cas5 MFA for SAML2 SP

75 views
Skip to first unread message

K S

unread,
Nov 17, 2016, 12:17:59 PM11/17/16
to CAS Community
Can MFA can be triggered for a specific SAML2 SP inside the CAS service registry. I am using following JSON but it's not triggering the DUO login . I am able to login to SP though.

{
  @class: org.apereo.cas.support.saml.services.SamlRegisteredService
  name: SAMLService
  id: 10000023
  description: SAML Client Metadata
  evaluationOrder: 10
  logoutType: BACK_CHANNEL
  attributeReleasePolicy:
  {
    @class: org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy
    principalAttributesRepository:
    {
      @class: org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository
      expiration: 2
      timeUnit: HOURS
    }
    authorizedToReleaseCredentialPassword: false
    authorizedToReleaseProxyGrantingTicket: false
  }
  multifactorPolicy:
  {
    @class: org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy
    multifactorAuthenticationProviders:
    [
      java.util.HashSet
      [
        mfa-duo
      ]
    ]
    failureMode: CLOSED
    principalAttributeNameTrigger: eduPersonAffiliation
    principalAttributeValueToMatch: alum
  }
  accessStrategy:
  {
    @class: org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy
    enabled: true
    ssoEnabled: true
    requireAllAttributes: true
    caseInsensitive: false
  }
  metadataLocation: /home/cas/spring-security-saml.xml
  metadataMaxValidity: 0
  signAssertions: false
  signResponses: true
  encryptAssertions: false
  metadataCriteriaRoles: SPSSODescriptor
  metadataCriteriaRemoveEmptyEntitiesDescriptors: true
  metadataCriteriaRemoveRolelessEntityDescriptors: true
}


K S

unread,
Nov 17, 2016, 12:34:48 PM11/17/16
to CAS Community
I was able to trigger it using the Opt-In Request Parameter but is there a way to do it using entityID in SAML2 SP service registry JSON ?

Misagh Moayyed

unread,
Nov 17, 2016, 1:04:19 PM11/17/16
to cas-...@apereo.org

No. That would be a feature request followed by an issue on Github :)

 

--Misagh

--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/708c1df4-56bb-4e38-81a4-aec7bc687170%40apereo.org.

Reply all
Reply to author
Forward
0 new messages