Some more information on the issue: In the logs it shows what looks like a successful login, but the user is not prompted for MFA-Duo when they are a member of the group, and on the client I get the following error response from the CAS server.
INVALID_AUTHENTICATION_CONTEXT The validation request for ST-*************** cannot be satisfied. The request is either unrecognized or unfulfilled.

Logs:

=============================================================
WHO: klintholmes
WHAT: Supplied credentials: [klintholmes]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Tue Sep 20 17:50:24 2016
CLIENT IP ADDRESS: 0.0.0.0
SERVER IP ADDRESS: 0.0.0.0
=============================================================
>
2016-09-20 17:50:24,206 INFO [Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: klintholmes
WHAT: TGT-**********************************************vunDf0ZKib-137
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Tue Sep 20 17:50:24 2016
CLIENT IP ADDRESS: 0.0.0.0
SERVER IP ADDRESS: 0.0.0.0
=============================================================
>
2016-09-20 17:50:24,239 INFO [CentralAuthenticationServiceImpl] - <Granted ticket [ST-***************] for service [https://service] and principal [klintholmes]>
2016-09-20 17:50:24,241 INFO [Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: klintholmes
WHAT: ST-****************** for https://service.
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Tue Sep 20 17:50:24 2016
CLIENT IP ADDRESS: 0.0.0.0
SERVER IP ADDRESS: 0.0.0.0
=============================================================
>
2016-09-20 17:50:24,401 INFO [Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: klintholmes
WHAT: ST-**************
ACTION: SERVICE_TICKET_VALIDATED
APPLICATION: CAS
WHEN: Tue Sep 20 17:50:24 2016
CLIENT IP ADDRESS: 0.0.0.0
SERVER IP ADDRESS: 0.0.0.0
=============================================================

On Tuesday, September 20, 2016 at 4:24:47 PM UTC-6, Klint wrote:
>
> I have been working on getting MFA-Duo to trigger only when a user is a
> member of a specific group. I have been able to use the
> "principalAttributeNameTrigger" and the "principalAttributeValueToMatch"
> to match single value attributes. Is it possible to filter the mfa-duo
> based on a multi-value attribute like this? The following is the service
> definition I have been trying to get working and an example of the
> memberOf attribute output.
>
> Example service:
>
> {
>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>   "serviceId" : "^(http|https)://.*",
>   "name" : "HTTP and HTTPS",
>   "id" : 100,
>   "attributeReleasePolicy" : {
>     "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
>   },
>   "multifactorPolicy" : {
>     "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
>     "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-duo" ] ],
>     "principalAttributeNameTrigger" : "memberOf",
>     "principalAttributeValueToMatch" : "CN=Duo Authentication,OU=groups,DC=example,DC=com"
>   }
> }
>
> Example output of memberOf attribute:
>
> DEBUG [LdapAuthenticationHandler] - <Found principal attribute: [memberOf[CN=Users,OU=groups,DC=example,DC=com, CN=Duo Authentication,OU=groups,DC=example,DC=com, CN=Employee,OU=groups,DC=example,DC=com]
>
> Thanks
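As an added illustration (not code from this thread or from CAS itself), the following Python models the two ways a principal-attribute trigger can treat a multi-valued attribute: comparing the whole attribute once, versus testing every value. The sample data is the memberOf output and trigger value from the post; the anchored-regex matching and the two evaluation models are assumptions made for illustration, not a statement of how the poster's CAS build evaluates principalAttributeValueToMatch.

```python
import re

# Constructed sample data mirroring the thread: the trigger value from the
# service definition and the three-valued memberOf attribute from the debug log.
VALUE_TO_MATCH = r"CN=Duo Authentication,OU=groups,DC=example,DC=com"
MULTI_VALUED = {
    "memberOf": [
        "CN=Users,OU=groups,DC=example,DC=com",
        "CN=Duo Authentication,OU=groups,DC=example,DC=com",
        "CN=Employee,OU=groups,DC=example,DC=com",
    ]
}
SINGLE_VALUED = {"memberOf": "CN=Duo Authentication,OU=groups,DC=example,DC=com"}


def _matches(pattern, value):
    # Anchored regex match (assumed semantics): a value that merely contains
    # the trigger text, such as a longer DN, is not treated as a match.
    return re.fullmatch(pattern, value) is not None


def mfa_required_single_value(attributes, name, pattern):
    """Model of a trigger that expects a single-valued attribute: the whole
    attribute is stringified and compared once. Fine for a plain string, but a
    list renders as "['CN=Users,...', ...]" and never matches, so MFA is
    silently skipped for every member of the group (the symptom in the thread:
    AUTHENTICATION_SUCCESS and a service ticket, but no Duo prompt)."""
    value = attributes.get(name)
    return value is not None and _matches(pattern, str(value))


def mfa_required_multi_value(attributes, name, pattern):
    """Model of a trigger that treats the attribute as a collection and tests
    each value; any matching value requires MFA. A missing attribute never
    triggers, so the attribute must actually be resolved for the principal."""
    value = attributes.get(name)
    if value is None:
        return False
    values = value if isinstance(value, (list, tuple, set)) else [value]
    return any(_matches(pattern, str(v)) for v in values)


if __name__ == "__main__":
    print(mfa_required_single_value(MULTI_VALUED, "memberOf", VALUE_TO_MATCH))  # False
    print(mfa_required_multi_value(MULTI_VALUED, "memberOf", VALUE_TO_MATCH))   # True
```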