[cas-user] CAS 5 RC4: MFA-Duo /samlValidate error
36 views
Skip to first unread message
Baron Fujimoto
Oct 11, 2016, 10:58:26 PM10/11/16
to CAS Users
I'm trying to enable MFA-Duo using according to the docs at
<https://apereo.github.io/cas/development/installation/DuoSecurity-Authentication.html>
<https://apereo.github.io/cas/development/installation/Configuration-Properties.html#duosecurity>
I've had partial success with an application trigger using a service
definition that includes
"multifactorPolicy" : {
"@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
"multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-duo" ] ],
"failureMode" : "OPEN"
}
After providing my username and password to the app that uses the Java
CAS client (v3.4.2), Duo is invoked. However, after providing the Duo factor
it successfully validates the ticket but throws an exception generating the SAML
response:
DEBUG [org.apereo.cas.support.saml.web.SamlValidateController] - <Successfully validated service ticket AAE***Cq2 for service [https://example.edu/app]>
ERROR [org.apereo.cas.support.saml.web.view.Saml10SuccessResponseView] - <Error generating SAML response for service example.edu.>
java.lang.ClassCastException: java.util.HashSet cannot be cast to java.lang.String
at org.apereo.cas.support.saml.web.view.Saml10SuccessResponseView.prepareResponse(Saml10SuccessResponseView.java:60) ~[cas-server-support-saml-5.0.0.RC4-SNAPSHOT.jar:5.0.0.RC4-SNAPSHOT]
at org.apereo.cas.support.saml.web.view.AbstractSaml10ResponseView.renderMergedOutputModel(AbstractSaml10ResponseView.java:104) ~[cas-server-support-saml-5.0.0.RC4-SNAPSHOT.jar:5.0.0.RC4-SNAPSHOT]
...
Ultimately what we'd like to do though is invoke MFA-Duo globally, and
not via an application triggered policy. It looks like the CAS properties
listed here may be relevant, but it's not clear to me how they should
be used.
<https://apereo.github.io/cas/development/installation/Configuration-Properties.html#multifactor-authentication>
For example, there is a cas.authn.mfa.globalPrincipalAttributeNameTriggers
property, that seems to correspond to principalAttributeNameTrigger in the
"Principal Attribute Per Application" example, but no corresponding
principalAttributeValueToMatch documented. Merely specifying something
an attribute for .globalPrincipalAttributeNameTriggers (e.g.
cas.authn.mfa..globalPrincipalAttributeNameTriggers=uid) doesn't appear
to be sufficent to invoke MFA-Duo.
I'm not sure what the following parameters are for:
cas.authn.mfa.requestParameter
- related to the "Opt-In Request Parameter"?
cas.authn.mfa.authenticationContextAttribute=authnContextClass
cas.authn.mfa.contentType=application/cas
- are any of these related to or able to use the Authentication
attributes that are returned? (successfulAuthenticationHandlers,
authenticationMethod, samlAuthenticationStatementAuthMethod)
Aloha,
-baron
--
Baron Fujimoto <ba...@hawaii.edu> :: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
--
CAS gitter chatroom: https://gitter.im/apereo/cas
CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
CAS documentation website: https://apereo.github.io/cas
CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To post to this group, send email to cas-...@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/20161012025817.GV23083%40praenomen.mgt.hawaii.edu.
For more options, visit https://groups.google.com/a/apereo.org/d/optout.
<https://apereo.github.io/cas/development/installation/DuoSecurity-Authentication.html>
<https://apereo.github.io/cas/development/installation/Configuration-Properties.html#duosecurity>
I've had partial success with an application trigger using a service
definition that includes
"multifactorPolicy" : {
"@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
"multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-duo" ] ],
"failureMode" : "OPEN"
}
After providing my username and password to the app that uses the Java
CAS client (v3.4.2), Duo is invoked. However, after providing the Duo factor
it successfully validates the ticket but throws an exception generating the SAML
response:
DEBUG [org.apereo.cas.support.saml.web.SamlValidateController] - <Successfully validated service ticket AAE***Cq2 for service [https://example.edu/app]>
ERROR [org.apereo.cas.support.saml.web.view.Saml10SuccessResponseView] - <Error generating SAML response for service example.edu.>
java.lang.ClassCastException: java.util.HashSet cannot be cast to java.lang.String
at org.apereo.cas.support.saml.web.view.Saml10SuccessResponseView.prepareResponse(Saml10SuccessResponseView.java:60) ~[cas-server-support-saml-5.0.0.RC4-SNAPSHOT.jar:5.0.0.RC4-SNAPSHOT]
at org.apereo.cas.support.saml.web.view.AbstractSaml10ResponseView.renderMergedOutputModel(AbstractSaml10ResponseView.java:104) ~[cas-server-support-saml-5.0.0.RC4-SNAPSHOT.jar:5.0.0.RC4-SNAPSHOT]
...
