I'm trying to enable MFA-Duo using according to the docs at
<https://apereo.github.io/cas/development/installation/DuoSecurity-Authentication.html>
<https://apereo.github.io/cas/development/installation/Configuration-Properties.html#duosecurity>
I've had partial success with an application trigger using a service
definition that includes
"multifactorPolicy" : {
"@class" :
"org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
"multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [
"mfa-duo" ] ],
"failureMode" : "OPEN"
}
After providing my username and password to the app that uses the Java
CAS client (v3.4.2), Duo is invoked. However, after providing the Duo factor
it successfully validates the ticket but throws an exception generating the SAML
response:
DEBUG [org.apereo.cas.support.saml.web.SamlValidateController] - <Successfully
validated service ticket AAE***Cq2 for service [https://example.edu/app]>
ERROR [org.apereo.cas.support.saml.web.view.Saml10SuccessResponseView] - <Error
generating SAML response for service example.edu.>
java.lang.ClassCastException: java.util.HashSet cannot be cast to
java.lang.String
at
org.apereo.cas.support.saml.web.view.Saml10SuccessResponseView.prepareResponse(Saml10SuccessResponseView.java:60)
~[cas-server-support-saml-5.0.0.RC4-SNAPSHOT.jar:5.0.0.RC4-SNAPSHOT]
at
org.apereo.cas.support.saml.web.view.AbstractSaml10ResponseView.renderMergedOutputModel(AbstractSaml10ResponseView.java:104)
~[cas-server-support-saml-5.0.0.RC4-SNAPSHOT.jar:5.0.0.RC4-SNAPSHOT]
...
Ultimately what we'd like to do though is invoke MFA-Duo globally, and
not via an application triggered policy. It looks like the CAS properties
listed here may be relevant, but it's not clear to me how they should
be used.
<https://apereo.github.io/cas/development/installation/Configuration-Properties.html#multifactor-authentication>
For example, there is a cas.authn.mfa.globalPrincipalAttributeNameTriggers
property, that seems to correspond to principalAttributeNameTrigger in the
"Principal Attribute Per Application" example, but no corresponding
principalAttributeValueToMatch documented. Merely specifying something
an attribute for .globalPrincipalAttributeNameTriggers (e.g.
cas.authn.mfa..globalPrincipalAttributeNameTriggers=uid) doesn't appear
to be sufficent to invoke MFA-Duo.
I'm not sure what the following parameters are for:
cas.authn.mfa.requestParameter
- related to the "Opt-In Request Parameter"?
cas.authn.mfa.authenticationContextAttribute=authnContextClass
cas.authn.mfa.contentType=application/cas
- are any of these related to or able to use the Authentication
attributes that are returned? (successfulAuthenticationHandlers,
authenticationMethod, samlAuthenticationStatementAuthMethod)
Aloha,
-baron
--
Baron Fujimoto <ba...@hawaii.edu> :: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
--
CAS gitter chatroom: https://gitter.im/apereo/cas
CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
CAS documentation website: https://apereo.github.io/cas
CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to cas-user+unsubscr...@apereo.org.
To post to this group, send email to cas-user@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/20161012025817.GV23083%40praenomen.mgt.hawaii.edu.
For more options, visit https://groups.google.com/a/apereo.org/d/optout.
