Hi all,

I've moved from 6.3 to 6.5, and I, like Mike for 6.3, followed the advice of the blog mentioned. It was painless to add the property and I found instant success.

-----

In 6.5, I tried to port this property to the updated namespace:
https://apereo.github.io/cas/6.5.x/installation/Configuring-SAML2-Attribute-Release.html#attribute-name-formats

cas.authn.saml-idp.core.authentication-context-class-mappings=https://refeds.org/profile/mfa->mfa-duo

It no longer seems to inject it for me. I went back to the NIH preparedness site to verify and I'm not passing the assertion.

Tried just in case it was a collection (plural name). That didn't produce a warning but it also didn't work.

cas.authn.saml-idp.core.authentication-context-class-mappings[0]=https://refeds.org/profile/mfa->mfa-duo

-----

I do see that I can set it explicitly on individual service definitions, but I would rather set it once.

Is there an additional step that is needed? Do I need to set it explicitly on each service definition in v6.5.x?

Thanks for your thoughts on this.

On Thursday, March 11, 2021 at 10:36:15 AM UTC-6 Mike Osterman wrote:

> Score! Looks like another blog that I need to be following. :) That MFA
> REFEDS post looks exactly like what was being discussed at yesterday’s
> office hours webinar.
>
> Good catch on the REFEDS Assurance profiles. I got the gist of what was
> being discussed, but the requirements seemed a little unclear. Makes sense,
> as it sounds like the requirement compliance date has been announced, but
> the details are still being sorted out.
>
> I’m still thinking we’ll switch our InCommon federation to CAS, largely
> for the operational efficiency (we’re a small school) and the reduced
> complexity of running a single SAML IdP, and at present, we only have one
> vendor that requires InCommon. If others have gone the consolidation route
> by using CAS as their InCommon SAML IdP, I’d welcome any feedback on how
> that has gone for you on or off list.
>
> Thank you,
> Mike
>
> On Thu, Mar 11, 2021 at 7:44 AM 'Richard Frovarp' via CAS Community <
> [email protected]> wrote:
>
>> I'm running my InCommon membership through Shibboleth, so I'm not looking
>> for a CAS solution. However, here is what I know:
>>
>> 1) R&S is documented as you point out. If you are going to provide REFEDS
>> R&S to REFEDS R&S SPs, you probably want to go into the InCommon Federation
>> Manager and assert that you are a R&S IdP. I would also suggest you review
>> your error URL, and see if you can be SIRTFI compliant, as those are
>> baseline v2 requirements. Separate from NIH, but while you are in there.
>>
>> 2) Parts of the NIH are also going to want assurance attributes based on
>> the REFEDS Assurance profiles. Once you know which assurance values you can
>> assert, they are just attributes that you return to the SP, like any other
>> attribute.
>>
>> 3) MFA will come in the form of REFEDS MFA. I found this from a couple of
>> months ago that looks promising given that Misagh wrote it:
>> https://fawnoos.com/2020/12/07/cas63x-saml2-mfa-refeds-duo/
>>
>> On Wed, 2021-03-10 at 15:19 -0800, Mike Osterman wrote:
>>
>> For those that are using CAS SAML IdP as their InCommon IdP (we are
>> almost there but haven't made the switch), there are some upcoming
>> requirements (September 21, 2021) for users of electronic Research
>> Administration (eRA):
>> https://incommon.org/news/nih-application-to-require-multi-factor-authentication/
>>
>> The REFEDS Research & Scholarship attributes support seems
>> well-documented:
>> https://apereo.github.io/cas/6.3.x/installation/Configuring-SAML2-Attribute-Release.html#refeds-research-and-scholarship
>>
>> The thing that I can't find in the docs is how to express the referenced
>> MFA Authentication Context:
>> https://refeds.org/profile/mfa
>>
>> We've implemented Duo, so I'm guessing that flow would be where we would
>> trigger this, but again, don't find in the docs how to trigger this or if
>> it's even supported by CAS's SAML IdP.
>>
>> I think I saw a couple names of frequent cas-user participants on the
>> office hours webinar today, so I expect others are looking at this as well.
>>
>> Thanks,
>> Mike
>>
>> --
>> - Website: https://apereo.github.io/cas
>> - Gitter Chatroom: https://gitter.im/apereo/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To view this discussion on the web visit
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/d1b141b9362d3bb665a031ed87bab1f94c1e57db.camel%40ndsu.edu
>>

--
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/0dbcc451-0678-494c-8106-f705f47a3737n%40apereo.org.

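A local check for the symptom described in the thread ("I'm not passing the assertion"), added here as an example that is not part of the thread or of CAS: it reads a SAMLResponse captured from the HTTP-POST binding and reports which AuthnContextClassRef the IdP actually issued. The function names and the sample responses are constructed for illustration; it assumes an unencrypted assertion and does not validate signatures.

```python
import base64
import xml.etree.ElementTree as ET

REFEDS_MFA = "https://refeds.org/profile/mfa"
PASSWORD_PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def authn_context_classes(saml_response_b64):
    """Return one AuthnContextClassRef (or None) per AuthnStatement found."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    refs = []
    for stmt in root.iterfind(".//saml:Assertion/saml:AuthnStatement", NS):
        ref = stmt.find("saml:AuthnContext/saml:AuthnContextClassRef", NS)
        refs.append(ref.text.strip() if ref is not None and ref.text else None)
    return refs


def asserts_refeds_mfa(saml_response_b64):
    """True only if every AuthnStatement carries the REFEDS MFA context.

    An empty result (no assertion, or an EncryptedAssertion that this
    diagnostic cannot read) counts as a failure rather than a pass.
    """
    refs = authn_context_classes(saml_response_b64)
    return bool(refs) and all(r == REFEDS_MFA for r in refs)


def sample_response(class_ref):
    """Build a minimal, constructed SAMLResponse (base64) for offline testing."""
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        "<saml:Assertion><saml:AuthnStatement><saml:AuthnContext>"
        f"<saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef>"
        "</saml:AuthnContext></saml:AuthnStatement></saml:Assertion>"
        "</samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    for label, ref in (("mapped", REFEDS_MFA), ("unmapped", PASSWORD_PPT)):
        resp = sample_response(ref)
        print(label, authn_context_classes(resp), asserts_refeds_mfa(resp))
```

Running it against a response captured before and after a configuration change shows whether the mapping took effect without a round trip to the service provider.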