On 7/3/22 8:31 AM, John Gateley wrote:
> The protocols were designed long before SAML and OIDC. SAML/OIDC give
> you more control over authn/z
> and allow easily adding in MFA or other different types of auth. To do
> this right, you'd need to extend
> the protocol to allow OIDC or SAML.

I did find this RFC - I haven't read it, but it applies directly:
https://datatracker.ietf.org/doc/html/rfc7628

j
Paul Kudla (SCOM.CA Internet Services Inc.)
2022-Jul-03 14:40 UTC
Is multi factor authentication practical/feasible?
Please note this is my opinion only.

It seems any kind of dual auth will need a security app running on YOUR server saving tokens, logins etc etc. This is what led to Microsoft, Gmail etc having their own API which will only work for them. This is also (mainly because of https authing the device) what makes it hard to proxy oauth2 etc.

If you look at SOGo's documentation they have a Java server applet. Still working on the install to make it work with my system, but in general you need your own whatever app to track oauth2.

5.7. Authenticating using C.A.S.

SOGo natively supports C.A.S. authentication. For activating C.A.S. authentication you need first to make sure that the SOGoAuthenticationType setting is set to cas, SOGoXSRFValidationEnabled is set to NO and that the SOGoCASServiceURL setting is configured appropriately.

I myself will eventually get around to implementing this on one of my servers ? logically I will have to track tokens etc via https like Google etc. Basically the reality is every server will have its own token base etc, thus preventing any kind of a standard.

Happy Sunday !!!

Thanks - paul

Paul Kudla
Scom.ca Internet Services <http://www.scom.ca>
004-1009 Byron Street South
Whitby, Ontario - Canada
L1N 4S3
Toronto 416.642.7266
Main 1.866.411.7266
Fax 1.888.892.7266
Email paul at scom.ca

On 7/3/2022 9:50 AM, John Gateley wrote:
>
> On 7/3/22 8:31 AM, John Gateley wrote:
>> The protocols were designed long before SAML and OIDC. SAML/OIDC give
>> you more control over authn/z
>> and allow easily adding in MFA or other different types of auth. To do
>> this right, you'd need to extend
>> the protocol to allow OIDC or SAML.
>
> I did find this RFC - I haven't read it, but it applies directly:
> https://datatracker.ietf.org/doc/html/rfc7628
>
> j
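The RFC 7628 SASL OAUTHBEARER mechanism John points to is the standard way an IMAP/POP/SMTP server accepts an OAuth 2.0 / OIDC bearer token instead of a password, which is what lets the MFA decision live at the identity provider rather than in a per-server "token base". The following Python is an added example for this thread, not code from the thread, Dovecot or SOGo: it builds the client initial response in the RFC 7628 layout (GS2 header, ^A-separated key/value pairs, double ^A terminator), validates it on the server side, and returns the RFC's base64-encoded JSON failure object when the token or request is bad. The token store, the hostnames, users and token strings are all constructed for the example, and the dictionary lookup stands in for real token introspection or JWT signature validation.

```python
import base64
import json

SEP = "\x01"  # RFC 7628 separates key/value pairs with ^A (0x01)


def build_oauthbearer_initial_response(authzid, token, host, port):
    """Build the OAUTHBEARER client initial response (RFC 7628 section 3.1).

    Layout: GS2 header "n,a=<authzid>," then ^A-separated key=value pairs,
    terminated by a double ^A. The token travels as "auth=Bearer <token>".
    (saslname escaping of ',' and '=' in the authzid is not handled here.)
    """
    gs2_header = f"n,a={authzid},"
    kv_pairs = [f"host={host}", f"port={port}", f"auth=Bearer {token}"]
    return gs2_header + SEP + SEP.join(kv_pairs) + SEP + SEP


def parse_oauthbearer_initial_response(msg):
    """Parse a client message into (authzid, {key: value}).

    Raises ValueError on anything that does not match the RFC layout so the
    server can answer with an 'invalid_request' status.
    """
    if not msg.endswith(SEP + SEP):
        raise ValueError("missing terminating ^A^A")
    header, _, rest = msg.partition(SEP)
    parts = header.split(",")
    if len(parts) != 3 or parts[0] != "n" or not parts[1].startswith("a=") or parts[2] != "":
        raise ValueError("malformed GS2 header")
    authzid = parts[1][len("a="):]
    body = rest[:-2]  # strip the double ^A terminator
    kv = {}
    for item in body.split(SEP):
        key, eq, value = item.partition("=")
        if not key or not eq:
            raise ValueError(f"malformed key/value pair {item!r}")
        kv[key] = value
    if not kv.get("auth", "").startswith("Bearer "):
        raise ValueError("auth value must be 'Bearer <token>'")
    return authzid, kv


def failure_response(status, scope="imap"):
    """Server failure message (RFC 7628 section 3.2.2): base64 of a JSON object
    whose 'status' carries the OAuth error code; 'scope' is optional."""
    payload = {"status": status, "scope": scope}
    return base64.b64encode(json.dumps(payload).encode()).decode()


def decode_failure_response(resp):
    """Decode a failure message back into its JSON object (client side)."""
    return json.loads(base64.b64decode(resp))


def authenticate(msg, expected_host, token_store):
    """Server-side handling of one initial response.

    Returns ("ok", subject) on success, or ("fail", <base64 JSON>) on failure.
    token_store maps token string -> {"sub": ..., "active": bool}; it is a
    constructed stand-in for token introspection / JWT validation.
    """
    try:
        authzid, kv = parse_oauthbearer_initial_response(msg)
    except ValueError:
        return "fail", failure_response("invalid_request")
    # Reject tokens presented to a host they were not meant for.
    if kv.get("host") != expected_host:
        return "fail", failure_response("invalid_request")
    token = kv["auth"][len("Bearer "):]
    info = token_store.get(token)
    if not info or not info.get("active"):
        return "fail", failure_response("invalid_token")
    # The authorization identity must match the subject the token was issued for.
    if info["sub"] != authzid:
        return "fail", failure_response("invalid_token")
    return "ok", info["sub"]


# Constructed token store for the example: one valid and one revoked token.
CONSTRUCTED_TOKENS = {
    "tok-ok": {"sub": "user@example.com", "active": True},
    "tok-revoked": {"sub": "user@example.com", "active": False},
}

if __name__ == "__main__":
    good = build_oauthbearer_initial_response("user@example.com", "tok-ok", "imap.example.com", 143)
    print(authenticate(good, "imap.example.com", CONSTRUCTED_TOKENS))
    bad = build_oauthbearer_initial_response("user@example.com", "tok-revoked", "imap.example.com", 143)
    status, resp = authenticate(bad, "imap.example.com", CONSTRUCTED_TOKENS)
    print(status, decode_failure_response(resp))
```

The point for the thread: the server never stores passwords or issues tokens itself; it only checks a bearer token against the identity provider, so whatever MFA that provider enforces at login is inherited by IMAP without the mail protocol knowing about it. The host check matters because a token captured for one service should not be replayable against another.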