I have added the "Principal Attribute Per Application" MFA setting on CAS
6.4.6, and MFA never triggers. If I remove the
principalAttributeNameTrigger and principalAttributeValueToMatch, it works
just fine. I can see in the console and logs that the attribute values are
retrieved from LDAP, and it still doesn't trigger. See below: the attribute
eduPersonAffiliation=staff, but it doesn't trigger. Does anything else need
to be set to get it working?

console log:

multifactorPolicy=DefaultRegisteredServiceMultifactorPolicy(multifactorAuthenticationProviders=[mfa-gauth, mfa-webauthn], failureMode=UNDEFINED, principalAttributeNameTrigger=eduPersonAffiliation, principalAttributeValueToMatch=staff, bypassEnabled=false, forceExecution=true, bypassTrustedDeviceEnabled=false, bypassPrincipalAttributeName=null, bypassPrincipalAttributeValue=null, script=null)

audit log:

"attributes\":{\"cn\":[\"changed name\"],\"displayName\":[\"changed name\"],\"eduPersonAffiliation\":[\"staff\"],

service:

  "multifactorPolicy":
  {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
    "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-gauth", "mfa-webauthn" ] ],
    "principalAttributeNameTrigger" : "eduPersonAffiliation",
    "principalAttributeValueToMatch" : "staff",
  },
  
