How to enable MFA by service rather than globally


Dave B

Sep 21, 2018, 2:56:53 PM
to CAS Community
Running latest CAS 5.3 and just implemented MFA.  My goal is to have MFA disabled globally but able to be turned on based only on inclusion in the service registry.

However, I cannot get MFA to work on any service unless cas.authn.mfa.globalProviderId is set to a value, in my case mfa-gauth.

With the settings below, ALL services, regardless of inclusion of "multifactorPolicy", require MFA.  My only option is to explicitly exclude (bypass) all other services for which I don't want to require MFA.

Is this intended behavior? 

Relevant config:
cas.properties:
cas.authn.mfa.globalProviderId=mfa-gauth
cas.authn.mfa.globalFailureMode=CLOSED


  "multifactorPolicy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
    "multifactorAuthenicationProviders" : [ "java.util.LinkedHashSet", [ "mfa-gauth" ] ],
    "failureMode" : "CLOSED"
   },

Thanks for any help!
-Dave

Matthew Uribe

Sep 21, 2018, 3:36:58 PM
to CAS Community
Hi Dave,

I'm still on CAS 5.2, so perhaps things have changed, but I'm doing exactly what you describe with Duo.

In my cas.properties:

#Configure Duo authentication properties
cas.authn.mfa.globalFailureMode:           OPEN
# Aims Two-Factor
cas.authn.mfa.duo[0].duoApiHost:           such.and.such
cas.authn.mfa.duo[0].duoIntegrationKey:    D...........A5
cas.authn.mfa.duo[0].duoSecretKey:         N.....................E5
cas.authn.mfa.duo[0].trustedDeviceEnabled: false
cas.authn.mfa.duo[0].duoApplicationKey:    01234567890
cas.authn.mfa.duo[0].id:                   mfa-duo

Then in service registry:

  "multifactorPolicy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
    "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-duo" ] ]
  }

Services which don't include a multifactorPolicy don't require MFA.

Matt

David Curry

Sep 21, 2018, 3:40:10 PM
to cas-...@apereo.org
I think the problem is this line:

cas.authn.mfa.globalProviderId=mfa-gauth

According to the documentation, that enables MFA for all services, regardless of any other settings. Since you don't want that, you should probably turn it off.

We have basically the same settings that Matt just posted here, and like his setup, it only does MFA on the few services where we've explicitly told it to.

--Dave

--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728
david...@newschool.edu

The New School



--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/c9ca7d75-0826-4fb5-86aa-9a67d2d3e3a3%40apereo.org.

Dave B

Sep 21, 2018, 3:58:50 PM
to CAS Community
Thank you both for the replies!

It makes sense that "cas.authn.mfa.globalProviderId=mfa-gauth" is the problem; only, if I comment it out, then I can't seem to get the service registry entry I pasted earlier to force MFA, though debug logs show some stuff about mfa-gauth in the DefaultAuthenticationEventExecutionPlan, which indicates to me it's at least... considered(?), but nothing telling.

I have no other cas.authn.mfa configuration directives in cas.properties at this point except for
cas.authn.mfa.gauth.label
cas.authn.mfa.gauth.issuer

I wonder if it's possible I'm hitting some kind of default bypass condition? Any other ideas?

Thanks again,
Dave

Travis Schmidt

Sep 21, 2018, 4:03:35 PM
to CAS Community
Just to cover all the bases, you have verified that CAS is validating against the service you set the MFA for and is not getting hit by some other service entry that matches the service you are trying to log into?

Daniel Ellentuck

Sep 21, 2018, 4:10:50 PM
to CAS Users


Dave B

Sep 21, 2018, 4:14:37 PM
to CAS Community
Travis,
Yes, I have a few services now - one that should be (but isn't) forcing MFA, one that explicitly bypasses it, and one 'default', which takes on the global configuration.

And as an added double-check I still have the serviceUI enabled on the front page. 

-Dave

Dave B

Sep 21, 2018, 4:16:43 PM
to CAS Community
Dan,
Thanks - yes, bypassing each of the non-MFA-eligible services is my fallback plan if I can't figure this one out. Was hoping not to have to do that though!

-Dave

Dmitriy Kopylenko

Sep 21, 2018, 4:40:17 PM
to cas-...@apereo.org
You could always do a custom Groovy script trigger which will be executed and its outcome examined by CAS for each authentication transaction to decide whether to trigger any mfa transaction or not: https://apereo.github.io/cas/5.3.x/installation/Configuring-Multifactor-Authentication-Triggers.html#groovy

Cheers,
D.

Dave B

Sep 22, 2018, 1:57:16 PM
to CAS Community
In testing, I have found that without "cas.authn.mfa.globalProviderId=mfa-gauth" set in cas.properties, the only way I can activate the MFA gauth flow is to set triggers, like:
cas.authn.mfa.globalPrincipalAttributeNameTriggers=something
cas.authn.mfa.globalPrincipalAttributeValueRegex=something

So, unless I have something misconfigured, I assume that the presence of multifactorPolicy with multifactorAuthenicationProviders specified in a service registry entry is not sufficient to "trigger" the MFA flow.  At least in my case.  

Travis Schmidt

Sep 22, 2018, 2:29:40 PM
to CAS Community
Are you using the latest 5.3.3 release or 5.3.4-SNAPSHOT?  If you put logs in debug, do you see an entry like this?

2018-09-22 11:22:10,821 DEBUG [org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - <Attempting to resolve authentication event using resolver [RegisteredServiceMultifactorAuthenticationPolicyEventResolver]>




Dave B

Sep 22, 2018, 3:08:10 PM
to CAS Community
Travis,
It looks like I'm on 5.3.3 stable release.

Nothing exactly like that or quite like that at all in the debug logs, though to be fair I'm not so great at reading this kind of log output -- without enabling mfa-gauth globally, it references gauth as an authentication handler, but it never seems to get called. Passes LDAP and finishes workflow.

With gauth enabled globally, I will get:
DEBUG [org.apereo.cas.authentication.AbstractMultifactorAuthenticationProvider] - <Using global multi-factor failure mode for [AbstractRegisteredService(serviceId=[...]
[...]
WHAT: [event=mfa-gauth,timestamp=Sat Sep 22 14:45:33 EDT 2018,source=GlobalMultifactorAuthenticationPolicyEventResolver]
ACTION: AUTHENTICATION_EVENT_TRIGGERED
APPLICATION: CAS

It really doesn't seem to care about the service registry asking for mfa-gauth - though other values there are respected (such as bypass when global mfa-gauth is enabled).

Thanks for the help! 
-Dave

Dave B

Sep 22, 2018, 3:15:24 PM
to CAS Community
Well, I really appreciate the help from everyone, and it's time to own up to an embarrassing mistake.
   "multifactorAuthenicationProviders" : [ "java.util.LinkedHashSet", [ "mfa-gauth" ] ],
should be "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-gauth" ] ],

Ouch.

Thank you again everyone. 
-Dave
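The root cause in this thread was a misspelled key in the service's multifactorPolicy that CAS accepted without any error, leaving the service with no MFA providers. The following is an added example (not code from the thread or from CAS) of a small linter for CAS JSON service definitions that flags unknown policy keys and suggests the nearest valid one; it assumes plain JSON in the Jackson typed-collection form shown above, and the key list beyond the two used in the thread is taken from the CAS 5.3 documentation as an assumption.

```python
import difflib
import json

# Key names CAS reads from DefaultRegisteredServiceMultifactorPolicy. The
# first two appear in this thread; the rest are assumed from the CAS 5.3 docs.
KNOWN_POLICY_KEYS = [
    "@class", "multifactorAuthenticationProviders", "failureMode",
    "principalAttributeNameTrigger", "principalAttributeValueToMatch",
    "bypassEnabled",
]


def lint_policy(service):
    """Return problems found in one parsed service definition (dict)."""
    problems = []
    policy = service.get("multifactorPolicy")
    if policy is None:
        return problems  # no per-service policy: only global triggers apply
    for key in policy:
        if key not in KNOWN_POLICY_KEYS:
            # The thread shows an unknown key is ignored without error, so flag it
            hint = difflib.get_close_matches(key, KNOWN_POLICY_KEYS, n=1, cutoff=0.8)
            msg = f"unknown multifactorPolicy key '{key}'"
            if hint:
                msg += f" (did you mean '{hint[0]}'?)"
            problems.append(msg)
    providers = policy.get("multifactorAuthenticationProviders")
    # Unwrap the Jackson typed form: ["java.util.LinkedHashSet", ["mfa-gauth"]]
    if isinstance(providers, list) and len(providers) == 2 and isinstance(providers[1], list):
        providers = providers[1]
    if not providers:
        problems.append("policy names no providers, so CAS will not trigger MFA for this service")
    return problems


# Constructed sample reproducing the thread's misspelled entry (not a real service).
SAMPLE_SERVICE = json.loads("""{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://app.example.org/.*",
  "multifactorPolicy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
    "multifactorAuthenicationProviders" : [ "java.util.LinkedHashSet", [ "mfa-gauth" ] ],
    "failureMode" : "CLOSED"
  }
}""")

if __name__ == "__main__":
    for problem in lint_policy(SAMPLE_SERVICE):
        print(problem)
```

Running it over the sample reports the misspelled key with the correct spelling as a suggestion, and also that the policy ends up naming no providers, which is exactly the symptom seen in the thread.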
