This repository has been archived by the owner on Nov 3, 2017. It is now read-only.

YubiKey Authentication Support

Dmitriy Kopylenko edited this page Jul 16, 2013 · 10 revisions

Yubico is a cloud-based service that enables strong, easy-to-use and affordable two-factor authentication with one-time passwords through its flagship product, YubiKey. Once a Yubico clientId and secretKey have been obtained, YubiKey devices can be used as a primary authentication source for the CAS server through an AuthenticationHandler that cas-addons provides and that is simple to configure. To configure YubiKey accounts and obtain API keys, refer to the Documentation.

Configuration

The YubiKeyAuthenticationHandler may be configured as follows:

<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:c="http://www.springframework.org/schema/c"
       xmlns:cas="http://unicon.net/schema/cas"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://unicon.net/schema/cas 
                           http://unicon.net/schema/cas/cas-addons.xsd">

   <!-- The c: prefix (Spring constructor-argument namespace) must be declared on <beans> -->
   <bean class="net.unicon.cas.addons.authentication.strong.yubikey.YubiKeyAuthenticationHandler"
         c:clientId="${yubikey.apiKey.id}"
         c:secretKey="${yubikey.apiKey.secret}"/>

</beans>

By default, all YubiKey accounts for users are allowed to authenticate. To determine which users are allowed to use their YubiKey accounts for authentication, plug in a custom implementation of net.unicon.cas.addons.authentication.strong.yubikey.YubiKeyAccountRegistry, which lets you provide a mapping between usernames and YubiKey public keys.

<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:c="http://www.springframework.org/schema/c"
       xmlns:cas="http://unicon.net/schema/cas"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://unicon.net/schema/cas 
                           http://unicon.net/schema/cas/cas-addons.xsd">

   <!-- registry-ref points at the bean id of the custom YubiKeyAccountRegistry -->
   <bean class="net.unicon.cas.addons.authentication.strong.yubikey.YubiKeyAuthenticationHandler"
         c:clientId="${yubikey.apiKey.id}"
         c:secretKey="${yubikey.apiKey.secret}"
         c:registry-ref="customYubiKeyAccountRegistry" />

</beans>
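
One way to back the customYubiKeyAccountRegistry bean referenced above, as an added example that is not part of cas-addons or of this page: a standalone in-memory registry that maps usernames to YubiKey public IDs and denies anything it does not know. The class name, the method name isYubiKeyRegisteredFor and its signature, and the sample users and IDs are assumptions, as is reading the page's "public keys" as the public ID prefix of the OTP; align them with the YubiKeyAccountRegistry interface in your cas-addons version.

```java
import java.util.*;

// Added example, hypothetical class: in-memory username -> YubiKey public ID registry.
// Method name and signature are assumptions; match them to YubiKeyAccountRegistry.
public class MapBackedYubiKeyRegistry {
    private static final String MODHEX = "cbdefghijklnrtuv"; // YubiKey OTP alphabet
    private static final int OTP_TAIL = 32;  // encrypted part of an OTP, in characters
    private static final int OTP_MAX = 48;   // longest valid OTP

    private final Map<String, Set<String>> publicIdsByUser;

    public MapBackedYubiKeyRegistry(Map<String, Set<String>> publicIdsByUser) {
        this.publicIdsByUser = publicIdsByUser;
    }

    // The public ID is everything before the last 32 modhex characters of the OTP.
    // Returns null for input that cannot be a YubiKey OTP with a public ID.
    static String publicIdOf(String otp) {
        if (otp == null) return null;
        String s = otp.trim().toLowerCase(Locale.ROOT);
        if (s.length() <= OTP_TAIL || s.length() > OTP_MAX) return null;
        for (char ch : s.toCharArray()) {
            if (MODHEX.indexOf(ch) < 0) return null;
        }
        return s.substring(0, s.length() - OTP_TAIL);
    }

    // Fail closed: unknown user, missing ID and unregistered device are all denied.
    public boolean isYubiKeyRegisteredFor(String uid, String yubikeyPublicId) {
        if (uid == null || yubikeyPublicId == null) return false;
        Set<String> ids = publicIdsByUser.get(uid);
        return ids != null && ids.contains(yubikeyPublicId.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        // Constructed sample data: made-up user, public ID and OTP (not a real OTP).
        Map<String, Set<String>> users = new HashMap<>();
        users.put("alice", Collections.singleton("cccccckdvvul"));
        MapBackedYubiKeyRegistry registry = new MapBackedYubiKeyRegistry(users);

        String otp = "cccccckdvvul" + "bcdefghijklnrtuvbcdefghijklnrtuv";
        String id = publicIdOf(otp);
        System.out.println("public id: " + id);
        System.out.println("alice allowed: " + registry.isYubiKeyRegisteredFor("alice", id));
        System.out.println("bob allowed: " + registry.isYubiKeyRegisteredFor("bob", id));
        System.out.println("malformed otp id: " + publicIdOf("not-an-otp"));
    }
}
```

The registry only decides whether a device belongs to a user; the OTP itself still has to be validated against the Yubico service by the handler.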

Alternative configuration using custom XML namespace element

<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:cas="http://unicon.net/schema/cas"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://unicon.net/schema/cas 
                           http://unicon.net/schema/cas/cas-addons.xsd">
   
   <cas:yubikey-authentication-handler 
        client-id="${yubikey.apiKey.id}" 
        secret-key="${yubikey.apiKey.secret}"/>
 
</beans>

or

<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:cas="http://unicon.net/schema/cas"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://unicon.net/schema/cas 
                           http://unicon.net/schema/cas/cas-addons.xsd">
   
   <cas:yubikey-authentication-handler 
        client-id="${yubikey.apiKey.id}" 
        secret-key="${yubikey.apiKey.secret}" 
        account-registry="customYubiKeyAccountRegistry"/>

</beans>