A Tale of Two Factors: MFA with CAS

Open Apereo - June 1-4 2015 A Tale of Two Factors: MFA with CAS Misagh Moayyed [email protected]



A Tale of Two Factors: MFA with CAS

Misagh Moayyed, [email protected]

Agenda

Introduction

Objectives

Feature Overview

Going Forward

Questions

This Session

This session will describe the latest extensions developed to enable multifactor authentication with CAS. The presentation will involve an overview of requirements, features and technical designs and may also touch upon feasibility of further contribution to the CAS community as well as a general roadmap.

Introduction: Misagh Moayyed

CAS Committer; PMC member

Software Engineer/IAM Consultant

4 years with Unicon; 6 years with Apereo

Also see: http://lanyrd.com/2014/apereo/sdbbdh/

https://twitter.com/misagh84

https://github.com/mmoayyed

[email protected]


Unicon

Support, services, training, managed services and custom projects on and around enterprise open source in and around higher education

Identity and Access Management team working with CAS, Shibboleth, Grouper, OpenRegistry, …

Open Source Support for CAS, Shibboleth, Grouper, Sakai, uPortal, uMobile, SSP, …

What is CAS MFA?

CAS extension on top of CAS 3.5.x
◦ Intended to be included in your Maven overlay

Support for:
◦ AuthN using multiple factors
◦ RPs to understand the authenticated context
◦ RPs exerting AuthN strength requirements

Available version: 1.0.0-RC1


CAS MFA on Github

https://github.com/Unicon/cas-mfa


Features


No Webflow Changes!

CAS MFA automagically configures itself given the appropriate provider module.

Additional work may be required if you have heavily customized the webflow.

Use the provided “overlay” module as an example.


MFA Activation Options - #1

Application [group] in JSON service registry

Pluggable. Use your own service registry impl.


MFA Activation Options - #2

User attribute. Define in cas.properties:
◦ mfa.method.userAttribute=duo-two-factor


MFA Activation Options - #3

Opt-in authN request via authn_method parameter:
◦ /cas/login?service=…&authn_method=duo-two-factor

Supports all protocols that the CAS server supports!


Supported MFA Providers

CAS MFA has built-in support for:
◦ Duo Security
◦ Toopher
◦ YubiKey
◦ Authy
◦ Radius
◦ Custom

Include the module(s) in your Maven overlay
Provide MFA settings in cas.properties


Sample Overlay Configuration


Sample Module Configuration

###########################################
# Toopher 2fa authentication provider
###########################################
toopher.apiurl=https://api.toopher.com/v1/
toopher.consumer.key=<key>
toopher.consumer.secret=<secret>


AuthN Method in Response

AuthN methods are returned to relying parties
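The relying-party side of this slide, as an added example that is not cas-mfa's code nor any CAS client library's: an RP reads the authN method CAS hands back after ticket validation and enforces its own strength requirement before trusting the login. It assumes the method is returned as an attribute named authn_method (the same name as the request parameter on the slides) inside cas:attributes of a CAS 3.0 /serviceValidate response; the XML responses, the user and the accepted method names are constructed for the example.

```python
"""Added example (not cas-mfa's or a CAS client's code): enforce an RP's MFA strength
requirement from the authN method returned in a CAS /serviceValidate response."""

import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed sample of a successful validation response carrying the MFA context.
# The authn_method attribute name is an assumption based on the request parameter.
SAMPLE_RESPONSE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>jsmith</cas:user>
    <cas:attributes>
      <cas:firstName>Jane</cas:firstName>
      <cas:authn_method>duo-two-factor</cas:authn_method>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed sample of a failed validation (bad or replayed ticket).
SAMPLE_FAILURE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">Ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""


def parse_validation(xml_text):
    """Return (user, attributes) for a successful response, or None on failure.

    attributes maps the local attribute name to a list of values, since CAS may
    repeat an attribute element for multi-valued attributes.
    """
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        return None
    user = success.findtext("cas:user", namespaces=CAS_NS)
    attributes = {}
    attrs = success.find("cas:attributes", CAS_NS)
    if attrs is not None:
        for child in attrs:
            local_name = child.tag.split("}", 1)[-1]  # strip the namespace URI
            attributes.setdefault(local_name, []).append((child.text or "").strip())
    return user, attributes


def satisfies(required_methods, attributes):
    """RP-side strength check: the asserted method must be one the RP accepts.

    A response with no authn_method at all is treated as single-factor and
    rejected, so the check fails closed if the MFA context is ever missing.
    """
    asserted = attributes.get("authn_method", [])
    return any(method in required_methods for method in asserted)


def authorize(xml_text, required_methods=frozenset({"duo-two-factor", "yubikey-two-factor"})):
    """Return the authenticated user only if validation succeeded AND the
    asserted authN method meets the RP's requirement; otherwise None.
    The accepted method names other than duo-two-factor are assumed."""
    parsed = parse_validation(xml_text)
    if parsed is None:
        return None
    user, attributes = parsed
    return user if satisfies(required_methods, attributes) else None


if __name__ == "__main__":
    print(authorize(SAMPLE_RESPONSE))   # jsmith
    print(authorize(SAMPLE_FAILURE))    # None
```

The point of the check is that "RPs exerting AuthN strength requirements" only holds if the RP actually inspects the returned method; an application that only looks at cas:user would accept a single-factor login just the same.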


Default MFA Method

What if service registry is unable to define authN method?

Could I force MFA for all relying parties?

Yes! Define in cas.properties:
◦ mfa.default.authn.method=duo-two-factor


Greet & Recognize User

Greet the user based on an attribute. Define in cas.properties:
◦ screen.mfa.greeting.userAttribute=firstName


Ranking AuthN Methods

Strategy to resolve collisions

Numeric ranking strategy to define weight

Lower rank = Higher weight


Translating AuthN Methods

By default, authN methods are fixed.

If you enable MFA via Duo Security, you’d get “duo-two-factor” as the authN method

What if user/service attribute has a different value?

Create an AuthenticationMethodTranslator


Translating AuthN Methods

Or, write your own.
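The server-side pieces from the preceding slides, modelled together in one added Python example (not cas-mfa's own code, which is a Java CAS overlay): the three activation options (service registry entry, user attribute, the authn_method request parameter), a translator in the spirit of an AuthenticationMethodTranslator for attribute values that do not match the fixed provider names, the numeric ranking strategy for collisions (lower rank = higher weight), and mfa.default.authn.method as the fallback when no source names a method. Everything except the names duo-two-factor, authn_method and mfa.default.authn.method is assumed: the other provider method names, the ranks, the name of the user attribute, the service registry key and the translation table.

```python
"""Added example, not cas-mfa's code: a model of how a CAS server could resolve the
authN method for one login from the slides' three activation options, a translator,
a numeric ranking strategy and the configured default."""

from urllib.parse import parse_qs, urlparse

# Canonical method names emitted by configured providers. "duo-two-factor" is on the
# slides; the other two names are assumed for this example.
SUPPORTED_METHODS = frozenset({"duo-two-factor", "toopher-two-factor", "yubikey-two-factor"})

# Numeric ranking strategy used to resolve collisions: lower rank = higher weight.
# The actual rank values are assumed.
METHOD_RANK = {"yubikey-two-factor": 1, "duo-two-factor": 2, "toopher-two-factor": 3}

# Stand-in for an AuthenticationMethodTranslator: raw values found in a user or
# service attribute mapped to canonical names. Table contents are assumed.
TRANSLATIONS = {"duo": "duo-two-factor", "yubikey": "yubikey-two-factor"}

# Name of the user attribute carrying a per-user method (assumed), and the
# cas.properties default shown on the slides (mfa.default.authn.method).
MFA_USER_ATTRIBUTE = "mfaMethod"
DEFAULT_AUTHN_METHOD = "duo-two-factor"


def translate(raw):
    """Map a raw attribute value to a canonical method name; None if unrecognised."""
    if raw is None:
        return None
    value = raw.strip().lower()
    if value in SUPPORTED_METHODS:
        return value
    return TRANSLATIONS.get(value)


def requested_method(login_url):
    """Activation option #3: the opt-in authn_method query parameter on /cas/login."""
    values = parse_qs(urlparse(login_url).query).get("authn_method", [])
    return values[0] if values else None


def resolve_authn_method(login_url, service_entry, user_attributes,
                         default=DEFAULT_AUTHN_METHOD):
    """Gather candidates from all three sources, translate them, and pick by rank.

    Unrecognised values are dropped rather than honoured, so a stray attribute value
    or an arbitrary request parameter can never select a method that is not
    configured; and because the best-ranked candidate wins, the opt-in parameter
    can add a factor but never weaken what the service registry or the user
    attribute already demands.
    """
    raw_values = [
        service_entry.get("authn_method"),        # #1 service registry entry (key assumed)
        user_attributes.get(MFA_USER_ATTRIBUTE),  # #2 user attribute
        requested_method(login_url),              # #3 request parameter
    ]
    candidates = {m for m in map(translate, raw_values) if m is not None}
    if not candidates:
        return default  # what mfa.default.authn.method forces for every RP (None = no MFA)
    return min(candidates, key=lambda m: METHOD_RANK[m])


if __name__ == "__main__":
    url = "https://cas.example.edu/cas/login?service=https%3A%2F%2Fapp.example.edu&authn_method=toopher-two-factor"
    print(resolve_authn_method(url, {"authn_method": "duo"}, {"mfaMethod": "YubiKey"}))  # yubikey-two-factor
    print(resolve_authn_method(url, {}, {}))  # toopher-two-factor
    print(resolve_authn_method("https://cas.example.edu/cas/login?service=x", {}, {}))  # duo-two-factor
```

Whether the real cas-mfa ranks a request-parameter candidate against registry and attribute candidates exactly this way is not stated on the slides; the model only follows the stated rule that collisions are resolved by numeric rank with the lower rank carrying more weight.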


Going Forward


Planned Changes

Support additional provider features

Location/Device aware MFA

Support CAS 4.x


Questions?

https://twitter.com/misagh84

https://github.com/mmoayyed

[email protected]