Hi all,

I've moved from 6.3 to 6.5, and I, like Mike for 6.3, followed the advice 
of the blog mentioned. It was painless to add the property and I found 
instant success.
-----
In 6.5, I tried to port this property to the updated namespace:

https://apereo.github.io/cas/6.5.x/installation/Configuring-SAML2-Attribute-Release.html#attribute-name-formats


cas.authn.saml-idp.core.authentication-context-class-mappings=https://refeds.org/profile/mfa->mfa-duo

It no longer seems to inject it for me.  I went back to the NIH 
preparedness site to verify and I'm not passing the assertion.

Tried just in case it was a collection (plural name).  That didn't 
produce a warning but it also didn't work.

cas.authn.saml-idp.core.authentication-context-class-mappings[0]=https://refeds.org/profile/mfa->mfa-duo

-----

I do see that I can set it explicitly on individual service definitions, 
but, I would rather set it once.

Is there an additional step that is needed?  Do I need to set it explicitly 
on each service definition in v6.5.x?

Thanks for your thoughts on this.


On Thursday, March 11, 2021 at 10:36:15 AM UTC-6 Mike Osterman wrote:

> Score! Looks like another blog that I need to be following. :) That MFA 
> REFEDS post looks exactly like what was being discussed at yesterday’s 
> office hours webinar.  
>
> Good catch on the REFEDS Assurance profiles. I got the gist of what was 
> being discussed, but the requirements seemed a little unclear. Makes sense, 
> as it sounds like the requirement compliance date has been announced, but 
> the details are still being sorted out.
>
> I’m still thinking we’ll switch our InCommon federation to CAS, largely 
> for the operational efficiency (we’re a small school) and the reduced 
> complexity of running a single SAML IdP, and at present, we only have one 
> vendor that requires InCommon. If others have gone the consolidation route 
> by using CAS as their InCommon SAML IdP, I’d welcome any feedback on how 
> that has gone for you on or off list. 
>
> Thank you,
> Mike
>
> On Thu, Mar 11, 2021 at 7:44 AM 'Richard Frovarp' via CAS Community <
> cas-...@apereo.org> wrote:
>
>> I'm running my InCommon membership through Shibboleth, so I'm not looking 
>> for a CAS solution. However, here is what I know:
>>
>> 1) R&S is documented as you point out. If you are going to provide REFEDS 
>> R&S to REFEDS R&S SPs, you probably want to go into the InCommon Federation 
>> Manager and assert that you are a R&S IdP. I would also suggest you review 
>> your error URL, and see if you can be SIRTFI compliant, as those are 
>> baseline v2 requirements. Separate from NIH, but while you are in there.
>>
>> 2) Parts of the NIH are also going to want assurance attributes based on 
>> the REFEDS Assurance profiles. Once you know which assurance values you can 
>> assert, they are just attributes that you return to the SP, like any other 
>> attribute.
>>
>> 3) MFA will come in the form of REFEDS MFA. I found this from a couple of 
>> months ago that looks promising given that Misagh wrote it: 
>> https://fawnoos.com/2020/12/07/cas63x-saml2-mfa-refeds-duo/ 
>>
>> On Wed, 2021-03-10 at 15:19 -0800, Mike Osterman wrote:
>>
>> For those that are using CAS SAML IdP as their InCommon IdP (we are 
>> almost there but haven't made the switch), there are some upcoming 
>> requirements (September 21, 2021) for users of electronic Research 
>> Administration (eRA): 
>> https://incommon.org/news/nih-application-to-require-multi-factor-authentication/
>>  
>>
>> The REFEDS Research & Scholarship attributes support seems 
>> well-documented:
>>
>> https://apereo.github.io/cas/6.3.x/installation/Configuring-SAML2-Attribute-Release.html#refeds-research-and-scholarship
>>
>> The thing that I can't find in the docs is how to express the referenced 
>> MFA Authentication Context:
>> https://refeds.org/profile/mfa
>>
>> We've implemented Duo, so I'm guessing that flow would be where we would 
>> trigger this, but again, don't find in the docs how to trigger this or if 
>> it's even supported by CAS's SAML IdP.
>>
>> I think I saw a couple names of frequent cas-user participants on the 
>> office hours webinar today, so I expect others are looking at this as well.
>>
>> Thanks,
>> Mike
>>
>
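
The check described above (whether the IdP's response actually carries the REFEDS MFA authentication context) can also be run locally against a captured SAMLResponse. This is an added example, not part of the original thread or of CAS; the function names and sample responses are constructed, and it only inspects the XML without validating signatures or decrypting assertions.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REFEDS_MFA = "https://refeds.org/profile/mfa"
PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
CLASS_REF_PATH = ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"


def load_response(data):
    """Accept raw XML or the base64 SAMLResponse form value (HTTP-POST binding)."""
    raw = data.encode() if isinstance(data, str) else data
    if not raw.lstrip().startswith(b"<"):
        raw = base64.b64decode(raw)
    # SAML messages never need a DTD; refuse them rather than parse entities.
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        raise ValueError("DTD/entity declarations are not allowed here")
    return ET.fromstring(raw)


def check_refeds_mfa(data):
    """Return (status, classes); status: mfa, not-mfa, encrypted, no-authn-statement."""
    root = load_response(data)
    # Diagnostic only: the signature is NOT verified, so never use this for trust decisions.
    classes = [el.text.strip() for el in root.findall(CLASS_REF_PATH, NS) if el.text]
    if not classes:
        encrypted = root.find(".//saml:EncryptedAssertion", NS) is not None
        return ("encrypted" if encrypted else "no-authn-statement"), []
    return ("mfa" if all(c == REFEDS_MFA for c in classes) else "not-mfa"), classes


def sample_response(class_ref=None):
    """Constructed, unsigned sample; class_ref=None simulates an encrypted assertion."""
    body = ("<saml:EncryptedAssertion/>" if class_ref is None else
            '<saml:Assertion ID="_a1" Version="2.0"><saml:AuthnStatement><saml:AuthnContext>'
            f"<saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef>"
            "</saml:AuthnContext></saml:AuthnStatement></saml:Assertion>")
    return ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            f'xmlns:saml="{NS["saml"]}" ID="_r1" Version="2.0">{body}</samlp:Response>')


if __name__ == "__main__":
    for ref in (REFEDS_MFA, PASSWORD, None):
        print(check_refeds_mfa(sample_response(ref)))
```

An "encrypted" result means the context class cannot be read without the SP's decryption key, so the check has to be made on the SP side or with assertion encryption disabled for a test service.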
