...
- LDAP username+password
- Simple password policy: 6+ characters
- Medium password policy: 8+ characters, with special characters and numbers
- Strong password policy: 12+ characters, with special characters and numbers, forced rotation
- Send code to SMS
- Google Authenticator
- Facebook Connect
- Twitter Login
- Registered machine/device/browser
- Trusted Partner (running another CAS server)
- Send code to email (used for password reset)
- Security questions and answers (used for password reset)
LOA
...
Policies and Server Config
Here is a list of some of the applications that we are protecting (or will soon be protecting) with CAS, and the corresponding LOA policy that we are discussing for that application. All of these are, of course, subject to change as we evaluate relative security and consider the direction of CAS's future LOA capabilities.
The main concept here is that each client can have it's own "policy" (or set of policies) that determine what it finds acceptable.
Application | User | Usage | LOA Policy for this app |
---|---|---|---|
PeopleSoft HR | all employees | self-service | (Policy A) LDAP username+password, medium password policy |
PeopleSoft HR | various HR departments | employee admin | (Policy B) One of the following:
|
PeopleSoft HR | HR admins | workforce admin | (Policy C) LDAP username+password, strong password policy + Google Authenticator or SMS |
PeopleSoft Financials | various departments | budgets, etc. | (Policy B) One of the following:
|
PeopleSoft Financials | financial admins | GL, etc. | (Policy C) LDAP username+password, strong password policy + Google Authenticator or SMS |
Employee Portal | all employees & some volunteers | news, announcements, forms, self-service, payroll, etc. | (Policy D) One of the following:
|
E-Commerce site | all employees & some volunteers | purchase supplies | (Policy D) One of the following:
|
Fund raising tools | all employees | Track donations, view donor information | (Policy D) One of the following:
|
Google Apps | all employees | Email, documents, etc | (Policy D) One of the following:
|
Google Apps | executives | Email, documents, etc. | (Policy E) LDAP username+password, strong password policy |
Social networking site | employees, guests, students, alumni | connecting and sharing info | (Policy F) One of the following:
|
Event Registration Site | guests and students | register for events | (Policy F) One of the following:
|
Event Registration Site | employees | create and manage events | (Policy D) One of the following:
|
Password Reset* | most employees | reset forgotten password | (Policy G) One of the following:
|
Password Reset* | executives, HR, Finance, and admins | reset forgotten password | (Policy H) One of the following:
|
* In this example, I'm considering the possibility of using CAS+LOA to protect our "forgotten password" self-service feature. However, this is just an idea I'm exploring as opposed to a "requirement."
Authentication "Levels" / Policy Defined on the Server
Here is one way that we might wish to define our levels of authentication in a root policy on the server. These are subject to change based on research and evaluation by our IT security expert.
Description | Level | Authentication Handler Ordered List | |||
---|---|---|---|---|---|
ldap_strong_google | (LDAP username+&password, strong password policy) + (Google Authenticator) | 45 | ldap(password_strength>=12), google_auth | ||
ldap_strong_sms | (LDAP username+&password, strong password policy) + (SMS) | 44 | ldap(password_strength>=12), sms_code | ||
ldap_medium_google | (LDAP username+&password, medium password policy) + (Google Authenticator) | 35 | ldap(password_strength>=8), google_auth | ||
ldap_medium_sms | (LDAP username+&password, medium password policy) + (SMS) | 34 | ldap_ldap(password_strength>=8), sms_code | ||
ldap_strong | LDAP username+&password, strong password policy | 33 | ldap(password_strength>=12) | ||
ldap_medium_lan | (LDAP username+&password, medium password policy) + (on the company LAN) | 32 | ldap(password_strength>=8), local_ip_addr | ||
ldap_medium | LDAP username+&password, medium password policy | 30 | ldap(password_strength>=8) | ||
trusted_partner | Trusted Partner (federation using a CAS client on our CAS server) | 20 | * | 20 | partner_cas_client |
ldap_weak | LDAP username+&password, weak password policy | 10 | ldap | ||
10 | facebook_oauth | ||||
10 |
Other Possible Requirements
We are also considering other requirements.
- For some services, if the request not coming from an IP within the user's home country, require Google Authenticator or SMS code in addition to LDAP.
- For some services, require user to register device/browser (like the way Facebook works). Maybe require extra authentication (like email code or secret Q&A) if registering a new machine. This might replace the "on the company LAN" LOA constraint.
- Add the ability for users to generate a temporary-use token that can be given out (e.g. to allow tech-support staff to temporarily login as the user). This type of credential would have an LOA equal to the authentication method that was used to generate the token... up to a maximum probably equivalent to a medium-strenth password. Some services (such as password reset) would need to be able to opt-out of supporting this feature. If the LOA subsystem is flexible enough, it could easily support this kind of feature.
LOA logic that should be handled by interrupt screens and triggered by the user's role
- If user is an employee, require at least medium password policy (otherwise, only require the weak password policy)
- If user is given mega-admin access to HR or Financials, require strong password policy
- If user is given normal departmental access to HR or Financials, require registration of SMS cell number or Google Authenticator
- If user is placed in the "executives" group, require strong password policy
- If user is an employee, recommend (or maybe require) registration of SMS cell number or Google Authenticator
Scenarios and Implementation
An HR employee outside the LAN accesses event registration to register for an event, then accesses the social networking site, then accesses employee portal, then accesses PeopleSoft HR.
...
- The event registration system redirects them to CAS, and includes "loa=10". (Alternatively, the service might have been pre-registered with the server with an LOA attribute set to "10".)
- The CAS server determines that the user's current LOA (not logged in = 0) is insufficient.
- The CAS server looks up in the LOA policy table and discovers that all possibilities will satisfy this requirement.
- The CAS server looks at the first authentication handler for each LOA row (this matters for rows that specify multiple authentication handlers). It finds: "LDAP", "Trusted Partner", "Facebook", and "Twitter".
- The CAS server looks up the "interaction" settings for each of these authentication handlers, and discovers that all four list "standard login page" as their interaction. When showing the login page as part of the interaction, the system injects the list of acceptable authentication handlers.
- The CAS server shows the standard login page (as defined by the interaction), and this page displays the username/password form as well as links to login with Facebook, Twitter, and "Trusted Partner."
- The user selects "Login with Facebook", enters her Facebook info, and proceeds.
- Before generating the service ticket, the CAS server computes the LOA and double-checks to ensure that the user's current LOA (now 10) is sufficient for the service (either as communicated via redirect parameter or as registered in the service registry).
- As the CAS client is validating the service ticket, it receives metadata about the method of authentication (authproviders="facebook", namedLOAs="facebook") and the computed LOA (10). The CAS client also has the ability to verify that the authentication details (including computed LOA and specific authprovider info) is acceptable.
...
- The employee portal redirects the user to the CAS server. The site is pre-registered with an LOA attribute of "10".
- The CAS server determines that the user's current LOA (10) is sufficient.
- The CAS server generates a service ticket and immediately sends the user back.
- The service ticket is validated, the site accepts the LOA metadata, and the user uses the site.
...
- The employee portal redirects the user to the CAS server, and includes "loa=20"
- The CAS server determines that the user's current LOA (10) is insufficient.
- The CAS server looks up in the LOA policy table and finds the list of rows that will satisfy this requirement.
- The CAS server looks at the first authentication handler for each LOA row (this matters for rows that specify multiple authentication handlers). It finds: "LDAP" and "Trusted Partner"
- The CAS server looks up the "interaction" settings for each of these authentication handlers, and discovers that all four list "standard login page" as their interaction. When showing the login page as part of the interaction, the system injects the list of acceptable authentication handlers.
- The CAS server shows the standard login page (as defined by the interaction), and this page displays the username/password form as well as a link to login with "Trusted Partner." The "Facebook" and "Twitter" links are NOT included because they are not on the list of acceptable providers. Also, a message might be displayed on the screen that says: "Although you already logged in using Facebook, the website you are trying to access does not accept Facebook authentication. Please use one of the methods listed below."
