...
| | Description | Level |
|---|---|---|
| ldap_strong_google | LDAP username+password, strong password policy + Google Authenticator | 45 |
| ldap_strong_sms | LDAP username+password, strong password policy + SMS | 44 |
| ldap_medium_google | LDAP username+password, medium password policy + Google Authenticator | 35 |
| ldap_medium_sms | LDAP username+password, medium password policy + SMS | 34 |
| ldap_strong | LDAP username+password, strong password policy | 33 |
| ldap_medium_lan | LDAP username+password, medium password policy on the company LAN | 32 |
| ldap_medium | LDAP username+password, medium password policy | 30 |
| trusted_partner | Trusted Partner (federation using a CAS client on our CAS server) | 20 |
| ldap_weak | LDAP username+password, weak password policy | 10 |
| | | 10 |
| | | 10 |
...
Interactions for Authentication Handlers
Each handler has an interaction that is used to gather credentials for that handler.
Authentication Handler | Interaction | Type | Precedence |
---|---|---|---|
LDAP | Basic Login (with fb, twitter, and trusted partner links) | user-interactive | 1 |
TrustedPartner | Basic Login (with fb, twitter, and trusted partner links) | user-interactive | 2 |
Facebook | Basic Login (with fb, twitter, and trusted partner links) | user-interactive | 3 |
Twitter | Basic Login (with fb, twitter, and trusted partner links) | user-interactive | 4 |
Google Authenticator | Google Authenticator Screen | user-interactive | 5 |
SMS Code | SMS Code Screen | user-interactive | 6 |
RememberMe | RememberMe Cookie Fetcher | system-interactive (silent) | 7 |
SPNEGO | SPNEGO Protocol Handler | system-interactive (silent) | 8 |
Alternatively, the TrustedPartner, Facebook, and Twitter mechanisms could each be given their own interaction:
Authentication Handler | Interaction | Type | Precedence |
---|---|---|---|
LDAP | Basic Login (with no built-in links) | user-interactive | 1 |
TrustedPartner | TrustedPartner CAS redirect and validate | user-interactive | 2 |
Facebook | Facebook OAuth redirect and validate | user-interactive | 3 |
Twitter | Twitter OAuth redirect and validate | user-interactive | 4 |
Google Authenticator | Google Authenticator Screen | user-interactive | 5 |
SMS Code | SMS Code Screen | user-interactive | 6 |
RememberMe | RememberMe Cookie Fetcher | system-interactive (silent) | 7 |
SPNEGO | SPNEGO Protocol Handler | system-interactive (silent) | 8 |
In this second case, if LDAP, Facebook and Twitter were all possible interactions to satisfy the LOA, then LDAP would be shown by default (because of its precedence), but that screen would include links to the other two interactions. See the "Implementation" section at the bottom of the page for more ideas on this.
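The default-screen selection described above, run against both interaction tables, as an added example (not code from CAS or from this page). It assumes a lower precedence number wins and that the set of handlers able to satisfy the LOA is already known; `choose_interaction` and the table constants are hypothetical names.

```python
# Added example: pick the default interaction and the linked alternatives.
# Assumption: the lowest precedence number wins (LDAP, precedence 1, is the default).
USER, SILENT = "user-interactive", "system-interactive (silent)"
BASIC_LINKS = "Basic Login (with fb, twitter, and trusted partner links)"

# Rows shared by both tables: (handler, interaction, type, precedence).
COMMON = [
    ("Google Authenticator", "Google Authenticator Screen", USER, 5),
    ("SMS Code", "SMS Code Screen", USER, 6),
    ("RememberMe", "RememberMe Cookie Fetcher", SILENT, 7),
    ("SPNEGO", "SPNEGO Protocol Handler", SILENT, 8),
]
# First table: four handlers share one login screen.
SHARED_LOGIN = [
    ("LDAP", BASIC_LINKS, USER, 1),
    ("TrustedPartner", BASIC_LINKS, USER, 2),
    ("Facebook", BASIC_LINKS, USER, 3),
    ("Twitter", BASIC_LINKS, USER, 4),
] + COMMON
# Second table: each mechanism has its own interaction.
SEPARATE = [
    ("LDAP", "Basic Login (with no built-in links)", USER, 1),
    ("TrustedPartner", "TrustedPartner CAS redirect and validate", USER, 2),
    ("Facebook", "Facebook OAuth redirect and validate", USER, 3),
    ("Twitter", "Twitter OAuth redirect and validate", USER, 4),
] + COMMON


def choose_interaction(table, candidate_handlers):
    """Return (default_interaction, alternatives) for handlers that can satisfy the LOA."""
    candidates = set(candidate_handlers)
    unknown = candidates - {row[0] for row in table}
    if unknown:
        raise ValueError(f"handlers not in table: {sorted(unknown)}")
    best = {}  # interaction -> lowest precedence among the candidate handlers
    for handler, interaction, _type, precedence in table:
        if handler in candidates:
            best[interaction] = min(precedence, best.get(interaction, precedence))
    if not best:
        raise ValueError("no handler can satisfy the requested LOA")
    ordered = sorted(best, key=best.get)
    # The first interaction is rendered; the rest become links on that screen.
    return ordered[0], ordered[1:]


if __name__ == "__main__":
    for name, table in (("shared", SHARED_LOGIN), ("separate", SEPARATE)):
        print(name, choose_interaction(table, {"LDAP", "Facebook", "Twitter"}))
```

With the first table the three handlers collapse into one screen and no extra links are needed; with the second, the LDAP screen is the default and the two OAuth interactions are returned as the links to add.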
Other Possible Requirements
...