MFA Triggers for LOA enforcement


Rich Renomeron

Jan 26, 2018, 5:52:38 PM1/26/18
to cas-...@apereo.org
I have a requirement to enforce LOA rather than particular authn methods on my CAS implementation, something I hacked into my CAS 3 overlay a long time ago.  The authn methods we use are assigned LOA like this:
  • Level 1: un/pw, "weak" pac4j clients
  • Level 2: un/pw and MFA, "stronger" pac4j clients (maybe weak pac4j client + MFA in the future)
  • Level 3: one very special pac4j client
In my CAS 3 implementation, clients request a particular LOA by appending a "securityLevel" parameter to the CAS login URL.  It's enforced by a webflow hack that checks the LOA and sends the user back to "viewLoginForm" when the authn doesn't cut it, both for the initial authn and when the user has a valid TGT.  Obviously I don't want to repeat this for CAS 5.

I can almost see how to do this easily with a custom MFA trigger, but there are two things I'm not sure of after a day of doc reading and code spelunking:
  • For cases where you can't meet the security level by simply adding an MFA, I'll send the user back to the login page, perhaps with an error message.  That's just returning CasWebflowConstants.STATE_ID_HANDLE_AUTHN_FAILURE, yes?  Or should I throw an exception from the trigger?
  • Is the trigger run if there is an existing SSO session/TGT, or do I have to do something else to handle that case?
Thanks,
Rich

--
Rich Renomeron, Project Lead
TCG, Inc. - Positively Distinct - CMMI-DEV Level 3 - CMMI-SVC Level 2 - ISO 9001:2015
+1 (202) 643-8460 | richard....@tcg.com | www.tcg.com
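The LOA policy sketched in the post, as an added example that is not part of the original message and not CAS code: it models the level assignment (level 1 for username/password and "weak" pac4j clients, level 2 for "stronger" clients or username/password plus MFA, level 3 for the one special client) and the three outcomes the post wants (requirement already met, step up with MFA, send the user back to the login form), independently of the CAS 5 webflow and trigger API. The handler names, the `securityLevel` parsing rules and the `MFA_UPGRADABLE` set are assumptions made for the example; whatever component ends up evaluating an existing SSO session can feed it the authentication recorded in the TGT the same way.

```python
"""LOA step-up decision logic.

Added example, not code from the original post or from CAS: it models the
level assignment and the three outcomes the post describes (requirement
already met, add MFA, send the user back to the login form) independently
of the CAS 5 webflow and trigger API.  Handler names are assumptions.
"""
from dataclasses import dataclass
from enum import Enum

# Level of each base authentication method (names are assumptions).  The post
# assigns level 1 to username/password and "weak" pac4j clients, level 2 to
# "stronger" pac4j clients and level 3 to one special pac4j client.
BASE_LEVEL = {
    "UsernamePassword": 1,
    "pac4j-weak-client": 1,
    "pac4j-strong-client": 2,
    "pac4j-special-client": 3,
}

# Base methods that a satisfied MFA lifts by one level.  The post only raises
# username/password this way; "weak pac4j client + MFA" is a future option,
# so adding it here is the one-line change that would enable it.
MFA_UPGRADABLE = {"UsernamePassword"}

MAX_LEVEL = 3


class Decision(Enum):
    SATISFIED = "satisfied"            # continue to the service
    STEP_UP_MFA = "step_up_mfa"        # run the MFA flow, then decide again
    REAUTHENTICATE = "reauthenticate"  # back to the login form, with an error


@dataclass(frozen=True)
class AuthnState:
    """How the current (or SSO-session) authentication was obtained."""
    base_method: str
    mfa_satisfied: bool = False


def parse_security_level(raw):
    """Parse the ``securityLevel`` request parameter defensively.

    Absent means no elevated requirement (level 1).  Non-integer or
    out-of-range values are rejected instead of being clamped, so a
    tampered parameter cannot be turned into some other level.
    """
    if raw is None or raw == "":
        return 1
    try:
        level = int(raw)
    except ValueError:
        raise ValueError(f"securityLevel is not an integer: {raw!r}") from None
    if not 1 <= level <= MAX_LEVEL:
        raise ValueError(f"securityLevel out of range: {level}")
    return level


def achieved_level(state):
    """LOA reached by ``state``; unknown handlers fail closed to level 0."""
    base = BASE_LEVEL.get(state.base_method, 0)
    if base and state.mfa_satisfied and state.base_method in MFA_UPGRADABLE:
        return min(base + 1, MAX_LEVEL)
    return base


def decide(state, requested):
    """Compare achieved and requested LOA and pick the webflow outcome."""
    if achieved_level(state) >= requested:
        return Decision.SATISFIED
    # MFA can only close the gap for upgradable methods that have not yet
    # done MFA, and only by a single level.
    base = BASE_LEVEL.get(state.base_method, 0)
    if (state.base_method in MFA_UPGRADABLE
            and not state.mfa_satisfied
            and base + 1 >= requested):
        return Decision.STEP_UP_MFA
    return Decision.REAUTHENTICATE


def decide_for_request(raw_security_level, state):
    """Convenience wrapper: parse the parameter, then decide."""
    return decide(state, parse_security_level(raw_security_level))


if __name__ == "__main__":
    # Constructed inputs: a fresh username/password login asking for level 2
    # steps up; a level-1 pac4j client asking for level 3 must re-authenticate.
    print(decide_for_request("2", AuthnState("UsernamePassword")))
    print(decide_for_request("3", AuthnState("pac4j-weak-client")))
```

The point of `parse_security_level` failing closed is that `securityLevel` arrives from the client and is therefore attacker-controlled: an unparseable or out-of-range value is refused rather than mapped to a default, and an unknown authentication handler evaluates to level 0 so that it can never satisfy any requested level by accident.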