I have been working on getting MFA-Duo to trigger only when a user is a
member of a specific group. I have been able to use the
"principalAttributeNameTrigger" and the "principalAttributeValueToMatch" to
match single value attributes. Is it possible to filter the mfa-duo based
on a multi-value attribute like this? The following is the service
definition I have been trying to get working and an example of the
memberOf attribute output.
Example service:
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^(http|https)://.*",
  "name" : "HTTP and HTTPS",
  "id" : 100,
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
  },
  "multifactorPolicy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
    "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-duo" ] ],
    "principalAttributeNameTrigger" : "memberOf",
    "principalAttributeValueToMatch" : "CN=Duo Authentication,OU=groups,DC=example,DC=com"
  }
}
Example output of memberOf attribute:
DEBUG [LdapAuthenticationHandler] - <Found principal attribute: [memberOf[CN=Users,OU=groups,DC=example,DC=com, CN=Duo Authentication,OU=groups,DC=example,DC=com, CN=Employee,OU=groups,DC=example,DC=com]
Thanks