Versions Compared

Old Version 1

changes.mady.by.user Nathan Kopp

Saved on

compared with

New Version Current

changes.mady.by.user Andrew Petro

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migrated to Confluence 5.3

I. Introduction

This document is the specification of levels of assurance (LOA) in CAS clients and server.

...

II. Authentication API in CAS server

NOTE:  This document is based on the following documents:  First Level Of Assurance Specification - Discussions and Example LOA Use Cases

A) CAS 3.5.0

In CAS server 3.5.0, an authentication manager is in charge of validating credentials. It takes credentials as input.

...

  • an authentication date
  • attributes
  • a principal with identifier and attributes.

B) CAS 4.0.0

TODO Marvin : describe briefly the new design of the authentication API in CAS server 4.0.0

 

III. New concepts or updated ones for LOA

A) Assurance Policy (new)

The CAS server has one and only AssurancePolicy. It consists of one or more AssurancePolicyLines.

...

  • method boolean validateCredential(Credential) - checks to ensure that the credentials pass some specific rules
Examples of CredentialsDetailValidator:
  • PasswordStrengthValidator(int weakest, int strongest)
  • IPSubnetRange(subnetMask, subnetPrefix)

B) Authentication handler (update)

So far, an AuthenticationHandler authenticates Credentials and is defined to support a kind of Credentials.

...

  • maybe: attribute name
  • maybe: method String getSupportedCredentialsType() - return a string representation of the type of Credentials supported by this handler
  • maybe: method YesNoMaybe principalHasSufficientCredentials(Principal p, String credentialsTypeIdentifier, List<CredentialsDetailValidator> validators) - given a non-null principal, determine if that principal is actually able to fulfill the credentials in question.  returns an enum which can indicate an unknown state

C) CredentialsGatherer (new)

An CredentialsGatherer is a way to get Credentials. Each CredentialsGatherer is defined to support a kind of Credentials it will return when called.

There are two types of CredentialsGatherer :

  • InteractiveCredentialsGatherer means the user has to give inputs as Credentials. An InteractiveCredentialsGatherer is also defined with a View to display to get user inputs. At least, one InteractiveCredentialsGatherer is defined in CAS server : the LoginPageCredentialsGatherer which supports UsernamePasswordCredentials.
  • SilentCredentialsGatherer means the CAS server will get by itself Credentials silently from the HTTP request.
The CredentialsGatherer consists of:
  • List<String> supportedCredentialsTypes- list of string representations for the types of credentials that might be gathered by this gatherer
    • alternative:  boolean supportsCredentials() method
  • For InteractiveCredentialsGatherer
    • getView() - returns something that can be used to initiate a spring web flow
    • that web flow will result in an Action that creates a "Credentials" object
    • actually, I think it would be better if interactive credentials gatherers could be plugged-in without modifying the web flow XML

D) Actions and Web Flow (updated)

The logic for authentication actions (such as AuthenticationViaFormAction) and corresponding web flows might need to be be updated and generalized.  I'm not quite sure how yet, but the goal would be to allow pluggable actions and credential gatherers without the need for updating the spring web flow or duplicating any of the login found in AuthenticationViaFormAction.  Probably generalize in a way similar to AbstractNonInteractiveCredentialsAction.  Here's a possible type hierarchy:
  • AbstractCredentialsAction
    • AbstractNonInteractiveCredentialsAction
    • AbstractInteractiveCredentialsAction
      • AbstractAuthenticationViaFormPostAction
      • AbstractAuthenticationViaRedirectAction - note that this maybe could be handled on the "non-interactive" side better (consider existing OpenID and OAuth variations)
------ NOTE: THIS DOCUMENT IS CURRENTLY INCOMPLETE... TEMPORARILY STOPPED EDITING HERE.... ------

D) Interaction manager (new)

An InteractionManager is in charge of finding the right CredentialsGatherer to try for a given CredentialRequirement.
The InteractionManager provides the following methods:
  • getGathererForCredentials(CredentialRequirement) - given a particular credentials requirement, find an appropriate gatherer

E) Ticket Granting Ticket (update)

The ticket granting ticket needs to be updated to support a list of Authentication objects instead of only a single Authentication object.

F) Authentication manager (update)

So far, an authentication manager takes credentials as input.
To support LOA, it will now take a numeric level of assurance as input also.

