I believe there's some promise in leveraging the renew parameter for facilitating multi-factor authentication use cases; in particular, the case where a service demands a level of assurance that the existing SSO session does not meet. In the traditional renew case the client demands that the user reauthenticate in order to obtain a service ticket. Adding an additional requirement that the authentication meet a particular LOA seems a natural extension to the traditional sense of renew.
In performing code review for estimating the work required to implement this scheme, I noted that the authentication created by a successful renew attempt is simply discarded. [1] That's a fairly large obstacle to overcome. I would like to propose a couple options to facilitate access to this authentication, which would presumably be used by other server-side components to determine whether the authentication meets the LOA demands set by the client.

1. Change the signature of grantServiceTicket(...) to return a ServiceTicket type. That way the overloaded version that takes a Credentials argument could return an AuthenticatedServiceTicket type or similar that would contain the successful authentication from which it was issued.

2. Add the authentication to the existing TicketGrantingTicket in a well-defined manner such that other components could know with confidence which one was issued most recently. (Guess we could iterate over authentications and look at authenticationDate if nothing else.)

I can imagine a value in tracking all authentications that have occurred on a TGT, which option #2 would facilitate, but I can also imagine the effort to implement it would be greater since it would likely require touching some of the ticket storage backends.

Looking forward to feedback, particularly other options for achieving the goal of getting at the renewed authentication.

M

[1] https://github.com/Jasig/cas/blob/master/cas-server-core/src/main/java/org/jasig/cas/CentralAuthenticationServiceImpl.java, lines 222-234

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-dev
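The sketch below is an added illustration of the two options in the post, not code from the CAS project: it uses small hypothetical stand-ins for CAS types (the `Authentication`, `TicketGrantingTicket` and `AuthenticatedServiceTicket` classes, the integer `levelOfAssurance` attribute, and the `grantServiceTicketWithRenew` method are all assumptions made for this example, not the real CAS API). It shows option 1 as a service ticket that carries the authentication it was issued from, option 2 as a TGT that records every authentication and selects the most recent by `authenticationDate`, and the server-side check that a service demanding a higher LOA would run against either.

```java
import java.time.Instant;
import java.util.ArrayList;
import java.util.Comparator;
import java.util.List;
import java.util.Optional;

// Hypothetical, simplified stand-ins for CAS types; this is NOT the CAS API.
public class RenewLoaExample {

    /** One authentication event: when it happened and what level of assurance it achieved. */
    static final class Authentication {
        final Instant authenticationDate;
        final int levelOfAssurance; // assumed attribute: e.g. 1 = password only, 2 = password + second factor

        Authentication(Instant authenticationDate, int levelOfAssurance) {
            this.authenticationDate = authenticationDate;
            this.levelOfAssurance = levelOfAssurance;
        }
    }

    /** Option 2: the TGT keeps every authentication performed against it. */
    static final class TicketGrantingTicket {
        private final List<Authentication> authentications = new ArrayList<>();

        void addAuthentication(Authentication auth) {
            authentications.add(auth);
        }

        /** Pick the most recent authentication by authenticationDate, the fallback the post mentions. */
        Optional<Authentication> mostRecentAuthentication() {
            return authentications.stream()
                    .max(Comparator.comparing((Authentication a) -> a.authenticationDate));
        }
    }

    /** Option 1: a service ticket that carries the authentication it was issued from. */
    static final class AuthenticatedServiceTicket {
        final String id;
        final Authentication authentication;

        AuthenticatedServiceTicket(String id, Authentication authentication) {
            this.id = id;
            this.authentication = authentication;
        }
    }

    /** The check a server-side component would run: does this authentication meet the service's LOA demand? */
    static boolean meetsLoa(Authentication auth, int requiredLoa) {
        return auth != null && auth.levelOfAssurance >= requiredLoa;
    }

    /**
     * Hypothetical renew path: instead of discarding the fresh authentication, record it on the TGT
     * (option 2) and hand it back together with the service ticket (option 1).
     */
    static AuthenticatedServiceTicket grantServiceTicketWithRenew(TicketGrantingTicket tgt,
                                                                  Authentication fresh,
                                                                  String serviceTicketId) {
        tgt.addAuthentication(fresh);
        return new AuthenticatedServiceTicket(serviceTicketId, fresh);
    }

    public static void main(String[] args) {
        // Constructed sample data: an SSO session established with a password-only login (LOA 1).
        TicketGrantingTicket tgt = new TicketGrantingTicket();
        tgt.addAuthentication(new Authentication(Instant.parse("2012-03-01T09:00:00Z"), 1));

        final int requiredLoa = 2; // the service demands a second factor

        // Before renew: the latest authentication on the TGT is LOA 1, so the demand is not met.
        boolean beforeRenew = tgt.mostRecentAuthentication()
                .map(a -> meetsLoa(a, requiredLoa))
                .orElse(false);
        System.out.println("LOA " + requiredLoa + " satisfied before renew: " + beforeRenew);

        // Renew with a second factor (LOA 2); the ticket id below is a placeholder, not a real CAS ticket.
        AuthenticatedServiceTicket st = grantServiceTicketWithRenew(
                tgt, new Authentication(Instant.parse("2012-03-01T09:05:00Z"), 2), "ST-placeholder");

        // Option 1 view: inspect the authentication carried by the service ticket.
        System.out.println("LOA satisfied via service ticket: " + meetsLoa(st.authentication, requiredLoa));

        // Option 2 view: inspect the most recent authentication recorded on the TGT.
        boolean afterRenew = tgt.mostRecentAuthentication()
                .map(a -> meetsLoa(a, requiredLoa))
                .orElse(false);
        System.out.println("LOA satisfied via TGT history: " + afterRenew);
    }
}
```

Both views yield the same answer here because the renew path records and returns the same `Authentication`; the difference is where a downstream component has to look for it. The TGT-history form also makes clear why option 2 touches ticket storage, since the list of authentications must be persisted with the ticket for the most-recent lookup to be trustworthy across nodes.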