I tried many different ways to get MFA triggers to work with CAS and let the
user decide which one to use. Scenarios I tested:

Triggers:
Groovy Per Application - only works for a single provider

Principal Attribute - used a multi-valued attribute in LDAP, set to mfa-gauth
and mfa-webathn, but CAS will pick one and not let the user decide

REST - only works if it returns a single provider

Principal Attribute Per Application - only works if it returns a single
provider

Since those triggers weren't letting the user decide the provider, I
decided to activate globally

cas.authn.mfa.triggers.global.global-provider-id=mfa-gauth,mfa-web-authn

and then used bypass rules such as Groovy for each provider using

cas.authn.mfa.gauth.bypass.groovy.location
cas.authn.mfa.web-authn.bypass.groovy.location

boolean run(final Object... args) {
    // Argument order handed to a CAS Groovy bypass script
    def authentication = args[0]
    def principal = args[1]
    def service = args[2]
    def provider = args[3]
    def logger = args[4]
    def httpRequest = args[5]

    if (service.name == "myservicename") {
        logger.info("Evaluating principal attributes ${principal.attributes}")

        // Principal attributes are multi-valued in CAS; guard against the
        // attribute being absent so the script does not throw on null
        def affiliations = principal.attributes['eduPersonAffiliation'] ?: []
        if (affiliations.contains("staff")) {
            // true = do not bypass, MFA with this provider applies
            logger.info("Bypass for principal ${principal.id} is not allowed")
            return true
        }
    }
    // false = bypass this provider for this principal and service
    return false
}

This works to allow selection if the script returns true, but if it returns
false CAS just sits at the MFA selection screen blank because no providers
should be used. I would assume this is a bug or misconfiguration, because if no
providers are found it should continue to log in to the application.

I don't really know what else to try or how to get multiple MFA providers
to work based on an attribute and its value.

Any help with this would be appreciated.
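One way to drive the per-provider bypass scripts from the multi-valued attribute described above, as an added example rather than code from the original post or from the CAS project: a single script is pointed to by both cas.authn.mfa.gauth.bypass.groovy.location and cas.authn.mfa.web-authn.bypass.groovy.location. CAS evaluates it once per provider, so each provider is kept only when its id appears in the principal's attribute and bypassed otherwise, which is what lets the selection screen show exactly the providers the directory grants. The attribute name mfaProviders and the service name myservicename are assumptions; the script relies on the same six arguments the post's own script receives.

```groovy
// Added example, not from the original post. Shared CAS bypass script for
// every MFA provider: keep the provider whose id is listed in the principal's
// multi-valued attribute, bypass the rest. The attribute name "mfaProviders"
// and the service name "myservicename" are assumptions.
boolean run(final Object... args) {
    def authentication = args[0]
    def principal = args[1]
    def service = args[2]
    def provider = args[3]
    def logger = args[4]
    def httpRequest = args[5]

    // Only gate the one application; every other service bypasses MFA (false).
    if (service.name != "myservicename") {
        return false
    }

    // Attribute values arrive as a List in CAS, but tolerate a bare String or
    // a missing attribute so the script never throws during authentication.
    def raw = principal.attributes['mfaProviders']
    def values = raw instanceof Collection ? raw : (raw == null ? [] : [raw])
    def allowed = values.collect { it.toString().toLowerCase() } as Set

    // provider.id is the configured provider id, e.g. mfa-gauth
    def keep = allowed.contains(provider.id.toLowerCase())
    logger.info("Principal ${principal.id}: provider ${provider.id} ${keep ? 'kept' : 'bypassed'} (allowed=${allowed})")

    // true = MFA with this provider applies; false = bypass this provider.
    return keep
}
```

If the attribute grants several providers, each of their scripts returns true and CAS offers the selection between them; if it grants none, every provider is bypassed, which is the case where the post reports a blank selection screen, so a deployment relying on this pattern should verify that behaviour on its own CAS version before rolling it out.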

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/0749e4ee-8a91-4082-9b04-fc14c48d7f33n%40apereo.org.
