Global Principal Attribute MFA trigger is not working as expected


Dmytro Havrylov

Apr 6, 2017, 5:05:27 AM
to CAS Community
Hello, 

I have trouble configuring an MFA trigger that depends on a Global Principal Attribute. According to the documentation it should work like this:

MFA can be triggered for all users/subjects carrying a specific attribute that matches one of the conditions below.


* Trigger MFA based on a principal attribute(s) whose value(s) EXACTLY matches an MFA provider. This option is more relevant if you have more than one provider configured or if you have the flexibility of assigning provider ids to attributes as values.



I have two MFA providers configured in the system: mfa-yubikey and mfa-gauth. Both of them work as expected if used as cas.authn.mfa.globalProviderId (as a single MFA provider). In my case I need to choose the MFA provider according to an attribute value stored in LDAP. So I have the following lines in the properties (the MFA provider id is stored in the businessCategory LDAP attribute):

"cas.authn.ldap[0].principalAttributeId": "uid",
"cas.authn.ldap[0].principalAttributePassword": "userPassword",
"cas.authn.ldap[0].principalAttributeList": "sn,cn:commonName,givenName,yubiKeyId,businessCategory",
"cas.authn.attributeRepository.ldap.attributes.uid": "uid",
"cas.authn.attributeRepository.ldap.attributes.yubiKeyId": "yubiKeyId",
"cas.authn.attributeRepository.ldap.attributes.businessCategory": "businessCategory",
"cas.authn.attributeRepository.ldap.defaultAttributesToRelease": "uid,yubiKeyId,businessCategory",
"cas.authn.mfa.globalPrincipalAttributeNameTriggers": "businessCategory",
"cas.authn.mfa.globalPrincipalAttributeValueRegex": "mfa-yubikey|mfa-gauth",

The property cas.authn.mfa.globalProviderId is not set.
The project gets compiled and deployed without exceptions. When I set the businessCategory attribute to a random value, MFA is not triggered at all. This is expected, because it does not match the regexp. If I set it to "mfa-yubikey", then gauth gets triggered (but yubikey is expected). I can find the following in the logs (with debug enabled):

...
2017-04-03 13:18:05,808 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <LDAP response returned as result. Creating the final LDAP principal>
2017-04-03 13:18:05,809 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Creating LDAP principal for dimitri based on uid=dimitri,ou=People,dc=example,dc=com>
2017-04-03 13:18:05,810 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Retrieved principal id attribute dimitri>
2017-04-03 13:18:05,810 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Found principal attribute: [yubiKeyId[cccscedtfar]]>
2017-04-03 13:18:05,811 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Found principal attribute: [givenName[Dimitri]]>
2017-04-03 13:18:05,812 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Found principal attribute: [businessCategory[mfa-yubikey]]>
2017-04-03 13:18:05,813 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Found principal attribute: [sn[Gavrilov]]>
2017-04-03 13:18:05,813 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Found principal attribute: [cn[dimitri]]>
2017-04-03 13:18:05,814 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Created LDAP principal for id dimitri and 6 attributes>
2017-04-03 13:18:05,816 INFO [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <LdapAuthenticationHandler successfully authenticated dimitri>
2017-04-03 13:18:05,817 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <No resolver configured for LdapAuthenticationHandler. Falling back to handler principal dimitri>
2017-04-03 13:18:05,817 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Final principal resolved for this authentication event is dimitri>
2017-04-03 13:18:05,818 DEBUG [org.apereo.cas.authentication.AllAuthenticationPolicy] - <Authentication policy is satisfied.>
2017-04-03 13:18:05,819 INFO [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authenticated principal [dimitri] and attributes {businessCategory=mfa-yubikey, commonName=Dimitri, givenName=Dimitri, LdapAuthenticationHandler.dn=uid=dimitri,ou=People,dc=example,dc=com, sn=Gavrilov, yubiKeyId=cccscedtfar} with credentials [dimitri].>
2017-04-03 13:18:05,820 DEBUG [org.apereo.cas.audit.spi.ThreadLocalPrincipalResolver] - <Resolving principal at audit point [execution(Authentication org.apereo.cas.authentication.AbstractAuthenticationManager.authenticate(AuthenticationTransaction))]>
2017-04-03 13:18:05,821 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: dimitri
WHAT: Supplied credentials: [dimitri]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Mon Apr 03 13:18:05 CEST 2017
CLIENT IP ADDRESS: 192.168.168.12
SERVER IP ADDRESS: 192.168.168.16
=============================================================

>
2017-04-03 13:18:05,822 DEBUG [org.apereo.cas.authentication.DefaultAuthenticationTransactionManager] - <Successful authentication; Collecting authentication result [org.apereo.cas.authentication.DefaultAuthentication@9f0afc06]>
2017-04-03 13:18:05,824 DEBUG [org.apereo.cas.web.support.WebUtils] - <Evaluating request to determine if warning cookie should be generated>
2017-04-03 13:18:05,825 DEBUG [org.apereo.cas.web.support.WebUtils] - <Evaluating request to determine if warning cookie should be generated>
2017-04-03 13:18:05,825 DEBUG [org.apereo.cas.web.support.WebUtils] - <Evaluating request to determine if warning cookie should be generated>
2017-04-03 13:18:05,826 DEBUG [org.apereo.cas.web.support.WebUtils] - <Evaluating request to determine if warning cookie should be generated>
2017-04-03 13:18:05,827 DEBUG [org.apereo.cas.web.support.WebUtils] - <Evaluating request to determine if warning cookie should be generated>
2017-04-03 13:18:05,827 DEBUG [org.apereo.cas.web.support.WebUtils] - <Evaluating request to determine if warning cookie should be generated>
2017-04-03 13:18:05,828 DEBUG [org.apereo.cas.adaptors.gauth.GoogleAuthenticatorMultifactorAuthenticationProvider] - <Multifactor failure mode for ^(https|imaps)://.* is defined as CLOSED>
2017-04-03 13:18:05,829 DEBUG [org.apereo.cas.web.support.WebUtils] - <Evaluating request to determine if warning cookie should be generated>
2017-04-03 13:18:05,829 DEBUG [org.apereo.cas.web.support.WebUtils] - <Evaluating request to determine if warning cookie should be generated>
2017-04-03 13:18:05,830 DEBUG [org.apereo.cas.adaptors.yubikey.YubiKeyMultifactorAuthenticationProvider] - <Provided event id mfa-yubikey is not applicable to this provider identified by {}>
2017-04-03 13:18:05,832 DEBUG [org.apereo.cas.web.support.DefaultArgumentExtractor] - <Created https://sso.example.com/cas/status/dashboard based on org.apereo.cas.authentication.principal.WebApplicationServiceFactory@489c4525>
2017-04-03 13:18:05,832 DEBUG [org.apereo.cas.web.support.DefaultArgumentExtractor] - <Extractor generated service type org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl for: https://sso.example.com/cas/status/dashboard>
Hibernate: select googleauth0_.id as id1_0_, googleauth0_.secretKey as secretKe2_0_, googleauth0_.username as username3_0_, googleauth0_.validationCode as validati4_0_ from GoogleAuthenticatorRegistrationRecord googleauth0_ where googleauth0_.username=?


Does anyone know how to get the Global Principal Attribute trigger working?

Thanks
Dimitri

Sai Mallela

Jun 21, 2017, 9:48:09 AM
to CAS Community
Hello Dimitri,

Can you please help me get gauth to work globally? Here are my settings in cas.properties, and I still don't see the page or option to enter the Google Authenticator code:


cas.adminPagesSecurity.ip=127\.0\.0\.1

logging.config: file:/etc/cas/config/log4j2.xml

# GAUTH MFA (properties files use '#' for comments; a '//' line would be read as a key)
cas.authn.mfa.globalProviderId=mfa-gauth

cas.authn.mfa.gauth.windowSize=3
cas.authn.mfa.gauth.issuer=companyname
cas.authn.mfa.gauth.codeDigits=6
cas.authn.mfa.gauth.label=google authentication
cas.authn.mfa.gauth.timeStepSize=30
cas.authn.mfa.gauth.rank=0
cas.authn.mfa.gauth.trustedDeviceEnabled=true

# LDAP Authentication
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldap://1.2.3.4:389
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].baseDn=ou=HWPeople, dc=companyname, dc=com
cas.authn.ldap[0].userFilter=uid={user}
cas.authn.ldap[0].bindDn=cn=Manager,dc=companyname,dc=com
cas.authn.ldap[0].bindCredential=abcd

cas.authn.attributeRepository.ldap.ldapUrl=ldap://1.2.3.4:389
cas.authn.attributeRepository.ldap.useSsl=false
cas.authn.attributeRepository.ldap.useStartTls=false
cas.authn.attributeRepository.ldap.connectTimeout=5000
cas.authn.attributeRepository.ldap.baseDn=ou=HWPeople, dc=companyname, dc=com
cas.authn.attributeRepository.ldap.userFilter=uid={user}
cas.authn.attributeRepository.ldap.subtreeSearch=true
cas.authn.attributeRepository.ldap.bindDn=cn=Manager,dc=companyname,dc=com
cas.authn.attributeRepository.ldap.bindCredential=abcd

logging.level.org.apereo=DEBUG
logging.level.org.ldaptive=DEBUG

#disable test user
cas.authn.accept.users=

Thanks,
Sai

Sai Mallela

Jun 29, 2017, 10:34:40 AM
to CAS Community
I got it working by adding my own gauth.json in /cas-overlay-template/src/main/resources/services

{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^(https|imaps)://.*",
  "name": "oupsi",
  "id" : 100,
  "multifactorPolicy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
    "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-gauth" ] ]
  }
}
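The thread exercises two different MFA triggers: the global principal attribute trigger from Dimitri's first post (attribute value must EXACTLY match a provider id) and the per-service multifactorPolicy from the gauth.json above. The script below is an added example, not code from CAS or from anyone in the thread. It models the documented rule so an operator can sanity-check a configuration offline: the property names are the ones used in the thread; the principal, the provider ids, the full-match regex semantics and the lint rules are assumptions made for the example.

```python
"""Offline model of the two CAS MFA triggers discussed in this thread.

Added example, not CAS code. It re-implements the documented behaviour
(attribute value must EXACTLY match a provider id; a registered service's
multifactorPolicy names providers) so an operator can sanity-check a
configuration before deploying it. Property names come from the thread;
the principal, provider ids and regex semantics are constructed assumptions.
"""
import json
import re

# Constructed properties mirroring the keys used in the first post.
PROPERTIES = {
    "cas.authn.mfa.globalPrincipalAttributeNameTriggers": "businessCategory",
    "cas.authn.mfa.globalPrincipalAttributeValueRegex": "mfa-yubikey|mfa-gauth",
}

# Constructed registered-service definition in the same shape as the posted gauth.json.
SERVICE_JSON = """{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^(https|imaps)://.*",
  "name": "oupsi",
  "id" : 100,
  "multifactorPolicy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
    "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-gauth" ] ]
  }
}"""


def resolve_by_attribute(principal_attrs, provider_ids, props=PROPERTIES):
    """Return the provider id chosen by the global principal attribute trigger,
    or None when nothing matches.

    Modelled rule: each attribute named in ...NameTriggers is inspected; a value
    that matches ...ValueRegex selects the provider whose id EXACTLY equals it
    (full-match semantics are an assumption of this example). A provider with an
    empty or missing id can never be selected, which is the situation the
    'not applicable to this provider identified by {}' log line points at.
    """
    names = [n.strip() for n in props["cas.authn.mfa.globalPrincipalAttributeNameTriggers"].split(",")]
    pattern = re.compile(props["cas.authn.mfa.globalPrincipalAttributeValueRegex"])
    known = {pid for pid in provider_ids if pid}  # empty ids are unmatchable
    for name in names:
        values = principal_attrs.get(name, [])
        if isinstance(values, str):
            values = [values]
        for value in values:
            if pattern.fullmatch(value) and value in known:
                return value
    return None


def lint_trigger_config(provider_ids, props=PROPERTIES):
    """Report trigger misconfigurations that would otherwise only show up in DEBUG logs."""
    problems = []
    regex = props["cas.authn.mfa.globalPrincipalAttributeValueRegex"]
    for pid in provider_ids:
        if not pid:
            problems.append("a configured provider reports an empty id and can never be matched")
    # For a plain 'a|b|c' regex, every alternative should name a configured provider.
    if re.fullmatch(r"[\w-]+(\|[\w-]+)*", regex):
        for alt in regex.split("|"):
            if alt not in provider_ids:
                problems.append(f"regex alternative {alt!r} matches no configured provider id")
    if not props.get("cas.authn.mfa.globalPrincipalAttributeNameTriggers"):
        problems.append("no attribute names configured as triggers")
    return problems


def resolve_by_service(service_url, service_json=SERVICE_JSON):
    """Return the providers a registered service's multifactorPolicy requires for
    service_url, or [] when the service does not match or carries no policy."""
    svc = json.loads(service_json)
    if not re.match(svc["serviceId"], service_url):
        return []
    policy = svc.get("multifactorPolicy") or {}
    providers = policy.get("multifactorAuthenticationProviders", [])
    # The CAS JSON serializer writes typed collections as [type-name, [items]].
    if len(providers) == 2 and isinstance(providers[1], list):
        providers = providers[1]
    return list(providers)


if __name__ == "__main__":
    principal = {"uid": "dimitri", "businessCategory": ["mfa-yubikey"]}  # constructed
    print(resolve_by_attribute(principal, ["mfa-gauth", "mfa-yubikey"]))  # mfa-yubikey
    print(resolve_by_attribute(principal, ["mfa-gauth", ""]))             # None
    print(lint_trigger_config(["mfa-gauth", ""]))
    print(resolve_by_service("https://sso.example.com/cas/status/dashboard"))
```

Running the lint before a deploy turns the symptom from the first post (the expected provider silently not firing) into an explicit message: a provider that reports an empty id, or a regex alternative that names no provider, is flagged rather than discovered by reading DEBUG logs after the fact.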