FWIW, we've noted that the shib-cas plugin supports the REFEDS MFA profile, which suggests perhaps it's using the conditional expression (authn_method=mfa-duo && authnContextClass=mfa-duo) as the basis for its MFA assertions. Can anyone confirm this?
<https://github.com/Unicon/shib-cas-authn3#handling-refeds-mfa-profile> On Tue, Jul 5, 2022 at 10:11 AM Baron Fujimoto <ba...@hawaii.edu> wrote: > Are the set of CAS authentication attributes documented somewhere? If you > test logins using /cas/login, we can see, for example, the following set of > authentication attributes: > > credentialType, clientIpAddress, samlAuthenticationStatementAuthMethod, > authenticationDate, bypassMultifactorAuthentication, authenticationMethod, > authnContextClass, successfulAuthenticationHandlers, serverIpAddress, > userAgent > > Some of them are straightforward, such > as clientIpAddress, authenticationDate, serverIpAddress, userAgent; but it > would be helpful to have some formal documentation on exactly what the > others are. > > For example, suppose a client wanted to verify that MFA was actually used. > If we only supported Duo for MFA, is it sufficient to simply check, > say, successfulAuthenticationHandlers for the value > "DuoSecurityAuthenticationHandler", or do you also have to > verify bypassMultifactorAuthentication = "false"? Or is there another > "correct'' way to do this? > > Bonus: we also use the shib-cas plugin to front our Shibboleth IdP > deployment with CAS. Any pointers to how we can make use of these > authentication attributes to define comparable attributes on the Shib side > would be appreciated. > > -- > Baron Fujimoto <ba...@hawaii.edu> ::: UH Information Technology Services > minutas cantorum, minutas balorum, minutas carboratum descendus pantorum > -- Baron Fujimoto <ba...@hawaii.edu> ::: UH Information Technology Services minutas cantorum, minutas balorum, minutas carboratum descendus pantorum -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAAjLUL0X7pMmK9Y_jhTstZFFJEyOi0e7b0y3%2B0CXiezRGmF81g%40mail.gmail.com.
