authenticationMethod mfa-simple + LdapAuthenticationHandler


Jorge Bastida
Nov 16, 2023, 6:52:43 AM
to CAS Community
Good morning,

In CAS 6.3.7, when authenticating against a service with mfa-simple, the value of authenticationMethod was:

authenticationMethod:
 1. LdapAuthenticationHandler
 2. mfa-simple

However, in 6.6.13, when I authenticate against an identical service, the value of authenticationMethod is the following:
authenticationMethod: mfa-simple

The LdapAuthenticationHandler entry is lost. Is there any way to replicate the CAS 6.3.7 behaviour in 6.6.13?

Thank you very much in advance.

Meysam Shirazi
Nov 16, 2023, 2:30:31 PM
to CAS Community, Jorge Bastida
Hi Jorge,
Please share the configuration, and any log if available.

Jorge Bastida
Nov 17, 2023, 2:37:08 AM
to CAS Community, Meysam Shirazi, Jorge Bastida
Of course.

cas.properties:

...
cas.authn.mfa.simple.order=1
cas.authn.mfa.simple.token.core.timeToKillInSeconds=90
cas.authn.mfa.simple.sms.from=Company Name
cas.authn.mfa.simple.sms.text=Code: ${token}
cas.authn.mfa.simple.sms.attribute-name=irisPersonalUniqueID
...
cas.authn.ldap[0].name=LdapAuthenticationHandler
cas.authn.ldap[0].hostnameVerifier=ANY
cas.authn.ldap[0].followReferrals=true
cas.authn.ldap[0].min-pool-size=5
cas.authn.ldap[0].max-pool-size=100
cas.authn.ldap[0].validateOnCheckout=false
cas.authn.ldap[0].validatePeriodically=true
cas.authn.ldap[0].blockWaitTime=PT5S
cas.authn.ldap[0].connectTimeout=PT1M
cas.authn.ldap[0].validatePeriod=PT5M
cas.authn.ldap[0].prunePeriod=PT5M
cas.authn.ldap[0].validateTimeout=PT5S
cas.authn.ldap[0].responseTimeout=PT5S
cas.authn.ldap[0].idleTime=PT5M
cas.authn.ldap[0].poolPassivator=BIND
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].passwordPolicy.enabled=true
cas.authn.ldap[0].passwordPolicy.type=GENERIC
cas.authn.ldap[0].passwordPolicy.warnAll=false
cas.authn.ldap[0].passwordPolicy.warningDays=60
cas.authn.ldap[0].passwordPolicy.policyAttributes.accountLocked=javax.security.auth.login.AccountLockedException
cas.authn.ldap[0].order=0
...

service.json:

{
  "@class": "org.apereo.cas.services.CasRegisteredService",
  "id": 168,
  "name": "Service Name",
  "description": "Service Description",
  "serviceId": "^http.*://service.com/.*",
  "evaluationOrder": 168,
  "logoutType": "BACK_CHANNEL",
  "authenticationPolicy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy",
    "requiredAuthenticationHandlers" : ["java.util.TreeSet", [ "LdapAuthenticationHandler", "mfa-simple" ]]
  },
  "accessStrategy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled": true,
    "ssoEnabled": true,
    "delegatedAuthenticationPolicy": {
      "@class": "org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy",
      "permitUndefined": false
    }
  },
  "usernameAttributeProvider": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider"
  },
  "multifactorPolicy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
    "multifactorAuthenticationProviders": [
      "java.util.LinkedHashSet",
      [
        "mfa-simple"
      ]
    ],
    "forceExecution": true
  },
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy",
    "authorizedToReleaseCredentialPassword": false,
    "authorizedToReleaseProxyGrantingTicket": false
  }
}

If I access the service, the value of authenticationMethod is:

[screenshot attachment: Captura de pantalla 2023-11-17 a las 8.10.04.png]

The log file is very large; any particular lines?



Jorge Bastida
Nov 17, 2023, 4:02:18 AM
to CAS Community, Jorge Bastida, Meysam Shirazi
Hello again,

Just to say that I have solved my problem by adding this property to cas.properties:

cas.authn.attribute-repository.core.merger=MULTIVALUED

Thanks in any case.
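The fix above works because authenticationMethod is stamped once per successful handler, and the attribute-repository merger decides whether the second stamp replaces the first or is kept alongside it. The following is an added example, not code from this thread or from CAS: a toy model of three merger strategies (REPLACE, ADD, MULTIVALUED, with semantics assumed for illustration) applied to the two handler stamps, plus a check that every handler listed in a service's requiredAuthenticationHandlers actually shows up in the released attribute. The service JSON is a constructed excerpt of the one posted above.

```python
import json

# Constructed excerpt of the service.json posted in the thread; only the
# authenticationPolicy part is needed for this check.
SERVICE_JSON = """
{
  "@class": "org.apereo.cas.services.CasRegisteredService",
  "id": 168,
  "authenticationPolicy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy",
    "requiredAuthenticationHandlers": ["java.util.TreeSet", ["LdapAuthenticationHandler", "mfa-simple"]]
  }
}
"""

# Constructed per-handler attribute maps: each successful handler records its
# own name under authenticationMethod (hypothetical shape, for the model only).
LDAP_STEP = {"authenticationMethod": ["LdapAuthenticationHandler"]}
MFA_STEP = {"authenticationMethod": ["mfa-simple"]}


def required_handlers(service_json):
    """Return the handler names from the Jackson-style typed collection
    ["java.util.TreeSet", [ ... ]] that CAS service files use; a plain
    list is accepted too."""
    svc = json.loads(service_json)
    typed = svc["authenticationPolicy"]["requiredAuthenticationHandlers"]
    if len(typed) == 2 and isinstance(typed[0], str) and isinstance(typed[1], list):
        typed = typed[1]
    return set(typed)


def merge_attributes(existing, incoming, strategy):
    """Toy merger (assumed semantics, not CAS's implementation):
    REPLACE     - values from the later source overwrite earlier ones
    ADD         - keep the earlier value, only add attributes not yet present
    MULTIVALUED - keep every distinct value, in arrival order"""
    merged = {k: list(v) for k, v in existing.items()}
    for name, values in incoming.items():
        if strategy == "REPLACE":
            merged[name] = list(values)
        elif strategy == "ADD":
            merged.setdefault(name, list(values))
        elif strategy == "MULTIVALUED":
            bucket = merged.setdefault(name, [])
            for v in values:
                if v not in bucket:
                    bucket.append(v)
        else:
            raise ValueError("unknown merger: %s" % strategy)
    return merged


def simulate(strategy):
    """Run the LDAP step, then the mfa-simple step, under one merger."""
    attrs = merge_attributes({}, LDAP_STEP, strategy)
    attrs = merge_attributes(attrs, MFA_STEP, strategy)
    return attrs["authenticationMethod"]


def missing_handlers(attrs, required):
    """Handlers a relying party would NOT see in authenticationMethod, so it
    could not verify that both factors ran."""
    seen = set(attrs.get("authenticationMethod", []))
    return sorted(required - seen)


if __name__ == "__main__":
    req = required_handlers(SERVICE_JSON)
    for strategy in ("REPLACE", "ADD", "MULTIVALUED"):
        am = simulate(strategy)
        gap = missing_handlers({"authenticationMethod": am}, req)
        print("%-12s authenticationMethod=%s missing=%s" % (strategy, am, gap))
```

Under this model only MULTIVALUED yields both names; REPLACE leaves the symptom from the first post (only mfa-simple), and ADD would leave only the LDAP handler. The missing_handlers check is the thing worth wiring into a smoke test after an upgrade: if a service requires two handlers and the released attribute names fewer, a relying party that relies on authenticationMethod to confirm MFA is working from incomplete information.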

Meysam Shirazi
Nov 17, 2023, 8:03:23 AM
to CAS Community, Jorge Bastida, Meysam Shirazi

Sounds great!
Update the other configs to the naming convention format of v6.6.x.

Jorge Bastida Cano
Nov 17, 2023, 9:00:03 AM
to CAS Community, Meysam Shirazi, Jorge Bastida
Thank you,
Just a curious question: have you seen any of the above configurations that are formatted or named out of convention for 6.6.x?

Just to make sure, so that the validator passes correctly.
Thanks

Meysam Shirazi
Nov 17, 2023, 12:09:55 PM
to CAS Community, Jorge Bastida Cano, Meysam Shirazi, Jorge Bastida
You have some of them in your configuration, since the standard name style shifted from camel case to dash case:
cas.authn.ldap[0].hostnameVerifier=ANY  --> cas.authn.ldap[0].hostname-verifier=DEFAULT
cas.authn.ldap[0].followReferrals=true  --> cas.authn.ldap[0].follow-referrals=true
...
Due to the fact that some options are optional, default values will be loaded. Anyway, I'm not sure about the change's backward compatibility, so it's possible that your configuration will pass correctly.
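To review a cas.properties file for the camel-case keys mentioned above, here is an added helper (not part of the thread or of CAS) that rewrites each dotted key segment to dash case while leaving the `[0]` index and the values untouched, and separately flags the one setting the reply also changed in value: a hostname verifier of ANY accepts any certificate hostname on the LDAP connection, whereas the reply suggests DEFAULT. The sample properties are a constructed excerpt of the ones posted earlier; whether CAS 6.6.x still binds the camel-case spellings is left open, as in the reply.

```python
import re

# Constructed excerpt of the cas.properties posted earlier in the thread.
SAMPLE = """\
cas.authn.ldap[0].name=LdapAuthenticationHandler
cas.authn.ldap[0].hostnameVerifier=ANY
cas.authn.ldap[0].followReferrals=true
cas.authn.ldap[0].min-pool-size=5
cas.authn.ldap[0].passwordPolicy.policyAttributes.accountLocked=javax.security.auth.login.AccountLockedException
"""

# An upper-case letter preceded by a lower-case letter or digit starts a new word.
_CAMEL_BOUNDARY = re.compile(r"(?<=[a-z0-9])([A-Z])")


def to_kebab(key):
    """Rewrite camelCase to dash-case within each dotted segment of a property key.
    Segments that are already dash-case, and list indexes such as ldap[0], pass
    through unchanged because they contain no upper-case letters."""
    return ".".join(
        _CAMEL_BOUNDARY.sub(lambda m: "-" + m.group(1).lower(), part)
        for part in key.split(".")
    )


def _split_property(line):
    """Return (key, value) for a key=value line, or None for blanks/comments."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#") or "=" not in stripped:
        return None
    key, value = stripped.split("=", 1)
    return key.strip(), value


def normalize_properties(text):
    """Rewrite only the keys; values (e.g. a fully qualified Java class) are kept."""
    out = []
    for line in text.splitlines():
        kv = _split_property(line)
        if kv is None:
            out.append(line)
        else:
            out.append("%s=%s" % (to_kebab(kv[0]), kv[1]))
    return "\n".join(out)


def lint_weak_settings(text):
    """Return the keys that set the LDAP hostname verifier to ANY, which
    accepts any certificate hostname; the reply above suggests DEFAULT."""
    findings = []
    for line in text.splitlines():
        kv = _split_property(line)
        if kv is None:
            continue
        if to_kebab(kv[0]).endswith(".hostname-verifier") and kv[1].strip().upper() == "ANY":
            findings.append(kv[0])
    return findings


if __name__ == "__main__":
    print(normalize_properties(SAMPLE))
    for key in lint_weak_settings(SAMPLE):
        print("WARN: %s=ANY accepts any certificate hostname" % key)
```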

Jorge Bastida
Nov 17, 2023, 1:21:45 PM
to CAS Community, Meysam Shirazi, Jorge Bastida Cano, Jorge Bastida
Ok, thank you very much for the tip, I will check it carefully.

Regards.

Maysam Shirazi
Nov 18, 2023, 2:25:56 AM
to Jorge Bastida, CAS Community, Jorge Bastida Cano
Glad to be of help.