G) Registered service (update)

So far, a registered service supports attributes : id, name, theme, description, isAnonymous...
To support LOA, it will now define what authentication handlers it supports. None selected means all.
I think it would be better for the registered service to define a list of assurance levels (from the server's policy) that it accepts. -Nathan

H) Assurance evaluator (new)

The assurance evaluator is in charge of evaluating the LOA of the authentication given as input. It returns a numeric value.
Generally, it returns the numeric value of the LOA associated with the authentication handler used to authenticate previously the user and stored in the authentication.
In case of remember-me, the LOA returned is not the one of the authentication handler but is computed.
I would like to redefine the assurance evaluator as the system that evaluates the assurance attribute constraint expressions and determines which level(s) of assurance (single number and possibly multiple names) are fulfilled by the current set of user authentication objects. -Nathan

IV. Extension to CAS protocol

So far, the CAS server supports the renew parameter set to true to force re-authentication whatever the current authentication is.

For backward compatibility, these parameter and value will remain but new values will be possible for the renew parameter to handle LOA :

  • renew=value, the numeric value is strictly positive, it's meant to be a requested numeric LOA
  • renew=name, name is the name of an authentication handler or the name of a level of assurance.  (I recommend allowing the client to specify either a minimum number or a list of names of the level of assurance and not an individual authentication handler.  If that level of flexibility is desired, then the client should be able to specify a complete authentication constraint expression and not just an authentication handler name. Noe that with a list of names, only exact matches count. Even if the user has fulfilled a higher number but not fulfilled the requested type of authentication specified by the named level, then it doesn't count. -Nathan)
Jérôme :
I'm not sure if we should keep the availability to request LOA by authentication handler name of by constraint expression. Does it match real use case ? Does it make sense ? I think we should always request a LOA by name or numeric value, meaning a specific level and ALSO the "superior" levels.
I think I'd prefer if we created a new parameter named "loa" or something like that, instead of reusing "renew".  We would still want to preserve the behavior of "renew=true", but I think that we don't gain much by piggy-backing on the existing parameter.  I don't think it really "costs" us much to add a new "loa" parameter and it makes the protocol more understandable.
Jérôme :
I agree. We can use a parameter named "loa" instead of "renew" to avoid confusion.
Note that behavior is slightly different whether the client requests LOA by name or by number.  Here's an example.  Refer back to the table above under the "Example Assurance Policy" section.   Let's say that a user has satisfied the requirements for level 47 (renewed LDAP authentication with strong password).  In this case, the user's numeric LOA value would be 47, and they would have satisfied the following named levels: strong_ldap_renew, strong_ldap, any_ldap_renew, and any_ldap.  If a service requests "loa=30" (meaning any numeric value >=30), then the user would be allowed to access the service.  But if a service requests "loa=public_idp" (level requested by name), then the user would be prevented from accessing the service, even though their numeric value is higher.
Jérôme :
Using a name or a numeric value of LOA must lead to the same result. The only diffrence between name and numeric value is that a name should match a defined name whereas a numeric value doesn't need to match a numeric LOA because it only relies on numeric comparison (and not on exact matching).
Nathan:
In the use cases that I need to support, our central IT policies and concepts of "better" and "worse" most likely won't be agreed-upon by the entire organization.  This means that in some cases, an app (or a set of apps run by a particular department) might reject an authentication method (considering it weaker) that the rest of the organization has deemed acceptable and considers stronger.  Certainly it would be GREAT if we could just force agreement, but that just isn't the case where I work.  Our central IT department doesn't have that authority.  It would be very helpful to be able to support exceptions to the rule.
Another way to think of it is this:  This concept extends beyond pure "levels" of authentication (where one is always better than another) to "types" of authentication (where each type has pros and cons that make it better or worse under varying circumstances).  One example would be related to PCI compliance.  As an organization, we might say that the two-factor combination of a simple password plus Google Authenticator is stronger than a complex password.  But PCI rules might say that all users need a strong password regardless of whether or not they have Google authenticator.  Thus, the systems that need to be PCI compliant would need to be configured to handle an exception to the rule and reject something that the rest of the organization thinks is strong.
NEW Jérôme :
Just to be sure : you want to keep the ability to request a specific authentication method (and not a level of authentication), correct ?
But, how do you do that with authentication constraint ? What do you imagine as a syntax ?
NEW Nathan:
Take a look at bottom this document for a description: Example LOA Use Cases
Note that I've simplified the concept of the "constraint expression" so that it basically is simply an ordered list of authentication handlers (with attributes) that all need to be fulfilled.  I've eliminated "OR" and grouping, since these can be handled in other ways.

