7.0.4 SAML and Duo Bypass
70 views
Skip to first unread message
Al Brussey Jr.
Jun 17, 2024, 11:21:06 PM (12 days ago) Jun 17
to CAS Community
Not sure if this is a weird local config or some sort of bug.
I have these set globally in cas.properties.
cas.authn.mfa.duo[0].bypass.principal-attribute-name=mfaDisable
cas.authn.mfa.duo[0].bypass.principal-attribute-value=nomfa
cas.authn.mfa.duo[0].bypass.principal-attribute-value=nomfa
When SAML IdP support is included in the WAR overlay with:
implementation "org.apereo.cas:cas-server-support-saml-idp",
I get a NullPointerException after the Duo Push when the mfaDisable attribute is null.
and I include it in the list of released attributes in the service definition like this:
"attributeReleasePolicy" : {
"@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
"allowedAttributes" : [ "java.util.ArrayList", [ "cn", "mail", "sn", "uid", "displayName", "memberOf", "mfaDisable", "sAMAccountName", "departmentNumber" ] ]
}
"@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
"allowedAttributes" : [ "java.util.ArrayList", [ "cn", "mail", "sn", "uid", "displayName", "memberOf", "mfaDisable", "sAMAccountName", "departmentNumber" ] ]
}
If I remove it from this list, there is no exception. The departmentNumber attribute is also null and does not trigger the exception.
If the mfaDisable attribute has a value, the exception is not triggered.
Also, if I remove SAML IdP support from the WAR overlay, it does not trigger an exception.
My workaround for now is to remove the mfaDisable attribute while keeping SAML support.
Any ideas?
Ray Bon
Jun 22, 2024, 11:30:18 PM (7 days ago) Jun 22
to CAS Community
Al,
I think the null pointer is on the bypass check rather than something about the list of attributes.
It is possible that SAML IdP adds a slightly different flow; maybe it does not check for null.
Can you use a groovy script?
Ray
From: cas-...@apereo.org <cas-...@apereo.org> on behalf of Al Brussey Jr. <a...@mindcrash.com>
Sent: 17 June 2024 12:18
To: CAS Community <cas-...@apereo.org>
Subject: [cas-user] 7.0.4 SAML and Duo Bypass
Sent: 17 June 2024 12:18
To: CAS Community <cas-...@apereo.org>
Subject: [cas-user] 7.0.4 SAML and Duo Bypass
|
You don't often get email from a...@mindcrash.com.
Learn why this is important
|
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/a94963c7-dcdc-4353-a83d-242dafd29be7n%40apereo.org.
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/a94963c7-dcdc-4353-a83d-242dafd29be7n%40apereo.org.
Reply all
Reply to author
Forward
0 new messages