Cas 6.1.2, anyone had a luck using MFA selection menu as shown on the cas blog


randomuser878

Dec 20, 2019, 2:30:06 PM
to CAS Community
Hello

Using CAS 6.1.2 and compiled cas-management (master branch, thanks to Travis et al.) for fixing the attribute and pac4j compatible changes and the 6.x tree.

Assigned: cas.authn.mfa.provider-selection-enabled=true

I also tried/set the rank value the same (i.e. 100) for mfa-google and mfa-yubikey.
When set up for only one MFA, I get MFA for that device.
When choosing two MFA values, the MFA is entirely bypassed. I never see the selection as shown in the blog article. The JSON export from cas-management is shown below.
I am certain I am missing something obvious. Any clue is greatly appreciated.

Is this implementation mandatory for this integration: cas.authn.mfa.providerSelectorGroovyScript=file:/etc/cas/mfaGroovySelector.groovy

If so, any clues on how to proceed.

I also searched the parameters for any additional parameter, to no avail.
gradlew runShell
java -jar build/libs/cas-server-support-shell-6.1.2.jar

cas>find --name mfa.provider
Property: cas.authn.adaptive.risk.response.mfa-provider
Group: cas.authn.adaptive.risk.response
Default Value: [blank]
Type: java.lang.String
Summary: If an authentication attempt is deemed risky, force a multi-factor authentication event noted by the provider id here.
Description: If an authentication attempt is deemed risky, force a multi-factor authentication event noted by the provider id here.
Deprecated: no
----------------------------------------------------------------------
Property: cas.authn.mfa.provider-selector-groovy-script
Group: cas.authn.mfa
Default Value: [blank]
Type: org.springframework.core.io.Resource
Summary: In the event that multiple multifactor authentication providers are determined for a multifactor authentication transaction, by default CAS will attempt to sort the collection of providers based on their rank and will pick one with the highest priority.
Description: In the event that multiple multifactor authentication providers are determined for a multifactor authentication transaction, by default CAS will attempt to sort the collection of providers based on their rank and will pick one with the highest priority. This use case may arise if multiple triggers are defined where each decides on a different multifactor authentication provider, or the same provider instance is configured multiple times with many instances. Provider selection may also be carried out using Groovy scripting strategies more dynamically. The following example should serve as an outline of how to select multifactor providers based on a Groovy script.
Deprecated: no
----------------------------------------------------------------------
Property: cas.authn.mfa.provider-selection-enabled
Group: cas.authn.mfa
Default Value: false
Type: java.lang.Boolean
Summary: In the event that multiple multifactor authentication providers are determined for a multifactor authentication transaction, this setting will allow one to interactively choose a provider out of the list of available providers.
Description: In the event that multiple multifactor authentication providers are determined for a multifactor authentication transaction, this setting will allow one to interactively choose a provider out of the list of available providers. A trigger may be designed to support more than one provider, and rather than letting CAS auto-determine the selected provider via scripts or ranking strategies, this method puts the choice back onto the user to decide which provider makes the most sense at any given time.
Deprecated: no


JSON output from cas-management (sensitive info changed):
{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "^https://somewhere.and.nowhere(\\z|/.*)",
  "name": "SAMPLE",
  "id": 1,
  "expirationPolicy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceExpirationPolicy",
    "deleteWhenExpired": false,
    "notifyWhenDeleted": false,
    "notifyWhenExpired": false
  },
  "proxyPolicy": {
    "@class": "org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy"
  },
  "proxyTicketExpirationPolicy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceProxyTicketExpirationPolicy",
    "numberOfUses": 0
  },
  "serviceTicketExpirationPolicy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceServiceTicketExpirationPolicy",
    "numberOfUses": 0
  },
  "evaluationOrder": 1,
  "usernameAttributeProvider": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider",
    "canonicalizationMode": "NONE",
    "encryptUsername": false
  },
  "logoutType": "BACK_CHANNEL",
  "requiredHandlers": ["java.util.HashSet", []],
  "environments": ["java.util.HashSet", []],
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "principalAttributesRepository": {
      "@class": "org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository",
      "mergingStrategy": "MULTIVALUED",
      "ignoreResolvedAttributes": false
    },
    "consentPolicy": {
      "@class": "org.apereo.cas.services.consent.DefaultRegisteredServiceConsentPolicy",
      "enabled": true,
      "order": 0
    },
    "authorizedToReleaseCredentialPassword": false,
    "authorizedToReleaseProxyGrantingTicket": false,
    "excludeDefaultAttributes": false,
    "authorizedToReleaseAuthenticationAttributes": true,
    "order": 0,
    "allowedAttributes": ["java.util.ArrayList", ["mail", "cn", "groupMembership"]]
  },
  "multifactorPolicy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
    "multifactorAuthenticationProviders": ["java.util.HashSet", ["mfa-gauth", "mfa-yubikey"]],
    "failureMode": "PHANTOM",
    "principalAttributeNameTrigger": "groupMembership",
    "principalAttributeValueToMatch": "cn=SOME_GROUP_DN",
    "bypassEnabled": false,
    "forceExecution": false,
    "bypassTrustedDeviceEnabled": false
  },
  "accessStrategy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "order": 0,
    "enabled": true,
    "ssoEnabled": true,
    "delegatedAuthenticationPolicy": {
      "@class": "org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy",
      "allowedProviders": ["java.util.ArrayList", []],
      "permitUndefined": true,
      "exclusive": false
    },
    "requireAllAttributes": true,
    "requiredAttributes": {"@class": "java.util.LinkedHashMap"},
    "rejectedAttributes": {"@class": "java.util.LinkedHashMap"},
    "caseInsensitive": false
  },
  "properties": {"@class": "java.util.LinkedHashMap"},
  "contacts": ["java.util.ArrayList", []]
}

(failureMode: PHANTOM; also tried with CLOSED, to no avail.)
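As an added illustration (not CAS code and not from the original post), a small Python model of the two resolution strategies the property descriptions above describe, ranking versus interactive selection, applied to the posted service's multifactorPolicy. It assumes the attribute trigger is matched as a regex search over each attribute value and that equal ranks are tie-broken by provider id; CAS's real matching and tie-breaking may differ.

```python
import re

# Constructed sample: the multifactorPolicy slice of the service posted above,
# with the java.util.HashSet wrapper removed, plus assumed provider ranks
# (the post says both were set to 100).
SERVICE_MFA_POLICY = {
    "multifactorAuthenticationProviders": ["mfa-gauth", "mfa-yubikey"],
    "principalAttributeNameTrigger": "groupMembership",
    "principalAttributeValueToMatch": "cn=SOME_GROUP_DN",
}
PROVIDER_RANKS = {"mfa-gauth": 100, "mfa-yubikey": 100}


def triggered_providers(policy, attributes):
    """Provider ids the service policy activates for this principal.

    Assumption: the trigger value is a regex searched in each value of the
    named attribute; no attribute or no match means the policy does not fire."""
    values = attributes.get(policy["principalAttributeNameTrigger"], [])
    pattern = re.compile(policy["principalAttributeValueToMatch"])
    if not any(pattern.search(v) for v in values):
        return []
    return list(policy["multifactorAuthenticationProviders"])


def resolve(policy, attributes, ranks, selection_enabled):
    """Outcome of one MFA transaction under the two strategies described
    in the property summaries: interactive selection vs. ranking."""
    candidates = triggered_providers(policy, attributes)
    if not candidates:
        return {"mfa": False, "provider": None, "menu": []}
    if selection_enabled and len(candidates) > 1:
        # Selection menu: the user picks, so no provider is chosen here
        return {"mfa": True, "provider": None, "menu": sorted(candidates)}
    # Ranking: highest rank wins. Equal ranks (as in the post) leave nothing
    # to sort on; the tie is broken by id here so the result is stable.
    winner = sorted(candidates, key=lambda p: (-ranks.get(p, 0), p))[0]
    return {"mfa": True, "provider": winner, "menu": []}


if __name__ == "__main__":
    member = {"groupMembership": ["cn=SOME_GROUP_DN,ou=groups,dc=example"]}
    outsider = {"groupMembership": ["cn=OTHER,ou=groups,dc=example"]}
    print(resolve(SERVICE_MFA_POLICY, member, PROVIDER_RANKS, True))
    print(resolve(SERVICE_MFA_POLICY, member, PROVIDER_RANKS, False))
    print(resolve(SERVICE_MFA_POLICY, outsider, PROVIDER_RANKS, True))
```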


Alexis

Jun 12, 2020, 9:43:02 AM
to CAS Community
Hello,

I really hope you already found a solution, but if not, for my part, I did:

cas.authn.mfa.globalProviderId=mfa-yubikey,mfa-gauth

And it works!

Regards,

randomuser878

Jul 10, 2020, 3:58:21 PM
to CAS Community, Alexis
Hello Alexis,

Many thanks for the feedback.
If you happen to see this, any chance you can share how you set these two parameters?
cas.authn.mfa.globalPrincipalAttributeNameTriggers=memberOf
cas.authn.mfa.globalPrincipalAttributeValueRegex=something

Was the regex just the top entry, case sensitive, for cn=something, ou=..., or was a full DN match in order?
Any chance you used a different attribute outside MS-AD LDAP, like groupMembership, for the name trigger?
What was the value for cas.authn.mfa.globalFailureMode: OPEN, PHANTOM or CLOSED?
On individual websites, what did you have to do to ensure that if the above cas.authn.mfa.globalPrincipalAttributeNameTriggers/Regex does not match, it does not enforce an MFA request?
Currently, match or no match on globalPrincipalAttributeNameTriggers/Regex, MFA is required from the individual site.

Thanks again.