Authentication Policies Configuration (Handlers chaining)


Neomia Dev

Nov 24, 2022, 6:17:21 AM
to CAS Community

Hello everyone,

If this is not the right place to post this, sorry and please point me to the right forum/discussion channel.

I’m a software engineer (at neomia) and we developed an MFA plugin (Pulse) to add a second authentication factor to CAS based on typing biometrics.

We developed a specific AuthenticationHandler (PulseAuthenticationHandler) that currently works correctly but we need some help to configure the authentication policy. In a configuration where we have two handlers (LdapAuthenticationHandler and PulseAuthenticationHandler) we would like to have this behavior:

  • Specify a desired execution order (e.g. LdapAuthenticationHandler is always executed first, PulseAuthenticationHandler second);
  • If one handler fails, the following handlers in the authentication chain must not be invoked and the authentication must be refused (e.g. if LdapAuthenticationHandler, as first factor, fails, then PulseAuthenticationHandler, as second factor, must not be invoked and the authentication must be refused);
  • The authentication is successful if and only if all the specified authentication handlers are invoked and their results are successful.

In all possible configurations that we tried (with the different possible values from https://apereo.github.io/cas/6.6.x/authentication/Configuring-Authentication-Policy.html), the PulseAuthenticationHandler still gets invoked and we couldn’t figure out how to stop the authentication chain right after the first handler failure.

We would be grateful if someone could point us in the right direction.

Thanks


Guillaume Laroyenne
neomia
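The three requirements above (fixed order, stop at the first failure, success only when every handler succeeds) can be modelled in a few lines. This is an added illustration, not code from the post, from the Pulse plugin or from CAS: the handler names follow the post, while the `Handler` class, `run_chain` and the credential checks are constructed here. The `fail_fast=False` path reproduces the symptom described above, where the second-factor handler is still invoked after the first factor has already failed.

```python
# Added example: a minimal model of fail-fast handler chaining.
# Handler names are taken from the post; everything else is constructed.
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class Handler:
    name: str
    order: int                          # lower value runs first
    authenticate: Callable[[Dict], bool]


@dataclass
class ChainResult:
    success: bool
    invoked: List[str] = field(default_factory=list)


def run_chain(handlers: List[Handler], credentials: Dict, fail_fast: bool = True) -> ChainResult:
    """Invoke handlers in ascending 'order'.

    fail_fast=True  -> stop at the first failing handler; later handlers are
                       never called (the behaviour the post asks for).
    fail_fast=False -> call every handler and only then require that all of
                       them succeeded (the second factor still runs even when
                       the first one failed, which is the observed symptom).
    Either way the chain succeeds only if every invoked handler succeeded.
    """
    result = ChainResult(success=True)
    for handler in sorted(handlers, key=lambda h: h.order):
        result.invoked.append(handler.name)
        if not handler.authenticate(credentials):
            result.success = False
            if fail_fast:
                break
    return result


# Constructed stand-ins for the real handlers (hypothetical checks).
def ldap_check(creds: Dict) -> bool:
    return creds.get("password") == "correct-horse"


def pulse_check(creds: Dict) -> bool:
    return creds.get("typing_score", 0.0) >= 0.8


# Deliberately listed out of order: 'order' decides execution, not list position.
HANDLERS = [
    Handler("PulseAuthenticationHandler", order=2, authenticate=pulse_check),
    Handler("LdapAuthenticationHandler", order=1, authenticate=ldap_check),
]
```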

Ray Bon

Nov 24, 2022, 1:06:56 PM
to cas-...@apereo.org
Guillaume,

This blog may also provide some hints, https://fawnoos.com/2020/10/21/cas62-authn-handlers/

Ray

On Thu, 2022-11-24 at 03:15 -0800, Neomia Dev wrote: