CAS 6.6.0 MFA Per application trigger not working


Diego Gimenez

Aug 18, 2023, 3:00:06 PM
to CAS Community
Hello. As the title says, I can't make an MFA trigger per service. It looks like the service can't detect such a provider, as shown in the following image.

Ray Bon

Aug 18, 2023, 7:19:18 PM
to cas-...@apereo.org
Diego,

Image did not come through.

Ray

On Fri, 2023-08-18 at 11:46 -0700, 'Diego Gimenez' via CAS Community wrote:
Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

Diego Gimenez

Aug 23, 2023, 8:50:48 AM
to CAS Community, Ray Bon
Hello Ray,

Sorry about that.

I attach the registered service and the providers I get from the service. I used a Groovy script to print the registered service.

I have tried using @class instead of _class and it did not make any difference. I also tried to search through the CAS source code, and my hypothesis is that it might not be detecting either the policy or the providers I am using.
casRegisteredService.png
mfaProviders.png

John

Aug 23, 2023, 9:13:38 AM
to CAS Community, diego....@unc.edu.ar, Ray Bon
You have an array set; there was a bug in earlier 6.6 versions that was fixed in a later 6.6 release. Please update to the latest 6.6.x release and it will work as it should.

Diego Gimenez

Aug 23, 2023, 11:01:04 AM
to CAS Community, John, Diego Gimenez, Ray Bon
Hello John,

first of all, thanks for your response.

Unfortunately, it did not work. I am using the CAS overlay and set `cas.version=6.6.10` in `gradle.properties`. However, the trigger is still not working; I used a Groovy script to trigger MFA and printed the registered service as I did before. I have a question that is not directly related: is there a way to block authentication when using Groovy to trigger the MFA? That would work temporarily. (The only method I found was to throw an exception on purpose, but that won't give the user feedback on what went wrong.)
casRegisteredService.png.png

John

Aug 23, 2023, 12:12:06 PM
to CAS Community, diego....@unc.edu.ar, John, Ray Bon
I tested on local dev with 6.6.10 and it is working. Also, it's not _class, it has to be @class, see below. Also make sure you have "cas.authn.mfa.core.provider-selection-enabled=true" in config.

{
  "@class": "org.apereo.cas.services.CasRegisteredService",
  "serviceId": "^(https|imaps)://.*",
  "name": "Sample",
  "id": 1,
  "description": "Sample Service",
  "evaluationOrder": 10000,
  "multifactorPolicy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
    "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-gauth", "mfa-webauthn" ] ]
  }
}

John

Aug 23, 2023, 12:12:06 PM
to CAS Community, diego....@unc.edu.ar, John, Ray Bon
Forgot, what do you mean by this? "Is there a way to block authentication when using Groovy to trigger the mfa?" Can you post what you're doing in Groovy to get a better idea?

Diego Gimenez

Aug 23, 2023, 2:27:56 PM
to CAS Community, John, Diego Gimenez, Ray Bon
I tried using @class instead of _class for my service and CAS will not launch; I am struggling to find a solution. Can you show me your build.gradle and your cas.properties so I can try them and see if the problem may be in my local build.gradle or cas.properties?

What I mean by that sentence is that I am looking for other solutions to trigger an MFA based on a specific service. The one I thought about was using Groovy to detect a certain serviceId (i.e. https/http prefix) and decide whether it should actually trigger an MFA authentication or not. So the part I am missing is how to actually block an authentication attempt (based on testing, I've found that if you return null from a Groovy script to trigger a certain MFA, the authentication will proceed, and I want to do the opposite). I know it is not optimal, but given that I am unable to trigger an MFA authentication by service, I am looking for options! The image below shows an example of what I want to do.
MFAGroovyTrigger.png

Ray Bon

Aug 23, 2023, 3:18:44 PM
to diego....@unc.edu.ar, cas-...@apereo.org, jbann...@gmail.com

On Wed, 2023-08-23 at 11:23 -0700, Diego Gimenez wrote:

John

Aug 24, 2023, 12:22:44 AM
to CAS Community, Ray Bon, John, diego....@unc.edu.ar
You shouldn't need Groovy for that; what you want, I believe, is Failure mode, see here

"failureMode" : "CLOSED"

CLOSED = Disallow MFA and block authentication.
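As an added example (not code from the thread or from CAS itself), a small Python check that validates a JSON service definition against the shape John posted above: "@class" keys rather than "_class", providers in the ["java.util.LinkedHashSet", [...]] typed-collection form, and a recognised failureMode such as the CLOSED value just mentioned. The set of failureMode values is assumed from the CAS documentation, and the sample definition is constructed.

```python
import json

# Constructed sample in the shape John posted: "@class" keys, providers as the
# Jackson typed-collection pair, plus the failureMode mentioned in the thread.
GOOD_SERVICE = """{
  "@class": "org.apereo.cas.services.CasRegisteredService",
  "serviceId": "^(https|imaps)://.*",
  "name": "Sample",
  "id": 1,
  "multifactorPolicy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
    "multifactorAuthenticationProviders": ["java.util.LinkedHashSet", ["mfa-gauth", "mfa-webauthn"]],
    "failureMode": "CLOSED"
  }
}"""

# failureMode values of the multifactor policy (assumed from the CAS documentation;
# the thread itself only quotes CLOSED).
FAILURE_MODES = {"OPEN", "CLOSED", "PHANTOM", "NONE", "UNDEFINED"}


def check_service(text):
    """Return the problems found in one CAS JSON service definition (empty list = OK)."""
    try:
        svc = json.loads(text)
    except json.JSONDecodeError as err:
        return [f"not valid JSON: {err}"]
    if not isinstance(svc, dict):
        return ["top-level value is not a JSON object"]
    problems = []
    policy = svc.get("multifactorPolicy")
    # Both the service and its policy are deserialised by type name, so each needs "@class".
    for label, obj in (("service", svc), ("multifactorPolicy", policy)):
        if isinstance(obj, dict) and "@class" not in obj:
            hint = " ('_class' found instead)" if "_class" in obj else ""
            problems.append(f"{label}: '@class' missing{hint}")
    if not isinstance(policy, dict):
        return problems  # no MFA policy: nothing per-service to trigger
    providers = policy.get("multifactorAuthenticationProviders")
    if not (isinstance(providers, list) and len(providers) == 2
            and providers[0] == "java.util.LinkedHashSet" and isinstance(providers[1], list)):
        problems.append("multifactorAuthenticationProviders must be "
                        '["java.util.LinkedHashSet", [provider ids]]')
    elif not providers[1]:
        problems.append("multifactorAuthenticationProviders is empty")
    mode = policy.get("failureMode")
    if mode is not None and mode not in FAILURE_MODES:
        problems.append(f"unknown failureMode {mode!r}")
    return problems
```

Running it over each file in a JSON service registry before deployment catches the "_class" and bare-list mistakes discussed in this thread before CAS silently ignores the policy.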

John

Aug 24, 2023, 12:22:44 AM
to CAS Community, Ray Bon, John, diego....@unc.edu.ar
I wouldn't even be able to tell you why your build doesn't launch with @class, because that is what it should be; maybe it's a VS Code issue. You can set up IntelliJ IDEA Community, and it's free. Here is the Gradle build, although, can you try downgrading to 6.6.9 in gradle.properties? Just curious about the outcome.

Gradle build below; you can disregard a lot in the Core section as it's only needed for local development purposes for custom stuff.


The bare bones, cas config you can see in the puppeteer test below, I would paste ours but we use the spring cloud rest config

config:

service:

John

Aug 24, 2023, 12:22:44 AM
to CAS Community, Ray Bon, John, diego....@unc.edu.ar
Are you sure that CAS is even reading your service definition? Because it looks completely off and doesn't pass JSON validation. Turn your logging in the log4j XML to debug and see what it spits out.

try this as well, as the only service definition for cas,

Diego Gimenez

Aug 30, 2023, 10:58:49 AM
to CAS Community, John, Ray Bon, Diego Gimenez
Hello,

first of all, thank you for your cooperation; it helped me find out what the actual problem was. I tried using cas.service-registry.json.location instead of the Mongo DB and it worked. It seems that when CAS reads a service from a Mongo database, it doesn't recognize the @class attribute, and instead needs a _class definition to not crash. The problem is that if you define a service using _class it won't read the "multifactorPolicy". I am not 100% sure of what is happening; further testing will be done with other attributes such as "attributeReleasePolicy".

It is certainly an uncommon problem and we do not know its source. If you have any insight into what it could be, I would be grateful!