I tried to get this working last summer with no luck. I finally punted and 
used a Groovy script to return the appropriate MFA provider.


On Wednesday, August 14, 2019 at 12:50:13 PM UTC-5, John Bond wrote:
>
> Hi all,
>
> I'm attempting to configure CAS so that the MFA provider is determined via 
> an LDAP attribute.  I have the following config:
>
> ```
> server.ssl.keyStore=file:/etc/cas/thekeystore
>
> cas.server.name=https://idp.wikimedia.org:8443
> cas.server.prefix=https://idp.wikimedia.org:8443/cas
>
> cas.authn.mfa.globalPrincipalAttributeNameTriggers=businessCategory
> cas.authn.mfa.gauth.json.location=file:///etc/cas/config/gauthdevices.json
> cas.authn.mfa.u2f.json.location=file:///etc/cas/config/u2fdevices.json
>
> logging.config: file:/etc/cas/config/log4j2.xml
>
> cas.serviceRegistry.json.location=file:/etc/cas/services
>
>
> cas.authn.ldap[0].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider
> cas.authn.ldap[0].principalAttributeList=cn,memberOf,mail,businessCategory
> cas.authn.ldap[0].type=AUTHENTICATED
> cas.authn.ldap[0].connectionStrategy=ACTIVE_PASSIVE
> cas.authn.ldap[0].ldapurl=ldaps://ldap-ro.eqiad.wikimedia.org:636 ldaps://ldap-ro.codfw.wikimedia.org:636
> cas.authn.ldap[0].useStartTLS=false
> cas.authn.ldap[0].basedn=dc=wikimedia,dc=org
> cas.authn.ldap[0].searchFilter=cn={user}
> cas.authn.ldap[0].binddn=cn=user,ou=profile,dc=wikimedia,dc=org
> cas.authn.ldap[0].bindcredential=**removed**
> cas.authn.accept.users=
> logging.level.org.apereo=DEBUG
> ```
> And my user has `businessCategory: mfa-gauth` configured in LDAP.  
> However, when I try to authenticate, I see the following in the debug logs:
>
> ```
> 2019-08-14 17:35:06,797 DEBUG [org.apereo.cas.authentication.DefaultMultifactorAuthenticationProviderResolver] - <Located attribute value [[mfa-gauth]] for [[businessCategory]]>
> 2019-08-14 17:35:06,797 DEBUG [org.apereo.cas.authentication.MultifactorAuthenticationUtils] - <Attribute value [[mfa-gauth]] is not a single-valued attribute>
> 2019-08-14 17:35:06,799 DEBUG [org.apereo.cas.authentication.MultifactorAuthenticationUtils] - <Ignoring [mfa-gauth] since no matching transition could be found>
> 2019-08-14 17:35:06,799 DEBUG [org.apereo.cas.authentication.DefaultMultifactorAuthenticationProviderResolver] - <No set of events based on the attribute(s) [[businessCategory]] could be matched>
> ```
>
> So it looks like LDAP sends this value as an array and CAS doesn't like 
> that.  Is anyone able to give advice on how I could get LDAP to send this 
> [or some other attribute] as a string, or fix this issue on the CAS side?
>
> Cheers, John
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/640c568e-0e5e-4cd4-a0f5-635633a185f4%40apereo.org.
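The reply above mentions falling back to a Groovy script to pick the MFA provider. The script below is an added example, not the poster's script and not code shipped with CAS, of what such a trigger can look like. It follows the shape CAS documents for the `cas.authn.mfa.groovyScript` trigger (a script-level `run` method that receives the service, registered service, authentication, HTTP request and logger, and returns a provider id or null); that wiring and the file path are assumptions, not something the thread confirms. The attribute name `businessCategory` and the provider ids `mfa-gauth` and `mfa-u2f` come from the quoted configuration. Its one real job is the case the debug log shows: the LDAP attribute arrives as a collection even when it holds a single value, so the script normalises it before matching and only ever returns a provider id from an explicit allow-list.

```groovy
import java.util.*

/*
 * Added example (not the original poster's script): a CAS Groovy MFA trigger
 * that selects the provider from an LDAP principal attribute.
 * Assumed wiring, not from the thread:
 *   cas.authn.mfa.groovyScript=file:/etc/cas/config/mfaGroovyTrigger.groovy
 */
def String run(final Object... args) {
    def service = args[0]            // unused here, kept to match the CAS call shape
    def registeredService = args[1]  // unused here
    def authentication = args[2]
    def httpRequest = args[3]        // unused here
    def logger = args[4]

    // Attribute to inspect, and the only provider ids this script may return.
    // Values not on this list are ignored rather than passed through to CAS.
    final String triggerAttribute = 'businessCategory'
    final Set<String> knownProviders = ['mfa-gauth', 'mfa-u2f'] as Set

    def principal = authentication.principal
    def raw = principal.attributes.get(triggerAttribute)

    // LDAP-sourced attributes are typically a List even for one value. Treat a
    // scalar, a single-element collection and a multi-valued collection alike.
    List<String> values = (raw instanceof Collection ? raw : [raw])
            .findAll { it != null }
            .collect { it.toString().trim() }

    def provider = values.find { knownProviders.contains(it) }
    if (provider == null) {
        logger.debug("No known MFA provider in {}={} for principal [{}]",
                triggerAttribute, values, principal.id)
        return null   // null: this trigger does not request MFA
    }
    logger.debug("Selected MFA provider [{}] for principal [{}]", provider, principal.id)
    return provider
}
```

When enabling a script trigger like this, drop `cas.authn.mfa.globalPrincipalAttributeNameTriggers` from the properties so the two triggers do not compete for the same attribute. Note that returning null simply means this trigger requests no MFA; if your deployment expects every directory user to have a provider, decide deliberately whether an unset or unrecognised attribute should instead be treated as a misconfiguration and surfaced in the logs at a higher level than DEBUG.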
