MFA Trusted Device on 6.x

Matthew Gordon

May 6, 2022, 2:39:19 PM
to CAS Community
Does anyone actually have it working, even on an older version, and would not mind sharing what they had to do?

I've built CAS with:

support-ldap
support-git-service-registry
support-gauth,support-saml
support-saml-idp
support-oidc
support-couchbase-ticket-registry
support-trusted-mfa
support-trusted-mfa-rest

The configuration:
cas.authn.mfa.gauth.core.label=TEST
cas.authn.mfa.gauth.core.issuer=TESTMFA

cas.authn.mfa.trusted.crypto.encryption.key=[removed]
cas.authn.mfa.trusted.crypto.signing.key=[removed]

cas.authn.mfa.trusted.device-fingerprint.cookie.crypto.encryption.key=[removed]
cas.authn.mfa.trusted.device-fingerprint.cookie.crypto.signing.key=[removed]

cas.authn.mfa.triggers.principal.global-principal-attribute-name-triggers=memberOf
cas.authn.mfa.triggers.principal.global-principal-attribute-value-regex=.*MFA.+

cas.authn.mfa.gauth.rest.url=http://localhost/googleAuthenticator.php?

cas.authn.mfa.gauth.core.trusted-device-enabled=true
cas.authn.mfa.trusted.rest.url=http://localhost/trustedDevice.php?
cas.authn.mfa.trusted.core.auto-assign-device-name=true


cas.authn.mfa.gauth.crypto.encryption.key=[removed]
cas.authn.mfa.gauth.crypto.signing.key=[removed]
cas.authn.mfa.gauth.crypto.enabled=true

cas.authn.mfa.trusted.cleaner.schedule.enabled=false

cas.authn.mfa.trusted.device-fingerprint.cookie.comment=AUTH
cas.authn.mfa.trusted.device-fingerprint.cookie.max-age=36000
cas.authn.mfa.trusted.device-fingerprint.cookie.name=AUTH

cas.authn.mfa.trusted.device-fingerprint.client-ip.order=0
cas.authn.mfa.trusted.device-fingerprint.cookie.order=1
cas.authn.mfa.trusted.device-fingerprint.component-separator=@

cas.authn.mfa.trusted.device-fingerprint.geolocation.enabled=false
cas.authn.mfa.trusted.device-fingerprint.client-ip.enabled=true
cas.authn.mfa.trusted.device-fingerprint.cookie.enabled=true

I'm pretty much not getting anywhere with any of the advanced MFA options, and it's kinda disappointing. I've even tried the in-memory trusted device option to no avail.

Thank you,
Matt
