With debug on I can see it being skipped?? Of course I have attributes 
defined and WANT it to trigger, and the attributes/values match and it still 
says it's skipping

DEBUG [org.apereo.cas.authentication.DefaultMultifactorAuthenticationProviderResolver] - <Locating attribute value for attribute(s): [[eduPersonAffiliation]].>
DEBUG [org.apereo.cas.authentication.DefaultMultifactorAuthenticationProviderResolver] - <Located attribute value [[staff]] for [[eduPersonAffiliation]]>
DEBUG [org.apereo.cas.authentication.MultifactorAuthenticationUtils] - <Attribute value [staff] is a single-valued attribute>
....
....
DEBUG [org.apereo.cas.authentication.mfa.trigger.RegisteredServiceMultifactorAuthenticationTrigger] - <Authentication policy for [^(http|https)://changed.name.com.*] has defined principal attribute triggers. Skipping...>

On Wednesday, March 2, 2022 at 9:19:51 AM UTC-6 John wrote:

> I have added the "Principal Attribute Per Application" MFA setting, CAS 
> 6.4.6, and MFA never triggers. If I remove the 
> principalAttributeNameTrigger and principalAttributeValueToMatch it works 
> just fine. I can see in the console and logs, the attribute values are 
> retrieved from LDAP and it still doesn't trigger. See below, the attribute 
> eduPersonAffiliation=staff but doesn't trigger. Anything else need to be set 
> to get it working?
>
> console log:
>
> multifactorPolicy=DefaultRegisteredServiceMultifactorPolicy(multifactorAuthenticationProviders=[mfa-gauth, mfa-webauthn], failureMode=UNDEFINED, 
> principalAttributeNameTrigger=eduPersonAffiliation, 
> principalAttributeValueToMatch=staff, bypassEnabled=false, 
> forceExecution=true, bypassTrustedDeviceEnabled=false, 
> bypassPrincipalAttributeName=null, bypassPrincipalAttributeValue=null, 
> script=null)
>
> audit log:
>
> "attributes\":{\"cn\":[\"changed name\"],\"displayName\":[\"changed name\"],\"eduPersonAffiliation\":[\"staff\"],
>
> service:
>
>   "multifactorPolicy":
>   {
>     "@class": "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
>     "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-gauth", "mfa-webauthn"] ],
>     "principalAttributeNameTrigger" : "eduPersonAffiliation",
>     "principalAttributeValueToMatch" : "staff",
>   },