- The user types her corporate username and password to login.
- Before generating the service ticket, the CAS server computes the LOA and double-checks to ensure that the user's current LOA (now 30) is sufficient for the service.
- As the CAS client is validating the service ticket, it receives metadata about the method of authentication (authproviders="facebook, ldap", namedLOAs="facebook, ldap_medium") and the computed LOA (30).
...
twitter_oauth |
*Our "Trusted Partner" is running a CAS server and we'll be using a CAS client to provide a form of federation, similar to "connect using facebook".
Interactions for Authentication Handlers
Each handler has an interaction that is used to gather credentials for that handler.
Authentication Handler | Interaction | Type | Precedence | Name | Interaction View |
---|---|---|---|---|---|
LDAP | Basic Login | user-interactive | 8 | ldap | login.jsp |
TrustedPartner | TrustedPartner CAS redirect and validate | user-interactive | 7 | partner_cas_client | partner_cas.jsp |
Facebook OAuth redirect and validate | user-interactive | 6 | facebook_oauth | initiate_facebook.jsp | |
Twitter OAuth redirect and validate | user-interactive | 5 | twitter_oauth | initiate_twitter.jsp | |
Google Authenticator | Google Authenticator Screen | user-interactive | 4 | google_auth | google_auth.jsp |
SMS Code | SMS Code Screen | user-interactive | 3 | sms_code | sms_code.jsp |
RememberMe | RememberMe Cookie Fetcher | system-interactive (silent) | 2 | remember_me_cookie | |
Company LAN | IP Lookup | system-interactive (silent) | 1 | local_ip_addr |
Other Possible Requirements
We are also considering other requirements.
- For some services, if the request not coming from an IP within the user's home country, require Google Authenticator or SMS code in addition to LDAP.
- For some services, require user to register device/browser (like the way Facebook works). Maybe require extra authentication (like email code or secret Q&A) if registering a new machine. This might replace the "on the company LAN" LOA constraint.
- Add the ability for users to generate a temporary-use token that can be given out (e.g. to allow tech-support staff to temporarily login as the user). This type of credential would have an LOA equal to the authentication method that was used to generate the token... up to a maximum probably equivalent to a medium-strenth password. Some services (such as password reset) would need to be able to opt-out of supporting this feature. If the LOA subsystem is flexible enough, it could easily support this kind of feature.
LOA logic that should be handled by interrupt screens and triggered by the user's role
- If user is an employee, require at least medium password policy (otherwise, only require the weak password policy)
- If user is given mega-admin access to HR or Financials, require strong password policy
- If user is given normal departmental access to HR or Financials, require registration of SMS cell number or Google Authenticator
- If user is placed in the "executives" group, require strong password policy
- If user is an employee, recommend (or maybe require) registration of SMS cell number or Google Authenticator
Scenarios and Implementation
An HR employee outside the LAN accesses event registration to register for an event, then accesses the social networking site, then accesses employee portal, then accesses PeopleSoft HR.
- An HR employee (using a computer outside of the organization's LAN) accesses the event registration system.
- The event registration system redirects them to CAS, and includes "loa=10". (Alternatively, the service might have been pre-registered with the server with an LOA attribute set to "10".)
- The CAS server determines that the user's current LOA (not logged in = 0) is insufficient.
- The CAS server looks up in the LOA policy table and discovers that all possibilities will satisfy this requirement.
- The CAS server looks at the first authentication handler for each LOA row (this matters for rows that specify multiple authentication handlers). It finds: "LDAP", "Trusted Partner", "Facebook", and "Twitter".
- The CAS server looks up the "interaction" settings for each of these authentication handlers. It chooses "basic login" because it has the highest precedence. When showing the login page as part of the interaction, the system injects the list of alternative interactions
- The CAS server shows the basic login JSP page (as defined by the interaction). The JSP page includes a fragment that lists the alternative interactions with links and images (e.g. "Connect with Facebook" showing the Facebook logo).
