Google Authenticator Error


Shawn Cutting

Aug 9, 2019, 9:13:18 AM
to CAS Community
I am trying to get CAS 5.3.9 working with Google Authenticator MFA, but I am getting the following error:

Error: Exception thrown executing org.apereo.cas.trusted.web.flow.MultifactorAuthenticationVerifyTrustAction@7b20419f in state 'verifyTrustedDevice' of flow 'mfa-gauth' -- action execution attributes were 'map['resolvedAuthenticationEvents' -> set[mfa-gauth]]'

The config is below:

cas.server.name: https://********
cas.server.prefix: ${cas.server.name}/cas

cas.logout.followServiceRedirects=true

cas.view.templatePrefixes[0]=file:///etc/cas/templates

logging.config=file:/etc/cas/config/log4j2.xml

cas.serviceRegistry.json.location=file:/etc/cas/services

cas.authn.accept.users=

cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldaps://*********
cas.authn.ldap[0].bindDn=*********
cas.authn.ldap[0].bindCredential=*********
cas.authn.ldap[0].useSsl=true
cas.authn.ldap[0].useStartTls=false
cas.authn.ldap[0].poolPassivator=BIND
cas.authn.ldap[0].baseDn=*********
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].searchFilter=(*********)
cas.authn.ldap[0].principalAttributeId=cn
cas.authn.ldap[0].principalAttributeList=*********

cas.authn.attributeRepository.ldap[0].attributes.sAMAccountName=UDC_IDENTIFIER
cas.authn.attributeRepository.ldap[0].attributes.mail=email
cas.authn.attributeRepository.ldap[0].attributes.givenName=firstName
cas.authn.attributeRepository.ldap[0].attributes.sn=lastName
cas.authn.attributeRepository.ldap[0].attributes.cn=user
cas.authn.attributeRepository.ldap[0].attributes.memberOf=memberOf

### Authy setup
cas.authn.mfa.authy.apiKey=*********
cas.authn.mfa.authy.apiUrl=*********
cas.authn.mfa.authy.phoneAttribute=mobile
cas.authn.mfa.authy.mailAttribute=extenstionattribute1
cas.authn.mfa.authy.countryCode=1
cas.authn.mfa.authy.forceVerification=true
cas.authn.mfa.authy.trustedDeviceEnabled=false
cas.authn.mfa.authy.name=castest

### Google Authenticator setup

#cas.authn.mfa.globalProviderId=mfa-gauth

cas.authn.mfa.gauth.issuer=Messiah_College_CAS
cas.authn.mfa.gauth.label=Username
cas.authn.mfa.gauth.windowSize=3
cas.authn.mfa.gauth.codeDigits=6
cas.authn.mfa.gauth.timeStepSize=30
cas.authn.mfa.gauth.rank=0
cas.authn.mfa.gauth.trustedDeviceEnabled=true
cas.authn.mfa.gauth.name=castest
cas.authn.mfa.gauth.json.location=file:/etc/cas/config/gauth.json
#cas.authn.mfa.gauth.rest.endpointUrl=https://*********/processGauth.php

cas.authn.mfa.gauth.crypto.encryption.key=*********
cas.authn.mfa.gauth.crypto.encryption.keySize=256
cas.authn.mfa.gauth.crypto.signing.key=*********
cas.authn.mfa.gauth.crypto.signing.keySize=512
cas.authn.mfa.gauth.crypto.enabled=true

#cas.authn.mfa.gauth.cleaner.enabled=true
#cas.authn.mfa.gauth.cleaner.schedule.startDelay=20000
#cas.authn.mfa.gauth.cleaner.schedule.repeatInterval=60000

cas.authn.mfa.trusted.authenticationContextAttribute=isFromTrustedMultifactorAuthentication
cas.authn.mfa.trusted.deviceRegistrationEnabled=true
cas.authn.mfa.trusted.expiration=30
cas.authn.mfa.trusted.timeUnit=DAYS
cas.authn.mfa.trusted.json.location=file:/etc/cas/config/trusted-dev.json
#cas.authn.mfa.trusted.rest.endpoint=https://*********/trustedBrowser/index.php
cas.authn.mfa.trusted.crypto.encryption.key=*********
cas.authn.mfa.trusted.crypto.encryption.keySize=256
cas.authn.mfa.trusted.crypto.signing.key=*********
cas.authn.mfa.trusted.crypto.signing.keySize=512
cas.authn.mfa.trusted.crypto.enabled=true
cas.authn.mfa.trusted.deviceFingerprint.cookie.crypto.encryption.key=*********
cas.authn.mfa.trusted.deviceFingerprint.cookie.crypto.encryption.keySize=256
cas.authn.mfa.trusted.deviceFingerprint.cookie.crypto.signing.key=*********
cas.authn.mfa.trusted.deviceFingerprint.cookie.crypto.signing.keySize=512
cas.authn.mfa.trusted.deviceFingerprint.cookie.crypto.enabled=true

cas.tgc.crypto.encryption.key=*********
cas.tgc.crypto.encryption.keySize=256
cas.tgc.crypto.signing.key=*********
cas.tgc.crypto.signing.keySize=512
cas.tgc.crypto.enabled=true

cas.webflow.crypto.signing.key=*********
cas.webflow.crypto.signing.keySize=512
cas.webflow.crypto.encryption.key=*********
cas.webflow.crypto.encryption.keySize=16
cas.webflow.crypto.enabled=true

cas.monitor.endpoints.enabled=true
cas.monitor.endpoints.sensitive=false

cas.monitor.freeMemThreshold=10

cas.ticket.st.numberOfUses=1
cas.ticket.st.timeToKillInSeconds=300
cas.ticket.tgt.maxTimeToLiveInSeconds=36000
cas.ticket.tgt.timeToKillInSeconds=28000
cas.ticket.tgt.timeout.maxTimeToLiveInSeconds=36000
# cas.ticket.tgt.rememberMe.enabled=false
# cas.ticket.tgt.rememberMe.timeToKillInSeconds=1

cas.interrupt.rest.url=https://*********/interrupts/process.php
cas.interrupt.rest.method=GET


My ultimate goal is to get this to work using a REST call so that I can store the user and device information (I have asked that in a different thread) but at this point, I am not sure why the JSON file-based is throwing the error. Any thoughts would be greatly appreciated!

Thanks,
Shawn
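
The gauth settings in the configuration above (codeDigits=6, timeStepSize=30, windowSize=3) are the parameters CAS hands to its TOTP validation of the code the authenticator app produces. As an added example that is not part of this thread and not CAS's own code, here is a self-contained Python TOTP verifier (RFC 6238 over RFC 4226 HOTP with HMAC-SHA1) driven by those three values. The function names, the Base32 handling, and the assumption that windowSize counts the total number of time steps checked, centred on the current step, are mine; the secret is the RFC 6238 test vector, not a real key.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Values taken from the gauth settings in the thread's configuration.
CODE_DIGITS = 6
TIME_STEP_SIZE = 30
WINDOW_SIZE = 3

# Constructed sample: the RFC 4226/6238 test secret "12345678901234567890"
# in Base32, the encoding Google Authenticator apps consume. Not a real key.
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = CODE_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP_SIZE,
         digits: int = CODE_DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step, digits)


def decode_secret(secret_b32: str) -> bytes:
    """Base32-decode an app secret, tolerating lower case, spaces and missing '=' padding."""
    normalized = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(normalized + "=" * (-len(normalized) % 8))


def verify_totp(secret_b32: str, code: str, unix_time: int,
                window: int = WINDOW_SIZE, step: int = TIME_STEP_SIZE,
                digits: int = CODE_DIGITS) -> Optional[int]:
    """Return the step offset (0 = current step) at which `code` matches, or None.

    Assumption (mine, not taken from CAS docs): `window` is the total number of
    time steps tried, centred on the current one, so window=3 tries the previous,
    current and next step. Comparison is constant-time per candidate.
    """
    if len(code) != digits or not code.isdigit():
        return None
    secret = decode_secret(secret_b32)
    counter = unix_time // step
    lo, hi = -((window - 1) // 2), window // 2
    for delta in range(lo, hi + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, digits), code):
            return delta
    return None


if __name__ == "__main__":
    # Show the code an app would display right now for the sample secret,
    # and confirm that the verifier accepts it at offset 0.
    now = int(time.time())
    current = totp(decode_secret(SAMPLE_SECRET_B32), now)
    print("current code:", current, "matched at offset", verify_totp(SAMPLE_SECRET_B32, current, now))
```

The offset returned by verify_totp is worth logging: a steady stream of -1 or +1 matches points at client clock skew, which is the only reason to widen windowSize. Every extra step in the window also widens the set of codes an online guess will hit, so keep the window small and rate-limit verification attempts; a production store should additionally remember the last accepted counter per user so that a code cannot be replayed within its window.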

Shawn Cutting

Aug 11, 2019, 8:51:49 PM
to CAS Community
I was able to figure out how to get the Google Authenticator working with a REST call (to dynamically return the correctly formatted JSON information), but I am still unable to use REST to store/register a new code for a user (I am not sure how to send the POST data to store the information). Any help would be appreciated.

Thanks!
Shawn

Shawn Cutting

Aug 13, 2019, 4:56:21 PM
to CAS Community
It seems that I am back where I started, but I think I know what the culprit is. I am trying to use a REST call to store the trusted devices of Google Authenticator, but simply building the "cas-server-support-trusted-mfa-rest" into the overlay causes the gauth to not function at all.

If anyone has had any success with REST and google authenticator/trusted devices, I could sure use the help.

Shawn