Ultimately what we'd like to do though is invoke MFA-Duo globally, and
not via an application triggered policy. It looks like the CAS properties
listed here may be relevant, but it's not clear to me how they should
be used.
<https://apereo.github.io/cas/development/installation/Configuration-Properties.html#multifactor-authentication>
For example, there is a cas.authn.mfa.globalPrincipalAttributeNameTriggers
property, that seems to correspond to principalAttributeNameTrigger in the
"Principal Attribute Per Application" example, but no corresponding
principalAttributeValueToMatch documented. Merely specifying something
an attribute for .globalPrincipalAttributeNameTriggers (e.g.
cas.authn.mfa..globalPrincipalAttributeNameTriggers=uid) doesn't appear
to be sufficent to invoke MFA-Duo.
I'm not sure what the following parameters are for:
cas.authn.mfa.requestParameter
- related to the "Opt-In Request Parameter"?
cas.authn.mfa.authenticationContextAttribute=authnContextClass
cas.authn.mfa.contentType=application/cas
- are any of these related to or able to use the Authentication
attributes that are returned? (successfulAuthenticationHandlers,
authenticationMethod, samlAuthenticationStatementAuthMethod)
Aloha,
-baron
--
Baron Fujimoto <ba...@hawaii.edu> :: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
--
CAS gitter chatroom: https://gitter.im/apereo/cas
CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
CAS documentation website: https://apereo.github.io/cas
CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To post to this group, send email to cas-...@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/20161012025817.GV23083%40praenomen.mgt.hawaii.edu.
For more options, visit https://groups.google.com/a/apereo.org/d/optout.
Misagh Moayyed
Oct 12, 2016, 6:23:07 AM10/12/16
to CAS Users
ERROR [org.apereo.cas.support.saml.web.view.Saml10SuccessResponseView] - <Error generating SAML response for service example.edu.>
java.lang.ClassCastException: java.util.HashSet cannot be cast to java.lang.String
at org.apereo.cas.support.saml.web.view.Saml10SuccessResponseView.prepareResponse(Saml10SuccessResponseView.java:60) ~[cas-server-support-saml-5.0.0.RC4-SNAPSHOT.jar:5.0.0.RC4-SNAPSHOT]
at org.apereo.cas.support.saml.web.view.AbstractSaml10ResponseView.renderMergedOutputModel(AbstractSaml10ResponseView.java:104) ~[cas-server-support-saml-5.0.0.RC4-SNAPSHOT.jar:5.0.0.RC4-SNAPSHOT]
...
This is a bug. Please file an issue.
Ultimately what we'd like to do though is invoke MFA-Duo globally, and
not via an application triggered policy. It looks like the CAS properties
listed here may be relevant, but it's not clear to me how they should
be used.
Global triggers, that are not tied to principal or services, are not possible explicitly. Please file a feature request.