- The user selects "Login with Facebook", enters her Facebook info, and proceeds.
- Before generating the service ticket, the CAS server computes the LOA and double-checks to ensure that the user's current LOA (now 10) is sufficient for the service (either as communicated via redirect parameter or as registered in the service registry).
- As the CAS client is validating the service ticket, it receives metadata about the method of authentication (authproviders="facebook", namedLOAs="facebook") and the computed LOA (10). The CAS client also has the ability to verify that the authentication details (including computed LOA and specific authprovider info) is acceptable.
- In the same session, the same user accesses the social networking site.
- The employee portal redirects the user to the CAS server. The site is pre-registered with an LOA attribute of "10".
- The CAS server determines that the user's current LOA (10) is sufficient.
- The CAS server generates a service ticket and immediately sends the user back.
- The service ticket is validated, the site accepts the LOA metadata, and the user uses the site.
- In the same session, the same user accesses the employee portal.
- The employee portal redirects the user to the CAS server, and includes "loa=20"
- The CAS server determines that the user's current LOA (10) is insufficient.
- The CAS server looks up in the LOA policy table and finds the list of rows that will satisfy this requirement.
- The CAS server looks at the first authentication handler for each LOA row (this matters for rows that specify multiple authentication handlers). It finds: "LDAP" and "Trusted Partner"
- The CAS server looks up the "interaction" settings for each of these authentication handlers, and discovers that all four list "standard login page" as their interaction. When showing the login page as part of the interaction, the system injects the list of alternate interactions.
- The CAS server shows the standard login page (as defined by the interaction), and this page displays the username/password form as well as a link to login with "Trusted Partner." The "Facebook" and "Twitter" links are NOT included because they are not on the list of alternate interactions.
- The user types her corporate username and password to login.
- Before generating the service ticket, the CAS server computes the LOA and double-checks to ensure that the user's current LOA (now 30) is sufficient for the service.
- As the CAS client is validating the service ticket, it receives metadata about the method of authentication (authproviders="facebook, ldap", namedLOAs="facebook, ldap_medium") and the computed LOA (30).
- In the same session, the same user accesses PeopleSoft HR.
- In this case, PeopleSoft is protected by the CAS servlet filter. The filter redirects the user through the CAS server for initial authentication. The filter doesn't know who the person is yet, so it uses its lowest requirement, which is: "loa=30"
- This LOA requirement is sufficient, so the CAS server generates the service ticket, which is accepted by the servlet filter.
- PeopleSoft looks up the user's role and determines that they have the ability to manage employees, so they must conform to "Policy B."
- PeopleSoft redirects the user to the CAS server, and includes "loa=34,ldap_medium_lan". (This means that any LOA of 34 and above, plus the special exception of ldap_medium_lan" are all acceptable.)
- The server looks up in the LOA policy and finds the rows that will satisfy this requirement.
- The CAS server determines that the user is incapable of fulfilling the requirements for "ldap_strong, ldap_strong_sms, and ldap_strong_google" because the user's current password strength is only medium, so it eliminates those possibilities.
- The CAS server eliminates the "ldap_medium_lan" possibility, since the "LAN" authentication handler uses an automatic system interaction and therefore would have already been accepted if possible. (Basically, the user is once again incapable of fulfilling this requirement, so there's no point in asking them about it.)
- The CAS server is left with two possible rows in the policy table: "ldap_medium_google" and "ldap_medium_sms"
- The CAS server determines that the user has already fulfilled the "ldap" requirement for these rows.
- The CAS server looks at the first unfulfilled authentication handler for each row. It finds: "sms" and "google".
- The server finds the two interactions for these two authentication handlers and chooses the one with highest precedence, which in this case is the "google authenticator" screen. Again, the JSP page includes a snippet of code that shows the list of alternative interactions, which in this case is just a link for the SMS Code interaction.
