
...

CAS is the authentication provider for our IdP, so every authentication method — password or certificate — reaches the IdP through a single login handler. We use the IdP's delegated authentication handler, RemoteUser, to integrate with CAS. This means the IdP never handles the credential itself: it trusts the principal and authentication method established by the CAS client in front of it, so the assurance level the IdP asserts can only be as trustworthy as what CAS reports for the session.

IdP Login Handler Configuration (handler.xml)
  <!--
    Remote User handler for CAS support.

    The IdP does not see the user's credential: this handler trusts the
    REMOTE_USER principal that the CAS client establishes in front of
    /Authn/RemoteUser, so the strength of every method listed here rests on
    what CAS reports for the session, not on anything the IdP verified.

    The AuthenticationMethod entries are the AuthnContext class references
    this handler is declared to support (presumably the IdP will only select
    this handler for, and assert, values in this list; verify against the
    IdP version in use).

    NOTE(review): the CAS-side mapping later on this page emits the
    production identifiers http://id.incommon.org/assurance/silver and
    .../bronze, while this handler lists only the -test variants. Confirm
    that both snippets come from the same environment and agree.
  -->
  <LoginHandler xsi:type="RemoteUser">
    <!-- Presumably what CAS reports when no assurance value applies
         (defaultLevel of pdcEduPersonAssuranceCalculator). -->
    <AuthenticationMethod>
      urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
    </AuthenticationMethod>
    <!-- Password logins (see usernameEduPersonAssuranceCalculator). -->
    <AuthenticationMethod>
      urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
    </AuthenticationMethod>
    <!-- InCommon Assurance test identifiers; see NOTE(review) above. -->
    <AuthenticationMethod>
      http://id.incommon.org/assurance/bronze-test
    </AuthenticationMethod>
    <AuthenticationMethod>
      http://id.incommon.org/assurance/silver-test
    </AuthenticationMethod>
  </LoginHandler>

...

The key component of CAS-IdP integration from the perspective of InCommon Assurance is a custom servlet filter that maps the SAML AuthenticationMethod value returned by CAS at service ticket validation time into the AuthnContext the IdP asserts. This filter is therefore the trust boundary for the asserted assurance level: it must take the method only from the validated CAS assertion (the back-channel ticket validation response), never from anything the browser can supply, and it has to run after the CAS client's validation filter so that the assertion exists when it executes. The source for this component, AssertionAttributeAuthenticationMethodFilter, is available for review.

Servlet Configuration for AssertionAttributeAuthenticationMethodFilter (web.xml)
  <!--
    Maps the authentication method reported by CAS onto the AuthnContext the
    IdP asserts. This is the trust boundary for InCommon Assurance: the
    asserted LOA is whatever this filter reads, so the value it consumes must
    come from the validated CAS service ticket response (back channel), never
    from a browser-supplied header or parameter.
  -->
  <filter>
    <filter-name>AssertionAttributeAuthenticationMethodFilter</filter-name>
    <filter-class>
      edu.vt.middleware.shib.cas.AssertionAttributeAuthenticationMethodFilter
    </filter-class>
    <init-param>
      <!--
        Where in the CAS assertion the method is read from. The "::" form
        looks like it addresses the AuthenticationMethod of the SAML 1.1
        AuthenticationStatement (populated on the CAS side under the key
        samlAuthenticationStatementAuthMethod) rather than an ordinary
        attribute; confirm against the filter source.
      -->
      <param-name>authMethodAttribute</param-name>
      <param-value>samlAuthenticationStatement::authMethod</param-value>
    </init-param>
  </filter>
  <!--
    Applied only to the RemoteUser login endpoint. Per the Servlet spec,
    filters run in the order their filter-mapping elements appear in web.xml,
    so the CAS client validation filter that populates the assertion (not
    shown on this page) must be mapped ahead of this one; otherwise there is
    nothing for this filter to read.
  -->
  <filter-mapping>
    <filter-name>AssertionAttributeAuthenticationMethodFilter</filter-name>
    <url-pattern>/Authn/RemoteUser</url-pattern>
  </filter-mapping>

...

We had already invested significant engineering effort in supporting multiple credentials in our CAS SSO solution before the InCommon Assurance program. We leveraged that existing assurance infrastructure to bridge our internal credential LOA values onto InCommon Assurance identifiers. CAS's SAML 1.1 support provided a convenient mechanism to indicate the authentication method to clients — in this case the IdP — at service ticket validation time. It was then a matter of specifying how InCommon Assurance identifiers map onto particular authentication credentials. Note that this mapping is where the institution decides which credentials satisfy which assurance profile, so changes to it are policy decisions rather than tuning. The following configuration snippet demonstrates this:

CAS Deployer Configuration (deployerConfigContext.xml)
  <!--
    CAS authentication manager. Only the metadata populators relevant to
    assurance are shown; the rest of the bean is elided (snip).
  -->
  <bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl">
  <snip/>
    <!--
    Populates the Authentication object with data about the authenticated
    principal or other circumstances of the authentication event.
    The Authentication object is an attribute of the TGT, so data in the
    Authentication can be provided to CAS clients at service ticket validation
    time.

    Two populators run, each fed by its calculators in list order. How a
    populator reconciles two calculator results (highest wins, last wins, ...)
    is decided inside LevelOfAssuranceMetaDataPopulator and is not visible
    here; confirm before relying on it.
      - nistLevelPopulator stores a NIST 800-63 level URN under "LOA".
      - eduPersonAssurancePopulator stores an InCommon identifier or a SAML
        AuthnContext class under samlAuthenticationStatementAuthMethod, which
        appears to be the value carried as AuthenticationMethod in the SAML 1.1
        validation response and read by the IdP-side filter.
    Because these values become the assurance the IdP asserts, edits here are
    trust decisions, not cosmetic changes.
    -->
    <property name="authenticationMetaDataPopulators">
      <list>
        <!-- Internal NIST 800-63 level, exposed under the "LOA" attribute. -->
        <bean id="nistLevelPopulator"
              class="edu.vt.middleware.cas.authentication.metadata.LevelOfAssuranceMetaDataPopulator"
              p:attributeName="LOA">
          <property name="calculators">
            <list>
              <ref bean="usernameNistLevelCalculator"/>
              <ref bean="pdcNistLevelCalculator"/>
            </list>
          </property>
        </bean>
        <!-- InCommon Assurance identifier sent to the IdP as the SAML
             AuthenticationMethod. -->
        <bean id="eduPersonAssurancePopulator"
              class="edu.vt.middleware.cas.authentication.metadata.LevelOfAssuranceMetaDataPopulator"
              p:attributeName="samlAuthenticationStatementAuthMethod">
          <property name="calculators">
            <list>
              <ref bean="usernameEduPersonAssuranceCalculator"/>
              <ref bean="pdcEduPersonAssuranceCalculator"/>
            </list>
            </property>
        </bean>
      </list>
    </property>
  <snip/>
  </bean>

  <!--
    URNs taken from
    http://www.oasis-open.org/committees/download.php/28706/sstc-saml-loa-authncontext-profile-draft-01.pdf
    NOTE(review): these identifiers come from a *draft* of the SAML LOA
    AuthnContext profile. Confirm they are still the agreed values before an
    external relying party is expected to interpret the "LOA" attribute.
  -->
  <!--
    Level for logins identified by account (presumably password logins, given
    the sibling usernameEduPersonAssuranceCalculator maps the same cases to
    PasswordProtectedTransport): guest accounts are NIST level 1, PID
    accounts level 2. How an account is classified as guest vs PID lives in
    AuthIdLevelOfAssuranceCalculator and is not shown here.
  -->
  <bean id="usernameNistLevelCalculator"
        class="edu.vt.middleware.cas.authentication.metadata.AuthIdLevelOfAssuranceCalculator"
        p:guestAccountLevel="urn:oasis:names:tc:SAML:2.0:post:ac:classes:nist-800-63:v1-0-2:1"
        p:pidAccountLevel="urn:oasis:names:tc:SAML:2.0:post:ac:classes:nist-800-63:v1-0-2:2" />

  <!--
    Level for PDC (presumably personal digital certificate) logins, keyed on
    the certificate policy OID found in the presented certificate; the keys
    are under an institutional OID arc. defaultLevel applies when none of the
    listed OIDs is present.

