I'm trying to enable MFA-Duo using according to the docs at
<
https://apereo.github.io/cas/development/installation/DuoSecurity-Authentication.html>
<
https://apereo.github.io/cas/development/installation/Configuration-Properties.html#duosecurity>
I've had partial success with an application trigger using a service
definition that includes
"multifactorPolicy" : {
"@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
"multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-duo" ] ],
"failureMode" : "OPEN"
}
After providing my username and password to the app that uses the Java
CAS client (v3.4.2), Duo is invoked. However, after providing the Duo factor
it successfully validates the ticket but throws an exception generating the SAML
response:
DEBUG [org.apereo.cas.support.saml.web.SamlValidateController] - <Successfully validated service ticket AAE***Cq2 for service [
https://example.edu/app]>
ERROR [org.apereo.cas.support.saml.web.view.Saml10SuccessResponseView] - <Error generating SAML response for service
example.edu.>
java.lang.ClassCastException: java.util.HashSet cannot be cast to java.lang.String
at org.apereo.cas.support.saml.web.view.Saml10SuccessResponseView.prepareResponse(Saml10SuccessResponseView.java:60) ~[cas-server-support-saml-5.0.0.RC4-SNAPSHOT.jar:5.0.0.RC4-SNAPSHOT]
at org.apereo.cas.support.saml.web.view.AbstractSaml10ResponseView.renderMergedOutputModel(AbstractSaml10ResponseView.java:104) ~[cas-server-support-saml-5.0.0.RC4-SNAPSHOT.jar:5.0.0.RC4-SNAPSHOT]
...
Ultimately what we'd like to do though is invoke MFA-Duo globally, and
not via an application triggered policy. It looks like the CAS properties
listed here may be relevant, but it's not clear to me how they should
be used.
<
https://apereo.github.io/cas/development/installation/Configuration-Properties.html#multifactor-authentication>
For example, there is a cas.authn.mfa.globalPrincipalAttributeNameTriggers
property, that seems to correspond to principalAttributeNameTrigger in the
"Principal Attribute Per Application" example, but no corresponding
principalAttributeValueToMatch documented. Merely specifying something
an attribute for .globalPrincipalAttributeNameTriggers (e.g.
cas.authn.mfa..globalPrincipalAttributeNameTriggers=uid) doesn't appear
to be sufficent to invoke MFA-Duo.
I'm not sure what the following parameters are for:
cas.authn.mfa.requestParameter
- related to the "Opt-In Request Parameter"?
cas.authn.mfa.authenticationContextAttribute=authnContextClass
cas.authn.mfa.contentType=application/cas
- are any of these related to or able to use the Authentication
attributes that are returned? (successfulAuthenticationHandlers,
authenticationMethod, samlAuthenticationStatementAuthMethod)
Aloha,
-baron
--
Baron Fujimoto <
ba...@hawaii.edu> :: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
--
CAS gitter chatroom:
https://gitter.im/apereo/cas
CAS mailing list guidelines:
https://apereo.github.io/cas/Mailing-Lists.html
CAS documentation website:
https://apereo.github.io/cas
CAS project website:
https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
cas-user+u...@apereo.org.
To post to this group, send email to
cas-...@apereo.org.
Visit this group at
https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/20161012025817.GV23083%40praenomen.mgt.hawaii.edu.
For more options, visit
https://groups.google.com/a/apereo.org/d/optout.