- Because the user does not have a smartphone, she clicks the link to use the SMS Code option instead of google authenticator. The system sends the code to her pre-registered cell number and waits then displays a screen asking for the code (as part of the interaction).
- The user receives the message and types the code into the screen. It is validated.
- Before generating the service ticket, the CAS server computes the LOA and double-checks to ensure that the user's current LOA (now 34) is sufficient for the service.
- As the CAS client is validating the service ticket, it receives metadata about the method of authentication (authproviders="facebook,ldap, sms", namedLOAs="facebook, ldap_medium, ldap_medium_sms") and the computed LOA (34). The CAS filter places this information in a place where the PeopleSoft code can get it (probably an HTTP header). The PeopleSoft code once again looks up the user's role and checks to ensure that the LOA data is now acceptable.
Implementation
On the CAS Server
- A "server policy" is defined that maps names and numbers to combinations of authentication handlers
- Each "authentication handler" has an "interaction" registered which determines how credentials are gathered. It could be user-interactive (show a screen) or automatic (fetch a cookie).
- There should be some kind of precedence to determine which interactions are default.
- When a request for authentication, the following happens:
- The server determines the LOA policy for this service
- Look in the service registry to see if the service is registered and has an LOA policy defined.
- Look for an LOA parameter. The LOA parameter is a comma separated list of all LOA values that are acceptable. A numeric value means: "every LOA with this value or higher". A named value means: "also this individual level even if it is numerically lower". Only one number should be included in the list, but the list can have multiple named levels.
- If both a pre-registered LOA requirement and a parameter exist, combine them in a way that makes sense and is secure. (that "way" is to be determined)
- This combination could be labeled the "client LOA policy"... it defines what levels of assurance are deemed acceptable to the client
- Check the user's current status (list of all handlers that have already successfully authenticated) and determine if the user already satisfies the "client policy". If so, generate the service ticket and redirect the user back to the service immediately.
- Otherwise... The server determines which interaction(s)it needs to show to the user
- Find all rows in the "server policy" table that will satisfy the service's LOA requirements. Each row contains a list of authentication handlers that must be satisfied, possibly each with some attributes.
- For each row, determine if the user has already authenticated using any of the authentication handlers required for that row. If the user already authenticated with this method, but the attributes aren't satisfied, remove this row from the list of possibilities and also make a note about the unsatisfied attribute(s).
- If no rows are found, show the user an error message. The error message may include information regarding the unsatisfied attributes (such as "your password strength is too weak")
- Make a list of possible authentication handler chains based on the lists of authentication handlers for each row. Remove all already-authenticated handlers from the chains. Remove any empty chains.
- Look at the first authentication handler that remains in each chain. Look up the interaction that is registered for that action.
- Perform all automatic interactions (like fetching a cookie).
- If multiple user-interactions exist, choose the "default"
- Make a list of all alternate interactions, and put that list into the HttpServletResponse. Every interaction's JSP should include a standard snippet of code that displays these options, allowing the user can pick one of these alternatives if desired.
- Probably: Make a list of the first authentication handler in each chain and put that list into the HttpServletResponse. This is important if you have a single interaction that is designed to be used with multiple authentication handlers, such as a login screen that includes an optional "connect with Facebook" button. The interaction's JSP will probably want to take this list into account when showing or hiding various options.
- Display the interaction's JSP page
- Note that some interactions, even user-interactive ones, might not need to show a JSP page by default. For example, an OAuth interaction could immediately redirect the user to the OAuth server's login page. However, this would present a problem if there are any alternate interactions, because the user would not have been given the chance to choose one of the alternates. In this case, a JSP probably should to be displayed to give the user the choice.
- Follow the interaction's code.
- Once the interaction has been completed, go back to step "a" until either 1) LOA is fulfilled (see step "b"); or 2) no rows can be found that will satisfy the policy (see step c. iii.)
- The server adds all relevant LOA data to the user's session authentication object's, generates the service ticket, and later includes those LOA details in the ticket validation response.
- The server determines the LOA policy for this service