FWIW, we've noted that the shib-cas plugin supports the REFEDS MFA profile, which suggests perhaps it's using the conditional expression (authn_method=mfa-duo && authnContextClass=mfa-duo) as the basis for its MFA assertions. Can anyone confirm this?
<https://github.com/Unicon/shib-cas-authn3#handling-refeds-mfa-profile>

On Tue, Jul 5, 2022 at 10:11 AM Baron Fujimoto <[email protected]> wrote:

> Is the set of CAS authentication attributes documented somewhere? If you test logins using /cas/login, we can see, for example, the following set of authentication attributes:
>
> credentialType, clientIpAddress, samlAuthenticationStatementAuthMethod, authenticationDate, bypassMultifactorAuthentication, authenticationMethod, authnContextClass, successfulAuthenticationHandlers, serverIpAddress, userAgent
>
> Some of them are straightforward, such as clientIpAddress, authenticationDate, serverIpAddress, userAgent; but it would be helpful to have some formal documentation on exactly what the others are.
>
> For example, suppose a client wanted to verify that MFA was actually used. If we only supported Duo for MFA, is it sufficient to simply check, say, successfulAuthenticationHandlers for the value "DuoSecurityAuthenticationHandler", or do you also have to verify bypassMultifactorAuthentication = "false"? Or is there another "correct" way to do this?
>
> Bonus: we also use the shib-cas plugin to front our Shibboleth IdP deployment with CAS. Any pointers to how we can make use of these authentication attributes to define comparable attributes on the Shib side would be appreciated.
>
> --
> Baron Fujimoto <[email protected]> ::: UH Information Technology Services
> minutas cantorum, minutas balorum, minutas carboratum descendus pantorum

--
Baron Fujimoto <[email protected]> ::: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum descendus pantorum
