I have been working on getting MFA-Duo to trigger only when a user is a 
member of a specific group. I have been able to use the "
principalAttributeNameTrigger" and the "principalAttributeValueToMatch" to 
match single value attributes. Is it possible to filter the mfa-duo based 
on a multi-value attribute like this? The following is the service 
definition I have been trying to get working and and example of the 
memberOf attribute output.

Example service:


 "@class" : "org.apereo.cas.services.RegexRegisteredService",

  "serviceId" : "^(http|https)://.*",

  "name" : "HTTP and HTTPS",

  "id" : 100,

  "attributeReleasePolicy" : {

    "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"


  "multifactorPolicy" : {

    "@class" : 

    "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ 
"mfa-duo" ] ],

    "principalAttributeNameTrigger" : "memberOf",

    "principalAttributeValueToMatch" : "CN=Duo 



Example output of memberOf attribute:

DEBUG [LdapAuthenticationHandler] - <Found principal attribute: [memberOf[CN
=Users,OU=groups,DC=example,DC=com, CN=Duo Authentication,OU=groups,DC=
example,DC=com, CN=Employee,OU=groups,DC=example,DC=com]


You received this message because you are subscribed to the Google Groups "CAS 
Developer" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-dev+unsubscr...@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-dev/.

Reply via email to