Recommendations on mfa-gauth registration and removal strategies


Y G

May 24, 2024, 7:54:09 AM
to CAS Community
Hello everyone,
After spending a week or two in the documentation, thoroughly reading and learning about setting up CAS, I finally have the confidence and courage to register and write here.

I'd like to have some recommendations about setting up and removing gauth registration for a user, upon request.

1. I was thinking about gauth registration. I could do this by writing a small app, with a service registry setting on CAS to force mfa-gauth, which first makes the user log in with username and password, and then the gauth registration details (QR and scratch codes) page appears, and the user just registers there. For subsequent logins on the other services, if the user has a gauth record (i.e. looking up in the google_authenticator_registration_record table with username, on a JPA-provided gauth-mfa), I'll provide some triggering attributes on the principal. Is this thinking OK?

2. I haven't figured out a way for users with gauth to unregister/disable/delete the gauth functionality, any recommendations for this? Another mini-app that deletes the reg-record of username and scratch codes?

Thank you and best regards.
YG


Ray Bon

May 24, 2024, 11:39:38 PM
to cas-...@apereo.org
Yusuf,


Ray

On Fri, 2024-05-24 at 02:15 -0700, Y G wrote:

Y G

May 25, 2024, 10:30:37 AM
to CAS Community, Ray Bon
Thank you for the reference,
I'll start checking this out...

On Saturday, May 25, 2024 at 06:39:38 UTC+3, Ray Bon wrote:

Y G

Nov 27, 2025, 10:10:11 AM
to CAS Community, Y G, Ray Bon
Hello again, 

As it was my first post here, I wanted to share my solution for this... My case was, for the JPA-backed TOTP mfa-gauth config, I was wondering how to handle the removal of the registered user gauth configs, since registration can be handled inside CAS.

I see that CAS has some actuator endpoints for handling (i.e. fetching and deleting user configs) the mfa-gauth operations. I've read the docs, configured it, and used GET and DELETE /cas/actuator/gauthCredentialRepository/{username} to fetch and remove user configs. I've put a button in my app, in the user's settings page: the logged-in user's mfa-gauth config is fetched from the GET endpoint and shown, and when that button is pressed, the user's mfa-gauth config is removed by calling the CAS actuator endpoint.

Thank you and have a nice day.

On Saturday, May 25, 2024 at 17:30:37 UTC+3, Y G wrote:
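
An added example, not code from the thread or from CAS: a server-side sketch of the settings-page call described in the last post, which takes the username only from the authenticated session and keeps it inside one path segment of /cas/actuator/gauthCredentialRepository/{username}. The CAS base URL, the use of HTTP Basic credentials for the actuator, and the function names are assumptions.

```python
import base64
import urllib.parse
import urllib.request

# Assumptions (not from the thread): the CAS base URL, and that the actuator
# endpoint is protected with HTTP Basic credentials held only by this backend.
CAS_BASE = "https://cas.example.org/cas"
ENDPOINT = "/actuator/gauthCredentialRepository/"
ALLOWED_METHODS = {"GET", "DELETE"}


def build_gauth_request(method, session_username, actuator_user, actuator_password):
    """Build the actuator call for the user who owns the current session.

    session_username must come from the validated CAS login of the caller,
    never from a form field or query parameter, so one user cannot fetch or
    delete another user's registration.
    """
    if method not in ALLOWED_METHODS:
        raise ValueError("only GET and DELETE are used by the settings page")
    # Reject empty, "." and ".." so URL normalisation cannot climb the path.
    if not session_username or session_username.strip(".") == "":
        raise ValueError("no usable username in session")
    # Encode every reserved character, "/" included, so the username stays a
    # single path segment and cannot address a different actuator endpoint.
    segment = urllib.parse.quote(session_username, safe="")
    token = base64.b64encode(f"{actuator_user}:{actuator_password}".encode()).decode()
    return urllib.request.Request(
        CAS_BASE + ENDPOINT + segment,
        method=method,
        headers={"Authorization": "Basic " + token, "Accept": "application/json"},
    )


def remove_gauth(session_username, creds, send=urllib.request.urlopen):
    """Delete the caller's own gauth registration; returns the HTTP status."""
    req = build_gauth_request("DELETE", session_username, *creds)
    with send(req, timeout=10) as resp:
        return resp.status
```

Because the browser never talks to the actuator directly, the endpoint can stay reachable only from the app's backend.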