--
CAS gitter chatroom: https://gitter.im/apereo/cas
CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
CAS documentation website: https://apereo.github.io/cas
CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To post to this group, send email to cas-...@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/etPan.57fe0d44.52690fa6.8f80%40unicon.net.CAS gitter chatroom: https://gitter.im/apereo/cas
CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
CAS documentation website: https://apereo.github.io/cas
CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To post to this group, send email to cas-...@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
Baron Fujimoto
Oct 12, 2016, 5:15:24 PM10/12/16
to CAS Users, Misagh Moayyed
On Wed, Oct 12, 2016 at 01:45:32PM +0330, Misagh Moayyed wrote:
>ERROR [org.apereo.cas.support.saml.web.view.Saml10SuccessResponseView] - <Error generating SAML response for service example.edu.>
>java.lang.ClassCastException: java.util.HashSet cannot be cast to java.lang.String
>at org.apereo.cas.support.saml.web.view.Saml10SuccessResponseView.prepareResponse(Saml10SuccessResponseView.java:60) ~[cas-server-support-saml-5.0.0.RC4-SNAPSHOT.jar:5.0.0.RC4-SNAPSHOT]
>at org.apereo.cas.support.saml.web.view.AbstractSaml10ResponseView.renderMergedOutputModel(AbstractSaml10ResponseView.java:104) ~[cas-server-support-saml-5.0.0.RC4-SNAPSHOT.jar:5.0.0.RC4-SNAPSHOT]
>...
>
>
>This is a bug. Please file an issue.
Filed <https://github.com/apereo/cas/issues/2039>
>ERROR [org.apereo.cas.support.saml.web.view.Saml10SuccessResponseView] - <Error generating SAML response for service example.edu.>
>java.lang.ClassCastException: java.util.HashSet cannot be cast to java.lang.String
>at org.apereo.cas.support.saml.web.view.Saml10SuccessResponseView.prepareResponse(Saml10SuccessResponseView.java:60) ~[cas-server-support-saml-5.0.0.RC4-SNAPSHOT.jar:5.0.0.RC4-SNAPSHOT]
>at org.apereo.cas.support.saml.web.view.AbstractSaml10ResponseView.renderMergedOutputModel(AbstractSaml10ResponseView.java:104) ~[cas-server-support-saml-5.0.0.RC4-SNAPSHOT.jar:5.0.0.RC4-SNAPSHOT]
>...
>
>
>This is a bug. Please file an issue.
Appears fixed in more recent RC4-SNAPSHOT release.
>Ultimately what we'd like to do though is invoke MFA-Duo globally, and
>not via an application triggered policy. It looks like the CAS properties
>listed here may be relevant, but it's not clear to me how they should
>be used.
>Global triggers, that are not tied to principal or services, are not possible explicitly. Please file a feature request.
again, I'm not sure how to do this. The docs say, "MFA can be triggered
for all users/subjects carrying a specific attribute that matches
configured attribute value. The attribute value is a regex pattern and
must match the provider id of an available MFA provider described above."
They don't provide an example of this though, and if it's the in the
cas.properties docs, the most likely candidate appears to be
cas.authn.mfa.globalPrincipalAttributeNameTriggers. The commented out
sample provided there does not appear to be set to something I can see
matches a regex pattern and provider id.
Aloha,
-baron
--
Baron Fujimoto <ba...@hawaii.edu> :: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
--
CAS gitter chatroom: https://gitter.im/apereo/cas
CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
CAS documentation website: https://apereo.github.io/cas
CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To post to this group, send email to cas-...@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/20161012211516.GC23083%40praenomen.mgt.hawaii.edu.
CAS gitter chatroom: https://gitter.im/apereo/cas
CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
CAS documentation website: https://apereo.github.io/cas
CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To post to this group, send email to cas-...@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
Misagh Moayyed
Oct 12, 2016, 5:58:10 PM10/12/16
to CAS Users
We might be able to make something work if it's tied to a principal, but
again, I'm not sure how to do this. The docs say, "MFA can be triggered
for all users/subjects carrying a specific attribute that matches
configured attribute value. The attribute value is a regex pattern and
must match the provider id of an available MFA provider described above."
What this means is, you configure CAS to trigger based on an attribute “x”, that is resolved for the principal, whose value is for instance “mfa-duo”, or “mfa-.+”.
Also, I was wrong. Global triggers are supported; just weren’t documented then:
There is a setting for a global provider id. Set it to the provider id of choice, “mfa-duo”.
--
CAS gitter chatroom: https://gitter.im/apereo/cas
CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
CAS documentation website: https://apereo.github.io/cas
CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To post to this group, send email to cas-...@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/etPan.57feb1e9.401e3e5d.5303%40unicon.net.CAS gitter chatroom: https://gitter.im/apereo/cas
CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
CAS documentation website: https://apereo.github.io/cas
CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To post to this group, send email to cas-...@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
Reply all
Reply to author
Forward
0 new messages