Hello,

I'll try to be clearer :-). For example, a user wants to use our healthcare software:
- if he's connected from the LAN, SPNEGO auth will be required & sufficient to grant access to the service.
- if he's connected from the Internet, connection will be granted only with login/password + OTP (SMS, mail, yubikey, ... we've not chosen yet).

I have already modified the login webflow to trigger SPNEGO only on our LAN, so login/password is only triggered from the Internet. Then... I don't know, yet, how to perform MFA only for Internet users and some services.

Regards.

On 06/10/2016 at 13:19, Misagh Moayyed wrote:
> What exactly do these points mean?
>
> If you mean to say, multiple MFA options are assigned to a user, and
> you wish to rank them by weight, that's already supported.
>
> --
> Misagh
>
> From: Philippe MARASSE <[email protected]>
> Reply: Philippe MARASSE <[email protected]>
> Date: October 5, 2016 at 3:46:46 PM
> To: [email protected] <[email protected]>
> Subject: Re: [cas-user] Level of identity assurance implementation in CAS 5.0
>
>> No idea, really?
>>
>> It's mentioned in section MFA of
>> https://apereo.github.io/cas/4.2.x/planning/Security-Guide.html
>>
>> but not anymore on v5
>> https://apereo.github.io/cas/development/planning/Security-Guide.html ??
>>
>> Regards.
>>
>> On 29/09/2016 at 14:43, Philippe MARASSE wrote:
>> > Hello,
>> >
>> > I'm wondering if CAS is able to do service-based LOA, e.g., internal users
>> > use SPNEGO and external users use Login/Password, and if requested by
>> > service: MFA with Yubikey or other not yet implemented means (OTP via
>> > SMS, OTP via FreeOTP, etc.). Ideally, I would set a level by service:
>> > - access to Webmail with required level of 15 points
>> > - access to Personal information with required level of 20 points
>> >
>> > And successful authentication would be granted by handler:
>> > - SPNEGO: 25 points
>> > - Login/Password: 15 points
>> > - MFA yubikey: 10 points
>> > - ...
>> >
>> > So internal users would always gain access with SPNEGO, and external
>> > users will be requested login/password only for Webmail, and
>> > login/password + MFA for Personal Information.
>> >
>> > Is it already possible with CASv5?
>> >
>> > I think it will need some development though; in this case, I'll need
>> > directions :-)
>> >
>> > Regards.
>>
>> --
>> Philippe MARASSE
>>
>> Head of Infrastructure Division - DSIO
>> Centre Hospitalier Henri Laborit
>> CS 10587 - 370 avenue Jacques Cœur
>> 86021 Poitiers Cedex
>> Tel: 05.49.44.57.19

--
Philippe MARASSE
Head of Infrastructure Division - DSIO
Centre Hospitalier Henri Laborit
CS 10587 - 370 avenue Jacques Cœur
86021 Poitiers Cedex
Tel: 05.49.44.57.19
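Added example, not part of the original thread and not CAS code or configuration: a small Python model of the point scheme proposed in the 29/09/2016 message, showing which handlers a request must complete depending on the service and on whether the client is on the LAN. The LAN range, the service keys and the function names are assumptions made for illustration.

```python
import ipaddress

# Points per handler and required level per service, from the 29/09/2016 message.
HANDLER_POINTS = {"spnego": 25, "password": 15, "yubikey": 10}
SERVICE_LEVEL = {"webmail": 15, "personal-info": 20}
# Assumption: placeholder LAN range; the thread does not give one.
LAN = ipaddress.ip_network("10.0.0.0/8")


def offered_handlers(client_ip):
    """Handlers the login flow offers, in order. client_ip must be the
    address seen by the server, not a client-supplied header."""
    if ipaddress.ip_address(client_ip) in LAN:
        return ["spnego"]
    return ["password", "yubikey"]


def required_chain(service, client_ip):
    """Shortest prefix of the offered handlers that reaches the service level."""
    if service not in SERVICE_LEVEL:
        raise PermissionError(f"unregistered service: {service}")  # fail closed
    needed, total, chain = SERVICE_LEVEL[service], 0, []
    for handler in offered_handlers(client_ip):
        if total >= needed:
            break
        chain.append(handler)
        total += HANDLER_POINTS[handler]
    if total < needed:
        raise PermissionError(f"{service}: level {needed} unreachable from {client_ip}")
    return chain


def is_satisfied(service, completed):
    """Re-check before granting access: each handler counts once, so
    repeating one factor cannot add up to a higher level."""
    total = sum(HANDLER_POINTS.get(h, 0) for h in set(completed))
    return total >= SERVICE_LEVEL[service]


if __name__ == "__main__":
    for svc in SERVICE_LEVEL:
        for ip in ("10.1.2.3", "203.0.113.7"):  # constructed sample addresses
            print(svc, ip, required_chain(svc, ip))
```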
