New MFA features proposition


Nina Nedjar

Oct 12, 2023, 3:52:13 AM
to cas...@apereo.org

Hello,


We plan to add MFA provided by Okta to our CAS portal and therefore create a suitable module as there are modules to integrate the Authy and Google authenticator solutions for example.


To do this we used the Authy module as an example and modified it to be able to use the MFA provided by Okta.


To use Okta MFA, you must create an Okta tenant and retrieve an API token which will allow you to make the API calls necessary to use MFA authentication. The token and the tenant URL are parameters that we will keep in the cas.properties file.


The objective being to offer the different types of MFA used by Okta (sms, email, Okta push, Okta TOTP) we have added several actions in the authentication flow so that when a user connects they can choose which type of MFA they want to use and thus enlist on this factor or be challenged on it. Depending on the user's choice, the corresponding action is launched and allows the authentication flow to continue.

The user will either enroll on the factor if it is the first time they connect or they will be challenged on the factor if they connect after having already been enrolled.


To enable verification of the different MFA methods, each action makes the different API calls needed to verify the information and perform the steps necessary for MFA. We use the Okta SDK to make these calls.


Once the MFA is validated, the user is connected to the application.


We created 9 actions to manage the different factors (enrollment and challenges) and to do the validation and we created 7 views to display web pages necessary for the user.


We have already tried to make a PR (https://github.com/apereo/cas/pull/5751), but it was refused because there were too many changes and also because we had directly modified the Authy files and not created module-specific files.


We have several points in progress:

  • As we used the Authy module as a base, we are in the process of 'cleaning up' the files so that they are no longer named after the Authy files.

  • We also want to carry out a PR so that this module is added to the CAS project. How can we do this? Do you have any recommendation?

  • Can this Okta MFA module be part of a release and if so in which one?

Our module is available and functional here: https://github.com/Lyvoc/cas-uni-montpellier



Best regards,

Nina Nedjar


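The enroll-or-challenge decision and the Okta API steps described in the proposal above, as an added example that is not the Lyvoc module's code. It models the request a CAS webflow action would build (offline, nothing is sent); the endpoint paths, the SSWS header and the factorResult values follow Okta's public Factors API as this example's author understands them and should be treated as assumptions to verify against the Okta documentation; the enrolled-factor list is a constructed sample.

```python
import json

# Okta factorType values for the four methods named in the proposal (assumption).
FACTOR_TYPES = {"sms", "email", "push", "token:software:totp"}

# Constructed sample: what GET /api/v1/users/{id}/factors might return for a
# user who has already enrolled and activated SMS and nothing else.
SAMPLE_ENROLLED = json.loads('''[
  {"id": "smsabc123", "factorType": "sms", "provider": "OKTA", "status": "ACTIVE"}
]''')

def headers(api_token):
    # The API token and tenant URL come from cas.properties; Okta expects the SSWS scheme.
    return {"Authorization": f"SSWS {api_token}",
            "Accept": "application/json", "Content-Type": "application/json"}

def active_factor(enrolled, factor_type):
    """Return the ACTIVE factor of the requested type, or None if the user must enroll."""
    return next((f for f in enrolled
                 if f["factorType"] == factor_type and f["status"] == "ACTIVE"), None)

def plan_step(tenant_url, user_id, factor_type, enrolled, profile=None):
    """Decide enroll vs challenge for the factor the user chose and build the request."""
    if factor_type not in FACTOR_TYPES:
        raise ValueError(f"unsupported factorType: {factor_type}")
    base = f"{tenant_url.rstrip('/')}/api/v1/users/{user_id}/factors"
    factor = active_factor(enrolled, factor_type)
    if factor is None:
        # First login on this factor: enroll it; the user then activates it with a pass code
        # via POST {base}/{factorId}/lifecycle/activate (not modelled here).
        body = {"factorType": factor_type, "provider": "OKTA"}
        if profile:  # e.g. {"phoneNumber": ...} for sms, {"email": ...} for email
            body["profile"] = profile
        return {"step": "enroll", "method": "POST", "url": base, "body": body}
    # Already enrolled: challenge. A verify with no pass code sends the OTP or push;
    # the user's answer is then posted to the same endpoint as {"passCode": ...}.
    return {"step": "challenge", "method": "POST",
            "url": f"{base}/{factor['id']}/verify", "body": {}}

def challenge_outcome(verify_response):
    """Map the factorResult of a verify call to the webflow's next transition."""
    result = verify_response.get("factorResult")
    if result == "SUCCESS":
        return "continue"   # MFA validated: connect the user to the application
    if result == "WAITING":
        return "poll"       # Okta push: keep polling until approved or timed out
    if result == "CHALLENGE":
        return "prompt"     # sms/email/TOTP: show the view that asks for the code
    return "deny"           # REJECTED, TIMEOUT or anything unexpected fails closed
```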

Misagh

Oct 12, 2023, 3:55:03 AM
to Nina Nedjar, cas...@apereo.org
> We also want to carry out a PR so that this module is added to the CAS project. How can we do this? Do you have any recommendation?

Yes. Please see:
https://apereo.github.io/cas/developer/Contributor-Guidelines.html

> Can this Okta MFA module be part of a release and if so in which one?

When and if a PR is merged, it will be part of a release. Which
release depends on when that merge happens.