CAS MFA 2014 Update
TRANSCRIPT
Introduction
Objectives
Architecture Overview
Going Forward
Questions and Discussion
Open Apereo - June 1-4 2014
This session will describe the latest extensions developed to enable multifactor authentication with CAS. The presentation will involve an overview of requirements, features and technical designs and may also touch upon feasibility of further contribution to the CAS community as well as a general roadmap.
CAS Committer and PMC member
3 years with Unicon; 5 years with Jasig/Apereo
Technical lead for Unicon’s Open Source Support for CAS
https://twitter.com/misagh84
https://github.com/mmoayyed
Support, services, training, managed services and custom projects on and around enterprise open source in and around higher education
Identity and Access Management team working with CAS, Shibboleth, Grouper, OpenRegistry, …
Open Source Support for CAS, Shibboleth, Grouper, Sakai, uPortal, uMobile, SSP, …
Additional steps to authenticate users
◦ Something you know/have/are?
Strategies to communicate the extra step
Configuration of authentication context fulfillment
Strategies to validate the authenticated assertion
CAS extension on top of CAS 3.5.2
Support authentication using multiple factors
Support for relying parties to understand the authenticated context
Support for relying parties exerting authentication strength requirements
https://github.com/Unicon/cas-mfa
Architecture Overview
Via authn_method parameter:
◦ /cas/login?service=…&authn_method=strong_two_factor
CAS MFA Argument Extractor:
CAS uses Spring Webflow to direct the login flow
AuthN methods are then specified as subflows
◦ Primary AuthN handler to execute
◦ Invoke the appropriate subflow
Subflows define how authentication should take place for the Nth factor
Subflows can be chained!
Every subflow contains two files:
◦ mfa_flowid_servlet.xml
◦ mfa_flowid_webflow.xml
mfa_strong_two_factor_webflow.xml:
Achieve MFA by chaining subflows
For example, hulk_strong_mfa may be:
◦ First, authN via LDAP
◦ Then, authN via PIN
◦ Then, authN via blood sample…
◦ Then…
Note: authentication methods cannot change the primary authentication method.
Disclaimer: There is no BloodSampleAuthenticationHandler in CAS!
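The chaining idea on this slide, modelled as an added example (this is not cas-mfa code and uses no CAS API; the handler names, the credential tables and the flow class are hypothetical). The primary step establishes the principal, every later factor must check out for that same principal, and the chain fails closed on the first factor that does not, so a missing or wrong PIN never degrades to a password-only login. The flow id is what ends up on the resulting authentication as the authn_method attribute:

```python
"""Toy model of chained MFA subflows (added example, not cas-mfa code)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed sample credential stores for the demo only.
_LDAP_PASSWORDS = {"hulk": "smash"}
_PINS = {"hulk": "4242"}


@dataclass
class Authentication:
    """What the chain produces: one principal plus its attributes."""
    principal: str
    attributes: Dict[str, str] = field(default_factory=dict)


# A factor handler gets the principal fixed by the primary step and the
# credential presented for this step; it returns True only on success.
FactorHandler = Callable[[str, str], bool]


def ldap_handler(principal: str, password: str) -> bool:
    """Hypothetical primary factor: password check against an LDAP directory."""
    return _LDAP_PASSWORDS.get(principal) == password


def pin_handler(principal: str, pin: str) -> bool:
    """Hypothetical second factor: a PIN bound to the same principal."""
    return _PINS.get(principal) == pin


@dataclass
class MfaFlow:
    flow_id: str                   # e.g. "hulk_strong_mfa"
    factors: List[FactorHandler]   # ordered chain, primary handler first

    def authenticate(self, principal: str, credentials: List[str]) -> Optional[Authentication]:
        """Run every factor in order; any failure or missing factor fails the whole flow."""
        if len(credentials) != len(self.factors):
            return None  # a missing factor is a failure, never a shortcut
        for handler, credential in zip(self.factors, credentials):
            if not handler(principal, credential):
                return None  # fail closed on the first factor that does not verify
        # Later factors cannot change the principal the primary step established;
        # the flow id is remembered as the authn_method attribute.
        return Authentication(principal, {"authn_method": self.flow_id})


# The chain from the slide: LDAP first, then PIN (the blood sample step omitted).
HULK_STRONG_MFA = MfaFlow("hulk_strong_mfa", [ldap_handler, pin_handler])

if __name__ == "__main__":
    print(HULK_STRONG_MFA.authenticate("hulk", ["smash", "4242"]))
    print(HULK_STRONG_MFA.authenticate("hulk", ["smash", "0000"]))
```

Adding a third factor is a matter of appending another handler to the list; the flow id, not the individual handlers, is what a relying party later sees.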
Where or how you authenticate, CAS does not care
Neither does CAS MFA extension!
Use available authN handlers, or write your own
mfa_strong_two_factor_servlet.xml:
Remembering & Validating AuthN Context
AuthN methods are remembered as Authentication attributes
This is achieved via RememberAuthenticationMethodMetaDataPopulator.java
AuthN methods are returned to relying parties
AuthN methods are single exact tokens remembered by CAS.
No strategy to rank or combine, or substitute, yet!
CAS will delegate to:
◦ Primary AuthN flow if no SSO session
◦ MFA AuthN subflow, if authN method mismatch
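The two pieces described on the architecture slides, the argument extractor reading authn_method from the login URL and the delegation decision made against the remembered SSO session, modelled as one added example (not cas-mfa code; the whitelist of configured flow ids, the session dictionary and all function names are hypothetical). The comparison is the exact-token match the slide describes, so a session authenticated with one method does not satisfy a request for another, however strong it was; the model also rejects an authn_method value that names no configured subflow, which is an assumption of this example rather than something the slides state:

```python
"""Argument extraction and flow delegation for CAS MFA (added example, not cas-mfa code)."""
from enum import Enum
from typing import Dict, FrozenSet, Optional
from urllib.parse import parse_qs, urlsplit

# Flow ids that have an mfa_<flowid>_webflow.xml in this deployment.
# Constructed for the demo; a value outside this set is not trusted.
CONFIGURED_METHODS: FrozenSet[str] = frozenset({"strong_two_factor", "hulk_strong_mfa"})


def extract_authn_method(login_url: str) -> Optional[str]:
    """Model of the argument extractor: the requested authn_method if it names a
    configured subflow, else None (treated as 'no MFA requested')."""
    query = parse_qs(urlsplit(login_url).query)
    values = query.get("authn_method", [])
    if len(values) != 1:  # absent or duplicated parameter: do not guess
        return None
    return values[0] if values[0] in CONFIGURED_METHODS else None


class Target(Enum):
    PRIMARY_FLOW = "primary authn flow"     # no SSO session yet
    MFA_SUBFLOW = "mfa subflow"             # session exists, authn_method mismatch
    ISSUE_TICKET = "issue service ticket"   # session already satisfies the request


def decide_flow(sso_session: Optional[Dict[str, str]], requested: Optional[str]) -> Target:
    """Delegation rule from the slide. sso_session holds the authentication
    attributes remembered for the SSO session (authn_method among them);
    None means there is no session at all."""
    if sso_session is None:
        # Primary flow runs first; once it has produced a session, this
        # function is consulted again and the subflow is invoked on mismatch.
        return Target.PRIMARY_FLOW
    if requested is None:
        return Target.ISSUE_TICKET
    # Single exact token, no ranking or substitution.
    if sso_session.get("authn_method") != requested:
        return Target.MFA_SUBFLOW
    return Target.ISSUE_TICKET


def handle_login(login_url: str, sso_session: Optional[Dict[str, str]]) -> Target:
    """Glue: extract the requested method, then decide where to delegate."""
    return decide_flow(sso_session, extract_authn_method(login_url))


if __name__ == "__main__":
    # Constructed sample request and sessions.
    url = ("https://cas.example.edu/cas/login?service=https%3A%2F%2Fapp.example.edu%2F"
           "&authn_method=strong_two_factor")
    print(handle_login(url, None))
    print(handle_login(url, {"authn_method": "hulk_strong_mfa"}))
    print(handle_login(url, {"authn_method": "strong_two_factor"}))
```

The mismatch branch is where the "no ranking yet" limitation on this slide bites: a hulk_strong_mfa session asked for strong_two_factor goes back through the subflow, exactly as a password-only session would.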
Going Forward
AuthN methods via JSON service registry
AuthN methods via principal attribute
Ability to rank authN methods
Support for Duo Security MFA
◦ Remain vendor agnostic
Enhancements to Java CAS Client
◦ Support existing applications
https://github.com/Unicon/cas-mfa
https://twitter.com/misagh84
https://github.com/mmoayyed