How to enable/disable MFA in CAS

He Vincent

Nov 30, 2021, 9:02:56 PM11/30/21
to CAS Community
Here is my understanding of using MFA:

scenario 1: Disable MFA globally, and enable it at the service level
a. Configure in cas.properties:
Nothing.

b. Enable 2FA at the service level
{
"@class" : "org.apereo.cas.services.RegexRegisteredService",
"serviceId" : "^https://demo1.mydomain.(com|com/.*)$",
"name" : "demo1",
"id" : 20001107,
"description" : "2FA demo site",
"attributeReleasePolicy" : {
"@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
},
"multifactorPolicy" : {
"@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
"multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-gauth" ] ]
},
"evaluationOrder" : 1107
}

scenario 2: Enable MFA globally, and disable it for a few services
a. Enable MFA globally
cas.authn.mfa.global-provider-id=mfa-gauth

b. Disable 2FA at the service level
{
"@class" : "org.apereo.cas.services.RegexRegisteredService",
"serviceId" : "^https://demo1.mydomain.(com|com/.*)$",
"name" : "demo1",
"id" : 20001107,
"description" : "2FA demo site",
"attributeReleasePolicy" : {
"@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
},
"multifactorPolicy" : {
"@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
"multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-gauth" ] ],
"bypassEnabled" : "true"
},
"evaluationOrder" : 1107
}

scenario 3: Bypass MFA by client IP
Configure in cas.properties:
cas.authn.mfa.gauth.bypass.http-request-remote-address=192.168.1.3
Notes: This is a configuration item of gauth; it takes effect only when mfa-gauth is selected.


scenario 4: Complex situation
For some complex usages, we can only use a Groovy script to achieve our goal.
a. Configure in cas.properties
cas.authn.mfa.groovyScript=file:/opt/castest/mfaGroovyTrigger.groovy

cat /opt/castest/mfaGroovyTrigger.groovy
import java.util.*

class SampleGroovyEventResolver {
    // CAS calls run() with: service, registeredService, authentication, httpRequest, logger.
    // Return the id of the MFA provider to trigger, or null for no MFA.
    String run(final Object[] args) {
        def service = args[0]
        def registeredService = args[1]
        def authentication = args[2]
        def httpRequest = args[3]
        def logger = args[4]

        def service_id = service.id
        logger.info("MFA: service id {}", service_id)

        // demo1: always require MFA for the SSO path
        if (service_id.startsWith("https://demo1.mydomain.com/sso")) {
            logger.info("MFA: demo1")
            return "mfa-gauth"
        }

        // demo2: require MFA only for one client address
        if (service_id.startsWith("https://demo2.mydomain.com")) {
            logger.info("MFA: demo2")
            def clientIP = httpRequest.getRemoteAddr()
            logger.info("MFA: clientIP is: {}", clientIP)
            if (clientIP == "192.168.100.108") {
                logger.info("MFA: {} needs 2FA", clientIP)
                return "mfa-gauth"
            }
        }

        logger.info("MFA: Default, No 2FA! ")
        return null
    }
}

b. No special configuration is needed at the service level:
delete multifactorPolicy from the service configuration.



Notes: we need to disable the other configuration items:
#cas.authn.mfa.global-provider-id=mfa-gauth
#cas.authn.mfa.gauth.bypass.http-request-remote-address=192.168.1.3
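As an added example (not part of the original post), the scenario 4 trigger can be generalised from hard-coded prefixes and a single client address to a rule table with CIDR ranges, with the decision split out so it can be checked offline with `groovy`. The rule table, addresses and the `decide` helper are constructed for illustration; the `run` entry point keeps the same argument order CAS passes to the script. Note that `getRemoteAddr()` is the TCP peer address, so behind a reverse proxy every client will appear as the proxy unless the servlet container is configured to honour forwarded headers.

```groovy
import java.util.*

class RuleBasedMfaTrigger {
    // prefix -> provider to trigger; cidrs lists client ranges that need MFA (empty = always)
    static final List RULES = [
        [prefix: "https://demo1.mydomain.com/sso", provider: "mfa-gauth", cidrs: []],
        [prefix: "https://demo2.mydomain.com",     provider: "mfa-gauth", cidrs: ["192.168.100.0/24"]],
    ]

    // Dotted-quad IPv4 to 32-bit int (sign is irrelevant for the mask comparison).
    static int toInt(String ip) {
        ip.tokenize('.').inject(0) { acc, o -> (acc << 8) | (o.toInteger() & 0xff) }
    }

    // True when ip lies in cidr; a bare address without "/" is treated as /32.
    static boolean inCidr(String ip, String cidr) {
        def parts = cidr.tokenize('/')
        int bits = parts.size() > 1 ? parts[1].toInteger() : 32
        int mask = bits == 0 ? 0 : (-1 << (32 - bits))
        return (toInt(ip) & mask) == (toInt(parts[0]) & mask)
    }

    // Pure decision: provider id or null. Missing service or client address never triggers MFA.
    static String decide(String serviceId, String clientIp) {
        if (!serviceId) return null
        def rule = RULES.find { serviceId.startsWith(it.prefix) }
        if (rule == null) return null
        if (rule.cidrs.isEmpty()) return rule.provider
        if (clientIp && rule.cidrs.any { inCidr(clientIp, it) }) return rule.provider
        return null
    }

    // CAS entry point: args = [service, registeredService, authentication, httpRequest, logger]
    String run(final Object[] args) {
        def service = args[0]
        def httpRequest = args[3]
        def logger = args[4]
        def clientIp = httpRequest?.getRemoteAddr()
        def result = decide(service?.id, clientIp)
        logger?.info("MFA: service {} from {} -> {}", service?.id, clientIp, result)
        return result
    }

    // Stand-alone check with `groovy RuleBasedMfaTrigger.groovy` (no CAS needed).
    static void main(String[] a) {
        assert decide("https://demo1.mydomain.com/sso/login", "10.0.0.1") == "mfa-gauth"
        assert decide("https://demo2.mydomain.com/app", "192.168.100.108") == "mfa-gauth"
        assert decide("https://demo2.mydomain.com/app", "10.0.0.1") == null
        assert decide("https://other.example/", "192.168.100.108") == null
        assert decide(null, null) == null
        println "all checks passed"
    }
}
```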
