Matt,
It depends. If during CAS ticket validation, the validation result can assert that MFA took place for the authentication that created the TGT, then I think that would be sufficient if your requirement is simply that MFA took place already in the SSO session.
However, suppose not all services require MFA. If you first establish an SSO session to such a service, you might not be prompted for MFA. When you next go to a service that requires MFA, CAS would need to check in with the IdP so it could perform MFA, or else the SSO session would be denied access until it was terminated and a new SSO session was started that actually did use MFA.
If your setup is such that in order to establish an SSO session, you need to have provided a 2nd factor, then I would agree that CAS shouldn't need to check with the IdP each time whether MFA is valid; the fact that the SSO session exists at all is based on the fact that MFA was successful. Whether it is possible to configure the software that way, I'm not sure.
Our own setup is the opposite of yours. We run both CAS and Shibboleth services. CAS clients interface directly with our CAS service. SAML2 clients interact with our Shibboleth IdP, but the IdP delegates all authentication to CAS so the SSO experience is unified. Our CAS service does need to signal to the IdP if MFA was used to establish the session. We require MFA on a per-user basis. Either a user will be required to use MFA to establish an SSO session or they will not. Any call to our IdP will always pass through to CAS to verify an SSO session exists. Users are only prompted for MFA once per session.
Thanks,
Carl Waldbieser
ITS Identity Management
Lafayette College
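The first two paragraphs of the reply above describe a relying party reading the CAS ticket validation result to learn whether the SSO session was established with MFA, and denying (or forcing step-up for) a service that requires MFA when it was not. The following is an added example of that check written for this thread; it is not Carl's code and not part of CAS itself. It parses a CAS 3.0 `/p3/serviceValidate` XML response and looks for the MFA context attribute. The attribute name `authnContextClass` is the CAS default for reporting the satisfied MFA provider but is configurable, so treat it as an assumption, and the accepted context values (`mfa-duo`, `mfa-gauth`) and the sample responses are constructed for the example.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Namespace used by CAS protocol validation responses.
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Attribute under which CAS reports the MFA context that was satisfied.
# "authnContextClass" is the CAS default but the name is configurable
# server-side, so this is an assumption for the example.
MFA_CONTEXT_ATTRIBUTE = "authnContextClass"

# Context values this relying party accepts as proof of a second factor
# (assumed provider ids; match them to your own CAS MFA configuration).
ACCEPTED_MFA_CONTEXTS = {"mfa-duo", "mfa-gauth"}


@dataclass
class ValidationResult:
    ok: bool
    user: Optional[str] = None
    attributes: Dict[str, List[str]] = field(default_factory=dict)
    reason: str = ""


def parse_validation_response(xml_text: str) -> ValidationResult:
    """Parse a CAS 3.0 serviceValidate response into user + attributes.

    Note: xml.etree is used here to keep the example stdlib-only; for
    responses from a network peer prefer a hardened parser such as defusedxml.
    """
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        return ValidationResult(
            False, reason=f"{failure.get('code')}: {(failure.text or '').strip()}"
        )
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        return ValidationResult(False, reason="no authenticationSuccess element")
    user = success.findtext("cas:user", namespaces=CAS_NS)
    attrs: Dict[str, List[str]] = {}
    attr_el = success.find("cas:attributes", CAS_NS)
    if attr_el is not None:
        # Multi-valued attributes appear as repeated child elements.
        for child in attr_el:
            name = child.tag.split("}", 1)[-1]
            attrs.setdefault(name, []).append((child.text or "").strip())
    return ValidationResult(True, user=user, attributes=attrs)


def session_satisfies_mfa(result: ValidationResult) -> bool:
    """True only if CAS asserted an MFA context we recognise for this session."""
    values = result.attributes.get(MFA_CONTEXT_ATTRIBUTE, [])
    return any(v in ACCEPTED_MFA_CONTEXTS for v in values)


def authorize(xml_text: str, service_requires_mfa: bool) -> Tuple[bool, str]:
    """Decide access for one service based on the validation response.

    A service that requires MFA rejects an SSO session that was established
    without it, which is the step-up situation described in the thread.
    """
    result = parse_validation_response(xml_text)
    if not result.ok:
        return False, result.reason
    if service_requires_mfa and not session_satisfies_mfa(result):
        return False, "step-up required: SSO session was not established with MFA"
    return True, f"access granted to {result.user}"


# Constructed sample responses (not captured from a real CAS server).
MFA_RESPONSE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attributes>
      <cas:authenticationDate>2024-01-01T12:00:00Z</cas:authenticationDate>
      <cas:isFromNewLogin>true</cas:isFromNewLogin>
      <cas:authnContextClass>mfa-duo</cas:authnContextClass>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

NO_MFA_RESPONSE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attributes>
      <cas:isFromNewLogin>false</cas:isFromNewLogin>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE_RESPONSE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">Ticket ST-123 not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    for label, resp in [("mfa", MFA_RESPONSE), ("no-mfa", NO_MFA_RESPONSE), ("fail", FAILURE_RESPONSE)]:
        print(label, "requires MFA ->", authorize(resp, True))
        print(label, "no MFA needed ->", authorize(resp, False))
```

The decision logic is deliberately local to the relying party: it trusts only what the validation response asserts about the session, so a session first created for a service that did not prompt for a second factor is refused (and must be stepped up or re-established) at a service that does, which is exactly the gap the reply points out when not all services require MFA.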
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
cas-user+u...@apereo.org.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/7ed4ac9e-139b-4273-b491-16ae953a9347%40apereo.org.