V. Main algorithm

A) Diagram

Image Removed

B) Requested LOA

1) Client requested LOA

A client requested LOA is computed from the renew parameter if this one is defined :

  • If renew is a numeric value, all authentication handlers whose LOA is superior or equals are selected
  • If renew is a LOA name, the associated numeric value is used to find the authentication handlers as previously
  • If renew is an authentication handler name, the authentication handler is selected.

2) Server requested LOA

A server requested LOA is computed from the requested registered service (service parameter).

The requested registered service gives the requested authentication handlers.

If no service is defined, all authentication handlers are requested.

3) Computed requested LOA

The requested authentication handlers are the intersection between the ones computed for client and the ones computed for server.

If no authentication handler is selected, a CAS error page is displayed : "The CAS server cannot grant the level of assurance requested by service and/or by renew parameter".

The requested LOA is the lowest numeric value of all selected authentication handlers.

C) Current LOA

The current LOA is retrieved from the authentication using the assurance evaluator.

D) Compare requested LOA and current LOA

If the current LOA is equals or superior to requested LOA, a service ticket is generated and the user is redirected to the service with this service ticket or to the generic login successfull view is displayed (if no service is requested).

If the current LOA is strictly inferior to the requested LOA, an authentication process should be started.

E) Define the needed interactions

At this step, we have the requested authentication handlers and LOA.

From these requested authentication handlers, the needed interactions can be computed using the interaction manager.

If no interaction is returned, a CAS error page is displayed : "The CAS server cannot grant the level of assurance requested by service and/or by renew parameter".

F) Process interactions

At this step, we have a list of ordered interactions to use for authentication process.

Let's start with the first interaction if it exists.

If the interaction is a system one, credentials are returned by this interaction.

  • If credentials are null, we move to the next interaction. If credentials are not null, the authentication manager is called with these credentials and the requested LOA. A principal is returned.
    • If the principal is null, we move to the next interaction. If the principal is not null, the user is authenticated and we can generate a service ticket and redirect him to the service or display the generic login successfull view (if no requested service).
If the interaction is a user one, the associated view is display to let the user fill its credentials. After the user has filled its credentials, these are submitted to the authentication manager with the requested LOA. A principal is returned.
  • If the principal is null, the user is redirected back to the view with an error message. If the principal is not null, the user is authenticated and we can generate a service ticket and redirect him to the service or display the generic login successfull view (if no requested service).
If no more interaction is available (no interaction was able to authenticate successfully a user), a CAS error page is displayed : "The CAS server cannot grant the level of assurance requested by service and/or by renew parameter".

G) Communication with Client

Ideas for a new CAS Protocol for Ticket Validation Response   -Nathan

Code Block
languagehtml/xml
titlePossible CAS Protocol 4.0 ticket validation response
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>${principal.id}</cas:user>
    <cas:proxyGrantingTicket>${pgtIou}</cas:proxyGrantingTicket>

    <cas:proxies>
       <cas:proxy>${proxy.principal.id}</cas:proxy>
       ...
    </cas:proxies>

    <cas:user-attributes>
      <cas:attrib name="${attrib.key}">${attrib.value}</cas:attrib>
      ...
    </cas:user-attributes>

    <cas:loa-number>${max_loa_number}</cas:loa-number>
 
    <cas:levels-satisfied>
       <cas:level>${level.name}<cas:level>
       ...
    </cas:levels-satisfied>

    <cas:auth-handlers>
      <cas:auth-handler name="${authhandler.name}">
        <cas:attrib name="${attrib.key}">${attrib.value}</cas:attrib>
        ...
      </cas:auth-handler>
      ...
    </cas:auth-handlers>
  </cas:authentication>

