MFA Trigger "Principal Attribute Per Application" defined but doesn't trigger
68 views
Skip to first unread message
John
Mar 2, 2022, 10:19:51 AM3/2/22
to CAS Community
I have added the "Principal Attribute Per Application" MFA setting, CAS 6.4.6 , and MFA never triggers, if I remove the
principalAttributeNameTrigger and principalAttributeValueToMatch it works just fine. I can see in the console and logs, the attribute values are retrieved from ldap and doesnt trigger still. See below, the attribute
eduPersonAffiliation=staff but doesnt trigger. Anything else need to be set to get it working?
console log:
multifactorPolicy=DefaultRegisteredServiceMultifactorPolicy(multifactorAuthenticationProviders=[mfa-gauth, mfa-webauthn], failureMode=UNDEFINED, principalAttributeNameTrigger=eduPersonAffiliation, principalAttributeValueToMatch=staff, bypassEnabled=false, forceExecution=true, bypassTrustedDeviceEnabled=false, bypassPrincipalAttributeName=null, bypassPrincipalAttributeValue=null, script=null)
audit log:
"attributes\":{\"cn\":[\"changed name\"],\"displayName\":[\"changed name\"],\"eduPersonAffiliation\":[\"staff\"],
service:
"multifactorPolicy":
{
"@class": "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
"multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-gauth", "mfa-webauthn"] ],
"principalAttributeNameTrigger" : "eduPersonAffiliation",
"principalAttributeValueToMatch" : "staff",
},
multifactorPolicy=DefaultRegisteredServiceMultifactorPolicy(multifactorAuthenticationProviders=[mfa-gauth, mfa-webauthn], failureMode=UNDEFINED, principalAttributeNameTrigger=eduPersonAffiliation, principalAttributeValueToMatch=staff, bypassEnabled=false, forceExecution=true, bypassTrustedDeviceEnabled=false, bypassPrincipalAttributeName=null, bypassPrincipalAttributeValue=null, script=null)
audit log:
"attributes\":{\"cn\":[\"changed name\"],\"displayName\":[\"changed name\"],\"eduPersonAffiliation\":[\"staff\"],
service:
"multifactorPolicy":
{
"@class": "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
"multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-gauth", "mfa-webauthn"] ],
"principalAttributeNameTrigger" : "eduPersonAffiliation",
"principalAttributeValueToMatch" : "staff",
},
John
Mar 2, 2022, 12:17:24 PM3/2/22
to CAS Community, John
With debug on I can see it being skipped?? Of course I have attributes defined and WANT it to trigger, and the attributes/values match and still says its skipping
DEBUG [org.apereo.cas.authentication.DefaultMultifactorAuthenticationProviderResolver] - <Locating attribute value for attribute(s): [[eduPersonAffiliation]].>
DEBUG [org.apereo.cas.authentication.DefaultMultifactorAuthenticationProviderResolver] - <Located attribute value [[staff]] for [[eduPersonAffiliation]]>
DEBUG [org.apereo.cas.authentication.MultifactorAuthenticationUtils] - <Attribute value [staff] is a single-valued attribute>
....
....
DEBUG [org.apereo.cas.authentication.mfa.trigger.RegisteredServiceMultifactorAuthenticationTrigger] - <Authentication policy for [^(http|https)://changed.name.com.*] has defined principal attribute triggers. Skipping...>
DEBUG [org.apereo.cas.authentication.DefaultMultifactorAuthenticationProviderResolver] - <Located attribute value [[staff]] for [[eduPersonAffiliation]]>
DEBUG [org.apereo.cas.authentication.MultifactorAuthenticationUtils] - <Attribute value [staff] is a single-valued attribute>
....
....
DEBUG [org.apereo.cas.authentication.mfa.trigger.RegisteredServiceMultifactorAuthenticationTrigger] - <Authentication policy for [^(http|https)://changed.name.com.*] has defined principal attribute triggers. Skipping...>
John
Mar 3, 2022, 7:49:02 PM3/3/22
to CAS Community, John
This works fine when only one provider is defined but when you have multiple like
[ "mfa-gauth", "mfa-webauthn"] it doesn't trigger, changing to either
[ "mfa-gauth"] or
[ "mfa-webauthn"] triggers it. Are MFA triggers only allowed to return one provider? It works with multiple providers when no trigger is set so is this a bug?
Reply all
Reply to author
Forward
0 new messages