CAS 5 RC4: MFA-Duo /samlValidate error

80 views
Skip to first unread message

Baron Fujimoto

unread,
Oct 11, 2016, 10:58:36 PM10/11/16
to CAS Users
I'm trying to enable MFA-Duo using according to the docs at

<https://apereo.github.io/cas/development/installation/DuoSecurity-Authentication.html>
<https://apereo.github.io/cas/development/installation/Configuration-Properties.html#duosecurity>

I've had partial success with an application trigger using a service
definition that includes

"multifactorPolicy" : {
"@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
"multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-duo" ] ],
"failureMode" : "OPEN"
}

After providing my username and password to the app that uses the Java
CAS client (v3.4.2), Duo is invoked. However, after providing the Duo factor
it successfully validates the ticket but throws an exception generating the SAML
response:

DEBUG [org.apereo.cas.support.saml.web.SamlValidateController] - <Successfully validated service ticket AAE***Cq2 for service [https://example.edu/app]>
ERROR [org.apereo.cas.support.saml.web.view.Saml10SuccessResponseView] - <Error generating SAML response for service example.edu.>
java.lang.ClassCastException: java.util.HashSet cannot be cast to java.lang.String
at org.apereo.cas.support.saml.web.view.Saml10SuccessResponseView.prepareResponse(Saml10SuccessResponseView.java:60) ~[cas-server-support-saml-5.0.0.RC4-SNAPSHOT.jar:5.0.0.RC4-SNAPSHOT]
at org.apereo.cas.support.saml.web.view.AbstractSaml10ResponseView.renderMergedOutputModel(AbstractSaml10ResponseView.java:104) ~[cas-server-support-saml-5.0.0.RC4-SNAPSHOT.jar:5.0.0.RC4-SNAPSHOT]
...

Ultimately what we'd like to do though is invoke MFA-Duo globally, and
not via an application triggered policy. It looks like the CAS properties
listed here may be relevant, but it's not clear to me how they should
be used.

<https://apereo.github.io/cas/development/installation/Configuration-Properties.html#multifactor-authentication>

For example, there is a cas.authn.mfa.globalPrincipalAttributeNameTriggers
property, that seems to correspond to principalAttributeNameTrigger in the
"Principal Attribute Per Application" example, but no corresponding
principalAttributeValueToMatch documented. Merely specifying something
an attribute for .globalPrincipalAttributeNameTriggers (e.g.
cas.authn.mfa..globalPrincipalAttributeNameTriggers=uid) doesn't appear
to be sufficent to invoke MFA-Duo.

I'm not sure what the following parameters are for:

cas.authn.mfa.requestParameter
- related to the "Opt-In Request Parameter"?
cas.authn.mfa.authenticationContextAttribute=authnContextClass
cas.authn.mfa.contentType=application/cas
- are any of these related to or able to use the Authentication
attributes that are returned? (successfulAuthenticationHandlers,
authenticationMethod, samlAuthenticationStatementAuthMethod)

Aloha,
-baron
--
Baron Fujimoto <ba...@hawaii.edu> :: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum

Misagh Moayyed

unread,
Oct 12, 2016, 6:23:06 AM10/12/16
to CAS Users
ERROR [org.apereo.cas.support.saml.web.view.Saml10SuccessResponseView] - <Error generating SAML response for service example.edu.>
java.lang.ClassCastException: java.util.HashSet cannot be cast to java.lang.String
at org.apereo.cas.support.saml.web.view.Saml10SuccessResponseView.prepareResponse(Saml10SuccessResponseView.java:60) ~[cas-server-support-saml-5.0.0.RC4-SNAPSHOT.jar:5.0.0.RC4-SNAPSHOT]
at org.apereo.cas.support.saml.web.view.AbstractSaml10ResponseView.renderMergedOutputModel(AbstractSaml10ResponseView.java:104) ~[cas-server-support-saml-5.0.0.RC4-SNAPSHOT.jar:5.0.0.RC4-SNAPSHOT]
...


This is a bug. Please file an issue.

Ultimately what we'd like to do though is invoke MFA-Duo globally, and 
not via an application triggered policy. It looks like the CAS properties 
listed here may be relevant, but it's not clear to me how they should 
be used. 

Global triggers, that are not tied to principal or services, are not possible explicitly. Please file a feature request.

Baron Fujimoto

unread,
Oct 12, 2016, 5:15:32 PM10/12/16
to CAS Users, Misagh Moayyed
On Wed, Oct 12, 2016 at 01:45:32PM +0330, Misagh Moayyed wrote:
>ERROR [org.apereo.cas.support.saml.web.view.Saml10SuccessResponseView] - <Error generating SAML response for service example.edu.>
>java.lang.ClassCastException: java.util.HashSet cannot be cast to java.lang.String
>at org.apereo.cas.support.saml.web.view.Saml10SuccessResponseView.prepareResponse(Saml10SuccessResponseView.java:60) ~[cas-server-support-saml-5.0.0.RC4-SNAPSHOT.jar:5.0.0.RC4-SNAPSHOT]
>at org.apereo.cas.support.saml.web.view.AbstractSaml10ResponseView.renderMergedOutputModel(AbstractSaml10ResponseView.java:104) ~[cas-server-support-saml-5.0.0.RC4-SNAPSHOT.jar:5.0.0.RC4-SNAPSHOT]
>...
>
>
>This is a bug. Please file an issue.

Filed <https://github.com/apereo/cas/issues/2039>

Appears fixed in more recent RC4-SNAPSHOT release.

>Ultimately what we'd like to do though is invoke MFA-Duo globally, and 
>not via an application triggered policy. It looks like the CAS properties 
>listed here may be relevant, but it's not clear to me how they should 
>be used. 
>Global triggers, that are not tied to principal or services, are not possible explicitly. Please file a feature request.

We might be able to make something work if it's tied to a principal, but
again, I'm not sure how to do this. The docs say, "MFA can be triggered
for all users/subjects carrying a specific attribute that matches
configured attribute value. The attribute value is a regex pattern and
must match the provider id of an available MFA provider described above."

They don't provide an example of this though, and if it's the in the
cas.properties docs, the most likely candidate appears to be
cas.authn.mfa.globalPrincipalAttributeNameTriggers. The commented out
sample provided there does not appear to be set to something I can see
matches a regex pattern and provider id.

Misagh Moayyed

unread,
Oct 12, 2016, 5:58:21 PM10/12/16
to CAS Users
We might be able to make something work if it's tied to a principal, but 
again, I'm not sure how to do this. The docs say, "MFA can be triggered 
for all users/subjects carrying a specific attribute that matches 
configured attribute value. The attribute value is a regex pattern and 
must match the provider id of an available MFA provider described above." 

What this means is, you configure CAS to trigger based on an attribute “x”, that is resolved for the principal, whose value is for instance “mfa-duo”, or “mfa-.+”.

Also, I was wrong. Global triggers are supported; just weren’t documented then:

https://apereo.github.io/cas/development/installation/Configuring-Multifactor-Authentication.html#global 

https://apereo.github.io/cas/development/installation/Configuration-Properties.html#multifactor-authentication 

There is a setting for a global provider id. Set it to the provider id of choice, “mfa-duo”.



Reply all
Reply to author
Forward
0 new messages