  </cas:authenticationSuccess>
</cas:serviceResponse>
Added sections:
  • NOT NECESSARILY RELATED TO LOA: user-attributes - contains attributes of the user (principal)
    • attrib - subject to the attribute release policy associated with this service - basically the same as the attributes in the SAML validation response
  • loa-number - the maximum number associated with any of the satisfied levels of assurance
  • levels-satisfied - list of the names of all assurance levels that were satisfied by the users's current session
    • level - the name of the level of assurance
  • MAYBE: auth-handlers - list of all auth handlers that have successfully authenticated for the user's current session (i.e. authentication objects) - note: this might not be needed or desired
    • auth-handler - an individual auth handler; the "name" XML attribute contains the name
      • attrib - each attribute in the authentication object can be listed here.  probably require deployer to specify which attributes should be released, or maybe include a release policy for registered services similar to that for user attributes
Jérôme :
Yes, it would be great to return user attributes.
Regarding LOA, I would return the current LOA of the user with numeric value and names, and I would add the authentication handler name used to authenticate the user.
But I thought we wanted to add these information to the SAML validation, not to the CAS one, to keep backward compatibility...
Nathan:
It would probably be fine to go that route (i.e. support the new LOA stuff only within SAML), but there was talk on the cas-dev mailing list about possibly coming out with a new revision of the CAS protocol (probably listening at a different URL), to add these types of things.
NEW Jérôme :
I agree, it would be great to improve CAS validation response, we have to try to get an agreement on that....

VI. Use cases

A) 2 webapps supporting remember-me and authentication by credentials / client requested LOA

- I access app1 and app2 as remember-me (round-trips on /login)
- I access a more secured area (requiring login/password authentication) in app2 -> I'm redirected to CAS server with renew=credentials, I need to re-authenticate, I fill my password and I'm redirected to app2 -> I get access as I'm now authenticated (not remembered)
- I access a more secured area (requiring login/password authentication) in app1 : what happens ? I'm still remembered in this one, so I'm redirected back to CAS server with renew=credentials and as I'm now authenticated in SSO session with the right LOA, I'm redirected back to application with a valid service ticket.

B) Other use cases

Note that some of these are various versions of the same story but using different scenarios.

NOTE: The following were written by Nathan.

