mfa-simple email and sms selection


Agus Santosa

Sep 7, 2024, 8:57:58 AM
to CAS Community
Hi,

I am trying to implement mfa-simple with email and sms as available options to users.
In my property file, I have the following properties defined

cas.authn.mfa.triggers.global.global-provider-id=mfa-simple

cas.authn.mfa.simple.sms.attribute-name=phone
....

cas.authn.mfa.simple.mail.attribute-name=email
....

cas.authn.mfa.core.provider-selection.provider-selection-enabled=true


I am not sure what to provide in the "cas.authn.mfa.triggers.global.global-provider-id" property, because both email and sms are in the same "mfa-simple" provider.

Is there a way to do it without any custom code?



Ray Bon

Sep 9, 2024, 9:15:59 PM
to cas-...@apereo.org
Agus,

My interpretation of the docs is that if you fill in both sms and email, the user will get to choose (or cas will send to both).

Ray


Ray Bon

Jan 7, 2025, 11:03:04 PM
to cas-...@apereo.org, dinak...@gmail.com
DINAKAR,

What is the log output?

Ray

On Tue, 2025-01-07 at 13:06 -0800, DINAKAR N wrote:
Hi,
CAS overlay with 7.2 is saying "MFA provider unavailable" after successful credential validation.
Expecting: it should send an email with the token as per configuration, and after the token is entered it should say login successful.

please find the below configuration.
1. application.properties
cas.authn.mfa.simple.token.core.time-to-kill-in-seconds=30
cas.authn.mfa.simple.token.core.token-length=6
cas.authn.mfa.simple.name=mfa-simple
cas.authn.mfa.simple.order=1
cas.authn.mfa.simple.globalPrincipalAttributeNameTriggers=memberof
cas.authn.mfa.simple.globalPrincipalAttributeValueRegex=grouptest
cas.authn.mfa.simple.mail.from=****@gmail.com
cas.authn.mfa.simple.mail.text=Hello! Your requested CAS token is %s
cas.authn.mfa.simple.mail.subject=CAS MFA Token
cas.authn.mfa.simple.mail.attributeName=mail
cas.authn.mfa.triggers.global.global-provider-id=mfa-simple
cas.authn.mfa.global-provider-id=mfa-simple
cas.authn.accept.users=null
cas.authn.jdbc.query[0].sql=****
cas.authn.jdbc.query[0].url=jdbc:mysql://*.*.*.*:3306/test
cas.authn.jdbc.query[0].dialect=org.hibernate.dialect.MySQLDialect
cas.authn.jdbc.query[0].user=****
cas.authn.jdbc.query[0].password=****
cas.authn.jdbc.query[0].ddlAuto=none
cas.authn.jdbc.query[0].driverClass=com.mysql.cj.jdbc.Driver
cas.authn.jdbc.query[0].fieldPassword=****
cas.authn.jdbc.query[0].passwordEncoder.type=****
cas.webflow.auto-configuration.order=0
cas.webflow.auto-configuration.enabled=true
password.management.enabled=true
spring.mail.properties.mail.smtp.starttls.enable=true
spring.mail.properties.mail.smtp.ssl.enable=true
spring.mail.properties.mail.smtp.auth=true
spring.mail.host=smtp.gmail.com
spring.mail.username=***@gmail.com
spring.mail.protocol=smtp
spring.mail.password=****
spring.mail.port=587
spring.mail.testConnection=true
spring.mail.default-encoding=UTF-8

After successful credential validation it's giving the following error:
MFA provider unavailable
PFA.


Ray Bon

Jan 9, 2025, 5:30:04 PM
to cas-...@apereo.org
DINAKAR,


It has a trace level log. Adjust log level and see if it is printed.

Ray


On Thu, 2025-01-09 at 18:54 +0530, DINAKAR N wrote:
please find the below logs,


2025-01-09 18:53:06.376  INFO 3732 --- [io-8080-exec-10] o.a.i.a.s.Slf4jLoggingAuditTrailManager  : Audit trail record BEGIN
=============================================================
WHO: dinakar
WHAT: {principal=dinakar, execution=true, provider=mfa-simple}
ACTION: MULTIFACTOR_AUTHENTICATION_BYPASS
APPLICATION: CAS
WHEN: Thu Jan 09 18:53:06 IST 2025
CLIENT IP ADDRESS: 0:0:0:0:0:0:0:1
SERVER IP ADDRESS: 0:0:0:0:0:0:0:1
=============================================================


2025-01-09 18:53:06.376 DEBUG 3732 --- [io-8080-exec-10] .a.MultifactorAuthenticationBypassAction : Bypass rules determined MFA should execute for user [dinakar] and provider [mfa-simple]
2025-01-09 18:53:06.377 DEBUG 3732 --- [io-8080-exec-10] .a.MultifactorAuthenticationBypassAction : Authentication updated to forget any existing bypass for user [dinakar] for provider [mfa-simple]
2025-01-09 18:53:06.378 DEBUG 3732 --- [io-8080-exec-10] factorAuthenticationFailureModeEvaluator : Setting failure mode to [CLOSED] based on global policy
2025-01-09 18:53:06.378 DEBUG 3732 --- [io-8080-exec-10] factorAuthenticationFailureModeEvaluator : Provider failure mode [CLOSED] overriding global mode [CLOSED]
2025-01-09 18:53:06.382 DEBUG 3732 --- [io-8080-exec-10] asSimpleMultifactorAuthenticationService : Created multifactor authentication token [CASMFA-749442] for service [null]
2025-01-09 18:53:06.383 DEBUG 3732 --- [io-8080-exec-10] .w.f.CasSimpleMultifactorSendTokenAction : Using token [CASMFA-749442] created at [2025-01-09T13:23:06.382326200Z]
2025-01-09 18:53:06.386 ERROR 3732 --- [io-8080-exec-10] .w.f.CasSimpleMultifactorSendTokenAction : Communication strategies failed to submit token [CASMFA-749442] to user

On Thu, Jan 9, 2025 at 3:51 PM DINAKAR N <dinak...@gmail.com> wrote:
Ray Bon,
If you have free time, please let me know; we will have a short call on this.

On Wed, Jan 8, 2025 at 7:45 AM Ray Bon <rb...@uvic.ca> wrote:
DINAKAR,

You may have to turn on debug or trace logging to see what it is trying to do.
Check your config. It looks like it tried to send but could not.

Ray

On Wed, 2025-01-08 at 03:07 +0530, DINAKAR N wrote:

Hi Rbon,
please find the following log output,

2025-01-08 03:02:43,808 ERROR [org.apereo.cas.mfa.simple.web.flow.CasSimpleMultifactorSendTokenAction] - <Communication strategies failed to submit token [CASMFA-073802] to user>

Marcin Roman

Jan 15, 2025, 10:56:34 PM
to CAS Community, Ray Bon
This behaviour is VERY strange.
You actually have to have a number of email addresses != 1 AND a number of phone numbers != 1.
It means that if you have 1 email and 2 phones, then the user won't be presented with a choice.

https://github.com/apereo/cas/blob/7.1.x/support/cas-server-support-simple-mfa-core/src/main/java/org/apereo/cas/mfa/simple/web/flow/CasSimpleMultifactorSendTokenAction.java

Moreover, the phone number and email address aren't obfuscated well enough. It would be much more secure to label each address, e.g. 'work phone', 'home phone', etc.

In my opinion it should be possible to define multiple cas.authn.mfa.simple[x] providers for each email address and phone number just like config for duo security.
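The two behaviours discussed in this thread (the "Communication strategies failed to submit token" error when no channel can deliver, and the selection rule Marcin describes above, where a choice is only offered when the email count != 1 AND the phone count != 1) can be modelled in a few lines. The following is an added example written for this thread, not CAS code: the attribute names `mail` and `phone` mirror the properties posted above, and the direct-send behaviour when no choice is offered, as well as the label-based display Marcin proposes, are assumptions of the model rather than documented CAS behaviour.

```python
"""Model of mfa-simple recipient resolution and provider selection.

Constructed example for this thread, not CAS source code. It reproduces:
  * the rule described in the thread: a channel choice is offered only when
    number_of_emails != 1 AND number_of_phones != 1;
  * the observed failure: if no recipient attribute resolves, the token
    cannot be submitted at all (the ERROR line DINAKAR posted).
Everything beyond those two points (e.g. "send to every resolved recipient"
when no choice is offered) is an assumption of this model.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class SimpleMfaConfig:
    # Mirrors cas.authn.mfa.simple.mail.attribute-name / sms.attribute-name.
    mail_attribute: Optional[str] = "mail"
    sms_attribute: Optional[str] = "phone"


def _attribute_values(attrs: Dict[str, object], name: Optional[str]) -> List[str]:
    """Return the non-empty values of a principal attribute (single or multi-valued)."""
    if not name:
        return []
    raw = attrs.get(name, [])
    values = [raw] if isinstance(raw, str) else list(raw)
    return [v for v in values if v]


def resolve_recipients(attrs: Dict[str, object], cfg: SimpleMfaConfig) -> Dict[str, List[str]]:
    """Resolve the email and phone recipients for a principal under the given config."""
    return {
        "email": _attribute_values(attrs, cfg.mail_attribute),
        "sms": _attribute_values(attrs, cfg.sms_attribute),
    }


def offers_selection(recipients: Dict[str, List[str]]) -> bool:
    """The rule quoted in the thread: choice only when emails != 1 AND phones != 1."""
    return len(recipients["email"]) != 1 and len(recipients["sms"]) != 1


def labelled_choices(recipients: Dict[str, List[str]], labels: Dict[str, str]) -> List[str]:
    """Display choices by a label (e.g. 'work phone') instead of a masked value.

    `labels` maps the raw value to a human-readable label; unlabelled values
    are never echoed back, only their channel and position. Assumed design,
    following the suggestion in the post above.
    """
    out = []
    for channel, values in recipients.items():
        for i, v in enumerate(values, start=1):
            out.append(labels.get(v, f"{channel} #{i}"))
    return out


def plan_delivery(attrs: Dict[str, object], cfg: SimpleMfaConfig) -> Dict[str, object]:
    """Decide what happens after primary authentication for this principal."""
    recipients = resolve_recipients(attrs, cfg)
    total = len(recipients["email"]) + len(recipients["sms"])
    if total == 0:
        # Matches the observed failure: no communication strategy can deliver.
        return {"status": "error",
                "reason": f"no value for attribute(s) {cfg.mail_attribute!r}/{cfg.sms_attribute!r}"}
    if offers_selection(recipients):
        return {"status": "select", "recipients": recipients}
    # Assumed: without a selection step the token goes to every resolved recipient.
    return {"status": "send", "recipients": recipients}


if __name__ == "__main__":
    cfg = SimpleMfaConfig()
    # Constructed principals for illustration.
    print(plan_delivery({"mail": ["user@example.org"], "phone": ["+10000000001", "+10000000002"]}, cfg))
    print(plan_delivery({"email": "user@example.org"}, cfg))  # attribute named 'email', config expects 'mail'
```

Running the block shows the 1-email/2-phones case going straight to "send" with no choice, and the second principal failing outright because its attribute is named `email` while the configuration reads `mail`; that mismatch is one of the first things to check when the "Communication strategies failed to submit token" line appears.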