Enterprise Single Sign-On for All

YubiKey Authentication

Yubico is a cloud-based service that enables strong, easy-to-use and affordable two-factor authentication with one-time passwords through their flagship product, YubiKey. Once a Yubico clientId and secretKey are obtained, YubiKey devices can be configured as a primary authentication source that the CAS server uses to authenticate users. To configure YubiKey accounts and obtain API keys, refer to the documentation.

YubiKey authentication components are enabled by including the following dependencies in the Maven WAR overlay:

<dependency>
     <groupId>org.jasig.cas</groupId>
     <artifactId>cas-server-support-yubikey</artifactId>
     <version>${cas.version}</version>
</dependency>

Configuration

The authentication handler may be configured as such:

<bean class="org.jasig.cas.adaptors.yubikey.YubiKeyAuthenticationHandler"
    c:clientId="${yubikey.apiKey.id}"
    c:secretKey="${yubikey.apiKey.secret}"/>

By default, all YubiKey accounts for users are allowed to authenticate. To determine which users are allowed to use their YubiKey accounts for authentication, plug in a custom implementation of YubiKeyAccountRegistry that provides a mapping between usernames and YubiKey public keys.

<bean class="org.jasig.cas.adaptors.yubikey.YubiKeyAuthenticationHandler"
    c:clientId="${yubikey.apiKey.id}"
    c:secretKey="${yubikey.apiKey.secret}"
    c:registry-ref="customYubiKeyAccountRegistry" />
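
One way to write such a registry, as an added example that is not part of the CAS code base: an in-memory implementation that denies any user who has no enrolled device. The class name, the case-insensitive username handling, the 12-character modhex check and the `isYubiKeyRegisteredFor` method signature are assumptions to verify against your CAS version.

```java
import org.jasig.cas.adaptors.yubikey.YubiKeyAccountRegistry;

import java.util.HashMap;
import java.util.HashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * In-memory registry: a user may authenticate only with a YubiKey whose
 * public ID has been enrolled for that username. Unknown users are denied.
 */
public class StaticYubiKeyAccountRegistry implements YubiKeyAccountRegistry {

    // Assumption: public IDs are in the usual form of 12 modhex characters.
    private static final Pattern PUBLIC_ID = Pattern.compile("[cbdefghijklnrtuv]{12}");

    private final Map<String, Set<String>> devicesByUser = new HashMap<>();

    public StaticYubiKeyAccountRegistry(final Map<String, Set<String>> enrolled) {
        for (final Map.Entry<String, Set<String>> e : enrolled.entrySet()) {
            final Set<String> ids = new HashSet<>();
            for (final String id : e.getValue()) {
                final String normalized = id.trim().toLowerCase(Locale.ROOT);
                // Reject malformed entries at startup instead of failing silently at login.
                if (!PUBLIC_ID.matcher(normalized).matches()) {
                    throw new IllegalArgumentException("Not a modhex public ID for " + e.getKey());
                }
                ids.add(normalized);
            }
            devicesByUser.put(normalizeUser(e.getKey()), ids);
        }
    }

    // Assumed signature of the interface method; check it against your CAS version.
    @Override
    public boolean isYubiKeyRegisteredFor(final String uid, final String yubikeyPublicId) {
        if (uid == null || yubikeyPublicId == null) {
            return false; // fail closed on missing input
        }
        final Set<String> ids = devicesByUser.get(normalizeUser(uid));
        return ids != null && ids.contains(yubikeyPublicId.toLowerCase(Locale.ROOT));
    }

    // Assumption: usernames are compared case-insensitively.
    private static String normalizeUser(final String uid) {
        return uid.trim().toLowerCase(Locale.ROOT);
    }
}
```

Declare the class as a bean with the id `customYubiKeyAccountRegistry` so that the `c:registry-ref` attribute above resolves to it.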