), or are they only authorized after the TGT cookie has been set? I need to modify the web flow, and the most obvious method is to have the user authenticate, then go through the MFA steps (but prior to the actual TGT cookie being created). In the login webflow, I would add a step after the 'realSubmit' action-state. I want to be certain there would be no way for a user to login with their credentials and then figure out a sneaky way to bypass the 2nd step of the authentication process.

Thanks,
Adam

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
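As an added illustration of the webflow change described in the post above (this is an editor's example, not Adam's code and not part of the CAS distribution): in the CAS 3.x login-webflow.xml, the 'realSubmit' action-state validates the credentials and its "success" transition goes to 'sendTicketGrantingTicket', which is the state that actually sets the TGT cookie. The fragment below reroutes every ticket-issuing transition out of 'realSubmit' through a second-factor check before that state is reached. The state ids 'mfaChallenge' and 'mfaViewChallenge', the bean name 'mfaAction', and the view name 'casMfaView' are assumed names for this example; the 'realSubmit', 'sendTicketGrantingTicket', 'warn' and 'generateLoginTicket' states are the stock CAS 3.x ones.

```xml
<!-- Added example: MFA step wired between realSubmit and sendTicketGrantingTicket.
     State ids mfaChallenge/mfaViewChallenge, bean mfaAction and view casMfaView
     are assumptions for this illustration, not CAS-provided names. -->

<action-state id="realSubmit">
    <evaluate expression="authenticationViaFormAction.submit(flowRequestContext, flowScope.credentials, messageContext)" />
    <!-- Both outcomes that end in a ticket being issued must go through the
         second factor; leaving "warn" pointed at the stock "warn" state would
         be exactly the kind of bypass the post is worried about. -->
    <transition on="success" to="mfaChallenge" />
    <transition on="warn" to="mfaChallenge" />
    <transition on="error" to="generateLoginTicket" />
</action-state>

<!-- Render the second-factor prompt. The first-factor result is held only in
     flow/request scope at this point; no TGT cookie has been sent yet. -->
<view-state id="mfaViewChallenge" view="casMfaView">
    <transition on="submit" to="mfaChallenge" />
</view-state>

<!-- Verify the second factor. The action returns "success" only when the
     second factor validated; any other outcome sends the user back to the
     prompt, so the only path to sendTicketGrantingTicket is through here. -->
<action-state id="mfaChallenge">
    <evaluate expression="mfaAction.verify(flowRequestContext, messageContext)" />
    <transition on="success" to="sendTicketGrantingTicket" />
    <transition on="challenge" to="mfaViewChallenge" />
    <transition on="error" to="mfaViewChallenge" />
</action-state>

<!-- Stock state: sets the CASTGC cookie. Reachable only via mfaChallenge. -->
<action-state id="sendTicketGrantingTicket">
    <evaluate expression="sendTicketGrantingTicketAction" />
    <transition to="serviceCheck" />
</action-state>
```

Two checks worth doing after wiring this in: grep the whole flow definition for any other transition that targets 'sendTicketGrantingTicket' or 'warn' (the 'mfaChallenge' state should be the sole entry point), and confirm that the Spring Web Flow state with the 'mfaViewChallenge' id cannot be skipped by submitting a POST with a different `_eventId` value, since the transitions listed on that view-state are the only events the flow will accept from it.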
