...
Here is one way that we might wish to define our levels of authentication in a root policy on the server. These are subject to change based on research and evaluation by our IT security expert.
Description | Level | Authentication Handler Ordered List | ||
---|---|---|---|---|
ldap_strong_google | (LDAP username&password, strong password policy) + (Google Authenticator) | 45 | ldap(password_strength>=12), google_auth | |
ldap_strong_sms | (LDAP username&password, strong password policy) + (SMS) | 44 | ldap(password_strength>=12), sms_code | |
ldap_medium_google | (LDAP username&password, medium password policy) + (Google Authenticator) | 35 | ldap(password_strength>=8), google_auth | |
ldap_medium_sms | (LDAP username&password, medium password policy) + (SMS) | 34 | ldap(password_strength>=8), sms_code | |
ldap_strong | LDAP username&password, strong password policy | 33 | ldap | _medium_(password_strength>=12) |
ldap_medium_lan | (LDAP username&password, medium password policy) + (on the company LAN) | 32 | ldap(password_strength>=8), local_ip_addr | |
ldap_medium | LDAP username&password, medium password policy | 30 | ldap(password_strength>=8) | |
trusted_partner | Trusted Partner* | 20 | partner_cas_client | |
ldap_weak | LDAP username&password, weak password policy | 10 | ldap | |
10 | facebook_oauth | |||
10 | twitter_oauth |
*Our "Trusted Partner" is running a CAS server and we'll be using a CAS client to provide a form of federation, similar to "connect using facebook".
...
Authentication Handler | Interaction | Type | Precedence | Name | Interaction View | ||
---|---|---|---|---|---|---|---|
LDAP | Basic Login | user-interactive | 8 | ldap | login.jsp | ||
TrustedPartner | TrustedPartner CAS redirect and validate | user-interactive | 7 | partner_cas_client | partner_cas.jsp | ||
Facebook OAuth redirect and validate | user-interactive | 6 | facebook_oauth | initiate_facebook.jsp | |||
Twitter OAuth redirect and validate | user-interactive | 5 | twitter_oauth | initiate_twitter.jsp | |||
Google Authenticator | Google Authenticator Screen | user-interactive | 4 | google_auth | google_auth.jsp | ||
SMS Code | SMS Code Screen | user-interactive | 3 | sms_code | sms_code.jsp | ||
RememberMe | RememberMe Cookie Fetcher | system-interactive (silent) | 2 | SPNEGO | SPNEGO Protocol Handler | systemremember_me_cookie | |
Company LAN | IP Lookup | system-interactive (silent) | 1 | local_ip_addr |
Other Possible Requirements
...
- A "server policy" is defined that maps names and numbers to combinations of authentication handlers
- Each "authentication handler" has an "interaction" registered which determines how credentials are gathered. It could be user-interactive (show a screen) or automatic (fetch a cookie).
- There should be some kind of precedence to determine which interactions are default.
- When a request for authentication, the following happens:
- The server determines the LOA policy for this service
- Look in the service registry to see if the service is registered and has an LOA policy defined.
- Look for an LOA parameter. The LOA parameter is a comma separated list of all LOA values that are acceptable. A numeric value means: "every LOA with this value or higher". A named value means: "also this individual level even if it is numerically lower". Only one number should be included in the list, but the list can have multiple named levels.
- If both a pre-registered LOA requirement and a parameter exist, combine them in a way that makes sense and is secure. (that "way" is to be determined)
- This combination could be labeled the "client LOA policy"... it defines what levels of assurance are deemed acceptable to the client
- Check the user's current status (list of all handlers that have already successfully authenticated) and determine if the user already satisfies the "client policy". If so, generate the service ticket and redirect the user back to the service immediately.
- Otherwise... The server determines which interaction(s)it needs to show to the user
- Find all rows in the "server policy" table that will satisfy the service's LOA requirements. Each row contains a list of authentication handlers that must be satisfied, possibly each with some attributes.
- For each row, determine if the user has already authenticated using any of the authentication handlers required for that row. If the user already authenticated with this method, but the attributes aren't satisfied, remove this row from the list of possibilities and also make a note about the unsatisfied attribute(s).
- If no rows are found, show the user an error message. The error message may include information regarding the unsatisfied attributes (such as "your password strength is too weak")
- Make a list of possible authentication handler chains based on the lists of authentication handlers for each row. Remove all already-authenticated handlers from the chains. Remove any empty chains.
- Look at the first authentication handler that remains in each chain. Look up the interaction that is registered for that action.
- Perform all automatic interactions (like fetching a cookie).
- If multiple user-interactions exist, choose the "default"
- Make a list of all alternate interactions, and put that list into the HttpServletResponse. Every interaction's JSP should include a standard snippet of code that displays these options, allowing the user can pick one of these alternatives if desired.
- Probably: Make a list of the first authentication handler in each chain and put that list into the HttpServletResponse. This is important if you have a single interaction that is designed to be used with multiple authentication handlers, such as a login screen that includes an optional "connect with Facebook" button. The interaction's JSP will probably want to take this list into account when showing or hiding various options.
- Display the interaction's JSP page
- Note that some interactions, even user-interactive ones, might not need to show a JSP page by default. For example, an OAuth interaction could immediately redirect the user to the OAuth server's login page. However, this would present a problem if there are any alternate interactions, because the user would not have been given the chance to choose one of the alternates. In this case, a JSP probably should to be displayed to give the user the choice.
- Follow the interaction's code.
- Once the interaction has been completed, go back to step "a" until either 1) LOA is fulfilled (see step "b"); or 2) no rows can be found that will satisfy the policy (see step c. iii.)
- The server adds all relevant LOA data to the user's session authentication object's, generates the service ticket, and later includes those LOA details in the ticket validation response.
- The server determines the LOA policy for this service
...