This session will describe the latest extensions developed to enable multifactor authentication with CAS. The presentation will involve an overview of requirements, features and technical designs and may also touch upon feasibility of further contribution to the CAS community as well as a general roadmap.
Open Apereo - June 1-4 2015
This Session
Also see: http://lanyrd.com/2014/apereo/sdbbdh/
Introduction: Misagh Moayyed
CAS Committer; PMC member
Software Engineer/IAM Consultant
4 years with Unicon; 6 years with Apereo
https://twitter.com/misagh84
https://github.com/mmoayyed
Unicon
Support, services, training, managed services and custom projects on and around enterprise open source in and around higher education
Identity and Access Management team working with CAS, Shibboleth, Grouper, OpenRegistry, …
Open Source Support for CAS, Shibboleth, Grouper, Sakai, uPortal, uMobile, SSP, …
What is CAS MFA?
CAS extension on top of CAS 3.5.x
  ◦ Intended to be included in your Maven overlay
Support for:
  ◦ AuthN using multiple factors
  ◦ RPs to understand the authenticated context
  ◦ RPs exerting AuthN strength requirements
Available version: 1.0.0-RC1
No Webflow Changes!
CAS MFA automagically configures itself given the appropriate provider module.
Additional work may be required if you have heavily customized the webflow.
Use the provided “overlay” module as an example.
MFA Activation Options - #1
Application [group] in JSON service registry
Pluggable. Use your own service registry impl.
MFA Activation Options - #2
User attribute, defined in cas.properties:
  ◦ mfa.method.userAttribute=duo-two-factor
MFA Activation Options - #3
Opt-in authN request via authn_method parameter:
  ◦ /cas/login?service=…&authn_method=duo-two-factor
Supports all protocols that the CAS server supports!
Supported MFA Providers
CAS MFA has built-in support for:
  ◦ Duo Security
  ◦ Toopher
  ◦ YubiKey
  ◦ Authy
  ◦ RADIUS
  ◦ Custom
Include the module(s) in your Maven overlay
Provide MFA settings in cas.properties
Sample Module Configuration
Toopher 2FA authentication provider:
  toopher.apiurl=https://api.toopher.com/v1/
  toopher.consumer.key=<key>
  toopher.consumer.secret=<secret>
Default MFA Method
What if the service registry is unable to define an authN method?
Could I force MFA for all relying parties?
Yes! Define in cas.properties:
  ◦ mfa.default.authn.method=duo-two-factor
Greet & Recognize User
Greet the user based on an attribute
Define in cas.properties:
  ◦ screen.mfa.greeting.userAttribute=firstName
Ranking AuthN Methods
Strategy to resolve collisions (e.g. the service registry, the user attribute and the authn_method request each demand a different method)
Numeric ranking strategy to define weight
Lower rank = Higher weight
Translating AuthN Methods
By default, authN methods are fixed.
If you enable MFA via Duo Security, you’d get “duo-two-factor” as the authN method.
What if the user/service attribute has a different value?
Create an AuthenticationMethodTranslator
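The following is an added example, not code from the CAS MFA extension, that models how the three activation options (service registry entry, user attribute, authn_method request parameter), the default method, the numeric ranking and a translator fit together. The property keys are the ones named in these slides; the JSON registry field name "authn_method", the attribute name "mfaMethod", the ranking numbers, the non-Duo method names and the alias table are assumptions made for illustration, and the registry matching is a simplified glob rather than the real service registry implementation.

```python
"""Illustrative model of CAS MFA activation and collision resolution.

Added example, NOT code from cas-mfa. Field names, method names other than
"duo-two-factor", ranking numbers and the alias table are assumptions.
"""
from fnmatch import fnmatch
from urllib.parse import parse_qs, urlsplit

# Numeric ranking strategy: lower rank = higher weight. Numbers are assumed.
RANKING = {
    "duo-two-factor": 1,
    "yubikey-two-factor": 2,   # method name assumed
    "radius-two-factor": 3,    # method name assumed
}

# Constructed JSON service registry entries (activation option #1).
# The "authn_method" field name is an assumption.
SERVICE_REGISTRY = [
    {"serviceId": "https://hr.example.edu/*", "authn_method": "duo-two-factor"},
    {"serviceId": "https://wiki.example.edu/*"},
]

# Activation option #2: mfa.method.userAttribute names the attribute whose
# value selects the method. The attribute name is assumed.
USER_ATTRIBUTE = "mfaMethod"

# Stand-in for an AuthenticationMethodTranslator: the attribute store may
# carry values that differ from the fixed provider method names.
ALIASES = {"duo": "duo-two-factor", "yubikey": "yubikey-two-factor"}


def translate(value):
    """Map a user/service attribute value onto a fixed authN method name."""
    return ALIASES.get(value, value)


def service_method(service_url):
    """Option #1: requirement attached to the first matching registry entry."""
    for entry in SERVICE_REGISTRY:
        if fnmatch(service_url, entry["serviceId"]):
            return entry.get("authn_method")
    return None


def requested_method(login_url):
    """Option #3: authn_method query parameter on /cas/login."""
    params = parse_qs(urlsplit(login_url).query)
    values = params.get("authn_method")
    return values[0] if values else None


def resolve(login_url, user_attrs, default=None):
    """Combine the three triggers, reject unknown methods, rank collisions.

    `default` plays the role of mfa.default.authn.method; None means no MFA
    when nothing else demands one.
    """
    params = parse_qs(urlsplit(login_url).query)
    service = params.get("service", [None])[0]
    candidates = [
        service_method(service) if service else None,
        translate(user_attrs.get(USER_ATTRIBUTE)),
        requested_method(login_url),
    ]
    candidates = [m for m in candidates if m]
    for method in candidates:
        if method not in RANKING:
            # A value outside the configured set (for instance a tampered
            # request parameter) must never select an unconfigured provider.
            raise ValueError(f"unknown authentication method: {method}")
    if not candidates:
        return default
    # Collision: the lowest rank (highest weight) wins.
    return min(candidates, key=RANKING.__getitem__)
```

Because the ranked minimum is taken, a client-supplied authn_method can only raise the strength above what the service registry or user attribute already demand, never lower it, and any value not present in the ranking table is rejected outright rather than silently falling through to the default.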
Planned Changes
Support additional provider features
Location/Device aware MFA
Support CAS 4.x
Questions?
https://twitter.com/misagh84
https://github.com/mmoayyed