Versions Compared

Old Version 45

changes.mady.by.user Jérôme LELEU

Saved on

compared with

New Version 46

changes.mady.by.user Jérôme LELEU

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • annual acceptable use policy
  • need to increase password strength
  • need to register (or confirm) contact information such as cell #
  • need to select security Q&A
  • need to register device/browser (you've probably seen facebook do this, for example)

I think it would greatly benefit CAS to have a generalized solution for interrupt screens, and I think it could be done without much complexity by simply generalizing the concepts found in LPPE.

Jérôme :

I agree. I propose to keep this spec focused on LOA (steps 1, 2 and 3 in roadmap) and start a new spec after for other steps (4 ,5 and 6).

E) Interaction manager (new)

...

Nathan:  I think this scenario is actually much easier if we allow composition of handlers instead of using a custom combined handler.  The service requests the "LDAP + SMS" multifactor-LOA.  The server realizes that "LDAP" authentication is already fulfilled, so it simply sends the user through the "SMS" interaction and authentication handler.  If the handlers were hard-coded together into a single handler and a single interaction, there would be no easy way for the server to send the user through only the second half of the interaction and run only the second half of the authentication handler with the second-half of the credentials.  However, if the two authentication handlers are kept separate but simply composed together in the configuration, it would be easy for the server to trigger only the SMS parts of the flow.

VII. Roadmap

A)

...

Step 1

...

: only client requested LOA

For a first versionstep, the idea is to target only the LOA requested by the client (renew parameter).

It means creating the assurance policy, level of assurance and assurance evaluator, updating the authentication handler and the authentication manager and implementing the main algorithm (impacts on webflow).

B)

...

Step 2

...

: add server requested LOA

For a second versionstep, we can add the requested LOA defined in CAS server.

It means updating the registered service, the services management webapp and the main algorithm.

C)

...

Step 3

...

: add interactions

For a third versionstep, we can finally add the interactions and interactions manager and update the main algorithm (impacts on webflow).

Jérôme :

D)

...

Step 4 : add interrupt screens

By extending the current LPPE feature, a mechanism of interrupt screens could be created.

E) Step 5 : return "real" SAML information to clients

It would be usefull to return "real" SAML information, i.e. authentication contexts to the client through SAML validation.

...

F) Step 6 : support SAML authentication requests

To be able to handle very complex client requests on LOA with many parameters (and without previous definition on CAS server), the CAS server should be able to handle SAML authentication requests on /login url.

...