Didn't consider using CAS for this as this multifactor auth is a
requirement addressing human behavior more than security against an attack.
I asked about this and pretty much they don't expect the user to physically
be in the system all the time (They expect users sometimes even asking a
CAS can do multifactor. It can also release a bunch of attributes about
how the authentication went if you use the CAS 3 protocol. The service
directing the individual to CAS can also request that a fresh login is
used. Combined together, the service can be assured (so long as they
trust the
i see. So it was indeed something I wasn't really understanding about how
to handle the data, even when I was right about the authentication and
authorization roles of CAS and Spring Security. That tells me that for my
scenario, I will need to get a ticket for a meeting to rebuild some things,
Cas can find username/password from a variety of sources and this can be
configured per service [1].
You can use the CAS 3 protocol [2] to release attributes to the client
application. And like username/password, attributes can be obtained from
more than one location [3].
There is also the
