Problem with Global Principal Attribute


John Bond

Aug 14, 2019, 1:50:13 PM
to CAS Community
Hi all,

I'm attempting to configure CAS so that the MFA provider is determined via an LDAP attribute. I have the following config:

```
server.ssl.keyStore=file:/etc/cas/thekeystore


cas.authn.mfa.globalPrincipalAttributeNameTriggers=businessCategory
cas.authn.mfa.gauth.json.location=file:///etc/cas/config/gauthdevices.json
cas.authn.mfa.u2f.json.location=file:///etc/cas/config/u2fdevices.json

logging.config: file:/etc/cas/config/log4j2.xml

cas.serviceRegistry.json.location=file:/etc/cas/services

cas.authn.ldap[0].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider
cas.authn.ldap[0].principalAttributeList=cn,memberOf,mail,businessCategory
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].connectionStrategy=ACTIVE_PASSIVE
cas.authn.ldap[0].ldapurl=ldaps://ldap-ro.eqiad.wikimedia.org:636 ldaps://ldap-ro.codfw.wikimedia.org:636
cas.authn.ldap[0].useStartTLS=false
cas.authn.ldap[0].basedn=dc=wikimedia,dc=org
cas.authn.ldap[0].searchFilter=cn={user}
cas.authn.ldap[0].binddn=cn=user,ou=profile,dc=wikimedia,dc=org
cas.authn.ldap[0].bindcredential=**removed**
cas.authn.accept.users=
logging.level.org.apereo=DEBUG
```
And my user has `businessCategory: mfa-gauth` configured in LDAP. However, when I try to authenticate I see the following in the debug logs:

```
2019-08-14 17:35:06,797 DEBUG [org.apereo.cas.authentication.DefaultMultifactorAuthenticationProviderResolver] - <Located attribute value [[mfa-gauth]] for [[businessCategory]]>
2019-08-14 17:35:06,797 DEBUG [org.apereo.cas.authentication.MultifactorAuthenticationUtils] - <Attribute value [[mfa-gauth]] is not a single-valued attribute>
2019-08-14 17:35:06,799 DEBUG [org.apereo.cas.authentication.MultifactorAuthenticationUtils] - <Ignoring [mfa-gauth] since no matching transition could be found>
2019-08-14 17:35:06,799 DEBUG [org.apereo.cas.authentication.DefaultMultifactorAuthenticationProviderResolver] - <No set of events based on the attribute(s) [[businessCategory]] could be matched>  
```

So it looks like LDAP sends this value as an array and CAS doesn't like that. Is anyone able to give advice on how I could get LDAP to send this [or some other attribute] as a string, or fix this issue on the CAS side?

Cheers John

John Bond

Aug 14, 2019, 1:58:43 PM
to CAS Community


On Wednesday, August 14, 2019 at 6:50:13 PM UTC+1, John Bond wrote:

> cas.authn.mfa.globalPrincipalAttributeNameTriggers=businessCategory


I tried to use preferredLanguage instead of businessCategory, which is a SINGLE-VALUE[1] attribute, but this made no difference:

```
2019-08-14 17:56:04,201 DEBUG [org.apereo.cas.authentication.DefaultMultifactorAuthenticationProviderResolver] - <Located attribute value [[mfa-gauth]] for [[preferredLanguage]]>
2019-08-14 17:56:04,202 DEBUG [org.apereo.cas.authentication.MultifactorAuthenticationUtils] - <Attribute value [[mfa-gauth]] is not a single-valued attribute>
2019-08-14 17:56:04,204 DEBUG [org.apereo.cas.authentication.MultifactorAuthenticationUtils] - <Ignoring [mfa-gauth] since no matching transition could be found>
```


 

Robert Bond

Aug 14, 2019, 4:23:38 PM
to cas-...@apereo.org
Mr. Bond,

I have not configured CAS for triggering multi-factor based off a singular attribute. I have for a multi-valued memberOf attribute; it should be basically the same.
Here is my config for looking at the memberOf attributes:

```
# Activate MFA globally based on principal attributes
cas.authn.mfa.globalPrincipalAttributeNameTriggers=memberOf
# Specify the regular expression pattern to trigger multifactor when working with a single provider.
cas.authn.mfa.globalPrincipalAttributeValueRegex=CN=mfa-eligible,OU=DuoMFA,OU=Groups,DC=nsuok,DC=edu
```

Here is what I think you need:

```
# Activate MFA globally based on principal attributes
cas.authn.mfa.globalPrincipalAttributeNameTriggers=businessCategory
# Specify the regular expression pattern to trigger multifactor when working with a single provider.
cas.authn.mfa.globalPrincipalAttributeValueRegex=mfa-gauth
```

Let me know if that works for you.

Robert Bond.



--
Robert Bond
Network Administrator
(918) 444-5886
Northeastern State University

John Bond

Aug 15, 2019, 6:09:15 AM
to cas-...@apereo.org
Mr. Bond,

Thanks for your response. According to the docs[1] there are two ways to use the Global Principal Attribute:

> Trigger MFA based on a principal attribute(s) whose value(s) matches a regex pattern. Note that this 
> behavior is only applicable if there is only a single MFA provider configured, since that would allow 
> CAS to know what provider to next activate.

I believe this is the method you have described, which has the end result [in your case] that any user in the group 'CN=mfa-eligible,OU=DuoMFA,OU=Groups,DC=nsuok,DC=edu' will need to use the MFA method specified by `cas.authn.mfa.globalProviderId`.

I would like to support multiple MFA options and have the user indicate the MFA they want to use via LDAP. For this I thought I could configure CAS using the second option:

> Trigger MFA based on a principal attribute(s) whose value(s) EXACTLY matches an MFA provider. 
> This option is more relevant if you have more than one provider configured or if you have the flexibility
> of assigning provider ids to attributes as values.


On Wed, Aug 14, 2019 at 9:23 PM 'Robert Bond' via CAS Community <cas-...@apereo.org> wrote:

> Here is what I think you need
> # Activate MFA globally based on principal attributes
> cas.authn.mfa.globalPrincipalAttributeNameTriggers=businessCategory
> # Specify the regular expression pattern to trigger multifactor when working with a single provider.
> cas.authn.mfa.globalPrincipalAttributeValueRegex=mfa-gauth
>
> Let me know if that works for you.

I tried this and it made no difference, which surprised me as I had assumed it would complain about a missing `cas.authn.mfa.globalProviderId`. However, I wonder if simply having more than one provider disables this function. The comment hints at this.
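To make the two documented trigger modes concrete, here is an added Python simulation of how a resolver would treat the attribute values seen in this thread; it is not CAS code, and the principal attributes, group DNs and provider ids are constructed for the example. It models every LDAP value as a collection (the `[[mfa-gauth]]` in the debug log) and shows exact-match resolution against multiple providers beside regex resolution, which only applies with a single provider.

```python
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample: principal attributes as resolved from LDAP. Every value
# arrives as a collection, even for a single-valued LDAP attribute such as
# preferredLanguage (the [[mfa-gauth]] in the thread's debug log shows this).
PRINCIPAL_ATTRIBUTES: Dict[str, List[str]] = {
    "cn": ["jbond"],
    "memberOf": ["cn=ops,ou=groups,dc=example,dc=org",
                 "cn=mfa-eligible,ou=groups,dc=example,dc=org"],
    "businessCategory": ["mfa-gauth"],
    "preferredLanguage": ["mfa-gauth"],
}
# Provider ids taken from the original poster's config (gauth and u2f enabled).
CONFIGURED_PROVIDERS = ["mfa-gauth", "mfa-u2f"]


def flatten(value) -> List[str]:
    """Normalise an attribute value (scalar or collection) to a flat list."""
    if isinstance(value, (list, tuple, set)):
        return [str(v) for v in value]
    return [] if value is None else [str(value)]


def resolve_by_exact_match(attrs: Dict[str, List[str]], trigger_names: Iterable[str],
                           providers: List[str]) -> Optional[str]:
    """Second documented mode: a value that EXACTLY equals a provider id selects
    that provider; every element of a multi-valued attribute is tested."""
    for name in trigger_names:
        for value in flatten(attrs.get(name)):
            if value in providers:
                return value
    return None


def resolve_by_regex(attrs: Dict[str, List[str]], trigger_names: Iterable[str],
                     pattern: str, global_provider_id: str,
                     providers: List[str]) -> Optional[str]:
    """First documented mode: a value matching the regex triggers the single
    configured provider. With more than one provider this mode does not apply."""
    if len(providers) != 1:
        return None
    regex = re.compile(pattern)
    for name in trigger_names:
        if any(regex.match(v) for v in flatten(attrs.get(name))):
            return global_provider_id
    return None
```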
 

Danny

Aug 16, 2019, 3:48:28 PM
to CAS Community
I tried to get this working last summer with no luck... I finally punted and used a Groovy script to return the appropriate MFA provider.

John Bond

Aug 16, 2019, 5:33:48 PM
to cas-...@apereo.org
Thanks Danny,

I have created a PR upstream[1] and the devs have been very responsive; hopefully we can get this fixed.

charliepy harper

Sep 25, 2019, 1:24:50 PM
to cas-...@apereo.org
Good evening sir. How are you?
I really need your help. I was able to set up a multifactor authentication with Google Authenticator.
But the problem I currently have is that I have no idea about the contents of the gauthdevices.json file. So, at each connection, I have to register a device.
I would be happy if I could have a quick return. Thanks for your understanding. Have a great evening.