CAS 6.x + 2FA/MFA with Google Authenticator


Bartosz Nitkiewicz

Mar 23, 2021, 4:31:32 AM
to CAS Community
Hi,
I'm wondering how to set up 2FA/MFA with Google Authenticator?
For now I have configured my CAS server to authenticate users through LDAP and successfully managed to make SAML work with one of my applications.

I have to set up CAS so that MFA can be enabled for a specific LDAP user. Is that achievable? Should I enable another service to save this info (user enables/disables MFA)?


Philippe MARASSE

Mar 23, 2021, 9:50:55 AM
to cas-...@apereo.org
Hi,

Here we use 2FA, either U2F or TOTP/Gauth, to grant access to a specific service. The 2FA is mandatory but the method is given by an LDAP attribute.

What is your use case? 2FA for all services triggered by an LDAP attribute (I believe it's possible in service configuration)?
Regards.
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/3ac21753-2b33-44ca-aec5-84d2d0fa5865n%40apereo.org.


-- 
Philippe MARASSE

Head of Infrastructure Unit - DSIO
Centre Hospitalier Henri Laborit
CS 10587 - 370 avenue Jacques Cœur
86021 Poitiers Cedex
Tel: 05.49.44.57.19

Bartosz Nitkiewicz

Mar 23, 2021, 10:23:24 AM
to cas-...@apereo.org
Hello,

We thought about another authentication step for users to access some services. The problem is that it can't be mandatory. Users can turn 2FA on and off. It could be done with one of the LDAP extended attributes. Then, if a user has this attribute set to, let's say, true, CAS will use the 2FA method; if not, just regular LDAP authentication.
I know it is possible to use different authentication methods depending on the service.

I'm wondering if it is possible, and how to set up CAS for it.

Ray Bon

Mar 23, 2021, 12:58:52 PM
to cas-...@apereo.org
Bartosz,


Ray

On Tue, 2021-03-23 at 14:23 +0000, Bartosz Nitkiewicz wrote:
-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.

Philippe MARASSE

Mar 23, 2021, 1:05:15 PM
to cas-...@apereo.org
In the service definition, something like this exists:

multifactorPolicy:
  {
    @class: org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy
    multifactorAuthenticationProviders:
    [
      java.util.HashSet
      [
        mfa-gauth
      ]
    ]
    failureMode: UNDEFINED
    principalAttributeNameTrigger: mfaTrigger
    principalAttributeValueToMatch: "true"
    bypassEnabled: false
  }

If I'm not mistaken, 2FA will trigger only if user has an attribute named "mfaTrigger" with the value "true" (both are customizable of course). And the only 2FA asked will be gauth.

For a more complex use case, you can use a Groovy script to inspect user attributes and take the appropriate decision.

Regards.
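To see who will actually be prompted before rolling a policy like the one above into production, it helps to replay the trigger rule over a set of directory users. The following is an added example, not CAS code or anything posted in this thread: it reads a constructed service definition carrying the same multifactorPolicy block and reports, for a few constructed LDAP principals, which MFA provider the policy would demand. It assumes plain equality on the attribute value and that bypassEnabled switches the policy off; CAS's own matching details are not reproduced here.

```python
import json

# Constructed CAS service definition in plain JSON; the multifactorPolicy
# block mirrors the one from the thread, the wrapper fields are assumed.
SERVICE_JSON = """{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "^https://app.example.org/.*",
  "name": "ExampleApp",
  "id": 1001,
  "multifactorPolicy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
    "multifactorAuthenticationProviders": ["java.util.HashSet", ["mfa-gauth"]],
    "failureMode": "UNDEFINED",
    "principalAttributeNameTrigger": "mfaTrigger",
    "principalAttributeValueToMatch": "true",
    "bypassEnabled": false
  }
}"""

# Constructed principals; LDAP attributes are multi-valued, hence lists.
PRINCIPALS = {
    "alice": {"uid": ["alice"], "mfaTrigger": ["true"]},
    "bob":   {"uid": ["bob"],   "mfaTrigger": ["false"]},
    "carol": {"uid": ["carol"]},                          # attribute absent
    "dave":  {"uid": ["dave"],  "mfaTrigger": ["false", "true"]},
}

def required_providers(service, attributes):
    """MFA provider ids the policy demands for this principal; an empty set
    means the trigger did not fire and plain LDAP login suffices."""
    policy = service.get("multifactorPolicy") or {}
    if policy.get("bypassEnabled"):          # bypass disables MFA for the service
        return set()
    name = policy.get("principalAttributeNameTrigger")
    wanted = policy.get("principalAttributeValueToMatch")
    values = attributes.get(name, [])
    if not isinstance(values, list):
        values = [values]
    if wanted not in values:                 # any matching value triggers (assumed)
        return set()
    providers = policy.get("multifactorAuthenticationProviders", [])
    if providers and providers[0] == "java.util.HashSet":
        providers = providers[1]             # drop the serializer's type tag
    return set(providers)

def mfa_report(service_json=SERVICE_JSON, principals=PRINCIPALS):
    """Map each user to the sorted list of providers they would be sent to."""
    service = json.loads(service_json)
    return {u: sorted(required_providers(service, a)) for u, a in principals.items()}
```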

Bartosz Nitkiewicz

Mar 26, 2021, 7:03:50 AM
to CAS Community, Philippe MARASSE
Finally everything is working as expected. I've moved the whole cas.properties config to Vault and set up Redis to store Google Auth registered devices.

Now, I'm wondering how to make it possible for an end user to add another device? How to remove a registered device? Any hints?

Thanks in advance
Regards