MFA REST trigger without service?


Tomi Karlstedt

Jan 12, 2023, 4:22:04 AM
to CAS Community
Hi,

Our implementation uses the CAS login form to log users in and checks username/password from a separate service. We're adding an optional MFA for users and we want to save the chosen MFA provider per user into the same service that handles usernames and passwords.

There's a way to trigger MFA from a REST endpoint (implemented by RestEndpointMultifactorAuthenticationTrigger) which seems to suit us well. However, the current implementation of the REST MFA trigger seems to let users bypass MFA by simply not including the service parameter when logging in. To me this seems like a glaring bug in the implementation.

My question is, can we force the service parameter (server side) or set a default service somehow in the login flow to mitigate this immediately?

Tomi

Ray Bon

Jan 12, 2023, 12:36:22 PM
to cas-...@apereo.org
Tomi,

If MFA is optional, then it can not be enforced, so the bypass makes sense.

MFA would/should be triggered when the user visits a service (you can add MFA required to the service definition or set it globally, etc.).

You can set a default service that is redirected to after login, https://apereo.github.io/cas/6.6.x/authentication/Configuring-SSO.html
cas.view.default-redirect-url

There is also this property on the same page,
cas.sso.allow-missing-service-parameter

Ray

On Thu, 2023-01-12 at 00:38 -0800, 'Tomi Karlstedt' via CAS Community wrote:

Tomi Karlstedt

Jan 13, 2023, 2:44:11 AM
to CAS Community, Ray Bon
Thank you for the reply! I'll try it with those default service parameters.

We offer optional MFA for the users so they can use a more secure way to authenticate. If a malicious third party can bypass MFA simply by not providing the service param, it offers no extra protection for the user. Even if MFA is optional for users, if you opt in to it, it should be required after that. After reading some more CAS source code, it seems that the trigger mechanism does not support this and instead decides that no MFA is chosen if the REST request fails and MFA is not mandatory for all users. I'll have to see what we can do to prevent this.

Tomi
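The two failure modes raised in this thread (the trigger is skipped when the service parameter is absent, and a failed REST lookup is treated as "no MFA" unless MFA is globally mandatory) and the mitigation Ray suggests (substitute a server-side default service, or refuse logins without one, via cas.view.default-redirect-url and cas.sso.allow-missing-service-parameter) can be modelled side by side. The following is an added illustration written for this thread, not CAS source code or the CAS project's own logic; the function and variable names, the in-memory user table and the example service URL are all constructed for the example.

```python
"""
Model of a REST-triggered MFA decision: the fail-open behaviour described
in the thread next to a fail-closed variant. Added example, not CAS code.
"""
from dataclasses import dataclass
from typing import Callable, Optional

Lookup = Callable[[str, str], Optional[str]]


@dataclass
class LoginRequest:
    username: str
    service: Optional[str]  # the CAS "service" request parameter; may be absent


# Constructed stand-in for the external account service that stores the
# MFA provider each user enrolled in (None = user has not opted in).
USER_MFA_DB = {"alice": "mfa-duo", "bob": None}


def rest_lookup(username: str, service: str) -> Optional[str]:
    """Hypothetical REST endpoint called by the trigger: returns the provider id."""
    return USER_MFA_DB.get(username)


def unreachable_lookup(username: str, service: str) -> Optional[str]:
    """Models the REST endpoint being down or returning an error."""
    raise ConnectionError("mfa lookup endpoint unreachable")


def decide_mfa_fail_open(req: LoginRequest, lookup: Lookup,
                         mfa_mandatory: bool = False) -> Optional[str]:
    """Behaviour as described in the thread: the trigger is only evaluated
    when a service is present, and a failed lookup means 'no MFA' unless
    MFA is mandatory for everyone. Returns the provider id or None."""
    if req.service is None:
        return None  # trigger never runs, so an enrolled user gets no MFA
    try:
        return lookup(req.username, req.service)
    except Exception:
        return "mfa-default" if mfa_mandatory else None


def decide_mfa_fail_closed(req: LoginRequest, lookup: Lookup,
                           default_service: str,
                           allow_missing_service: bool = False) -> Optional[str]:
    """Hardened variant modelled on Ray's suggestion: when the service
    parameter is missing, either reject the login (the equivalent of
    cas.sso.allow-missing-service-parameter=false) or substitute a
    server-side default (the equivalent of cas.view.default-redirect-url),
    so the trigger is always evaluated. A lookup failure aborts the login
    instead of silently skipping MFA."""
    service = req.service
    if service is None:
        if not allow_missing_service:
            raise PermissionError("service parameter is required for login")
        service = default_service
    try:
        return lookup(req.username, service)
    except Exception as exc:
        raise RuntimeError("MFA lookup unavailable; refusing to continue") from exc


if __name__ == "__main__":
    no_service = LoginRequest("alice", None)
    print("fail-open, no service :", decide_mfa_fail_open(no_service, rest_lookup))
    print("fail-closed, default  :", decide_mfa_fail_closed(
        no_service, rest_lookup, "https://app.example/", allow_missing_service=True))
```

Running the block shows that the same enrolled user ("alice") is logged in without MFA by the fail-open path whenever the service parameter is omitted, while the fail-closed path always reaches the lookup, either via the default service or by refusing the request. The fail-closed path also surfaces an unreachable lookup as an error rather than downgrading to password-only login, which is the property Tomi's last message asks for.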