Level of identity assurance implementation in CAS 5.0


Philippe MARASSE

Sep 29, 2016, 8:43:15 AM
to CAS Community
Hello,

I'm wondering if CAS is able to do service-based LOA, e.g., internal users
use SPNEGO and external users use login/password, and if requested by the
service: MFA with Yubikey or other not yet implemented means (OTP via
SMS, OTP via FreeOTP, etc.). Ideally, I would set a level by service:
- access to Webmail with a required level of 15 points
- access to Personal information with a required level of 20 points

And successful authentication would be granted by handler:
- SPNEGO: 25 points
- Login/Password: 15 points
- MFA yubikey: 10 points
- ...

So internal users would always gain access with SPNEGO, and external
users would be asked for login/password only for Webmail, and for
login/password + MFA for Personal Information.

Is it already possible with CASv5?

I think it will need some development though; in this case, I'll need
directions :-)

Regards.

--
Philippe MARASSE

Responsable pôle Infrastructures - DSIO
Centre Hospitalier Henri Laborit
CS 10587 - 370 avenue Jacques Cœur
86021 Poitiers Cedex
Tel : 05.49.44.57.19


Philippe MARASSE

Oct 5, 2016, 8:16:42 AM
to cas-...@apereo.org
No idea, really?

It's mentioned in the MFA section of
https://apereo.github.io/cas/4.2.x/planning/Security-Guide.html

but not anymore in v5:
https://apereo.github.io/cas/development/planning/Security-Guide.html ??

Regards.

Philippe MARASSE

Oct 6, 2016, 4:39:33 PM
to Misagh Moayyed, cas-...@apereo.org
Hello,

I'll try to be clearer :-). For example, a user wants to use our healthcare software:
  - if he's connected from the LAN, SPNEGO auth will be required and sufficient to grant access to the service.
  - if he's connected from the Internet, the connection will be granted only with login/password + OTP (SMS, mail, Yubikey, ... we've not chosen yet).

I have already modified the login webflow to trigger SPNEGO only on our LAN, so login/password is only triggered from the Internet. Then... I don't know yet how to perform MFA only for Internet users and only for some services.

Regards.

On 06/10/2016 at 13:19, Misagh Moayyed wrote:

What exactly do these points mean? 


If you mean to say, multiple MFA options are assigned to a user, and you wish to rank them by weight, that’s already supported.


-- 
Misagh
--
Philippe MARASSE

Responsable pôle Infrastructures - DSIO
Centre Hospitalier Henri Laborit
CS 10587 - 370 avenue Jacques Cœur
86021 Poitiers Cedex
Tel : 05.49.44.57.19


--
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To post to this group, send email to cas-...@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/0a2a19d6-5d9d-a453-c953-156eb585da03%40ch-poitiers.fr.
For more options, visit https://groups.google.com/a/apereo.org/d/optout.

Misagh Moayyed

Oct 7, 2016, 11:42:58 AM
to cas-...@apereo.org
What you want to do is assign an MFA level to your healthcare software registered in CAS. That will trigger MFA for both SPNEGO and "internet" login attempts. You then write your own "selective" resolver to determine the method of authentication and conditionally decide how MFA might be activated at the end.


Thinking more about this; it seems like this would be an attractive feature to add: to turn MFA levels on/off conditionally based on the mode of authentication. You're welcome to file a request.

-- 
Misagh


Philippe MARASSE

Oct 27, 2016, 10:06:02 AM
to cas-...@apereo.org
I'm back to CAS testing... I wrote a selective resolver derived from the one mentioned (SelectiveAuthenticationProviderWebflowEventResolver) so as not to trigger MFA when SPNEGO has succeeded. This part seems to work, but when the service ticket is validated, I get:

=============================================================
WHO: testuser
WHAT: ST-3-tvHk2g6TMkOasczQisfX-devcas1
ACTION: SERVICE_TICKET_VALIDATED
APPLICATION: CAS
WHEN: Thu Oct 27 15:07:30 CEST 2016
CLIENT IP ADDRESS: 172.16.10.177
SERVER IP ADDRESS: unknown
=============================================================

2016-10-27 15:07:30,346 DEBUG [org.apereo.cas.authentication.AuthenticationContextValidator] - <Attempting to match requested authentication context mfa-yubikey against []>
2016-10-27 15:07:30,346 DEBUG [org.apereo.cas.authentication.AuthenticationContextValidator] - <No authentication context could be determined based on authentication attribute authnContextClass>
2016-10-27 15:07:30,347 DEBUG [org.apereo.cas.authentication.AuthenticationContextValidator] - <No satisfied multifactor authentication providers are recorded in the current authentication context.>

AuthenticationContextValidator wants to find mfa-yubikey in the context... but cannot, as I only have SPNEGO.

What should I do now?

Regards.
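To make the two mechanisms discussed in this thread concrete, here is an added Python model (not CAS code, and not from the original posts) of the points-based LOA scheme proposed in the first message, alongside the strict provider-name match that the AuthenticationContextValidator log above shows; the handler ids, point values and service names are constructed from the thread's proposal.

```python
from typing import Dict, FrozenSet, List, Optional

# Points per successful handler, exactly as proposed in the first post
# (constructed policy for this example; CAS ships no such table).
HANDLER_POINTS: Dict[str, int] = {
    "spnego": 25,
    "login-password": 15,
    "mfa-yubikey": 10,
}

# Minimum points each service requires, as proposed in the first post.
SERVICE_REQUIRED_POINTS: Dict[str, int] = {
    "webmail": 15,
    "personal-information": 20,
}


def achieved_points(handlers: FrozenSet[str]) -> int:
    """Sum the points of every handler that succeeded in this authentication."""
    return sum(HANDLER_POINTS.get(h, 0) for h in handlers)


def access_decision(service: str, handlers: FrozenSet[str]) -> Dict[str, object]:
    """Grant when the accumulated points reach the service's requirement.

    When they do not, list every single additional handler whose points alone
    would close the gap, which is the step-up prompt a resolver would raise.
    """
    required = SERVICE_REQUIRED_POINTS[service]
    points = achieved_points(handlers)
    shortfall = max(0, required - points)
    step_up: List[str] = sorted(
        h for h, p in HANDLER_POINTS.items()
        if shortfall and h not in handlers and p >= shortfall
    )
    return {"granted": shortfall == 0, "points": points,
            "required": required, "step_up_options": step_up}


def strict_provider_check(requested: Optional[str], satisfied: FrozenSet[str]) -> bool:
    """Model of the name-based match shown in the quoted validator log.

    The requested MFA provider id must literally appear among the providers
    recorded in the authentication context; points are not consulted, so a
    SPNEGO-only context never satisfies a request for 'mfa-yubikey'.
    """
    return requested is None or requested in satisfied
```

The contrast between the two functions is the gap the log exposes: under the points model a SPNEGO-only login clears both services, while the name-based check still demands that mfa-yubikey itself be recorded in the context.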

Philippe MARASSE

Nov 8, 2016, 8:47:57 AM
to cas-...@apereo.org
No idea?

Is there another class/bean I have to extend/overload?

Regards.
--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas