[cas-dev] Multiple security levels (aka the circle of trust)

March, Andres amarch at soe.sony.com
Mon Nov 20 19:09:35 EST 2006


Driven out of the need for "remember me" functionality, my organization
is considering adding multiple levels of trust to our CAS
implementation.  The idea is that some authentications aren't as trusted
as others.  Basically, I want them to be able to be logged into a forums
type site for a very long time between browser sessions but not into a
billing info site.  The gateway and renew flags are very useful in this
respect but we need a bit more.  We would like some low security sites
to accept an auth created from previous browser sessions but for higher
security sites to not accept it.  Obviously we would like users going
from a higher security type site to a lesser one to be auth'd.

There are many issues and questions around the use cases for this type
of functionality but I wanted to ask the list if any thought has been put
into this type of scenario.  Since my requirements are mainly drawn from
the need to keep around the TGC for varying periods of time, I have
considered using multiple TGC cookies to accomplish this need.  In
addition to a default TGC with a browser session expiry, I could add
others based upon the service parameter passed to /login.  Lower
security services would have one or more TGC added that would be used
during subsequent /login calls for other services.  If the browser
session has ended and the client did not still have a TGC that the
passed service required, then the user would have to reauth.

Basically, I have to implement multiple security realms where some
realms include others.  Thoughts?

-----------------------------------------

Andres March

Platform - Apps Engineering

Sony Online Entertainment

desk: 858.577.3373

cell:   619.519.1519
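
Added example (not part of the original message, and not CAS code): a Python sketch of the /login decision the message proposes, with one TGC per trust level and higher levels satisfying lower ones. The level names, cookie lifetimes, service URLs and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

LOW, HIGH = 1, 2                      # hypothetical trust levels (higher = stricter)
DAY = 24 * 3600
# Assumed policy: TGC lifetime per level; None means a browser-session cookie.
TGC_MAX_AGE = {HIGH: None, LOW: 30 * DAY}
# Assumed service registry: URL prefix -> minimum level the service accepts.
SERVICE_LEVEL = {
    "https://forums.example.org/": LOW,
    "https://billing.example.org/": HIGH,
}

@dataclass(frozen=True)
class Tgc:
    level: int
    issued_at: int                    # epoch seconds, recorded server-side
    max_age: Optional[int]            # None = discarded when the browser closes

def required_level(service: str) -> int:
    for prefix, level in SERVICE_LEVEL.items():
        if service.startswith(prefix):
            return level
    return HIGH                       # unregistered service: fail closed

def issue_tgcs(now: int) -> list:
    """Fresh credential check: one TGC per level, each with its own lifetime."""
    return [Tgc(level, now, age) for level, age in TGC_MAX_AGE.items()]

def browser_restart(cookies: list) -> list:
    """Model the end of a browser session: session cookies are dropped."""
    return [c for c in cookies if c.max_age is not None]

def is_live(tgc: Tgc, now: int) -> bool:
    return tgc.max_age is None or now < tgc.issued_at + tgc.max_age

def login_decision(service: str, cookies: list, now: int) -> str:
    """What /login does for `service`: 'sso' (issue a service ticket) or 'reauth'."""
    need = required_level(service)
    # A higher-level TGC also satisfies lower levels (realms include one another).
    if any(c.level >= need and is_live(c, now) for c in cookies):
        return "sso"
    return "reauth"
```

The expiry check uses the server-side issue time, so a client that keeps a persistent cookie past its lifetime is still sent back to reauthenticate.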