We are using simple MFA, but as far as the expiration (need to re-MFA) goes 
the following may help.

Researched every possible expiration property and found they were ignored.

If you take a close look at the "expirationDate": 
"2123-11-03T09:23:27.000+00:00" from your note, this is set to expire 100 
years in the future.  No matter what we configured it always set the 
expiration to 100 years in the future.

Due to this and other issues with caching with JDBC, we settled on caching 
(including MFA) to CouchDB.  Had never used CouchDB before, but it 
literally took 10-15 minutes to install and config.

If you search for "MFA expiration with couchDb" in this list it explains 
the solution we ended up using to be able to expire MFA.  Not perfect, but 
very workable.

On Friday, November 3, 2023 at 5:16:18 AM UTC-5 Chris SC wrote:

> Hello, 
> [version 6.6.13]
> I'm working on the implementation of the MFA with the Google Auth. 
> provider and Trusted Devices.
> I have a question concerning the configuration of Trusted Devices.
>
> First time the user comes to a 'Register Device' screen (after MFA Google 
> Auth screen), with 2 fields: 
> 1/ Name of the current device 
> ----> I want to hide this one on the template. What is the template name, 
> please?
>
> 2/ Duration for registered device
> ----> I want to hide this one too, by forcing an expiry time for everyone 
> (30 days)
>
> I've seen some previous 6.6 configurations using: 
> cas.authn.mfa.trusted.expiration=30
> cas.authn.mfa.trusted.timeUnit=DAY
>
> But these 2 parameters are no longer available in 6.6.13.
> I thought that this part was now delegated on the provider side, but I 
> can't find anything on the Google Auth configuration.
>
> For now, if I take a look at storage, default expiration is 1 year.
> So how to set this parameter for now?
>
> [
> {
> "id": 1699003407119,
> "principal": "testuser",
> "deviceFingerprint": "OO5ovcvIZWMPRebiQZGGp6nK2lT1GzElrgtUN87acB8ADGOy",
> "recordDate": "2023-11-03T10:23:27+01:00",
> "recordKey": 
> "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCIsImtpZCI6IjBjNjQyMzg3LTM3M2EtNDZkZi1iOGM3LTEyNGNlZmJiMDhlNyJ9.ZXlKNmFYQWlPaUpFUlVZaUxDSmhiR2NpT2lKa2FYSWlMQ0psYm1NaU9pSkJNVEk0UTBKRExVaFRNalUySWl3aVkzUjVJam9pU2xkVUlpd2lkSGx3SWpvaVNsZFVJdIUWhmMmt1dWFlQTQ0TFNjTmhnRDFHb1ZSVW5WejVwSWt0QWsuN3JkWkswX0lTcENaMVQ3a1BFOF9LQQ.hW-Q2nsqjhr0Dnx3LIBJilZgBRoyPAKA8RLN5x2Vtzl44lmizs4-EV-ftwU8jIx7Z7whpTgp6DASz49pc6NO8g",
> "name": "charming_wilson",
> "expirationDate": "2123-11-03T09:23:27.000+00:00"
> }
> ]
>
>
> Thanks for your help! 
> Christophe.
>
>
> Current MFA trusted devices configuration: 
> ##========================================
> ## MFA / Trusted Devices :
> ##========================================
>
> cas.authn.mfa.trusted.mongo.clientUri=mongodb://user:x@localhost:27017/cas-mongo-database
> cas.authn.mfa.trusted.mongo.collection=TrustedRepository
> cas.authn.mfa.trusted.mongo.drop-collection=false
>
> cas.authn.mfa.trusted.core.authentication-context-attribute=isFromTrustedMultifactorAuthentication
> cas.authn.mfa.trusted.core.device-registration-enabled=true
> cas.authn.mfa.trusted.core.auto-assign-device-name=true
>
> cas.authn.mfa.trusted.crypto.enabled=true
> cas.authn.mfa.trusted.crypto.encryption.key=xxxxxxxxxxxxxxxxxxx
> cas.authn.mfa.trusted.crypto.signing.key=xxxxxxxxxxxxxxxxxxx
>
> cas.authn.mfa.trusted.deviceFingerprint.cookie.crypto.encryption.key=xxxxxxxxxxxxxxxxxxx
>
> cas.authn.mfa.trusted.deviceFingerprint.cookie.crypto.signing.key=xxxxxxxxxxxxxxxxxxx
>
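
A way to check stored trusted-device records for the 100-year expiration discussed in this thread, as an added example that is not part of either message and is not CAS code. It assumes the records have been exported as JSON with the field names shown in the quoted record; the 30-day limit is the value asked for in the question, and the second and third sample records are constructed.

```python
import json
from datetime import datetime, timedelta

MAX_TRUST = timedelta(days=30)  # assumed policy: the 30 days asked for in the thread

# Sample export (constructed); the first record reuses the dates from the post.
SAMPLE = """[
 {"principal": "testuser", "name": "charming_wilson",
  "recordDate": "2023-11-03T10:23:27+01:00",
  "expirationDate": "2123-11-03T09:23:27.000+00:00"},
 {"principal": "alice", "name": "laptop",
  "recordDate": "2023-11-03T09:00:00+00:00",
  "expirationDate": "2023-12-03T09:00:00Z"},
 {"principal": "bob", "name": "phone",
  "recordDate": "2023-11-03T09:00:00+00:00"}
]"""


def parse_ts(value):
    """Parse an ISO-8601 timestamp with offset; accept a trailing 'Z' as UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit(records, max_trust=MAX_TRUST):
    """Return (principal, device name, reason) for each record outside policy."""
    findings = []
    for rec in records:
        who, dev = rec.get("principal"), rec.get("name")
        try:
            # Both timestamps carry offsets, so the subtraction is timezone-safe.
            lifetime = parse_ts(rec["expirationDate"]) - parse_ts(rec["recordDate"])
        except (KeyError, TypeError, ValueError, AttributeError):
            # A record without a usable expiration never ages out: report it.
            findings.append((who, dev, "missing or unparseable dates"))
            continue
        if lifetime > max_trust:
            findings.append((who, dev, f"trusted for {lifetime.days} days"))
    return findings


if __name__ == "__main__":
    for finding in audit(json.loads(SAMPLE)):
        print(*finding, sep=" | ")
```

Records flagged this way let the device skip MFA until they are deleted from the store, whatever duration was configured.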