  1. Guest -> Student -> Employee
    1. I first interact with CAS when registering for an event as a guest.
      1. For convenience I choose to use Facebook authentication.
    2. A few months later, I join the organization as a student.
      1. Through a process out of the scope of this document, I sign up for a username and password.  These credentials are connected to my existing identity, which up to this point only contained Facebook authentication information.
      2. If I attempt to access a resource intended for guests (app1), I see a login page that does include the Facebook button.
      3. If I attempt to access a resource intended for students (app2), I see a login page that does not include the Facebook authentication option.
      4. Let's say I login to app1 using Facebook, then I navigate to app2.
        1. I am presented with the login page again, this time not showing the Facebook button and including a message stating, "You must login with your username and password.  Facebook Connect is not supported for the site you are trying to reach."
        2. After I login, I am taken to the page.
    3. A few years later, I join the organization as an employee.
      1. Through a process out of the scope of this document, I am forced to increase the strength of my password to meet employee standards.  This is likely handled through a business process but also enforced using an interrupt screen in CAS that analyzes my password strength (probably by looking at authentication attributes, the assurance policy, and my organizational roles) and, if necessary, sends me to a self-service change password page after logging in.  The change password page will check my role (in my case by looking in Grouper) and will enforce the employee password policy.
      2. In this case, because password strength has been enforced prior to my accessing a service (through the use of interrupt screens and validation), the service can assume that my password is strong enough.
  2. Remember me
    1. I'm a student.
    2. I read a blog on the organization's blog site and I want to leave a comment.  I log in and check the "remember me" box.
    3. When reading another blog a few days later, I am able to leave a comment without logging in again because the "remember me" feature worked for the blog.
    4. I access the event registration web app, and it presents me with the login page because it requires an LOA number higher than that of the "remember me" feature.
  3. Trusted external IdP  - Note that this is very similar to using a public IdP like Facebook, and (like Facebook Connect) is basically a form of federation
    1. I'm an employee at a partner organization.
    2. I attempt to access the event registration web app.  On the login page, I click the link "login with username and password from partner organization."  (yes, the real message would be much less generic... more along the lines of "login with facebook" but for the partner org)
    3. I attempt to access an employee portal website, which does not accept employees from partner org.  I am shown the login screen again, with a message saying something like, "You must login with your username and password.  Partner Org login is not supported for the site you are trying to reach."
  4. Add a second factor (selected by user) when accessing enterprise app
    1. I access the employee portal and login with my username and password.
    2. I navigate to the organization PeopleSoft HR system.
    3. The system looks up some info in my account and determines that I have my cell phone registered to receive SMS messages and I have Google Authenticator configured.  It presents me with a screen showing the two options and asking me to click one.  I click on the "SMS message" option.  (Note that if I had only previously set up one of these options, the system would have selected it automatically.  If I had not previously set up either option, the system would have given me instructions telling me to set up at least one of these.)
    4. My phone receives a code as an SMS message.  I type this code into a text box on the screen and click "continue".
    5. I am granted access to the PeopleSoft HR system.
  5. Extra-strong password policy enforced for user with power-admin role - Note that this is an important LOA scenario, though it is somewhat outside of the scope of LOA in CAS as we're talking about now.  It really highlights how interrupt screens can play an important role in LOA.
    1. I'm an employee with access to the PeopleSoft HR system.
    2. I'm granted a special role in PeopleSoft that gives me lots of power.  This is registered in the organization's RBAC system (in this case Grouper).
    3. The next time I login with my username and password, some code in CAS intercepts my login and realizes that my password is not strong enough for this role.  I get sent to a screen where I must choose a stronger password.
    4. After choosing the stronger password, I login again and then am granted access to PeopleSoft.
    5. Note that PeopleSoft itself might not specifically immediately request any special password strength (beyond what would be true for all users), since it doesn't know who is accessing it when it redirects the first time.  However, after it has received and validated the ticket, it might take the opportunity to look up the person's assigned roles to ensure that their current password strength or LOA level is sufficient.  In that case it could redirect the user back to CAS with a more specific LOA request.  Alternatively, it would probably block access and notify an administrator, because the interrupt screens should have already done the work to ensure that this aspect of the LOA policy was fulfilled.
Jérôme :
I'd like you to describe more the HTTP requests and the LOA values requested.
Nathan:  I didn't include the HTTP requests because in my use cases, the LOA requirements for each service will usually be defined in the service registry instead of being via HTTP.  (This is similar to how you can register a user to force renew using the service registry.)  However, I can certainly add this information.  I'll make a new page and write up some scenarios.
See this page: Example LOA Use Cases 
I may be mistaken, but I don't see anything here which cannot be addressed by what I proposed at first. I don't see the need for authentication handlers combination (&&, ||).
Did I miss something ?
Nathan:  As I mentioned above, the expressions allow deployers to easily compose out-of-the-box authentication handlers (and related components) into flexible multi-factor handlers with very little effort.
I'm only doubtful on how to handle properly the fact a user is already authenticated by username/password and needs to authenticate by SMS in addition to the previous authentication.
Nathan:  I think this scenario is actually much easier if we allow composition of handlers instead of using a custom combined handler.  The service requests the "LDAP + SMS" multifactor-LOA.  The server realizes that "LDAP" authentication is already fulfilled, so it simply sends the user through the "SMS" interaction and authentication handler.  If the handlers were hard-coded together into a single handler and a single interaction, there would be no easy way for the server to send the user through only the second half of the interaction and run only the second half of the authentication handler with the second-half of the credentials.  However, if the two authentication handlers are kept separate but simply composed together in the configuration, it would be easy for the server to trigger only the SMS parts of the flow.

VII. Roadmap

A) Step 1 : only client requested LOA

For a first step, the idea is to target only the LOA requested by the client (renew parameter).

It means creating the assurance policy, level of assurance and assurance evaluator, updating the authentication handler and the authentication manager and implementing the main algorithm (impacts on webflow).

B) Step 2 : add server requested LOA

For a second step, we can add the requested LOA defined in CAS server.

It means updating the registered service, the services management webapp and the main algorithm.

C) Step 3 : add interactions

For a third step, we can finally add the interactions and interactions manager and update the main algorithm (impacts on webflow).

NEW Jérôme :

D) Step 4 : add interrupt screens

By extending the current LPPE feature, a mechanism of interrupt screens could be created.

E) Step 5 : return "real" SAML information to clients

It would be usefull to return "real" SAML information, i.e. authentication contexts to the client through SAML validation.

