CAS 6.2.5 MFA bypass per service and global http request trigger on

Jérôme NENERT

Nov 20, 2020, 9:17:36 AM
to cas-...@apereo.org

Hi,

A web application triggers an mfa-duo authentication with the HTTP request parameter authn_method=mfa-duo. Is it possible to bypass this application from using mfa-duo?

We didn't set cas.authn.mfa.request-parameter, so the default value is on (authn_method). Tried to add these lines in the service registry, but without success:

  "multifactorPolicy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
    "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-duo" ] ],
    "bypassEnabled" : "true"
  }

Also tried cas.authn.mfa.duo[0].bypass.http-request-remote-address parameters but didn't work either.

Setting cas.authn.mfa.request-parameter to an empty value worked, but prevents all applications from using an HTTP request to trigger mfa-duo.

Has the behaviour regarding HTTP request triggers changed since CAS v5.3.x?

Best regards.

Jerome Nenert

IT Services

Université Panthéon-Assas (Paris 2)

Jérôme NENERT

Nov 23, 2020, 9:40:05 AM
to cas-...@apereo.org

Hi,

The only solution that works for me is to use the OPEN failureMode for this specific service:

  "multifactorPolicy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
    "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-duo" ] ],
    "failureMode" : "OPEN"
  }

So, what's the exact purpose of this parameter cas.authn.mfa.duo[0].bypass.http-request-remote-address?

No other tips for preventing a service from using MFA while sending the HTTP request parameter authn_method=mfa-duo?

Thanks for your help.

Best regards.

Jerome Nenert

IT Services

Université Panthéon-Assas (Paris 2)
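
An added example, not part of the original posts and not CAS project code: a small audit that reads service registry definitions and reports every service whose multifactorPolicy carries one of the two per-service settings tried in this thread (bypassEnabled, failureMode OPEN), so these exceptions stay visible during review. The sample definitions, file names and function names are constructed, and the files are assumed to be strict JSON.

```python
import json

# Constructed sample definitions; only the multifactorPolicy fields come from the thread.
POLICY = '"@class": "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy"'
PROVIDERS = '"multifactorAuthenticationProviders": ["java.util.LinkedHashSet", ["mfa-duo"]]'
SAMPLE_SERVICES = {
    "app-a.json": '{"serviceId": "^https://a.example.org/.*", "multifactorPolicy": '
                  '{%s, %s, "bypassEnabled": "true"}}' % (POLICY, PROVIDERS),
    "app-b.json": '{"serviceId": "^https://b.example.org/.*", "multifactorPolicy": '
                  '{%s, %s, "failureMode": "OPEN"}}' % (POLICY, PROVIDERS),
    "app-c.json": '{"serviceId": "^https://c.example.org/.*", "multifactorPolicy": '
                  '{%s, %s}}' % (POLICY, PROVIDERS),
    "app-d.json": '{"serviceId": "^https://d.example.org/.*"}',
}

def unwrap(value):
    """Turn the type-wrapped form ["java.util.LinkedHashSet", [...]] into a plain list."""
    if (isinstance(value, list) and len(value) == 2
            and isinstance(value[0], str) and isinstance(value[1], list)):
        return value[1]
    return value or []

def as_bool(value):
    """The thread writes "bypassEnabled" : "true" as a string; accept string or boolean."""
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return bool(value)

def audit_service(name, text):
    """Return the MFA-relevant settings of one service definition."""
    svc = json.loads(text)
    policy = svc.get("multifactorPolicy") or {}
    findings = []
    if as_bool(policy.get("bypassEnabled", False)):
        findings.append("bypassEnabled=true")
    if str(policy.get("failureMode", "")).upper() == "OPEN":
        findings.append("failureMode=OPEN")
    return {"file": name, "serviceId": svc.get("serviceId"),
            "providers": unwrap(policy.get("multifactorAuthenticationProviders")),
            "findings": findings}

def audit(services):
    """Report only the services that carry a per-service MFA exception."""
    reports = (audit_service(n, t) for n, t in sorted(services.items()))
    return [r for r in reports if r["findings"]]

if __name__ == "__main__":
    for r in audit(SAMPLE_SERVICES):
        print(r["file"], r["serviceId"], r["providers"], ", ".join(r["findings"]))
```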
