Info |
---|
Level Of Assurance. Developers: Marvin & Jérôme. Add the concept of LOA in CAS server: Level Of Assurance - Head document. This feature depends on MFA being available and will be done in conjunction with CAS 4.0 Protocol Rev. Targeting CAS 4.1/5.0 |
The reason I write this Request for Change on the wishlist is that some of us CAS users in Sweden have found that different applications need different assurance levels regarding the authentication handler and the user identity. For example, a personalized page may just need a simple self-asserted identity, a student portal needs a proofed identity with a username and password login, and a web page where examiners report the students' results may need a one-time password (OTP) or certificate login.

What we can see is that there is a good "industry standard" for level of assurance in the combination of OMB M-04-04 (http://www.whitehouse.gov/omb/memoranda/fy04/m04-04.pdf) and NIST SP 800-63 (http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf). We do not want to go the technical way and say that we demand OTP for login or username/password for login, due to the fact that the login technique changes over time and is a question for the CAS server, not the application server. So what we want to do is to make CAS level-of-assurance aware.

To use multiple CAS installations to accommodate this functionality is not a very good solution, because then you need to install, configure and support multiple CAS installations. Furthermore, the application deployers must think more than once when they configure which CAS server should be used for the application.
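The following is an added example, not code from the CAS project or from the author of this request. It models the decision a level-of-assurance aware CAS server would make: the application only states the level it needs (1 to 4 on the NIST SP 800-63 scale), CAS alone maps its authentication handlers to levels, and a session that is too weak for a service is sent to step-up authentication on the same SSO session rather than to a second CAS installation. The handler names, the handler-to-level table, the service URLs and the released attribute names are all assumptions made for illustration.

```python
"""Model of a level-of-assurance (LOA) aware CAS policy decision.

Added example, not CAS code. Levels follow the NIST SP 800-63 scale
(1 = little or no confidence ... 4 = very high confidence); the handler
names, the handler-to-level mapping and the service registry below are
constructed for illustration.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatch

# Assumed mapping: which LOA each CAS authentication handler can vouch for.
# Only CAS knows this table; applications never name a handler, they only
# ask for a level, so the table can change when login techniques change.
HANDLER_LOA = {
    "SelfAssertedHandler": 1,     # user typed a name, nothing was verified
    "LdapPasswordHandler": 2,     # proofed identity, single factor
    "OtpHandler": 3,              # one-time password as a second factor
    "X509CertificateHandler": 4,  # certificate on a hardware token
}


@dataclass
class Service:
    pattern: str       # glob matched against the service URL
    required_loa: int  # the level the application asks for


@dataclass
class SsoSession:
    principal: str
    handlers: list = field(default_factory=list)  # handlers that succeeded so far

    def achieved_loa(self):
        # The session is as strong as the strongest handler that succeeded.
        return max((HANDLER_LOA.get(h, 0) for h in self.handlers), default=0)


# Constructed registry mirroring the three applications in the request.
SERVICE_REGISTRY = [
    Service("https://www.example.edu/my/*", 1),      # personalized page
    Service("https://www.example.edu/portal/*", 2),  # student portal
    Service("https://www.example.edu/exam/*", 3),    # examiners report results
]


def lookup_service(url):
    for service in SERVICE_REGISTRY:
        if fnmatch(url, service.pattern):
            return service
    return None


@dataclass
class Decision:
    outcome: str        # "grant", "step-up" or "deny"
    achieved_loa: int
    required_loa: int
    acceptable_handlers: list = field(default_factory=list)


def decide(session, service_url):
    """Decide whether the session may receive a ticket for service_url."""
    achieved = session.achieved_loa()
    service = lookup_service(service_url)
    if service is None:
        # Unknown service: closed registry, no ticket regardless of LOA.
        return Decision("deny", achieved, 0)
    if achieved >= service.required_loa:
        return Decision("grant", achieved, service.required_loa)
    # Step-up: list the handlers that would lift the session to the level,
    # weakest first, so the login flow can offer the least intrusive one.
    stronger = sorted(
        (h for h, level in HANDLER_LOA.items() if level >= service.required_loa),
        key=lambda h: (HANDLER_LOA[h], h),
    )
    return Decision("step-up", achieved, service.required_loa, stronger)


def step_up(session, handler):
    """Record a further successful handler on the same SSO session."""
    if handler not in HANDLER_LOA:
        raise ValueError("unknown handler: " + handler)
    session.handlers.append(handler)
    return session.achieved_loa()


def loa_attributes(session):
    """Attributes CAS could release to the application (hypothetical names)."""
    return {
        "loa": str(session.achieved_loa()),
        "authenticationHandlers": list(session.handlers),
    }


if __name__ == "__main__":
    alice = SsoSession("alice", ["LdapPasswordHandler"])
    for url in ("https://www.example.edu/my/home",
                "https://www.example.edu/portal/courses",
                "https://www.example.edu/exam/report"):
        print(url, decide(alice, url))
    step_up(alice, "OtpHandler")
    print(decide(alice, "https://www.example.edu/exam/report"))
    print(loa_attributes(alice))
```

Two points of the design matter for the request above. A password login (level 2) serves both the personalized page and the student portal from one SSO session, and reaching the examiners' page only adds an OTP step to that same session, which is what makes one LOA-aware CAS preferable to several CAS installations. And because the level is computed by CAS from its own handler table, swapping a login technique (say, replacing the OTP handler with a stronger one) changes the table only; no application configuration has to be touched.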
...