F) Step 6 : support SAML authentication requests

To be able to handle very complex client requests on LOA with many parameters (and without previous definition on CAS server), the CAS server should be able to handle SAML authentication requests on /login url.I do not understand what is the advantage of giving up SWF/MVC capability to deal with lower level concerns like state management, http request binding and validation over re-inventing custom mechanisms to do essentially the same. I'd rather concentrate on the business domain of authentication/assurance than re-inventing the wheel. (Dmitriy Kopylenko)

From Jérôme Leleu : I'd like to avoid pollution on this document, but this requires an answer. I may not have been very clear, but this document must be cross-read with the first LOA spec and for both, the reader must focus on concepts more than on technical implementations details which may be discussed futher. Last tuesday, we had a conf call and this point (using or not SWF) was a key discussion : if I understood everything clearly, we came to the loose agreement of using SWF.

An CredentialsGatherer is a way to get Credentials. Each CredentialsGatherer is defined to support a kind of Credentials it will return when called.

This concept replaces the AuthenticationViaFormAction and AbstractNonInteractiveCredentialsAction.

There are two types of CredentialsGatherer :

  • InteractiveCredentialsGatherer means the user has to give inputs as Credentials. An InteractiveCredentialsGatherer is also defined with a View to display to get user inputs. At least, one InteractiveCredentialsGatherer is defined in CAS server : the LoginPageCredentialsGatherer which supports UsernamePasswordCredentials.  This replaces AuthenticationViaFormAction.
  • SilentCredentialsGatherer means the CAS server will get by itself Credentials silently from the HTTP request.  This replaces AbstractNonInteractiveCredentialsAction.

SilentCredentialsGatherer

Currently subclasses of AbstractNonInteractiveCredentialsAction are wired directly into the Spring WebFlow as action beans.  (See SPNEGO and X.509 Certificates as examples.)  Under the new design, there would be a generic non-interative action bean always wired into the SpringWebFlow.  This action bean would be configured with a list of SilentCredentialsGatherer beans and would process each one.  The beans might use session variables for caching and to reduce duplicate work.
SilentCredentialsGatherer beans might need to have the opportunity to issue redirects (to initiate silent federation, for example).  However, these use cases might be better handled with InteractiveCredentialsGatherer beans instead.  TBD.
Possible interface methods:
  • Credentials gatherCredentials(HttpServletRequest request)

InteractiveCredentialsGatherer

Currently, this is also handled using Spring WebFlow configuration (primarily via the viewLoginForm and realSubmit states).  Instead, a generic view-state should replace viewLoginForm and a generic action-state should replace realSubmit.  These two states would call beans that delegate all the implementation-specific details to the InteractiveCredentialsGatherer.  The gatherer is responsible for selecting the view (JSP page, which could display HTML or issue a redirect), and for receiving the form post or redirect return and extracting credentials (currently handled by AuthenticationViaFormAction.doBind()).
Attributes:
  • String id
  • String displayName
  • String logoImageUrl
  • String jspViewName
Methods:
  • Credentials extractCredentails(HttpServletRequest)
    • Alternative: something SpringMVC-specific like doBind() so that we can handle errors on fields, though I'd prefer something NOT SpringMVC-specific

D) Interaction manager (new)

An InteractionManager is the action bean that is responsible for processing authentication managers for silently-gathered credentials and for choosing next right InteractiveCredentialsGatherer to try for the currently-desired level of assurance.
The InteractionManager does this:
  1. Locate all existing Authentication objects (results of past successful authentications)
    1. These are found in the current TicketGrantingTicket
  2. Locate all existing Credentials that have not yet been authenticated
    1. These were gathered by SilentCredentialsGatherer beans in an earlier step of the web flow.
  3. Authenticate all Credentials that haven't yet been authenticated (i.e. silently gathered ones).  If successful, store in the current TGT.  Create a TGT if necessary.  If unsuccessful, store some kind of flag somewhere so we don't try to process the credential again.
  4. Determine all acceptable assurance policy lines, based on incoming parameters, attributes of the registered service, and defaults.
  5. If the current set of Authentications is insufficient to satisfy any acceptable assurance policy lines, determine which types of credentials would be necessary to come into compliance.
  6. If multiple types of credentials would be valid, choose one based on pre-configured preferences/rules.  Place the others into a list and put that list.
  7. Locate the corresponding InteractiveCredentialsGatherer.
  8. Locate InteractiveCredentialsGatherers for all of the alternative possible credentials, and put those into a list.
  9. Show the view for the selected InterativeCredentialsGatherer.

