Here is my understanding of using MFA:

scenario 1: Disable MFA globally, and enable it at the service level
a. Configure in cas.properties
Nothing.

b. Enable 2FA at the service level
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://demo1.mydomain.(com|com/.*)$",
  "name" : "demo1",
  "id" : 20001107,
  "description" : "2FA demo site",
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
  },
  "multifactorPolicy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
    "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-gauth" ] ]
  },
  "evaluationOrder" : 1107
}

scenario 2: Enable MFA globally, and disable it for a few services
a. Enable MFA globally
cas.authn.mfa.global-provider-id=mfa-gauth

b. Disable 2FA at the service level
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://demo1.mydomain.(com|com/.*)$",
  "name" : "demo1",
  "id" : 20001107,
  "description" : "2FA demo site",
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
  },
  "multifactorPolicy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
    "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-gauth" ] ],
    "bypassEnabled" : "true"
  },
  "evaluationOrder" : 1107
}
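Both service definitions above select the service by the regular expression in "serviceId". The following is an added example, not part of the original post or of the CAS project: a small Python checker that loads a copy of the posted definition, reads the provider list out of the CAS collection wrapper, and exercises the serviceId pattern against constructed URLs. The pattern is anchored with ^ and $, so Python's re.search gives the same verdict as Java's find() here. The unescaped dots in the posted pattern match any character, which the checker makes visible; the HARDENED_PATTERN constant is my own suggested replacement, not something from the post.

```python
"""Added example: check a CAS RegexRegisteredService serviceId pattern.

Not from the original post or from CAS itself. The JSON below is a copy of
the posted service definition, trimmed to the fields this check needs.
"""
import json
import re

# Constructed copy of the posted service definition (scenario 1).
SERVICE_JSON = r'''
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://demo1.mydomain.(com|com/.*)$",
  "name" : "demo1",
  "id" : 20001107,
  "multifactorPolicy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
    "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-gauth" ] ]
  }
}
'''

# Assumed hardened pattern: dots escaped, optional path, nothing else.
HARDENED_PATTERN = r"^https://demo1\.mydomain\.com(/.*)?$"


def load_service(text):
    """Parse a service definition; CAS uses plain JSON with an @class field."""
    return json.loads(text)


def mfa_providers(service):
    """Return the provider ids configured in multifactorPolicy.

    CAS serialises Java collections as ["java.util.LinkedHashSet", [ ... ]],
    so the real list is the second element of the wrapper.
    """
    policy = service.get("multifactorPolicy", {})
    providers = policy.get("multifactorAuthenticationProviders", [])
    if len(providers) == 2 and isinstance(providers[1], list):
        return list(providers[1])
    return list(providers)


def pattern_matches(pattern, url):
    """Same verdict as Java's Matcher.find() for an anchored pattern."""
    return re.search(pattern, url) is not None


def check_pattern(pattern, intended, unintended):
    """Report whether every intended URL matches and which unintended ones leak."""
    return {
        "intended_ok": all(pattern_matches(pattern, u) for u in intended),
        "leaks": [u for u in unintended if pattern_matches(pattern, u)],
    }


# Constructed sample URLs: what the operator means, and look-alikes.
INTENDED = [
    "https://demo1.mydomain.com",
    "https://demo1.mydomain.com/",
    "https://demo1.mydomain.com/sso/login",
]
UNINTENDED = [
    "https://demo1xmydomain.com/",           # '.' matches 'x'
    "https://demo1.mydomainXcom",            # '.' matches 'X'
    "https://demo1.mydomain.com.evil.example/",
]


def report(pattern=None):
    """Run the check on the posted pattern (default) or another pattern."""
    service = load_service(SERVICE_JSON)
    pattern = pattern or service["serviceId"]
    result = check_pattern(pattern, INTENDED, UNINTENDED)
    result["providers"] = mfa_providers(service)
    return result


if __name__ == "__main__":
    print("posted  :", report())
    print("hardened:", report(HARDENED_PATTERN))
```

Run it as a script to see both reports side by side; the same check can be pointed at any service JSON file in the registry by swapping SERVICE_JSON for the file contents.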

scenario 3: Bypass MFA by client IP
Configure in cas.properties
cas.authn.mfa.gauth.bypass.http-request-remote-address=192.168.1.3
Notes: This is a configuration item of gauth; it takes effect only when mfa-gauth
is selected.


scenario 4: Complex situation
For some complex usage, we can only use a Groovy script to achieve our goal.
a. Configure in cas.properties
cas.authn.mfa.groovyScript=file:/opt/castest/mfaGroovyTrigger.groovy

cat /opt/castest/mfaGroovyTrigger.groovy
import java.util.*

class SampleGroovyEventResolver {
    def String run(final Object[] args) {
        // Arguments handed in by CAS, in this order
        def service = args[0]
        def registeredService = args[1]
        def authentication = args[2]
        def httpRequest = args[3]
        def logger = args[4]

        def service_id = service.id
        logger.info("MFA: service id {}", service_id)

        // demo1: SSO path always requires 2FA
        if (service_id.startsWith("https://demo1.mydomain.com/sso")) {
            logger.info("MFA: demo1")
            return "mfa-gauth"
        }

        // demo2: 2FA only for one client address
        if (service_id.startsWith("https://demo2.mydomain.com")) {
            logger.info("MFA: demo2")
            def clientIP = httpRequest.getRemoteAddr()
            logger.info("MFA: clientIP is: {}", clientIP)
            if (clientIP == "192.168.100.108") {
                logger.info("MFA: {} needs 2FA", clientIP)
                return "mfa-gauth"
            }
        }

        // Returning null means no MFA provider is triggered
        logger.info("MFA: Default, No 2FA! ")
        return null
    }
}

b. No special configuration is needed at the service level
Delete multifactorPolicy from the service configuration



Notes: we need to disable the other configuration
#cas.authn.mfa.global-provider-id=mfa-gauth
#cas.authn.mfa.gauth.bypass.http-request-remote-address=192.168.1.3
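The Groovy trigger above decides on httpRequest.getRemoteAddr(), which is the TCP peer address. Behind a reverse proxy or load balancer that peer is the proxy, not the browser, so an address-based rule like the demo2 branch would see the proxy's address for every login. The following is an added example, not part of the original post or of CAS: a Python model of the same decision logic, extended with an assumed trusted-proxy list and X-Forwarded-For handling so that the client address used for the rule is the one the proxy saw. The trusted-proxy range, the client range and the fail-closed behaviour on an unparseable header are all my assumptions for this example.

```python
"""Added example: model of the Groovy MFA trigger with proxy-aware client IP.

Not from the original post or from CAS. Mirrors the posted decision rules
(demo1 SSO path always, demo2 only for one client address) and adds the
client-address handling that getRemoteAddr() alone does not provide.
"""
import ipaddress

MFA_PROVIDER = "mfa-gauth"

# Assumed values for this example, not CAS configuration.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
MFA_REQUIRED_CLIENTS = [ipaddress.ip_network("192.168.100.108/32")]


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def effective_client_ip(remote_addr, x_forwarded_for=None):
    """Return the client address the rule should use, or None if unknown.

    remote_addr is the TCP peer (what httpRequest.getRemoteAddr() returns).
    X-Forwarded-For is only believed when that peer is a trusted proxy, and
    then the right-most hop that is not itself a trusted proxy is taken, so a
    client cannot choose its own address by sending the header directly.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not _in_any(peer, TRUSTED_PROXIES) or not x_forwarded_for:
        return peer
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed header from a proxy: treat as unknown
        if not _in_any(addr, TRUSTED_PROXIES):
            return addr
    return peer  # every hop was a proxy; nothing better than the peer


def resolve_mfa_provider(service_id, remote_addr, x_forwarded_for=None):
    """Return the provider id to trigger, or None for no MFA (as in the script)."""
    if service_id.startswith("https://demo1.mydomain.com/sso"):
        return MFA_PROVIDER
    if service_id.startswith("https://demo2.mydomain.com"):
        client = effective_client_ip(remote_addr, x_forwarded_for)
        if client is None:
            return MFA_PROVIDER  # assumption: fail closed when the address is unknown
        if _in_any(client, MFA_REQUIRED_CLIENTS):
            return MFA_PROVIDER
    return None


if __name__ == "__main__":
    # Constructed requests: direct client, client behind the proxy, spoof attempt.
    for args in [
        ("https://demo2.mydomain.com/app", "192.168.100.108", None),
        ("https://demo2.mydomain.com/app", "10.0.0.5", "192.168.100.108"),
        ("https://demo2.mydomain.com/app", "192.168.100.109", "192.168.100.108"),
    ]:
        print(args, "->", resolve_mfa_provider(*args))
```

The third constructed request shows the point of the trusted-proxy check: a client that is not a proxy sends X-Forwarded-For itself, and the header is ignored, so the rule still sees 192.168.100.109. The same logic can be written in the Groovy script by reading httpRequest.getHeader("X-Forwarded-For") next to getRemoteAddr().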

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/adcb7a2c-ff0c-4025-84e9-ceac8949bbc4n%40apereo.org.