...
Here is one way that we might wish to define our levels of authentication in a root policy on the server. These are subject to change based on research and evaluation by our IT security expert.
Name | Description | Level | Authentication Handler Ordered List
---|---|---|---
ldap_strong_google | (LDAP username&password, strong password policy) + (Google Authenticator) | 45 | ldap(password_strength>=12), google_auth
ldap_strong_sms | (LDAP username&password, strong password policy) + (SMS) | 44 | ldap(password_strength>=12), sms_code
ldap_medium_google | (LDAP username&password, medium password policy) + (Google Authenticator) | 35 | ldap(password_strength>=8), google_auth
ldap_medium_sms | (LDAP username&password, medium password policy) + (SMS) | 34 | ldap(password_strength>=8), sms_code
ldap_strong | LDAP username&password, strong password policy | 33 | ldap(password_strength>=12)
ldap_medium_lan | (LDAP username&password, medium password policy) + (on the company LAN) | 32 | ldap(password_strength>=8), local_ip_addr
ldap_medium | LDAP username&password, medium password policy | 30 | ldap(password_strength>=8)
trusted_partner | Trusted Partner* | 20 | partner_cas_client
ldap_weak | LDAP username&password, weak password policy | 10 | ldap
| | | 10 | facebook_oauth
| | | 10 | twitter_oauth
*Our "Trusted Partner" is running a CAS server and we'll be using a CAS client to provide a form of federation, similar to "connect using facebook".
...
Authentication Handler | Interaction | Type | Precedence | Name | Interaction View
---|---|---|---|---|---
LDAP | Basic Login | user-interactive | 8 | ldap | login.jsp
TrustedPartner | TrustedPartner CAS redirect and validate | user-interactive | 7 | partner_cas_client | partner_cas.jsp
Facebook | OAuth redirect and validate | user-interactive | 6 | facebook_oauth | initiate_facebook.jsp
Twitter | OAuth redirect and validate | user-interactive | 5 | twitter_oauth | initiate_twitter.jsp
Google Authenticator | Google Authenticator Screen | user-interactive | 4 | google_auth | google_auth.jsp
SMS Code | SMS Code Screen | user-interactive | 3 | sms_code | sms_code.jsp
RememberMe | RememberMe Cookie Fetcher | system-interactive (silent) | 2 | remember_me_cookie |
SPNEGO | SPNEGO Protocol Handler | | | |
Company LAN | IP Lookup | system-interactive (silent) | 1 | local_ip_addr |
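As an added example (not code from this page or from the CAS project), the two tables above encoded as data with a small evaluator: it computes the level a session has reached from the handlers that succeeded, and, for a service demanding a given level, which handler should run next (fewest remaining steps, then the handler table's precedence). The shape of the completed-handler structure, its `password_strength` attribute, and the level names "facebook" and "twitter" for the two unnamed OAuth rows are assumptions.

```python
from typing import Dict, Optional, Tuple

# Root-policy levels from the table above: name -> (level, [(handler, min password_strength)]).
# The two OAuth rows have no name on the page; "facebook" and "twitter" are assumed here.
LEVELS = {
    "ldap_strong_google": (45, [("ldap", 12), ("google_auth", None)]),
    "ldap_strong_sms":    (44, [("ldap", 12), ("sms_code", None)]),
    "ldap_medium_google": (35, [("ldap", 8), ("google_auth", None)]),
    "ldap_medium_sms":    (34, [("ldap", 8), ("sms_code", None)]),
    "ldap_strong":        (33, [("ldap", 12)]),
    "ldap_medium_lan":    (32, [("ldap", 8), ("local_ip_addr", None)]),
    "ldap_medium":        (30, [("ldap", 8)]),
    "trusted_partner":    (20, [("partner_cas_client", None)]),
    "ldap_weak":          (10, [("ldap", None)]),
    "facebook":           (10, [("facebook_oauth", None)]),
    "twitter":            (10, [("twitter_oauth", None)]),
}
# Handler precedence from the handler table: the highest-ranked missing handler runs first.
PRECEDENCE = {"ldap": 8, "partner_cas_client": 7, "facebook_oauth": 6, "twitter_oauth": 5,
              "google_auth": 4, "sms_code": 3, "remember_me_cookie": 2, "local_ip_addr": 1}
# A session's completed handlers, handler name -> attributes it reported (assumed shape),
# e.g. {"ldap": {"password_strength": 10}, "sms_code": {}}.
Completed = Dict[str, Dict[str, int]]


def handler_ok(completed: Completed, handler: str, min_strength: Optional[int]) -> bool:
    """Handler succeeded and, where the level demands it, the password policy was met."""
    return handler in completed and (
        min_strength is None or completed[handler].get("password_strength", 0) >= min_strength)


def achieved_level(completed: Completed) -> Tuple[str, int]:
    """Highest level whose whole handler list is satisfied; ("none", 0) if no level is."""
    best = ("none", 0)
    for name, (level, handlers) in LEVELS.items():
        if level > best[1] and all(handler_ok(completed, h, s) for h, s in handlers):
            best = (name, level)
    return best


def next_handler(required: int, completed: Completed) -> Optional[str]:
    """Handler to run next to reach `required`; None if already met or unreachable."""
    if achieved_level(completed)[1] >= required:
        return None
    options = []
    for level, handlers in LEVELS.values():
        # Skip levels below the target and levels a completed handler has already failed
        # (a medium-strength LDAP password cannot reach a strong level without re-auth).
        if level < required or any(h in completed and not handler_ok(completed, h, s)
                                   for h, s in handlers):
            continue
        missing = [h for h, s in handlers if h not in completed]
        options.append((len(missing), -level, missing))  # fewest steps, then highest level
    return max(min(options)[2], key=PRECEDENCE.__getitem__) if options else None
```

With a medium-strength LDAP password already entered, a request for level 40 returns None: no strong level is reachable without re-authenticating, which is exactly the case the ordered handler lists are meant to make explicit.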
Other Possible Requirements
...