2010-07-20 MFA Call

Your Conference Line will be E; Press 5 off the voicemail tree.

Conference DN: 203-432-8598 Participants
Chairperson DN: 203-432-8546 (Susan)

Attending: Scott, Howard, Joe, Jen, Susan

Review Policy definition and discussion from 7/12

What is the interface between business logic and UI?

Howard suggests the business-logic-to-presentation interface is in terms of 3 questions: Am I there yet? Do I already have this credential? If I were to get this credential, would it be useful? Or ask: what credentials do you need?

Should a certificate be authenticated if not needed for the service? Does a policy need to answer whether a certain credential is needed? Or should CAS always look for all non-interactive credentials and validate those?

The Service API function is to request access and return yes or no, and return why. getServiceTicket answers yes or no and why not. Scott prefers more logic behind the service, such as what's missing. Does this change the meaning of getServiceTicket to expect that the result is not a service ticket? Not really, since failure to get a service ticket is already used in the case of an expired TGT to go back to the top of the flow.

Howard - should flow run through all the steps to gather credentials all the time? Or will the policy give a list of needed credentials?

Scott - Should all the credentials succeed or fail as a set? Or individually? Right now they succeed or fail as a set because they have to map to the same principal. To return which ones failed individually, we need to have an id for each credential. Howard had suggested the identifier could be its type name. This is ok. Joe wonders why not use the bean instance of the configured authentication method, which must match one for one with credentials.

The approach we are converging on allows the presentation to know what credentials it can get. 

CAS 3.5 Architecture

We didn't get to this really.