InCommon and NIH changes


Mike Osterman

Mar 10, 2021, 6:19:18 PM
to CAS Community
For those that are using CAS SAML IdP as their InCommon IdP (we are almost there but haven't made the switch), there are some upcoming requirements (September 21, 2021) for users of electronic Research Administration (eRA): https://incommon.org/news/nih-application-to-require-multi-factor-authentication/

The REFEDS Research & Scholarship attributes support seems well-documented:

The thing that I can't find in the docs is how to express the referenced MFA Authentication Context:

We've implemented Duo, so I'm guessing that flow would be where we would trigger this, but again, don't find in the docs how to trigger this or if it's even supported by CAS's SAML IdP.

I think I saw a couple names of frequent cas-user participants on the office hours webinar today, so I expect others are looking at this as well.

Thanks,
Mike



Richard Frovarp

Mar 11, 2021, 10:44:42 AM
to cas-...@apereo.org
I'm running my InCommon membership through Shibboleth, so I'm not looking for a CAS solution. However, here is what I know:

1) R&S is documented as you point out. If you are going to provide REFEDS R&S to REFEDS R&S SPs, you probably want to go into the InCommon Federation Manager and assert that you are a R&S IdP. I would also suggest you review your error URL, and see if you can be SIRTFI compliant, as those are baseline v2 requirements. Separate from NIH, but while you are in there.

2) Parts of the NIH are also going to want assurance attributes based on the REFEDS Assurance profiles. Once you know which assurance values you can assert, they are just attributes that you return to the SP, like any other attribute.

3) MFA will come in the form of REFEDS MFA. I found this from a couple of months ago that looks promising given that Misagh wrote it: https://fawnoos.com/2020/12/07/cas63x-saml2-mfa-refeds-duo/ 

Mike Osterman

Mar 11, 2021, 11:36:15 AM
to cas-...@apereo.org
Score! Looks like another blog that I need to be following. :) That MFA REFEDS post looks exactly like what was being discussed at yesterday’s office hours webinar.  

Good catch on the REFEDS Assurance profiles. I got the gist of what was being discussed, but the requirements seemed a little unclear. Makes sense, as it sounds like the requirement compliance date has been announced, but the details are still being sorted out.

I’m still thinking we’ll switch our InCommon federation to CAS, largely for the operational efficiency (we’re a small school) and the reduced complexity of running a single SAML IdP, and at present, we only have one vendor that requires InCommon. If others have gone the consolidation route by using CAS as their InCommon SAML IdP, I’d welcome any feedback on how that has gone for you on or off list. 

Thank you,
Mike

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.

Andrew Marker

Sep 21, 2022, 3:55:02 PM
to CAS Community, Mike Osterman
Hi all,

I've moved from 6.3 to 6.5, and, like Mike for 6.3, I followed the advice of the blog mentioned. It was painless to add the property and I found instant success.
-----
In 6.5, I tried to port this property to the updated namespace:


cas.authn.saml-idp.core.authentication-context-class-mappings=https://refeds.org/profile/mfa->mfa-duo

It no longer seems to inject it for me.  I went back to the NIH preparedness site to verify and I'm not passing the assertion.

Tried just in case it was a collection (plural name). That didn't produce a warning but it also didn't work.

cas.authn.saml-idp.core.authentication-context-class-mappings[0]=https://refeds.org/profile/mfa->mfa-duo

-----

I do see that I can set it explicitly on individual service definitions, but, I would rather set it once.

Is there an additional step that is needed?  Do I need to set it explicitly on each service definition in v6.5.x?

Thanks for your thoughts on this.
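When a mapping like the one above silently stops taking effect, the quickest way to see what the IdP is really asserting is to inspect the decoded SAML Response the SP receives. The checker below is an added example (not code from this thread or from CAS): it parses a Response and reports whether the AuthnContextClassRef carries the REFEDS MFA profile and whether the eduPersonAssurance attribute contains the REFEDS assurance values the SP requires. The embedded Response is constructed for the example, and the check assumes the Response has already been signature-verified by the SP.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
REFEDS_MFA = "https://refeds.org/profile/mfa"
# OID of eduPersonAssurance, where REFEDS Assurance Framework values are carried
EDUPERSON_ASSURANCE = "urn:oid:1.3.6.1.4.1.5923.1.1.1.11"

# Constructed sample: unsigned, minimal Response as an SP would see it after decoding.
# A real check runs only after the SP has verified the Response/Assertion signature.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:AuthnStatement AuthnInstant="2021-03-10T18:00:00Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>https://refeds.org/profile/mfa</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11">
        <saml:AttributeValue>https://refeds.org/assurance</saml:AttributeValue>
        <saml:AttributeValue>https://refeds.org/assurance/IAP/medium</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def authn_context_classes(response_xml):
    """All AuthnContextClassRef values asserted in the Response."""
    root = ET.fromstring(response_xml)
    return [e.text.strip() for e in root.iterfind(".//saml:AuthnContextClassRef", NS) if e.text]

def assurance_values(response_xml):
    """All eduPersonAssurance values asserted in the Response."""
    root = ET.fromstring(response_xml)
    values = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == EDUPERSON_ASSURANCE:
            values += [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
    return values

def check_refeds_mfa(response_xml, required_assurance=()):
    """Return a list of findings; an empty list means the IdP asserted what was asked for."""
    findings = []
    ctx = authn_context_classes(response_xml)
    if REFEDS_MFA not in ctx:
        findings.append(f"AuthnContextClassRef is {ctx or 'missing'}, expected {REFEDS_MFA}")
    present = assurance_values(response_xml)
    for value in required_assurance:
        if value not in present:
            findings.append(f"eduPersonAssurance lacks {value}")
    return findings
```

Run it against the Response captured from the SP side (for example from the NIH preparedness test page) before and after changing the CAS property, so the property change is judged by what the assertion actually contains.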