6.6.13 - MFA Trusted devices / expiration

Chris SC

Nov 3, 2023, 6:16:18 AM
to CAS Community
Hello,
[version 6.6.13]
I'm working on the implementation of the MFA with the Google Auth. provider and Trusted Devices.
I have a question concerning the configuration of Trusted Devices.

The first time, the user comes to a 'Register Device' screen (after the MFA Google Auth screen), with 2 fields:
1/ Name of the current device
----> I want to hide this one on the template. What is the template name, please?

2/ Duration for registered device
----> I want to hide this one too, by forcing an expiry time for everyone (30 days)

I've seen some previous 6.6 configurations using:
cas.authn.mfa.trusted.expiration=30
cas.authn.mfa.trusted.timeUnit=DAY

But these 2 parameters are no longer available in 6.6.13.
I thought that this part was now delegated to the provider side, but I can't find anything in the Google Auth configuration.

For now, if I take a look at storage, the default expiration is 1 year.
So how do I set this parameter for now?

[
{
"id": 1699003407119,
"principal": "testuser",
"deviceFingerprint": "OO5ovcvIZWMPRebiQZGGp6nK2lT1GzElrgtUN87acB8ADGOy",
"recordDate": "2023-11-03T10:23:27+01:00",
"recordKey": "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCIsImtpZCI6IjBjNjQyMzg3LTM3M2EtNDZkZi1iOGM3LTEyNGNlZmJiMDhlNyJ9.ZXlKNmFYQWlPaUpFUlVZaUxDSmhiR2NpT2lKa2FYSWlMQ0psYm1NaU9pSkJNVEk0UTBKRExVaFRNalUySWl3aVkzUjVJam9pU2xkVUlpd2lkSGx3SWpvaVNsZFVJdIUWhmMmt1dWFlQTQ0TFNjTmhnRDFHb1ZSVW5WejVwSWt0QWsuN3JkWkswX0lTcENaMVQ3a1BFOF9LQQ.hW-Q2nsqjhr0Dnx3LIBJilZgBRoyPAKA8RLN5x2Vtzl44lmizs4-EV-ftwU8jIx7Z7whpTgp6DASz49pc6NO8g",
"name": "charming_wilson",
"expirationDate": "2123-11-03T09:23:27.000+00:00"
}
]


Thanks for your help!
Christophe.


Current MFA trusted devices configuration:
##========================================
## MFA / Trusted Devices :
##========================================
cas.authn.mfa.trusted.mongo.clientUri=mongodb://user:x@localhost:27017/cas-mongo-database
cas.authn.mfa.trusted.mongo.collection=TrustedRepository
cas.authn.mfa.trusted.mongo.drop-collection=false
cas.authn.mfa.trusted.core.authentication-context-attribute=isFromTrustedMultifactorAuthentication
cas.authn.mfa.trusted.core.device-registration-enabled=true
cas.authn.mfa.trusted.core.auto-assign-device-name=true

cas.authn.mfa.trusted.crypto.enabled=true
cas.authn.mfa.trusted.crypto.encryption.key=xxxxxxxxxxxxxxxxxxx
cas.authn.mfa.trusted.crypto.signing.key=xxxxxxxxxxxxxxxxxxx
cas.authn.mfa.trusted.deviceFingerprint.cookie.crypto.encryption.key=xxxxxxxxxxxxxxxxxxx
cas.authn.mfa.trusted.deviceFingerprint.cookie.crypto.signing.key=xxxxxxxxxxxxxxxxxxx

John

Nov 3, 2023, 11:16:10 AM
to CAS Community, Chris SC
You can also change the view to something like this:

<body>
    <main role="main" class="container mt-3 mb-3">
        <div layout:fragment="content" id="login">
            <div id="content-message" class="text-center">
                <h5 th:text="#{cas.mfa.registerdevice.label.title}">Register Device</h5>
                <p th:text="#{cas.mfa.registerdevice.label.intro}">Please name the current device.</p>
            </div>
            <form method="post" id="registerform" th:object="${mfaTrustRecord}" th:action="@{/login}">
                <div class="row mb-3">
                    <input type="hidden" id="deviceName" name="deviceName" th:field="*{deviceName}" />
                    <div id="expirationField" style="display:none">
                        <input type="hidden" id="expiration" name="expiration" value="60" />
                        <input type="hidden" id="timeUnit" name="timeUnit" value="DAYS" />
                    </div>
                    <script>document.getElementById("deviceName").value = randomWord();</script>
                </div>
                <div class="my-2 float-end">
                    <button class="btn btn-primary" accesskey="s">
                        <span th:text="#{cas.mfa.registerdevice.button.register}">Register</span>
                    </button>
                    <button class="btn btn-secondary novalidate" accesskey="k" formnovalidate onclick="$('#eventId').val('skip');">
                        <span th:text="#{cas.mfa.registerdevice.button.skip}">Skip</span>
                    </button>
                    <input type="hidden" id="eventId" name="_eventId" value="submit" />
                    <input type="hidden" name="geolocation" />
                    <input type="hidden" name="execution" th:value="${flowExecutionKey}" />
                </div>
            </form>
        </div>
    </main>
</body>

Anthony Oslund

Nov 3, 2023, 6:19:18 PM
to CAS Community, Chris SC

We are using simple MFA, but as far as the expiration (need to re-MFA) goes, the following may help.

I researched every possible expiration property and found that they were ignored.

If you take a close look at the "expirationDate": "2123-11-03T09:23:27.000+00:00" from your note, this is set to expire 100 years in the future.  No matter what we configured it always set the expiration to 100 years in the future.

Due to this and other issues with caching with JDBC, we settled on caching (including MFA) to CouchDB. I had never used CouchDB before, but it literally took 10-15 minutes to install and configure.

If you search for "MFA expiration with couchDb" in this list it explains the solution we ended up using to be able to expire MFA.  Not perfect, but very workable.
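As an added audit/cleanup example (not code from the thread, and not part of CAS itself): since the stored records carry a 100-year expirationDate no matter what is configured, one practical workaround is to enforce a maximum device age out-of-band, directly against the stored records, and delete the ones that are past it. The script below works on the JSON record shape Chris posted (id, principal, recordDate, expirationDate, ...). The two sample records are constructed, the 30-day window and the 50-year "sentinel" threshold are assumptions, and the Mongo filter it builds matches on the record id so that it does not depend on how the dates are typed in the collection.

```python
"""Out-of-band expiry for CAS MFA trusted-device records.

Added example, not CAS code. It works on the record shape shown in the
thread (id, principal, recordDate, expirationDate, ...). The sample records
below are constructed; the 30-day policy and the 50-year sentinel threshold
are assumptions.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample records in the shape CAS 6.6 stores (recordKey shortened).
# The second record is older so that the policy actually triggers on it.
SAMPLE_RECORDS = json.loads("""
[
  {"id": 1699003407119, "principal": "testuser", "deviceFingerprint": "fp-A",
   "recordDate": "2023-11-03T10:23:27+01:00", "recordKey": "<jwt>",
   "name": "charming_wilson", "expirationDate": "2123-11-03T09:23:27.000+00:00"},
  {"id": 1696320000000, "principal": "testuser", "deviceFingerprint": "fp-B",
   "recordDate": "2023-10-03T10:00:00+02:00", "recordKey": "<jwt>",
   "name": "old_laptop", "expirationDate": "2123-10-03T08:00:00.000+00:00"}
]
""")

SENTINEL_YEARS = 50  # assumption: anything this far out is "no real expiry was set"


def parse_ts(value):
    """Parse the ISO-8601 timestamps in the records and normalise to UTC."""
    return datetime.fromisoformat(value).astimezone(timezone.utc)


def has_sentinel_expiry(record, years=SENTINEL_YEARS):
    """True if expirationDate is so far past recordDate that it cannot be a real policy."""
    recorded = parse_ts(record["recordDate"])
    stored = parse_ts(record["expirationDate"])
    return stored - recorded > timedelta(days=365 * years)


def effective_expiry(record, max_age_days):
    """Earliest of the stored expirationDate and recordDate + the policy window."""
    recorded = parse_ts(record["recordDate"])
    stored = parse_ts(record["expirationDate"])
    return min(stored, recorded + timedelta(days=max_age_days))


def expired_ids(records, max_age_days, now=None):
    """IDs of records that should no longer count as trusted under the policy."""
    now = now or datetime.now(timezone.utc)
    return sorted(r["id"] for r in records
                  if effective_expiry(r, max_age_days) <= now)


def purge_filter(records, max_age_days, now=None):
    """MongoDB filter selecting the expired records by id, usable as
    db.TrustedRepository.deleteMany(filter) against the collection named in
    cas.authn.mfa.trusted.mongo.collection (assumption: the id field is stored as-is)."""
    return {"id": {"$in": expired_ids(records, max_age_days, now)}}


if __name__ == "__main__":
    now = datetime(2023, 11, 10, tzinfo=timezone.utc)  # fixed "now" for a reproducible run
    for r in SAMPLE_RECORDS:
        print(r["name"], "sentinel expiry:", has_sentinel_expiry(r),
              "effective expiry (30d):", effective_expiry(r, 30).isoformat())
    print("purge filter:", json.dumps(purge_filter(SAMPLE_RECORDS, 30, now)))
```

Run it periodically (or on the same schedule as other CAS housekeeping) against an export of the collection; a device whose record is deleted will simply be asked for MFA again and offered the registration screen on its next login.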


Chris SC

Nov 6, 2023, 5:04:36 AM
to CAS Community, Anthony Oslund, Chris SC
I understand better now :-) The expiration for trusted devices is +100 years, and there is a solution with CouchDB.
Thanks for pointing out the template and the 'divs' in question.

Christophe.
