Specific Authentication Type required

The term Authentication Type refers to a TBD CAS configuration associated with a specific set of authentication handler rules. Authentication Type, as used here, is not intended to have any broader meaning.

An application requires a specific type of authentication and interacts with CAS so that a user acquires the necessary level of authentication to access the application. The application does not require proxy authentication.
In this use case, a user attempts to access an application that requires a specific type of authentication (e.g. Safeword or RSA). This is not a case of multiple factors, since only one specific factor is required, but it will use similar logic to be more specific in selecting the authentication credential than the current "use the first one that works" approach.

It appears that this use case can be satisfied without extending the CAS protocol.

Actors

  • User / Browser
  • CAS Authentication (aka CAS authN)
  • CAS validation
  • Application

Pre-Conditions

  • PRE1: CAS is configured to support multiple authentication types (multiple authentication handlers).
  • PRE2: This application is configured in the CAS service registry including the type of authentication required.
  • PRE3: A default authentication type (such as "NetidPassword") is assumed when no other type is specified; all existing services are assumed to require the default authentication type unless configured otherwise.

Flow

  1. The user / browser request goes to the application with no service ticket.
  2. The application redirects the browser to CAS authN.
  3. CAS authN uses the service string in the URL to look up the service in the service manager registry and discovers the required authentication type (PRE2).
  4. CAS uses the authN flow to meet the required type of authN.
  5. On success, CAS sends a response with the service ticket and service URL to the browser.
  6. The browser sends a request to the application with the ticket.
  7. The application sends the ticket to CAS validation.
  8. CAS validation looks up the service in the service manager registry, discovers the type of authentication required and verifies that the authN is valid for that type.
  9. CAS validation returns a CAS 2 protocol response.
  10. The user is able to use the application.
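The registry lookup and handler selection (steps 3 and 4) and the validation check (step 8) as an added example; this is not CAS code, and the service URLs, handler names and credential values are constructed for illustration.

```python
from dataclasses import dataclass

DEFAULT_AUTHN_TYPE = "NetidPassword"  # PRE3: assumed when a service specifies nothing

@dataclass
class RegisteredService:
    service_id: str                    # matched as a prefix of the service URL
    authn_type: str = DEFAULT_AUTHN_TYPE

@dataclass
class ServiceTicket:
    service: str
    authn_type: str                    # handler type that actually authenticated the user

# Constructed registry: one service requires RSA, one relies on the default (PRE3).
REGISTRY = [
    RegisteredService("https://hr.example.edu/", authn_type="RSA"),
    RegisteredService("https://wiki.example.edu/"),
]

def lookup_service(service_url):
    """Step 3: find the registry entry (PRE2) for the requested service, or None."""
    for svc in REGISTRY:
        if service_url.startswith(svc.service_id):
            return svc
    return None

# Constructed handlers keyed by authentication type; a real deployment would
# back each with its own credential verifier.
HANDLERS = {
    "NetidPassword": lambda cred: cred.get("password") == "correct-horse",
    "RSA": lambda cred: cred.get("token") == "123456",
}

def authenticate(service_url, credential):
    """Step 4: run only the handler the service requires, not the first that works.
    Returns a ServiceTicket on success, None otherwise."""
    svc = lookup_service(service_url)
    if svc is None:
        return None                    # unknown service: nothing to authenticate against
    handler = HANDLERS.get(svc.authn_type)
    if handler is None or not handler(credential):
        return None
    return ServiceTicket(service=service_url, authn_type=svc.authn_type)

def validate(ticket, service_url):
    """Step 8: confirm the ticket was issued for this service and that the
    authentication type it records meets the registry requirement."""
    svc = lookup_service(service_url)
    if svc is None or ticket.service != service_url:
        return False
    return ticket.authn_type == svc.authn_type
```

A ticket obtained through the default handler is rejected at validation for a service registered as requiring RSA, which is the check that keeps step 8 consistent with step 4.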