That’s an excellent find. I suspect bypass rules don’t account for 
non-interactive AuthN somehow. If you can change your config to bypass MFA 
based on the Ldap handler, that pretty much confirms my theory.



File an issue either way please. (And since you’re on SNAPSHOT, let’s move 
this to dev)



--Misagh



From: 'Philippe MARASSE' via CAS Community [mailto:[email protected]]
Sent: Friday, November 18, 2016 4:25 AM
To: CAS Community <[email protected]>
Subject: [cas-user] CAS-5.1.0-SNAP MFA Bypass configuration property is 
confusing



Hello,

As issues #2126 & #2127 are solved, this morning another issue arises: 
Yubikey MFA is bypassed when I use LdapAuthenticationHandler (via login 
form), but not when I use Spnego?? The relevant cas.properties line is:

cas.authn.mfa.yubikey.bypass.authenticationHandlerName=JcifsSpnegoAuthenticationHandler

As far as I understand it should bypass MFA-Yubikey when the first auth is 
done via SPNEGO, and enforce MFA with another type of auth. That's what I 
need.

But on my test page, with login form I get this attribute : 
successfulAuthenticationHandlers: LdapAuthenticationHandler

with SPNEGO : successfulAuthenticationHandlers: 
JcifsSpnegoAuthenticationHandler, YubiKeyAuthenticationHandler

Then I modified the property to :

cas.authn.mfa.yubikey.bypass.authenticationHandlerName=LdapAuthenticationHandler

Now I have successfulAuthenticationHandlers: YubiKeyAuthenticationHandler, 
LdapAuthenticationHandler when I use login form, fine.
and successfulAuthenticationHandlers: JcifsSpnegoAuthenticationHandler with 
SPNEGO, perfect :-).

but IMHO, bypass configuration option behavior is inverted.

Regards.



-- 
Philippe MARASSE

Infrastructure Division Manager - DSIO
Centre Hospitalier Henri Laborit
CS 10587 - 370 avenue Jacques Cœur
86021 Poitiers Cedex
Tel : 05.49.44.57.19
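
A check for the behaviour reported above, as an added example that is not part of the original message or of CAS itself: it compares each observed successfulAuthenticationHandlers value against the bypass property. It assumes the poster's reading of the property (MFA is skipped only when the named handler did the primary authentication); the function names and result labels are hypothetical.

```python
MFA_HANDLER = "YubiKeyAuthenticationHandler"
BYPASS_KEY = "cas.authn.mfa.yubikey.bypass.authenticationHandlerName"

def bypass_handler(properties_text):
    """Return the handler name configured for MFA bypass, or None."""
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == BYPASS_KEY:
            return value.strip() or None
    return None

def parse_handlers(attribute_line):
    """Split a 'successfulAuthenticationHandlers: A, B' line into a set."""
    _, _, value = attribute_line.partition(":")
    return {h.strip() for h in value.split(",") if h.strip()}

def check(properties_text, attribute_line):
    """Compare one observed login against the expected bypass semantics.

    Assumed semantics (the poster's reading): MFA is skipped only when the
    configured handler performed the primary authentication.
    """
    handlers = parse_handlers(attribute_line)
    primary = handlers - {MFA_HANDLER}
    expect_mfa = bypass_handler(properties_text) not in primary
    got_mfa = MFA_HANDLER in handlers
    if expect_mfa == got_mfa:
        return "ok"
    # "mfa-missing" is the security-relevant case: a login that skipped MFA.
    return "mfa-missing" if expect_mfa else "mfa-unexpected"

# Sample input constructed from the values quoted in the message above.
CONFIG = BYPASS_KEY + "=JcifsSpnegoAuthenticationHandler\n"
OBSERVED = [
    "successfulAuthenticationHandlers: LdapAuthenticationHandler",
    "successfulAuthenticationHandlers: JcifsSpnegoAuthenticationHandler, "
    "YubiKeyAuthenticationHandler",
]

if __name__ == "__main__":
    for line in OBSERVED:
        print(check(CONFIG, line), "<-", line)
```
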

-- 
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: 
https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
--- 
You received this message because you are subscribed to the Google Groups 
"CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an 
email to [email protected] 
<mailto:[email protected]> .
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/48552979-800b-f552-1189-db88268723d2%40ch-poitiers.fr
