CAS 6.2.7 & 6.3.0 - global mfa - it's on all the time


Andrew Marker

Feb 2, 2021, 2:34:28 PM
to CAS Community
Hey, 

I'm moving from 5.3.x to 6.2.7 and I'm stymied in my progress by something I hope is obvious.  Since it is happening in both 6.2.7 and 6.3.0, I'm hoping it is just misconfiguration on my part and I'm hoping to get some guidance.

Below are the relevant configurations ported from v5.3. Most notably I had to convert all these properties from camelCase to hyphenated-lowercase.  The issue is that it does not seem to respect the trigger attributes as 5.3 does.  My assumption is that only folk in a group called multifactor-authentication will be prompted for DUO.

If I enable global mfa, by setting the provider id, all requests including delegate auth are transitioned to the duo workflow:  They either are asked to setup mfa on a phone, or it just fails (delegate without enough info).  Currently I only have one MFA provider.

# Duo Security
cas.authn.mfa.duo[0].id=mfa-duo
cas.authn.mfa.duo[0].rank=0
cas.authn.mfa.duo[0].name=Duo Security
cas.authn.mfa.duo[0].duo-secret-key=myFirstSupaSekritKey
cas.authn.mfa.duo[0].duo-application-key=mySecondSupaSekritKey
cas.authn.mfa.duo[0].duo-integration-key=myTirdSupaSekritKey
cas.authn.mfa.duo[0].duo-api-host=api-8675309.duosecurity.com

#Global MFA
cas.authn.mfa.request-parameter=authn_method
cas.authn.mfa.global-provider-id=mfa-duo
cas.authn.mfa.global-failure-mode=OPEN
cas.authn.mfa.global-principal-attribute-name-triggers=isMemberOf
cas.authn.mfa.global-principal-attribute-value-regex=.*cn=multifactor-authentication.*

Ray Bon

Feb 2, 2021, 2:55:15 PM
to cas-...@apereo.org
Andrew,

The 6.x series of cas properties should be camelCase (the docs have not been updated).

Ray

-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.

Andrew Marker

Feb 2, 2021, 5:17:11 PM
to CAS Community, Ray Bon
Thanks Ray.

It seems as though some (at least) have overrides in place for the use of either. That would be super confusing if some have overrides and others do not.
For example, these both work in 6.2.7 and 6.3:
  • cas.theme.defaultThemeName
  • cas.theme.default-theme-name

  • cas.authn.mfa.globalProviderId
  • cas.authn.mfa.global-provider-id
So far I'm not having luck with either when it comes to the following, or my regex is not valid in the context of this property.  It's strictly in my case a multi-value attribute, however assuming it was a string, I am hoping my initial regex would work in the context of a string or string array "under the covers".
  • cas.authn.mfa.globalPrincipalAttributeNameTriggers
  • cas.authn.mfa.globalPrincipalAttributeValueRegex

I imagine this is working for others?  In pre-production, I can experiment with service by service, but there are many rules in production and I guess that would strictly still work.

Again I am grateful for the guidance you've elected to provide.

Ray Bon

Feb 2, 2021, 5:50:48 PM
to atma...@gmail.com, cas-...@apereo.org
Andrew,

This logger will tell you what attributes are found:

        <!-- DEBUG Found principal attributes [...] for [username]
                   Attribute policy [???] allows release of [...] for [username]
                   Final collection of attributes allowed are: [...] -->
        <AsyncLogger name="org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy" level="debug"/>

Ray

P.S. It may be that Spring is doing some extra processing of the properties. I will have to test this.

Misagh Moayyed

Feb 5, 2021, 12:16:04 PM
to CAS Community
On Tuesday, February 2, 2021 at 11:34:28 PM UTC+4 Andrew Marker wrote:
Hey, 

I'm moving from 5.3.x to 6.2.7 and I'm stymied in my progress by something I hope is obvious.  Since it is happening in both 6.2.7 and 6.3.0, I'm hoping it is just misconfiguration on my part and I'm hoping to get some guidance.

Below are the relevant configurations ported from v5.3. Most notably I had to convert all these properties from camelCase to hyphenated-lowercase. 

That's great. Do note that this is generally a good idea to do in 6.3.x, and it only affects settings that conditionally enable "Spring Beans". Otherwise, cas-this and casThis and cas_this are all the same. Best to go for "kebab-case" anyway.
 
The issue is that it does not seem to respect the trigger attributes as 5.3 does.  My assumption is that only folk in a group called multifactor-authentication will be prompted for DUO.

No. The "cas.authn.mfa.global-provider-id=mfa-duo" activated mfa for everything and everyone, regardless.

From the docs: "MFA can be triggered for all applications and users regardless of individual settings. This setting holds the value of an MFA provider that shall be activated for all requests, regardless.". 

So if you want MFA to be triggered for a select group, I would remove that and look for debug logs that show how your attribute and its value as a pattern is processed.
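To make the interaction of the two settings concrete, here is a small added model (Python, written for this thread; it is not CAS's own code) of how the thread's properties decide whether a principal is sent to the Duo flow: a configured global provider id fires for every request, and only when it is absent does the isMemberOf regex decide, applied to each value of a multi-valued attribute or to a plain string. The property names are the ones from the thread; the sample principals, the comma-splitting of trigger names and the use of re.search are assumptions of this example.

```python
import re

# Constructed properties mirroring the thread (Duo secrets omitted).
PROPS_GLOBAL = {
    "cas.authn.mfa.global-provider-id": "mfa-duo",
    "cas.authn.mfa.global-principal-attribute-name-triggers": "isMemberOf",
    "cas.authn.mfa.global-principal-attribute-value-regex": ".*cn=multifactor-authentication.*",
}
# Same settings with the global provider id removed, as suggested in the reply above.
PROPS_ATTR_ONLY = {k: v for k, v in PROPS_GLOBAL.items()
                   if k != "cas.authn.mfa.global-provider-id"}

# Constructed sample principals (hypothetical DNs, not from the thread).
MFA_GROUP_DN = "cn=multifactor-authentication,ou=groups,dc=example,dc=edu"
STAFF_GROUP_DN = "cn=staff,ou=groups,dc=example,dc=edu"
MEMBER = {"uid": "alice", "isMemberOf": [STAFF_GROUP_DN, MFA_GROUP_DN]}
NON_MEMBER = {"uid": "bob", "isMemberOf": [STAFF_GROUP_DN]}
SCALAR_MEMBER = {"uid": "carol", "isMemberOf": MFA_GROUP_DN}   # single-valued release
NO_ATTRIBUTE = {"uid": "dave"}   # e.g. a delegated-auth principal with nothing released


def _values(value):
    """Normalise a released attribute to a list: a str stays one value, lists pass through."""
    return [value] if isinstance(value, str) else list(value)


def select_mfa_provider(props, principal_attrs, provider_id="mfa-duo"):
    """Return the provider id to activate for this request, or None when no trigger fires.

    Models the precedence described in the thread: the global provider id applies to
    all requests regardless of attributes; the attribute trigger is consulted only
    when no global provider id is set. Matching uses re.search (an assumption here;
    the thread's pattern is unanchored, so search and full-match behave the same).
    """
    global_provider = props.get("cas.authn.mfa.global-provider-id")
    if global_provider:
        return global_provider
    names = props.get("cas.authn.mfa.global-principal-attribute-name-triggers", "")
    pattern = props.get("cas.authn.mfa.global-principal-attribute-value-regex")
    if not names or not pattern:
        return None
    regex = re.compile(pattern)
    for name in (n.strip() for n in names.split(",") if n.strip()):   # assumption: comma list
        for value in _values(principal_attrs.get(name, [])):
            if regex.search(value):
                return provider_id
    return None


if __name__ == "__main__":
    for label, attrs in [("member", MEMBER), ("non-member", NON_MEMBER),
                         ("scalar member", SCALAR_MEMBER), ("no attribute", NO_ATTRIBUTE)]:
        print(f"{label:14} global={select_mfa_provider(PROPS_GLOBAL, attrs)!s:8} "
              f"attr-only={select_mfa_provider(PROPS_ATTR_ONLY, attrs)}")
```

Running it shows every principal, including the one with no released attribute, landing in mfa-duo under PROPS_GLOBAL, while PROPS_ATTR_ONLY activates Duo only for the two principals whose isMemberOf value matches the group pattern.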