E) Ticket Granting Ticket (update)

The ticket granting ticket needs to be updated to support a list of Authentication objects instead of only a single Authentication object.

F) Authentication manager (update)

The authentication manager takes credentials and returns an authentication.  Currently it is called directly by SpringMVC actions (such as AuthenticationViaFormAction and subclasses of AbstractNonInteractiveCredentialsAction).  Instead, the new CredentialsGatherer beans will be calling the authentication manager.
NOTE: currently the SWF action (AuthenticationViaFormAction) does not use AuthenticationManager directly, but instead the CentralAuthenticationService facade API is used (Dmitriy Kopykenko)
The authentication manager will always store the following attributes in a successful Authentication object:
  • name of the authentication handler
  • name of the credentials type

G) Registered service (update)

So far, a registered service supports attributes : id, name, theme, description, isAnonymous...
New optional attributes:
  • List of acceptable named lines from the assurance policy.
  • Minimum acceptable LOA value
If both are listed, that means: "Accept any value greater than or equal to the minimum, PLUS any lines listed by name."

H) Assurance evaluator (new)

Given a TGT containing a list of successful Authentication objects, the assurance evaluator computes two things:
  • a numeric value indicating the maximum assurance that is guaranteed by this set of Authentication objects.  (This is the row with the maximum value such that all lines with lesser values are also fulfilled.)
  • a list of all lines of the assurance policy that are fulfilled by this set of Authentication objects

IV. Extension to CAS protocol

So far, the CAS server supports the renew parameter set to true to force re-authentication whatever the current authentication is.

LOA requirements can be specified using a new parameter named "loa":

  • loa=<number>
    • Any lines in the assurance policy that matches this strength or greater are all acceptable.
  • loa=<comma-separated-list>
    • Any lines named in the comma-separated list are all acceptable.
  • loa=<number>,<comma-separated-list>
    • Any line in the assurance policy that matches this strength or greater OR any lines named in the comma-separated list are all acceptable.

V. Main algorithm

A) Diagram

 

G) Communication with Client

Ideas for a new CAS Protocol for Ticket Validation Response

Code Block
languagehtml/xml
titlePossible CAS Protocol 4.0 ticket validation response
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>${principal.id}</cas:user>
    <cas:proxyGrantingTicket>${pgtIou}</cas:proxyGrantingTicket>

    <cas:proxies>
       <cas:proxy>${proxy.principal.id}</cas:proxy>
       ...
    </cas:proxies>

    <cas:user-attributes>
      <cas:attrib name="${attrib.key}">${attrib.value}</cas:attrib>
      ...
    </cas:user-attributes>

    <cas:loa-number>${max_loa_number}</cas:loa-number>
 
    <cas:levels-satisfied>
       <cas:level>${level.name}<cas:level>
       ...
    </cas:levels-satisfied>

    <cas:auth-handlers>
      <cas:auth-handler name="${authhandler.name}">
        <cas:attrib name="${attrib.key}">${attrib.value}</cas:attrib>
        ...
      </cas:auth-handler>
      ...
    </cas:auth-handlers>
  </cas:authentication>

  </cas:authenticationSuccess>
</cas:serviceResponse>

Added sections:
  • NOT NECESSARILY RELATED TO LOA: user-attributes - contains attributes of the user (principal)
    • attrib - subject to the attribute release policy associated with this service - basically the same as the attributes in the SAML validation response
  • loa-number - the maximum number associated with any of the satisfied levels of assurance
  • levels-satisfied - list of the names of all assurance levels that were satisfied by the users's current session
    • level - the name of the level of assurance
  • MAYBE: auth-handlers - list of all auth handlers that have successfully authenticated for the user's current session (i.e. authentication objects) - note: this might not be needed or desired
    • auth-handler - an individual auth handler; the "name" XML attribute contains the name
      • attrib - each attribute in the authentication object can be listed here.  probably require deployer to specify which attributes should be released, or maybe include a release policy for registered services similar to that for user attributes

Note: Would it be better to use a JSON format validation response for the new CAS protocol response?  Easier to parse, less clumsy, more concise? -Andrew Petro

VI. Use cases

See Example LOA Use Cases