Hi Jeremy,

It is great news about the scratch codes.

I'm not sure I understand your question about the qrcode. Registering a device is possible, and required, when a service is registered on your CAS with "Google Authentication" as MFA. So, at the first login without a registered device, the user will be asked to scan the qrcode on the screen and save (or print) the scratch codes. After clicking the next button, the user should enter his token in the field to finish the registration and be redirected to the service.

Does that answer your question, Jeremy?

My own question about this system: how to unregister a device in case of a change of device or loss? I don't know the URL to do that...

Sincerely,
Mickaël

On Thursday, 21 February 2019 11:32:54 UTC+1, Jeremy Van Rooyen wrote:
>
> Hi Mickaël,
>
> Thanks for your reply.
>
> So after playing around a bit more it seems like the on screen scratch
> codes are being stored in the mongodb and using that it allows me to
> authenticate perfectly.
>
> The next question is how would one register via the qrcode using the
> Google Authenticator app on phone? Or am I not understanding something?
>
> Kind Regards
> Jeremy
>
> On Tuesday, 19 February 2019 10:30:29 UTC+2, Mickaël wrote:
>>
>> Hello,
>>
>> Are you sure there is anything registered in your Mongo database? Scratch
>> codes and tokens are stored in the DB for each user in 2 different tables.
>>
>> It is strange to see that, normally "WHO" is the user, not the token:
>> *WHO: 253227*
>> *WHAT: Supplied credentials: [[token=253227]]*
>>
>> For information, I am using gauth with MariaDB without any issue.
>>
>> Mickaël
>>
>> On Thursday, 15 February 2018 09:53:52 UTC+1, Janina Byky wrote:
>>>
>>> Hello,
>>>
>>> I'm trying to set up CAS 5.2.2 with Google Authenticator as second auth
>>> factor for specified services. CAS is running over LDAP (AD) and GAuth
>>> based on mongo. So far everything was great, build succeeded, GAuth qrcode
>>> appears, user registers and now it's time for TOKEN form.
>>> I'm typing all scratch codes and those generated by Google Authenticator,
>>> but every single attempt is unsuccessful. Also there's no collection
>>> created to store tokens in mongo. Only GAuthRepository is created with
>>> proper values of registered users.
>>>
>>> *cas.properties*
>>>
>>> cas.authn.accept.users=
>>>
>>> cas.authn.ldap[0].order=0
>>> cas.authn.ldap[0].type=AUTHENTICATED
>>> cas.authn.ldap[0].ldapUrl={CUT}
>>> cas.authn.ldap[0].connectionStrategy=DEFAULT
>>> cas.authn.ldap[0].useSsl=true
>>> cas.authn.ldap[0].connectTimeout=15000
>>> cas.authn.ldap[0].subtreeSearch=true
>>> cas.authn.ldap[0].baseDn={CUT}
>>> cas.authn.ldap[0].userFilter=(|(sAMAccountName={user})(userPrincipalName={user}))
>>> cas.authn.ldap[0].bindDn={CUT}
>>> cas.authn.ldap[0].bindCredential={CUT}
>>> cas.authn.ldap[0].enhanceWithEntryResolver=true
>>> cas.authn.ldap[0].principalAttributeId=sAMAccountName
>>> cas.authn.ldap[0].principalAttributePassword=
>>> cas.authn.ldap[0].usePasswordPolicy=true
>>> cas.authn.ldap[0].principalAttributeList=sn,cn:commonName,givenName,sAMAccountName,memberOf
>>> cas.authn.ldap[0].allowMultiplePrincipalAttributeValues=true
>>> cas.authn.ldap[0].poolPassivator=NONE
>>> cas.authn.ldap[0].minPoolSize=2
>>> cas.authn.ldap[0].maxPoolSize=15
>>>
>>> cas.authn.mfa.globalProviderId=mfa-gauth
>>> cas.authn.mfa.globalFailureMode=CLOSED
>>>
>>> cas.authn.mfa.gauth.issuer=TEST
>>> cas.authn.mfa.gauth.codeDigits=6
>>> cas.authn.mfa.gauth.timeStepSize=60
>>> cas.authn.mfa.gauth.windowSize=3
>>> cas.authn.mfa.gauth.label=TEST
>>> cas.authn.mfa.gauth.rank=0
>>>
>>> cas.authn.mfa.gauth.cleaner.enabled=true
>>> cas.authn.mfa.gauth.cleaner.schedule.startDelay=20000
>>> cas.authn.mfa.gauth.cleaner.schedule.repeatInterval=60000
>>>
>>> cas.authn.mfa.gauth.bypass.type=DEFAULT
>>>
>>> cas.authn.mfa.gauth.mongo.clientUri=${mongo.uri}
>>> cas.authn.mfa.gauth.mongo.dropCollection=false
>>> cas.authn.mfa.gauth.mongo.collection=GAuthRepository
>>> cas.authn.mfa.gauth.mongo.tokenCollection=GoogleAuthenticatorMongoDbTokenRepository
>>>
>>> *pom.xml*
>>>
>>> <dependency>
>>>     <groupId>org.apereo.cas</groupId>
>>>     <artifactId>cas-server-webapp${app.server}</artifactId>
>>>     <version>${cas.version}</version>
>>>     <type>war</type>
>>>     <scope>runtime</scope>
>>> </dependency>
>>> <dependency>
>>>     <groupId>org.apereo.cas</groupId>
>>>     <artifactId>cas-server-support-ldap</artifactId>
>>>     <version>${cas.version}</version>
>>> </dependency>
>>> <dependency>
>>>     <groupId>org.apereo.cas</groupId>
>>>     <artifactId>cas-server-support-saml</artifactId>
>>>     <version>${cas.version}</version>
>>> </dependency>
>>> <dependency>
>>>     <groupId>org.apereo.cas</groupId>
>>>     <artifactId>cas-server-support-gauth</artifactId>
>>>     <version>${cas.version}</version>
>>> </dependency>
>>> <dependency>
>>>     <groupId>org.apereo.cas</groupId>
>>>     <artifactId>cas-server-support-gauth-mongo</artifactId>
>>>     <version>${cas.version}</version>
>>> </dependency>
>>>
>>> *catalina.log*
>>>
>>> 2018-02-15 09:31:13,952 DEBUG [org.apereo.cas.authentication.RegisteredServiceAuthenticationHandlerResolver] - <Authentication handlers used for this transaction are [GoogleAuthenticatorAuthenticationHandler,LdapAuthenticationHandler,HttpBasedServiceCredentialsAuthenticationHandler]>
>>> 2018-02-15 09:31:13,953 DEBUG [org.apereo.cas.adaptors.gauth.GoogleAuthenticatorAuthenticationHandler] - <Received OTP [*253227*]>
>>> 2018-02-15 09:31:13,954 DEBUG [org.apereo.cas.adaptors.gauth.GoogleAuthenticatorAuthenticationHandler] - <Received principal id *[j.byky*]>
>>> 2018-02-15 09:31:13,970 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <[GoogleAuthenticatorAuthenticationHandler] exception details: [Failed to authenticate code *253227*].>
>>> 2018-02-15 09:31:13,971 DEBUG [org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler] - <Credential
>>> is not one of username/password and is not accepted by handler [LdapAuthenticationHandler]>
>>> 2018-02-15 09:31:13,972 ERROR [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <*Authentication has failed. Credentials may be incorrect or CAS cannot find authentication handler that supports [[token=253227]] of type [GoogleAuthenticatorTokenCredential]*.>
>>> 2018-02-15 09:31:13,976 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
>>> =============================================================
>>> *WHO: 253227*
>>> *WHAT: Supplied credentials: [[token=253227]]*
>>> ACTION: AUTHENTICATION_SUCCESS
>>> APPLICATION: CAS
>>> WHEN: Thu Feb 15 09:31:13 CET 2018
>>> CLIENT IP ADDRESS: 10.100.100.20
>>> SERVER IP ADDRESS: 10.40.0.2
>>> =============================================================
>>>
>>> >
>>> 2018-02-15 09:31:13,978 ERROR [org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - <1 errors, 0 successes>
>>> org.apereo.cas.authentication.AuthenticationException: 1 errors, 0 successes
>>>     at org.apereo.cas.authentication.PolicyBasedAuthenticationManager.evaluateFinalAuthentication(PolicyBasedAuthenticationManager.java:400) ~[cas-server-core-authentication-5.2.2.jar:5.2.2]
>>>     at org.apereo.cas.authentication.PolicyBasedAuthenticationManager.authenticateInternal(PolicyBasedAuthenticationManager.java:380) ~[cas-server-core-authentication-5.2.2.jar:5.2.2]
>>>     at org.apereo.cas.authentication.PolicyBasedAuthenticationManager.authenticate(PolicyBasedAuthenticationManager.java:220) ~[cas-server-core-authentication-5.2.2.jar:5.2.2]
>>>     at org.apereo.cas.authentication.PolicyBasedAuthenticationManager$$FastClassBySpringCGLIB$$90e801d3.invoke(<generated>) ~[cas-server-core-authentication-5.2.2.jar:5.2.2]
>>>     at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204)
>>>     ~[spring-core-4.3.12.RELEASE.jar:4.3.12.RELEASE]
>>>     at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:738) ~[spring-aop-4.3.12.RELEASE.jar:4.3.12.RELEASE]
>>>     at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157) ~[spring-aop-4.3.12.RELEASE.jar:4.3.12.RELEASE]
>>>     at org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:85) ~[spring-aop-4.3.12.RELEASE.jar:4.3.12.RELEASE]
>>>     at org.apereo.inspektr.audit.AuditTrailManagementAspect.handleAuditTrail(AuditTrailManagementAspect.java:134) ~[inspektr-audit-1.8.0.GA.jar:1.8.0.GA]
>>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_162]
>>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_162]
>>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_162]
>>>     at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_162]
>>>     ...
>>>
>>> 2018-02-15 09:31:13,982 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
>>> =============================================================
>>> WHO: *253227*
>>> WHAT: [event=error,timestamp=Thu Feb 15 09:31:13 CET 2018,source=OneTimeTokenAuthenticationWebflowEventResolver]
>>> ACTION: AUTHENTICATION_EVENT_TRIGGERED
>>> APPLICATION: CAS
>>> WHEN: Thu Feb 15 09:31:13 CET 2018
>>> CLIENT IP ADDRESS: 10.100.100.20
>>> SERVER IP ADDRESS: 10.40.0.2
>>> =============================================================
>>>
>>> Can anybody tell me what I'm missing?
-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/7267926e-12cb-4c23-bc73-1da1447a2475%40apereo.org.
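
Added example, not part of the thread and not CAS code: an RFC 6238 check using the posted codeDigits=6, timeStepSize=60 and windowSize=3, showing that a verifier only accepts codes from a generator that uses the same time step. The secret, the timestamp, the 30-second generator step and the centred-window semantics are assumptions made for the illustration.

```python
import hashlib
import hmac
import struct

# Constructed sample values: the RFC 6238 test secret and one of its test times.
SECRET = b"12345678901234567890"
SAMPLE_TIME = 1111111109

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 of the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)

def verify(secret: bytes, code: str, unix_time: int, step: int,
           window: int, digits: int = 6) -> bool:
    """Accept `code` if it matches one of `window` steps centred on now.

    Assumption: windowSize=3 means previous, current and next step.
    """
    now = unix_time // step
    first = max(now - (window - 1) // 2, 0)
    last = now + window // 2
    expected = (hotp(secret, c, digits) for c in range(first, last + 1))
    # Evaluate every candidate with a constant-time comparison.
    return any([hmac.compare_digest(code, e) for e in expected])

def step_mismatch_demo() -> dict:
    """Generator on a 30 s step vs. verifiers on 30 s and 60 s (posted value)."""
    code = totp(SECRET, SAMPLE_TIME, step=30)
    return {
        "code": code,
        "verifier_step_30": verify(SECRET, code, SAMPLE_TIME, 30, window=3),
        "verifier_step_60": verify(SECRET, code, SAMPLE_TIME, 60, window=3),
    }

if __name__ == "__main__":
    print(step_mismatch_demo())
```

With a 60-second verifier step the counter is roughly half the 30-second generator's counter, so no window of a few steps can bridge the gap.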