Brian, if I have understood things correctly I think you're doing this the hard way: I suspect the sort of thing you're after can be handled with bypass options in CAS where you skip MFA if a particular attribute is found on the authenticated user (ldap group is blah). If a match is found, bypass will kick in and if not, CAS should be able to trigger MFA. There is also the built-in ability to check with Duo directly to see if the user has in fact registered for MFA/Duo and does have an account.
--Misagh > From: "Man H" <info.ings...@gmail.com> > To: cas-user@apereo.org > Sent: Tuesday, February 6, 2018 10:56:18 AM > Subject: Re: [cas-user] Multiple Duo Instances > So in my opinion you have a globaltriggerpolicy mfa-duo and eg a groovy > trigger > for employees. > https://apereo.github.io/cas/5.2.x/installation/Configuring-Multifactor-Authentication-Triggers.html > 2018-02-06 12:18 GMT-03:00 brian mancuso < snidd...@gmail.com > : >> I'm open to any solution that simplifies things and meets the needs. When I'd >> read the documentation, it seemed custom triggers were the way to go here. >> To give a little more information, I have students and employees that both >> need >> to login via CAS to several systems. For some of those systems, we need to >> require employees that login to use DUO while students will have the option, >> but not be required. Other systems won't require DUO for either group unless >> they're already enrolled. >> On Tuesday, February 6, 2018 at 9:59:02 AM UTC-5, Manfredo Hopp wrote: >>> Couldn't this be achieved through custom authentication handler? >>> El martes, 6 de febrero de 2018, brian mancuso < snid...@gmail.com > >>> escribió: >>>> We would like to allow users in a specific ldap group the ability to >>>> optionally >>>> bypass Duo for a given service if the user is not signed up for a 2fa >>>> account. >>>> Essentially there would be these two cases for a user: >>>> - 2fa always required >>>> - 2fa optionally required (but always required if the user has a Duo >>>> account) >>>> I have two duo instances defined in the cas.properties file: mfa-duo, >>>> mfa-duo-force. The first is in bypass mode while the latter doesn't allow >>>> any >>>> bypass. >>>> Then my other classes are thus: >>>> spring.factories >>>> org . springframework . boot . autoconfigure . EnableAutoConfiguration = >>>> org . >>>> apereo . cas . custom . config . >>>> SelectiveDuoWebflowEventResolverConfiguration >>>> I then put together a custom trigger that will determine if a user is >>>> required >>>> to use DUO or not: >>>> SelectiveDuoWebflowEventResolver.java >>>> package org.apereo.cas.custom.mfa; >>>> import com.google.common.collect.ImmutableSet; >>>> import java.util.Map; >>>> import java.util.Optional; >>>> import java.util.Set; >>>> import org.apereo.cas.CentralAuthenticationService; >>>> import org.apereo.cas.authentication.Authentication; >>>> import org.apereo.cas.authentication.AuthenticationServiceSelectionPlan; >>>> import org.apereo.cas.authentication.AuthenticationSystemSupport; >>>> import org.apereo.cas.authentication.principal.Principal; >>>> import org.apereo.cas.services.MultifactorAuthenticationProvider; >>>> import org.apereo.cas.services.MultifactorAuthenticationProviderSelector; >>>> import org.apereo.cas.services.RegisteredService; >>>> import org.apereo.cas.services.ServicesManager; >>>> import org.apereo.cas.ticket.registry.TicketRegistrySupport; >>>> import >>>> org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver; >>>> import org.apereo.cas.web.support.WebUtils; >>>> import org.slf4j.Logger; >>>> import org.slf4j.LoggerFactory; >>>> import org.springframework.web.util.CookieGenerator; >>>> import org.springframework.webflow.execution.Event; >>>> import org.springframework.webflow.execution.RequestContext; >>>> public class SelectiveDuoWebflowEventResolver extends >>>> AbstractCasWebflowEventResolver { >>>> private static final Logger LOGGER = >>>> LoggerFactory.getLogger(SelectiveDuoWebflowEventResolver.class); >>>> public SelectiveDuoWebflowEventResolver(AuthenticationSystemSupport >>>> authenticationSystemSupport, CentralAuthenticationService >>>> centralAuthenticationService, ServicesManager servicesManager, >>>> TicketRegistrySupport ticketRegistrySupport, CookieGenerator >>>> warnCookieGenerator, AuthenticationServiceSelectionPlan >>>> authenticationSelectionStrategies, >>>> MultifactorAuthenticationProviderSelector >>>> selector) { >>>> super(authenticationSystemSupport, centralAuthenticationService, >>>> servicesManager, ticketRegistrySupport, warnCookieGenerator, >>>> authenticationSelectionStrategies, selector); >>>> } >>>> @Override >>>> public Set<Event> resolveInternal(RequestContext context) { >>>> final RegisteredService service = WebUtils.getRegisteredService(context); >>>> final Authentication authentication = WebUtils.getAuthentication(context); >>>> Set<String> attributeKeys = authentication.getAttributes().keySet(); >>>> for (String s : attributeKeys) { >>>> System.out.println("s: " + s + " " + >>>> authentication.getAttributes().get(s)); >>>> } >>>> Principal principal = authentication.getPrincipal(); >>>> attributeKeys = principal.getAttributes().keySet(); >>>> for (String s : attributeKeys) { >>>> System.out.println("p: " + s + " " + principal.getAttributes().get(s)); >>>> } >>>> if (userRequiresDUO()) { >>>> LOGGER.warn("Forcing MFA"); >>>> Optional<MultifactorAuthenticationProvider> mfaDuoForced = >>>> this.getMultifactorAuthenticationProviderFromApplicationContext("mfa-duo-force"); >>>> MultifactorAuthenticationProvider forcedProvider = mfaDuoForced.get(); >>>> final Map eventAttributes >>>> = buildEventAttributeMap(authentication.getPrincipal(), >>>> service, >>>> forcedProvider); >>>> final Event event >>>> = validateEventIdForMatchingTransitionInContext(forcedProvider.getId(), >>>> context, eventAttributes); >>>> return ImmutableSet.of(event); >>>> } else { >>>> LOGGER.warn("Not forcing MFA"); >>>> Optional<MultifactorAuthenticationProvider> mfaDuo = >>>> this.getMultifactorAuthenticationProviderFromApplicationContext("mfa-duo"); >>>> MultifactorAuthenticationProvider bypassableProvider = mfaDuo.get(); >>>> final Map eventAttributes >>>> = buildEventAttributeMap(authentication.getPrincipal(), >>>> service, >>>> bypassableProvider); >>>> final Event event >>>> = validateEventIdForMatchingTransitionInContext(bypassableProvider.getId(), >>>> context, eventAttributes); >>>> return ImmutableSet.of(event); >>>> } >>>> } >>>> } >>>> SelectiveDuoWebflowEventResolverConfiguration.java >>>> package org.apereo.cas.custom.config; >>>> import javax.annotation.PostConstruct; >>>> import org.apereo.cas.CentralAuthenticationService; >>>> import org.apereo.cas.authentication.AuthenticationServiceSelectionPlan; >>>> import org.apereo.cas.authentication.AuthenticationSystemSupport; >>>> import org.apereo.cas.configuration.CasConfigurationProperties; >>>> import org.apereo.cas.custom.mfa.SelectiveDuoWebflowEventResolver; >>>> import org.apereo.cas.services.MultifactorAuthenticationProviderSelector; >>>> import org.apereo.cas.services.ServicesManager; >>>> import org.apereo.cas.ticket.registry.TicketRegistrySupport; >>>> import >>>> org.apereo.cas.web.flow.authentication.RankedMultifactorAuthenticationProviderSelector; >>>> import org.apereo.cas.web.flow.resolver.CasDelegatingWebflowEventResolver; >>>> import org.apereo.cas.web.flow.resolver.CasWebflowEventResolver; >>>> import org.springframework.beans.factory.annotation.Autowired; >>>> import org.springframework.beans.factory.annotation.Qualifier; >>>> import >>>> org.springframework.boot.context.properties.EnableConfigurationProperties; >>>> import org.springframework.cloud.context.config.annotation.RefreshScope; >>>> import org.springframework.context.an notation.Bean; >>>> import org.springframework.context.an notation.Configuration; >>>> import org.springframework.web.util.CookieGenerator; >>>> @Configuration("selectiveDuoWebflowEventResolverConfiguration") >>>> @EnableConfigurationProperties(CasConfigurationProperties.class) >>>> public class SelectiveDuoWebflowEventResolverConfiguration { >>>> @Autowired >>>> @Qualifier("initialAuthenticationAttemptWebflowEventResolver") >>>> private CasDelegatingWebflowEventResolver initialEventResolver; >>>> @Autowired >>>> @Qualifier("centralAuthenticationService") >>>> private CentralAuthenticationService centralAuthenticationService; >>>> @Autowired >>>> @Qualifier("defaultAuthenticationSystemSupport") >>>> private AuthenticationSystemSupport authenticationSystemSupport; >>>> @Autowired >>>> @Qualifier("defaultTicketRegistrySupport") >>>> private TicketRegistrySupport ticketRegistrySupport; >>>> @Autowired >>>> @Qualifier("servicesManager") >>>> private ServicesManager servicesManager; >>>> @Autowired(required = false) >>>> @Qualifier("multifactorAuthenticationProviderSelector") >>>> private final MultifactorAuthenticationProviderSelector >>>> multifactorAuthenticationProviderSelector = new >>>> RankedMultifactorAuthenticationProviderSelector(); >>>> @Autowired >>>> @Qualifier("warnCookieGenerator") >>>> private CookieGenerator warnCookieGenerator; >>>> @Autowired >>>> @Qualifier("authenticationServiceSelectionPlan") >>>> private AuthenticationServiceSelectionPlan >>>> authenticationRequestServiceSelectionStrategies; >>>> @RefreshScope >>>> @Bean >>>> public CasWebflowEventResolver selectiveDuoWebflowEventResolver() { >>>> return new SelectiveDuoWebflowEventResolver(authenticationSystemSupport, >>>> centralAuthenticationService, >>>> servicesManager, ticketRegistrySupport, warnCookieGenerator, >>>> authenticationRequestServiceSelectionStrategies, >>>> multifactorAuthenticationProviderSelector); >>>> } >>>> @PostConstruct >>>> public void initialize() { >>>> initialEventResolver.addDelegate(selectiveDuoWebflowEventResolver()); >>>> } >>>> } >>>> This is driving me nuts because in the documentation it just states that >>>> you are >>>> allowed to use multiple DUO instances. But I'm getting an error that >>>> transitions aren't defined for the mfa-duo-force instance: >>>> 2018-02-01 10:25:29,433 WARN >>>> [org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - >>>> <Transition definition cannot be found for event [mfa-duo-force|mfa-duo]> >>>> If anyone has any information on how I can get this working or if I'm >>>> approaching this all wrong, please let me know. Thanks in advance! >>>> -- >>>> - Website: https://apereo.github.io/cas >>>> - Gitter Chatroom: https://gitter.im/apereo/cas >>>> - List Guidelines: https://goo.gl/1VRrw7 >>>> - Contributions: https://goo.gl/mh7qDG >>>> --- >>>> You received this message because you are subscribed to the Google Groups >>>> "CAS >>>> Community" group. >>>> To unsubscribe from this group and stop receiving emails from it, send an >>>> email >>>> to cas-user+u...@apereo.org . >>>> To view this discussion on the web visit >>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/263f6a6c-9f2b-446f-9707-3c23b96a3f65%40apereo.org >>>> . >> -- >> - Website: https://apereo.github.io/cas >> - Gitter Chatroom: https://gitter.im/apereo/cas >> - List Guidelines: https://goo.gl/1VRrw7 >> - Contributions: https://goo.gl/mh7qDG >> --- >> You received this message because you are subscribed to the Google Groups >> "CAS >> Community" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email >> to cas-user+unsubscr...@apereo.org . >> To view this discussion on the web visit >> https://groups.google.com/a/apereo.org/d/msgid/cas-user/ea1c8c9e-e871-458c-bb74-38e3ed896421%40apereo.org >> . > -- > - Website: https://apereo.github.io/cas > - Gitter Chatroom: https://gitter.im/apereo/cas > - List Guidelines: https://goo.gl/1VRrw7 > - Contributions: https://goo.gl/mh7qDG > --- > You received this message because you are subscribed to the Google Groups "CAS > Community" group. > To unsubscribe from this group and stop receiving emails from it, send an > email > to cas-user+unsubscr...@apereo.org . > To view this discussion on the web visit > https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAMY5mid4RVozXqMAivmt%2BTFbduDud8054NkJFEdO8CM0tY6rTA%40mail.gmail.com > . -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/2142386954.14022195.1517944489816.JavaMail.zimbra%40unicon.net.
