Hello Alexis, 

Many thanks for the feedback. 
If you happen to see this, any chance you can share how you set these 
two parameters?
cas.authn.mfa.globalPrincipalAttributeNameTriggers=memberOf
cas.authn.mfa.globalPrincipalAttributeValueRegex=something

Was the regex just the top entry (case-sensitive) for cn=something, ou=..., or 
was a full DN match required? 
Any chance you used a different attribute outside MS-AD LDAP, like 
groupMembership, for the name trigger? 
What was the value for cas.authn.mfa.globalFailureMode (OPEN, PHANTOM, or 
CLOSED)?
On individual websites, what did you have to do to ensure that if the above 
cas.authn.mfa.globalPrincipalAttributeNameTriggers/Regex does not match, it 
does not enforce the MFA request?
Currently, match or no match on globalPrincipalAttributeNameTriggers/Regex, 
MFA is required by the individual site. 

Thanks again.


On Friday, June 12, 2020 at 9:43:02 AM UTC-4 Alexis wrote:

> Hello,
>
> I really hope you already found a solution, but if not, for my part, I did:
>
> cas.authn.mfa.globalProviderId=mfa-yubikey,mfa-gauth
>
> And it works !
>
> Regards,
>
> On Friday, December 20, 2019 at 20:30:06 UTC+1, randomuser878 wrote:
>>
>> Hello
>>
>>   Using CAS 6.1.2 and compiled cas-management (master branch, thanks to 
>> Travis et al.) for fixing the attribute and pac4j-compatible changes and the 
>> 6.x tree.
>>
>>   Trying this: 
>> https://apereo.github.io/2019/05/13/cas61x-mfa-selection-strategies/
>>    
>>   Assigned: cas.authn.mfa.provider-selection-enabled=true
>>   I also tried setting the rank value the same (i.e. 100) for mfa-gauth and 
>> mfa-yubikey. 
>>   When set up for only one MFA provider, I get MFA for that device. 
>>   When choosing two mfa values, MFA is entirely bypassed. I never see 
>> the selection as shown in the blog article. The JSON export from 
>> cas-management is shown below. 
>>   I am certain I am missing something obvious. Any clue is greatly 
>> appreciated.
>>
>>   Is this implementation mandatory for this 
>> integration:  
>> cas.authn.mfa.providerSelectorGroovyScript=file:/etc/cas/mfaGroovySelector.groovy
>>   If so, any clues on how to proceed? 
>>
>>   I also searched the properties for any additional parameter, to no avail.
>> gradlew runShell
>> java -jar build/libs/cas-server-support-shell-6.1.2.jar
>>
>> cas>find --name mfa.provider
>> Property: cas.authn.adaptive.risk.response.mfa-provider
>> Group: cas.authn.adaptive.risk.response
>> Default Value: [blank]
>> Type: java.lang.String
>> Summary: If an authentication attempt is deemed risky, force a 
>> multi-factor authentication event noted by the provider id here.
>> Description: If an authentication attempt is deemed risky, force a 
>> multi-factor authentication event noted by the provider id here.
>> Deprecated: no
>> ----------------------------------------------------------------------
>> Property: cas.authn.mfa.provider-selector-groovy-script
>> Group: cas.authn.mfa
>> Default Value: [blank]
>> Type: org.springframework.core.io.Resource
>> Summary: In the event that multiple multifactor authentication providers 
>> are determined for a multifactor authentication transaction, by default CAS 
>> will attempt to sort the collection of providers based on their rank and 
>> will pick one with the highest priority.
>> Description: In the event that multiple multifactor authentication 
>> providers are determined for a multifactor authentication transaction, by 
>> default CAS will attempt to sort the collection of providers based on their 
>> rank and will pick one with the highest priority. This use case may arise 
>> if multiple triggers are defined where each decides on a different 
>> multifactor authentication provider, or the same provider instance is 
>> configured multiple times with many instances. Provider selection may also 
>> be carried out using Groovy scripting strategies more dynamically. The 
>> following example should serve as an outline of how to select multifactor 
>> providers based on a Groovy script.
>> Deprecated: no
>> ----------------------------------------------------------------------
>> Property: cas.authn.mfa.provider-selection-enabled
>> Group: cas.authn.mfa
>> Default Value: false
>> Type: java.lang.Boolean
>> Summary: In the event that multiple multifactor authentication providers 
>> are determined for a multifactor authentication transaction, this setting 
>> will allow one to interactively choose a provider out of the list of 
>> available providers.
>> Description: In the event that multiple multifactor authentication 
>> providers are determined for a multifactor authentication transaction, this 
>> setting will allow one to interactively choose a provider out of the list 
>> of available providers. A trigger may be designed to support more than one 
>> provider, and rather than letting CAS auto-determine the selected provider 
>> via scripts or ranking strategies, this method puts the choice back onto 
>> the user to decide which provider makes the most sense at any given time.
>> Deprecated: no
>>
>>
>> JSON output from cas-management (sensitive info changed):
>> {
>>   @class: org.apereo.cas.services.RegexRegisteredService
>>   serviceId: ^https://somewhere.and.nowhere(\\z|/.*)
>>   name: SAMPLE
>>   id: 1
>>   expirationPolicy:
>>   {
>>     @class: 
>> org.apereo.cas.services.DefaultRegisteredServiceExpirationPolicy
>>     deleteWhenExpired: false
>>     notifyWhenDeleted: false
>>     notifyWhenExpired: false
>>   }
>>   proxyPolicy:
>>   {
>>     @class: org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy
>>   }
>>   proxyTicketExpirationPolicy:
>>   {
>>     @class: 
>> org.apereo.cas.services.DefaultRegisteredServiceProxyTicketExpirationPolicy
>>     numberOfUses: 0
>>   }
>>   serviceTicketExpirationPolicy:
>>   {
>>     @class: 
>> org.apereo.cas.services.DefaultRegisteredServiceServiceTicketExpirationPolicy
>>     numberOfUses: 0
>>   }
>>   evaluationOrder: 1
>>   usernameAttributeProvider:
>>   {
>>     @class: 
>> org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider
>>     canonicalizationMode: NONE
>>     encryptUsername: false
>>   }
>>   logoutType: BACK_CHANNEL
>>   requiredHandlers:
>>   [
>>     java.util.HashSet
>>     []
>>   ]
>>   environments:
>>   [
>>     java.util.HashSet
>>     []
>>   ]
>>   attributeReleasePolicy:
>>   {
>>     @class: org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy
>>     principalAttributesRepository:
>>     {
>>       @class: 
>> org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository
>>       mergingStrategy: MULTIVALUED
>>       ignoreResolvedAttributes: false
>>     }
>>     consentPolicy:
>>     {
>>       @class: 
>> org.apereo.cas.services.consent.DefaultRegisteredServiceConsentPolicy
>>       enabled: true
>>       order: 0
>>     }
>>     authorizedToReleaseCredentialPassword: false
>>     authorizedToReleaseProxyGrantingTicket: false
>>     excludeDefaultAttributes: false
>>     authorizedToReleaseAuthenticationAttributes: true
>>     order: 0
>>     allowedAttributes:
>>     [
>>       java.util.ArrayList
>>       [
>>         mail
>>         cn
>>         groupMembership
>>       ]
>>     ]
>>   }
>>   multifactorPolicy:
>>   {
>>     @class: 
>> org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy
>>     multifactorAuthenticationProviders:
>>     [
>>       java.util.HashSet
>>       [
>>         mfa-gauth
>>         mfa-yubikey
>>       ]
>>     ]
>>     failureMode: PHANTOM  ( also tried with CLOSED to no avail)
>>     principalAttributeNameTrigger: groupMembership
>>     principalAttributeValueToMatch: cn=SOME_GROUP_DN
>>     bypassEnabled: false
>>     forceExecution: false
>>     bypassTrustedDeviceEnabled: false
>>   }
>>   accessStrategy:
>>   {
>>     @class: org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy
>>     order: 0
>>     enabled: true
>>     ssoEnabled: true
>>     delegatedAuthenticationPolicy:
>>     {
>>       @class: 
>> org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy
>>       allowedProviders:
>>       [
>>         java.util.ArrayList
>>         []
>>       ]
>>       permitUndefined: true
>>       exclusive: false
>>     }
>>     requireAllAttributes: true
>>     requiredAttributes:
>>     {
>>       @class: java.util.LinkedHashMap
>>     }
>>     rejectedAttributes:
>>     {
>>       @class: java.util.LinkedHashMap
>>     }
>>     caseInsensitive: false
>>   }
>>   properties:
>>   {
>>     @class: java.util.LinkedHashMap
>>   }
>>   contacts:
>>   [
>>     java.util.ArrayList
>>     []
>>   ]
>> }
>>
>>
>>

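The questions in the reply above (is the value regex a substring match or a full DN match, is it case-sensitive, and what happens for a multi-valued attribute such as memberOf or groupMembership) decide whether a principal-attribute trigger fires at all, and an unanchored substring regex can also fire for groups it was never meant to cover. The following is an added example, not code from CAS or from anyone in this thread: it models an attribute trigger as "any value of the named attribute satisfies the regex" and exposes the full-match/substring and case-sensitivity choices as parameters so both outcomes can be compared on constructed sample data. Which of these semantics CAS actually applies is not established on this page; treat the model as an assumption and check it against your own deployment.

```python
import re
from typing import Dict, Iterable, List, Union

AttributeMap = Dict[str, Union[str, Iterable[str]]]

# Constructed sample principal attributes (not taken from the thread):
# a multi-valued memberOf as MS-AD returns it, plus a groupMembership
# attribute like the one in the poster's service definition. All values are DNs.
SAMPLE_PRINCIPAL: AttributeMap = {
    "memberOf": [
        "CN=something,OU=Groups,DC=example,DC=org",
        "CN=Something-Else,OU=Groups,DC=example,DC=org",
    ],
    "groupMembership": ["cn=SOME_GROUP_DN,ou=groups,o=example"],
}


def matching_values(attributes: AttributeMap, name: str, regex: str,
                    full_match: bool = True, case_sensitive: bool = True) -> List[str]:
    """Return every value of attribute `name` that satisfies `regex`.

    full_match=True  : the regex must cover the entire attribute value (re.fullmatch)
    full_match=False : the regex only has to occur somewhere in the value (re.search)
    case_sensitive   : False adds re.IGNORECASE, which also neutralises the common
                       'CN=' vs 'cn=' difference between directories.
    Assumed semantics: modelled here, not confirmed CAS behaviour.
    """
    values = attributes.get(name, [])
    if isinstance(values, str):          # single-valued attributes arrive as a plain string
        values = [values]
    pattern = re.compile(regex, 0 if case_sensitive else re.IGNORECASE)
    check = pattern.fullmatch if full_match else pattern.search
    return [v for v in values if check(str(v)) is not None]


def attribute_triggers_mfa(attributes: AttributeMap, name: str, regex: str,
                           full_match: bool = True, case_sensitive: bool = True) -> bool:
    """True if the trigger fires: at least one value of `name` satisfies `regex`."""
    return bool(matching_values(attributes, name, regex, full_match, case_sensitive))


if __name__ == "__main__":
    # Substring, case-sensitive: 'something' fires on the first DN only.
    print(matching_values(SAMPLE_PRINCIPAL, "memberOf", "something", full_match=False))
    # Full match: a bare group name never equals a whole DN, so nothing fires.
    print(matching_values(SAMPLE_PRINCIPAL, "memberOf", "something", full_match=True))
    # Over-match risk of an unanchored regex: 'Something' also hits 'Something-Else'.
    print(matching_values(SAMPLE_PRINCIPAL, "memberOf", "Something", full_match=False))
    # Anchoring the RDN closes that gap.
    print(matching_values(SAMPLE_PRINCIPAL, "memberOf", r"CN=Something,.*", full_match=True))
```

Run against the poster's own setting, `principalAttributeValueToMatch: cn=SOME_GROUP_DN`, the model fires under substring semantics and does not fire under full-match semantics, which is exactly why the answer to the first question above changes the outcome. The safer pattern in either case is an anchored expression that spells out the RDN and its trailing separator (for example `^CN=Something,.*$`), so a similarly named group cannot satisfy it by accident.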
-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/18cd5560-e51e-4541-8ec1-b2cf7c65900fn%40apereo.org.