Here is my understanding of using MFA:

Scenario 1: Disable MFA globally, and enable it at the service level

a. Configure in cas.properties: nothing.

b. Enable 2FA at the service level:

    {
      "@class" : "org.apereo.cas.services.RegexRegisteredService",
      "serviceId" : "^https://demo1.mydomain.(com|com/.*)$",
      "name" : "demo1",
      "id" : 20001107,
      "description" : "2FA demo site",
      "attributeReleasePolicy" : {
        "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
      },
      "multifactorPolicy" : {
        "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
        "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-gauth" ] ]
      },
      "evaluationOrder" : 1107
    }

Scenario 2: Enable MFA globally, and disable it for a few services

a. Enable MFA globally:

    cas.authn.mfa.global-provider-id=mfa-gauth

b. Disable 2FA at the service level:

    {
      "@class" : "org.apereo.cas.services.RegexRegisteredService",
      "serviceId" : "^https://demo1.mydomain.(com|com/.*)$",
      "name" : "demo1",
      "id" : 20001107,
      "description" : "2FA demo site",
      "attributeReleasePolicy" : {
        "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
      },
      "multifactorPolicy" : {
        "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
        "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-gauth" ] ],
        "bypassEnabled" : "true"
      },
      "evaluationOrder" : 1107
    }

Scenario 3: Bypass MFA by client IP

Configure in cas.properties:

    cas.authn.mfa.gauth.bypass.http-request-remote-address=192.168.1.3

Notes: This is a configuration item of gauth; it takes effect only when mfa-gauth is selected.

Scenario 4: Complex situation

For some complex usage, we can only use a Groovy script to achieve our goal.

a. Configure in cas.properties:

    cas.authn.mfa.groovyScript=file:/opt/castest/mfaGroovyTrigger.groovy

    cat /opt/castest/mfaGroovyTrigger.groovy
    import java.util.*

    class SampleGroovyEventResolver {
        def String run(final Object[] args) {
            def service = args[0]
            def registeredService = args[1]
            def authentication = args[2]
            def httpRequest = args[3]
            def logger = args[4]

            def service_id = service.id
            logger.info("MFA: service id {}", service_id)

            if (service_id.startsWith("https://demo1.mydomain.com/sso")) {
                logger.info("MFA: demo1")
                return "mfa-gauth"
            }

            if (service_id.startsWith("https://demo2.mydomain.com")) {
                logger.info("MFA: demo2")
                def clientIP = httpRequest.getRemoteAddr()
                logger.info("MFA: clientIP is: {}", clientIP)
                if (clientIP == "192.168.100.108") {
                    logger.info("MFA: {} needs 2FA", clientIP)
                    return "mfa-gauth"
                }
            }

            logger.info("MFA: Default, No 2FA! ")
            return null
        }
    }

b. No special configuration is needed at the service level; delete multifactorPolicy from the service configuration.

Notes: we need to disable the other configuration items:

    #cas.authn.mfa.global-provider-id=mfa-gauth
    #cas.authn.mfa.gauth.bypass.http-request-remote-address=192.168.1.3

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/adcb7a2c-ff0c-4025-84e9-ceac8949bbc4n%40apereo.org.
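An added example (not from the post above or from the CAS project) extending the scenario 4 trigger script: it keeps the same class and run(Object[]) shape the post uses, but derives the client address from X-Forwarded-For only when the direct peer is a trusted proxy, because behind a reverse proxy httpRequest.getRemoteAddr() returns the proxy and a header taken at face value can be set by the client. The proxy addresses, service prefixes and networks are assumed values, and the policy is a service-to-network table instead of one hard-coded IP.

```groovy
class SampleGroovyEventResolver {
    // Reverse proxies in front of CAS; only these may supply X-Forwarded-For (assumed values).
    static final Set<String> TRUSTED_PROXIES = ["10.0.0.5", "10.0.0.6"] as Set
    // Service prefix -> client networks that require mfa-gauth; empty list = always (assumed values).
    static final Map<String, List<String>> POLICY = [
        "https://demo1.mydomain.com/sso": [],
        "https://demo2.mydomain.com"    : ["192.168.100.0/24"]
    ]
    def String run(final Object[] args) {
        def service = args[0]
        def httpRequest = args[3]
        def logger = args[4]
        def serviceId = service.id
        def clientIp = resolveClientIp(httpRequest)
        logger.info("MFA: service {} client {}", serviceId, clientIp)
        def entry = POLICY.find { prefix, nets -> serviceId.startsWith(prefix) }
        if (entry == null) {
            logger.info("MFA: no policy for {}, no 2FA", serviceId)
            return null
        }
        if (entry.value.isEmpty() || entry.value.any { inSubnet(clientIp, it) }) {
            logger.info("MFA: {} from {} needs 2FA", serviceId, clientIp)
            return "mfa-gauth"
        }
        return null
    }
    // Honour X-Forwarded-For only when the direct peer is a trusted proxy; otherwise
    // the header is client-controlled and the peer address is the real client.
    static String resolveClientIp(httpRequest) {
        def peer = httpRequest.getRemoteAddr()
        def xff = httpRequest.getHeader("X-Forwarded-For")
        if (TRUSTED_PROXIES.contains(peer) && xff) {
            return xff.split(",")[0].trim()   // leftmost entry is the originating client
        }
        return peer
    }
    // IPv4 CIDR membership without extra libraries; non-IPv4 addresses never match.
    static boolean inSubnet(String ip, String cidr) {
        if (ip == null || !ip.contains(".")) return false
        def parts = cidr.split("/")
        int bits = parts[1] as int
        long mask = bits == 0 ? 0L : (0xFFFFFFFFL << (32 - bits)) & 0xFFFFFFFFL
        return (toLong(ip) & mask) == (toLong(parts[0]) & mask)
    }
    static long toLong(String ip) {
        ip.split("\\.").inject(0L) { acc, octet -> (acc << 8) | (octet as long) }
    }
}
```

With this in place the scenario 3 property and the global provider id stay commented out, as in the post, so the script is the only trigger.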