[cas-user] Enforce MFA without authentication (active SSO session)


tjan...@gmail.com
May 7, 2024, 6:53:15 PM
to CAS Community
Hello!

I'm trying to trigger MFA even if the user is authenticated and the TGT participates in the existing SSO session, but somehow the behavior is inconsistent. I'm using OAuth authorization code flow and already somehow managed to execute a flow where after a call to /authorize, the user was NOT requested to authenticate (due to active SSO), but still the MFA policy was triggered as expected.

Now I'm unable to reproduce that. Instead, whenever I send a request to /authorize, I get redirected to the service redirect URL with an OAuth code in the query parameters. Instead, I would like the MFA provider to get triggered on each call to /authorize for this specific service.

In the service configuration I have defined:
"multifactorPolicy": {
  "@class": "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
  "script": "classpath:groovy/forceMfaPolicy.groovy",
  "bypassEnabled": "false",
  "forceExecution": "true"
}

What might be the correct way to enforce MFA even if an SSO session is active and being participated in?

Thank you!
Tom

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/cf943dab-98a0-43bc-8357-380993c70f9cn%40apereo.org.

Ray Bon
May 7, 2024, 8:39:52 PM
to cas-...@apereo.org
Tom,

Could it be that the Groovy script is returning null or a value that CAS does not understand?

Ray

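For reference, here is what a per-service policy script of the kind Ray is asking about looks like when it can never evaluate to "no provider". This is an added example, not code from either poster or from the CAS project; the argument binding (service, registeredService, authentication, httpRequest, logger) follows the CAS documentation for scripted DefaultRegisteredServiceMultifactorPolicy, and "mfa-duo" is assumed as the provider id.

```groovy
// Added example: a minimal per-service MFA policy script for
// DefaultRegisteredServiceMultifactorPolicy ("script": "classpath:groovy/forceMfaPolicy.groovy").
// It always returns a provider id, so the policy cannot silently resolve to
// "no MFA" because the script returned null or an unknown value.
// The provider id "mfa-duo" is an assumption; use the id of your configured provider.
import java.util.*

def run(final Object... args) {
    // Argument order as documented by CAS for scripted multifactor policies
    def (service, registeredService, authentication, httpRequest, logger) = args

    logger.debug("Evaluating MFA policy for registered service [{}], principal [{}]",
        registeredService?.serviceId, authentication?.principal?.id)

    // Returning null or an empty string tells CAS that no provider applies to
    // this request, which from the outside looks exactly like "MFA did not trigger".
    // For services that must always be challenged, return the provider id unconditionally.
    def providerId = "mfa-duo"
    logger.info("Selecting MFA provider [{}] for service [{}]", providerId, registeredService?.name)
    return providerId
}
```

A script like this only decides which provider the policy selects; it does not by itself change whether the /authorize request reaches the MFA step at all, which is the separate pac4j profile question discussed further down the thread.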

tjan...@gmail.com
May 8, 2024, 2:23:49 AM
to CAS Community, Ray Bon
Hi, thanks for the response!

Actually what seems to happen is that when /authorize is called, the CAS OAuth20HandlerInterceptorAdapter.preHandle() is invoked which in turn invokes the pac4j SecurityInterceptor. Eventually the org.pac4j.core.engine.DefaultSecurityLogic gets called and it checks (via DefaultAuthorizationChecker) if an active pac4j profile can be found in the session store. It seems like if I call /authorize within some time (~10min?) after a successful login to CAS, then there is an active profile in the session and the authentication & authorization is considered valid and access is granted.
However, after waiting for some time, when I call /authorize, then there is no profile in the session store and eventually we end up in the MFA step.

Is anyone able to explain how this works and if there is some way to affect the profile expiration in the session store, so that the pac4j engine would NOT consider the request authorized? I suppose we would want to otherwise keep the default functionality, but for some specific OAuth clients we would want MFA to be triggered on EVERY request to /authorize.

I might be completely lost too, would be happy to receive some insight on this if someone is aware :)

Many thanks!
Tom

Ray Bon
May 8, 2024, 1:42:21 PM
to cas-...@apereo.org, tjan...@gmail.com
Tom,

Our setup is a bit different. We use this for services that require MFA:

"multifactorPolicy": {
  "@class": "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
  "multifactorAuthenticationProviders": [
    "java.util.HashSet",
    [
      "mfa-duo"
    ]
  ],
  "failureMode": "CLOSED",
  "principalAttributeNameTrigger": "",
  "principalAttributeValueToMatch": "",
  "forceExecution": true
},

It triggers right away, but we only have one MFA provider.

Ray
