Possible Changes to CAS 2 Protocol for Multifactor + Proxy use case

Multifactor Authentication (MFA) to CAS is the focus of this discussion

Susan talked about Scott's CAS internals changes to facilitate MFA.

Susan talked about the proposed, or missing, UI changes to CAS to prompt users for the credential(s) missing that a service they have tried to access requires. Proxying services, like uPortal, may be satisfied as far as their level of authentication, but downstream services that uPortal authenticates them to may not be satisfied with that level.

Andrew echoed the same use case with a more concrete example. He then proceeded to point out that the CAS protocol has a method of conveying to the service that possesses a PGT that it has not authenticated "hard enough" to obtain a PT to the other service.

Marvin said that moving the responsibility to the service to determine what its minimum level of authentication is and to deal with the insufficient level may be too onerous on the individual service providers.

The concept of having the same application allowing two or more levels of authentication was brought up. Howard weighed in to discuss having to extend the CAS protocol to introduce the distinction between service identifier and the URL to redirect to after the login.

Susan and Andrew talked about the possibility of a proxying service, like uPortal, appending to its service URL a list of additional services to which proxy authentication would be anticipated, so that CAS could ensure a sufficient level of authentication. Howard added that, with n-th-level proxy authentication, predicting all the anticipated levels of authority may not be practical.

Andrew described a proposed scenario in which the user on the initial authentication could be informed that if the user were to present more credentials, the user's future experience accessing the service could be richer.

The group collectively agreed that there are theoretical use cases that may be too complex to really consider in a real-world CAS implementation.

Susan said that extending the CAS 2 protocol to be able to handle these use cases may not be appropriate. Perhaps using the SAML2 protocol is the right "solution" to such use cases.

At the end, Adam threw in the issue where proxy CAS and CAS attribute release are mutually exclusive, because proxy CAS cannot be used with SAML, which, in turn, is required (or recommended) for attribute release.