CAS MFA 2014 Update
Uploaded by misagh-moayyed (category: Software)
Transcript of CAS MFA 2014 Update
Introduction
Objectives
Architecture Overview
Going Forward
Questions and Discussion
Open Apereo - June 1-4 2014
This session will describe the latest extensions developed to enable multifactor authentication with CAS. The presentation will involve an overview of requirements, features and technical designs and may also touch upon feasibility of further contribution to the CAS community as well as a general roadmap.
CAS Committer and PMC member
3 years with Unicon; 5 years with Jasig/Apereo
Technical lead for Unicon’s Open Source Support for CAS
https://twitter.com/misagh84
https://github.com/mmoayyed
Support, services, training, managed services and custom projects on and around enterprise open source in and around higher education
Identity and Access Management team working with CAS, Shibboleth, Grouper, OpenRegistry, …
Open Source Support for CAS, Shibboleth, Grouper, Sakai, uPortal, uMobile, SSP, …
Additional steps to authenticate users
◦ Something you know/have/are?
Strategies to communicate the extra step
Configuration of authentication context fulfillment
Strategies to validate the authenticated assertion
CAS extension on top of CAS 3.5.2
Support authentication using multiple factors
Support for relying parties to understand the authenticated context
Support for relying parties exerting authentication strength requirements
https://github.com/Unicon/cas-mfa
Architecture Overview
Via authn_method parameter:
◦ /cas/login?service=…&authn_method=strong_two_factor
CAS MFA Argument Extractor:
CAS uses Spring Webflow to direct the login flow
AuthN methods are then specified as subflows
◦ Primary AuthN handler to execute
◦ Invoke the appropriate subflow
Subflows define how authentication should take place for the Nth factor
Subflows can be chained!
Every subflow contains two files:
◦ mfa_flowid_servlet.xml
◦ mfa_flowid_webflow.xml
mfa_strong_two_factor_webflow.xml:
Achieve MFA by chaining subflows
For example, hulk_strong_mfa may be:
◦ First, authN via LDAP
◦ Then, authN via PIN
◦ Then, authN via blood sample…
◦ Then…
Note: authentication methods cannot change the primary authentication method.
Disclaimer: There is no BloodSampleAuthenticationHandler in CAS!
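The chaining the slide describes, as an added stand-alone Python model (not code from the cas-mfa project or the deck): a fixed primary handler runs first, and a method token such as strong_two_factor or hulk_strong_mfa selects an ordered chain of further factors, all of which must pass before the method is recorded as an authentication attribute. The handler names, the in-memory user store and the PIN values are constructed for this example; there is still no BloodSampleAuthenticationHandler, here it simply fails.

```python
"""Chained MFA subflows as a stand-alone model.

Added example, not code from the cas-mfa project or the slides.  It models the
shape the deck describes: a fixed primary authentication handler runs first,
and a named authn_method selects an ordered chain of additional factors, all of
which must succeed.  Handler names, the sample user store and the PINs below
are constructed for this example.
"""
from dataclasses import dataclass, field
from hmac import compare_digest
from typing import Callable, Dict, List, Optional

# Constructed stand-in for an LDAP directory (username -> password).
PRIMARY_STORE = {"alice": "correct horse", "bob": "battery staple"}
# Constructed second-factor enrolment (username -> PIN); bob is not enrolled.
PIN_STORE = {"alice": "4821"}


@dataclass
class Credentials:
    username: str
    password: str = ""
    pin: str = ""


@dataclass
class Authentication:
    principal: str
    # The satisfied method is remembered as an attribute, the role the deck
    # assigns to RememberAuthenticationMethodMetaDataPopulator in cas-mfa.
    attributes: Dict[str, str] = field(default_factory=dict)


Handler = Callable[[Credentials], bool]


def ldap_handler(creds: Credentials) -> bool:
    """Primary factor: password check against the constructed directory."""
    expected = PRIMARY_STORE.get(creds.username)
    return expected is not None and compare_digest(expected.encode(), creds.password.encode())


def pin_handler(creds: Credentials) -> bool:
    """Second factor: PIN check; users with no enrolled PIN fail closed."""
    expected = PIN_STORE.get(creds.username)
    return expected is not None and compare_digest(expected.encode(), creds.pin.encode())


def blood_sample_handler(creds: Credentials) -> bool:
    """Placeholder third factor from the slide's joke. It always fails, so the
    hulk_strong_mfa chain can never be satisfied in this model."""
    return False


# Hypothetical subflow registry: authn_method token -> ordered extra factors.
# The two method names are the ones used on the slides.
SUBFLOWS: Dict[str, List[Handler]] = {
    "strong_two_factor": [pin_handler],
    "hulk_strong_mfa": [pin_handler, blood_sample_handler],
}


def authenticate(creds: Credentials, authn_method: Optional[str] = None) -> Optional[Authentication]:
    """Run the primary handler, then the chain named by authn_method.

    Returns an Authentication on success and None on any failed factor.  The
    primary handler is not selectable by the caller: a subflow can only add
    factors after it, never replace it.
    """
    if not ldap_handler(creds):
        return None
    authn = Authentication(principal=creds.username)
    if authn_method is None:
        return authn  # plain single-factor login: no method attribute recorded
    chain = SUBFLOWS.get(authn_method)
    if chain is None:
        raise ValueError(f"unknown authn_method: {authn_method!r}")
    for factor in chain:
        if not factor(creds):
            return None  # fail closed: every factor in the chain must pass
    authn.attributes["authn_method"] = authn_method
    return authn


if __name__ == "__main__":
    print(authenticate(Credentials("alice", "correct horse", "4821"), "strong_two_factor"))
    print(authenticate(Credentials("bob", "battery staple", "0000"), "strong_two_factor"))
```

A user who is not enrolled for a factor fails that factor rather than skipping it, and a wrong primary password never reaches the chain, so the extra factors cannot be used to probe whether a password was right.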
Whence you authenticate, CAS does not care
Neither does CAS MFA extension!
Use available authN handlers, or write your own
mfa_strong_two_factor_servlet.xml:
Remembering & Validating AuthN Context
AuthN methods are remembered as Authentication attributes
This is achieved via RememberAuthenticationMethodMetaDataPopulator.java
AuthN methods are returned to relying parties
AuthN methods are single exact tokens remembered by CAS.
No strategy to rank or combine, or substitute, yet!
CAS will delegate to:
◦ Primary AuthN flow if no SSO session
◦ MFA AuthN subflow, if authN method mismatch
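The two pieces described on the Architecture Overview slides, the argument extractor that reads authn_method from the /cas/login request and the delegation decision on these slides, as one added Python example (not code from the cas-mfa project or the deck). The allow-list of method tokens, the example hostnames and the session dictionaries are constructed; the method names strong_two_factor and hulk_strong_mfa come from the slides, and rejecting an unknown or repeated authn_method value is this example's choice rather than documented cas-mfa behaviour.

```python
"""Argument extraction and flow routing for a requested authn_method.

Added example, not code from the cas-mfa project or the slides.  It models two
things the deck describes: the argument extractor that reads authn_method from
the /cas/login request, and CAS choosing between the primary flow, an MFA
subflow, or plain SSO by comparing the requested method with the single exact
token remembered in the SSO session.  The allow-list, URLs and session
dictionaries below are constructed; the method names come from the slides.
"""
from typing import Dict, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed allow-list of subflow ids this deployment has defined.
KNOWN_METHODS = frozenset({"strong_two_factor", "hulk_strong_mfa"})


def extract_authn_method(login_url: str) -> Optional[str]:
    """Read authn_method from the outer query string of a /cas/login URL.

    Only the top-level parameter counts: a percent-encoded copy inside the
    'service' value belongs to the relying party's URL and is ignored.  An
    unknown or repeated value is rejected rather than mapped to a default
    (this example's choice, not documented cas-mfa behaviour).
    """
    params = parse_qs(urlsplit(login_url).query, keep_blank_values=True)
    values = params.get("authn_method", [])
    if not values:
        return None
    if len(values) != 1:
        raise ValueError("authn_method must appear at most once")
    method = values[0]
    if method not in KNOWN_METHODS:
        raise ValueError(f"unknown authn_method: {method!r}")
    return method


def route(requested: Optional[str], sso_session: Optional[Dict[str, str]]) -> str:
    """Pick the flow that handles this request.

    sso_session is None when there is no ticket-granting ticket; otherwise it
    holds the remembered Authentication attributes, for example
    {'authn_method': 'strong_two_factor'}.  Matching is exact string equality:
    there is no ranking, combining or substitution of methods.
    """
    if sso_session is None:
        # No SSO session: primary authentication runs first; the requested
        # subflow, if any, follows it.
        return "primary"
    if requested is None:
        return "issue_service_ticket"  # ordinary SSO, no extra requirement
    remembered = sso_session.get("authn_method")
    if remembered == requested:
        return "issue_service_ticket"  # already satisfied with this exact token
    return f"mfa_subflow:{requested}"  # mismatch or nothing remembered: run the subflow


def handle_login(login_url: str, sso_session: Optional[Dict[str, str]]) -> str:
    """Glue the two steps together for one incoming login request."""
    return route(extract_authn_method(login_url), sso_session)
```

Because the comparison is an exact token match, a session that already carries hulk_strong_mfa is not treated as satisfying a request for strong_two_factor; the deck lists ranking of methods as future work, and this example deliberately does not anticipate it.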
Going Forward
AuthN methods via JSON service registry
AuthN methods via principal attribute
Ability to rank authN methods
Support for Duo Security MFA
◦ Remain vendor agnostic
Enhancements to Java CAS Client
◦ Support existing applications
https://github.com/Unicon/cas-mfa
https://twitter.com/misagh84
https://github.com/mmoayyed