Hi, Thanks for your answer. So far we don't rely on surrogates, just using a simple LDAP backend. But it's nice to know there are some constraints and bypasses. Yes, injecting some parameters to make service names more dynamic is a good idea. Regards
On 22-Jul-2023 06:34:41 +0200, tosl...@smythco.com wrote:

Recently deployed a solution that segregates traffic originating externally versus internally. The deployment is also using MFA, in this case authenticating name/pass against a DBMS. External/internal are each handled by their own service with a different pool of users allowed to authenticate for each service. Each pool has an extra property that denotes "internal" vs "external". It is possible to examine this internal vs external property within the groovy script to trigger use of different MFA providers, or in our case to only trigger it for external.

Found 2 workable solutions for segregating internal vs external traffic in regards to services. Both make use of regex in relation to the service id. This is a relatively straightforward setup if using distinct domains for internal vs external traffic. It is also possible (but more difficult) with a single domain name, using proxy pre-detection of internal vs external traffic and embedding an extra parameter for external (public) traffic within the service parameter. In either case, the external vs internal service is selected based on the service id regex approach. Both are possible, but due to legacy requirements we used the second option. Definitely recommend the first option if that is a fit for your environment. Much more straightforward.

Note that if also planning on using the simple DBMS surrogate, it is not compatible with simple MFA. Activation of simple MFA through groovy will not chain to the surrogate process and will currently bypass the surrogate process. For our purposes we use MFA externally and only allow surrogates internally, so it was not an issue.

Went the route above for MFA, rather than detecting internal/external in the groovy MFA script, as we needed to apply the internal/external concept to areas other than just MFA.
TONY OSLUND

FROM: cas-user@apereo.org on behalf of John
DATE: Friday, July 21, 2023 at 1:34 PM
TO: CAS Community
CC: spfma...@e.mail.fr
SUBJECT: [cas-user] Re: [CAS 6.6.8] Custom MFA triggers

This is slimmed down using the groovy script trigger, cas.authn.mfa.groovy-script.location, from here: https://apereo.github.io/cas/6.6.x/mfa/Configuring-Multifactor-Authentication-Triggers-Groovy.html . I left in the bits pertaining basically to your case: it gets the client's IP address and compares it against a CIDR list using Spring's IpAddressMatcher function. There is a little more in it; we also modified the groovy trigger to accept an array, and not just mfa-composite. If you want to see the change, it's a single-file change, easy. Just need to get it better and submit a pull request.

On Friday, July 21, 2023 at 1:58:27 AM UTC-5 spfma...@e.mail.fr wrote:

Hi, I would like to implement some conditional MFA scenarios (using a different provider depending on the network is the first one), but reading https://apereo.github.io/cas/6.6.x/mfa/Configuring-Multifactor-Authentication-Triggers-Custom.html does not provide a lot of help. Is there some code snippet available somewhere I could use as an example? Regards

-------------------------------------------------------------------------------------------------
FreeMail powered by mail.fr
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/aefaeec6-6f7c-444f-9575-d22dd50f8121n%40apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/a2bf276a95e26d9598eb17bc0f3074ed3672c325%40mail.de.
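As an added illustration of the two approaches discussed in the thread (John's CIDR check with Spring's IpAddressMatcher, and Tony's per-pool "internal"/"external" property), here is a complete Groovy trigger script of the shape CAS 6.6 loads from cas.authn.mfa.groovy-script.location. This is example code written for this page, not the script John attached and not CAS project code. The CIDR ranges, the principal attribute name "userScope", the public-hostname regex and the provider id "mfa-duo" are assumptions for illustration; the run(...) argument order (service, registeredService, authentication, httpRequest, logger) and the "return provider id or null" contract follow the CAS 6.6 Groovy trigger documentation linked above.

```groovy
// Added example: CAS 6.6 Groovy MFA trigger script (not the thread's own code).
// Assumptions: internalRanges(), the "userScope" attribute, the public
// service-id regex and the "mfa-duo" provider id are illustrative only.
import org.springframework.security.web.util.matcher.IpAddressMatcher

// Assumed internal address space (RFC 1918 plus loopback); adjust to your network.
def internalRanges() {
    ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128"]
}

// Resolve the client address. getRemoteAddr() is the TCP peer, which behind a
// reverse proxy is the proxy itself. Only trust X-Forwarded-For if your proxy
// overwrites that header on every request; otherwise an external client can
// set it and claim to be on the internal network, skipping MFA.
def clientAddress(httpRequest, boolean trustForwardedFor) {
    def forwarded = httpRequest.getHeader("X-Forwarded-For")
    if (trustForwardedFor && forwarded) {
        // first entry is the original client when the proxy appends its own hop
        return forwarded.split(",")[0].trim()
    }
    return httpRequest.getRemoteAddr()
}

// IpAddressMatcher accepts IPv4 and IPv6 CIDR notation; a matcher of one
// address family returns false for an address of the other family.
def isInternalAddress(String address) {
    internalRanges().any { range -> new IpAddressMatcher(range).matches(address) }
}

// Tony's service-id regex idea: an assumed pattern for public-facing services.
def isPublicService(String serviceId) {
    serviceId ==~ /https:\/\/[^\/]*\.public\.example\.org(\/.*)?/
}

// CAS invokes run(...) with: service, registeredService, authentication,
// httpRequest, logger. Return the provider id to trigger, or null for no MFA.
def run(final Object... args) {
    def service = args[0]
    def registeredService = args[1]
    def authentication = args[2]
    def httpRequest = args[3]
    def logger = args[4]

    // Set the second argument to true only when CAS sits behind a trusted proxy.
    def address = clientAddress(httpRequest, false)
    def onInternalNetwork = isInternalAddress(address)

    // service may be null for some flows; avoid matching the string "null".
    def serviceId = service?.id ?: ""
    def publicService = isPublicService(serviceId)

    // Principal attributes are Map<String, List<Object>> in CAS 6.x. "userScope"
    // is an assumed attribute carrying "internal" or "external", standing in for
    // the per-pool property described in the thread.
    def scopes = authentication.principal.attributes.get("userScope") ?: []
    def externalUser = scopes.contains("external")

    // Any one external signal is enough to require MFA; the network check is
    // the only one an attacker cannot influence through the request itself
    // when X-Forwarded-For is not trusted.
    if (!onInternalNetwork || publicService || externalUser) {
        logger.debug("Client [{}] service [{}] scope {} -> requiring mfa-duo",
                     address, serviceId, scopes)
        return "mfa-duo"
    }
    logger.debug("Client [{}] service [{}] scope {} -> no MFA", address, serviceId, scopes)
    return null
}
```

Two things worth checking in a real deployment: confirm what getRemoteAddr() returns on your CAS nodes (if it is always the proxy address, every client will look internal or external depending on where the proxy lives), and keep in mind Tony's caveat that triggering simple MFA from this script does not chain into the surrogate flow.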