It's been a few days, does anyone have questions we can answer or
otherwise help move this along?
I've reviewed the whitepaper and I believe there are some interesting
intersections between your work and CAS features of general interest to
the community. I'll generalize the features as I see them:
- Per-service dynamic attribute release with support for principal and
attribute transformation.
- Multifactor authentication.
API support for the latter is on the roadmap for 4.0, and ideally your
work would leverage that API. It's not clear to me how or whether a
service can request a particular authentication credential or attribute
set from CAS, but that's an interesting problem for which we do not yet
have a solution. If you've implemented that feature, I'd appreciate an
outline of your solution.
Your existing support for authentication by what are
effectively interchangeable credentials is a convenience to users, but
it appears to come at the cost of security. In particular, credentials
are not interchangeable with respect to level of identity assurance. I
believe releasing attributes bound to a credential of higher LOA (e.g.
X.509 cert) for an SSO session started with a credential of lower LOA
(e.g. user/pass) results in a spurious attribute assertion. I'm not
aware of any research or literature on the matter, but if anyone is
aware I'd appreciate a pointer to a reference; alternatively an informed
confirmation or rebuttal would be helpful.
I'm eager to review the details of how you've implemented dynamic
attribute release, but the structure of the source on github is a
roadblock. One simple change would facilitate review: make the root
directory a parent project of the submodules. The CAS server codebase
is structured this way and it may provide a helpful reference. Once
that change is made, I'll import the project into my IDE and do a
thoughtful code review.
M