    Each entry is a trust decision: any certificate carrying the OID is
    granted that level, so this assumes chain and policy validation already
    happened in the CAS X.509 handler before this runs (confirm), and an
    addition here needs the same review as a new trusted CA.

    NOTE(review): Medium Silver and Medium Bronze both map to level 4. If that
    is intentional (both are certificate credentials) record why; otherwise
    Bronze should likely be lower. The descending-order requirement below
    holds either way.
  -->
  <bean id="pdcNistLevelCalculator"
        class="edu.vt.middleware.cas.authentication.metadata.PDCLevelOfAssuranceCalculator"
        p:defaultLevel="urn:oasis:names:tc:SAML:2.0:post:ac:classes:nist-800-63:v1-0-2:1">
    <property name="oidLevelMap">
      <!-- Must list in order of descending value (the calculator presumably
           returns the first match when a certificate carries several policy
           OIDs; verify). -->
      <map>
        <!-- Medium Silver -->
        <entry key="1.3.6.1.4.1.6760.5.2.2.5.1" value="urn:oasis:names:tc:SAML:2.0:post:ac:classes:nist-800-63:v1-0-2:4" />

        <!-- Medium Bronze -->
        <entry key="1.3.6.1.4.1.6760.5.2.2.4.1" value="urn:oasis:names:tc:SAML:2.0:post:ac:classes:nist-800-63:v1-0-2:4" />

        <!-- Basic -->
        <entry key="1.3.6.1.4.1.6760.5.2.2.3.1" value="urn:oasis:names:tc:SAML:2.0:post:ac:classes:nist-800-63:v1-0-2:2" />
      </map>
    </property>
  </bean>

  <!--
    InCommon value for account (password) logins: both guest and PID accounts
    yield the plain PasswordProtectedTransport class, i.e. a password alone
    never maps to an InCommon assurance identifier. That class asserts that
    the password travelled over a protected channel, so it is only truthful
    if the CAS login endpoint is served exclusively over TLS.
  -->
  <bean id="usernameEduPersonAssuranceCalculator"
        class="edu.vt.middleware.cas.authentication.metadata.AuthIdLevelOfAssuranceCalculator"
        p:guestAccountLevel="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
        p:pidAccountLevel="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />

  <!--
    InCommon value for certificate logins, keyed on certificate policy OID.
    Any certificate other than the two listed policies (including the "Basic"
    policy that the NIST map above recognises) falls to the default
    "unspecified", which presumably is then what the IdP asserts as the
    AuthnContext.

    NOTE(review): these are the production identifiers
    (http://id.incommon.org/assurance/silver and .../bronze), whereas the IdP
    handler.xml shown earlier on this page advertises only the -test
    variants. One side or the other appears stale; confirm before relying on
    this mapping.
  -->
  <bean id="pdcEduPersonAssuranceCalculator"
        class="edu.vt.middleware.cas.authentication.metadata.PDCLevelOfAssuranceCalculator"
        p:defaultLevel="urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified">
    <property name="oidLevelMap">
      <!-- Must list in order of descending value (same policy OIDs as the
           NIST map above; keep the two maps in step). -->
      <map>
        <!-- Medium Silver -->
        <entry key="1.3.6.1.4.1.6760.5.2.2.5.1" value="http://id.incommon.org/assurance/silver" />

        <!-- Medium Bronze -->
        <entry key="1.3.6.1.4.1.6760.5.2.2.4.1" value="http://id.incommon.org/assurance/bronze" />
      </map>
    </property>
  </bean>

  <snip/>

...