Hello Dimitri,

Can you please help me get gauth to work globally? Here are my settings in cas.properties, and I still don't see the page or option to enter the Google authentication code:
cas.server.name: https://drupalvm.dev:8443
cas.server.prefix: https://drupalvm.dev:8443/cas
cas.adminPagesSecurity.ip=127\.0\.0\.1
logging.config: file:/etc/cas/config/log4j2.xml

//GAUTH MFA
cas.authn.mfa.globalProviderId=mfa-gauth
cas.authn.mfa.gauth.windowSize=3
cas.authn.mfa.gauth.issuer=companyname
cas.authn.mfa.gauth.codeDigits=6
cas.authn.mfa.gauth.label=google authentication
cas.authn.mfa.gauth.timeStepSize=30
cas.authn.mfa.gauth.rank=0
cas.authn.mfa.gauth.trustedDeviceEnabled=true

//LDAP Authentication
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldap://1.2.3.4:389
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].baseDn=ou=HWPeople, dc=companyname, dc=com
cas.authn.ldap[0].userFilter=uid={user}
cas.authn.ldap[0].bindDn=cn=Manager,dc=companyname,dc=com
cas.authn.ldap[0].bindCredential=abcd

cas.authn.attributeRepository.ldap.ldapUrl=ldap://1.2.3.4:389
cas.authn.attributeRepository.ldap.useSsl=false
cas.authn.attributeRepository.ldap.useStartTls=false
cas.authn.attributeRepository.ldap.connectTimeout=5000
cas.authn.attributeRepository.ldap.baseDn=ou=HWPeople, dc=companyname, dc=com
cas.authn.attributeRepository.ldap.userFilter=uid={user}
cas.authn.attributeRepository.ldap.subtreeSearch=true
cas.authn.attributeRepository.ldap.bindDn=cn=Manager,dc=companyname,dc=com
cas.authn.attributeRepository.ldap.bindCredential=abcd

logging.level.org.apereo=DEBUG
logging.level.org.ldaptiv=DEBUG

#disable test user
cas.authn.accept.users=

Thanks,
Sai

On Thursday, April 6, 2017 at 5:05:27 AM UTC-4, Dmytro Havrylov wrote:
>
> Hello,
>
> I have trouble configuring the MFA trigger depending on a Global Principal Attribute. According to the documentation it should work like this:
>
> MFA can be triggered for all users/subjects carrying a specific attribute that matches one of the conditions below.
>
> * Trigger MFA based on a principal attribute(s) whose value(s) EXACTLY matches an MFA provider. This option is more relevant if you have more than one provider configured or if you have the flexibility of assigning provider ids to attributes as values.
>
> I have two MFA providers configured in the system: mfa-yubikey and mfa-gauth. Both of them are working as expected if used as cas.authn.mfa.globalProviderId (as a single MFA provider). In my case I need to choose the MFA provider according to the attribute value saved in the LDAP. So I have the following lines in the properties (the MFA provider should be stored in the businessCategory LDAP attribute):
>
> "cas.authn.ldap[0].principalAttributeId": "uid",
> "cas.authn.ldap[0].principalAttributePassword": "userPassword",
> "cas.authn.ldap[0].principalAttributeList": "sn,cn:commonName,givenName,yubiKeyId,businessCategory",
> "cas.authn.attributeRepository.ldap.attributes.uid": "uid",
> "cas.authn.attributeRepository.ldap.attributes.yubiKeyId": "yubiKeyId",
> "cas.authn.attributeRepository.ldap.attributes.businessCategory": "businessCategory",
> "cas.authn.attributeRepository.ldap.defaultAttributesToRelease": "uid,yubiKeyId,businessCategory",
> "cas.authn.mfa.globalPrincipalAttributeNameTriggers": "businessCategory",
> "cas.authn.mfa.globalPrincipalAttributeValueRegex": "mfa-yubikey|mfa-gauth",
>
> Property cas.authn.mfa.globalProviderId is not set.
> The project gets compiled and deployed without exceptions. When I set the businessCategory attribute to a random value, MFA is not triggered at all. This is expected, because it does not match the regexp. If I set it to "mfa-yubikey" then gauth gets triggered (but yubikey is expected). I can find the following in the logs (with debug enabled):
>
> ...
> 2017-04-03 13:18:05,808 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <LDAP response returned as result. Creating the final LDAP principal>
> 2017-04-03 13:18:05,809 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Creating LDAP principal for dimitri based on uid=dimitri,ou=People,dc=example,dc=com>
> 2017-04-03 13:18:05,810 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Retrieved principal id attribute dimitri>
> 2017-04-03 13:18:05,810 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Found principal attribute: [yubiKeyId[cccscedtfar]]>
> 2017-04-03 13:18:05,811 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Found principal attribute: [givenName[Dimitri]]>
> 2017-04-03 13:18:05,812 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Found principal attribute: [businessCategory[mfa-yubikey]]>
> 2017-04-03 13:18:05,813 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Found principal attribute: [sn[Gavrilov]]>
> 2017-04-03 13:18:05,813 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Found principal attribute: [cn[dimitri]]>
> 2017-04-03 13:18:05,814 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Created LDAP principal for id dimitri and 6 attributes>
> 2017-04-03 13:18:05,816 INFO [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <LdapAuthenticationHandler successfully authenticated dimitri>
> 2017-04-03 13:18:05,817 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <No resolver configured for LdapAuthenticationHandler. Falling back to handler principal dimitri>
> 2017-04-03 13:18:05,817 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Final principal resolved for this authentication event is dimitri>
> 2017-04-03 13:18:05,818 DEBUG [org.apereo.cas.authentication.AllAuthenticationPolicy] - <Authentication policy is satisfied.>
> 2017-04-03 13:18:05,819 INFO [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authenticated principal [dimitri] and attributes {businessCategory=mfa-yubikey, commonName=Dimitri, givenName=Dimitri, LdapAuthenticationHandler.dn=uid=dimitri,ou=People,dc=example,dc=com, sn=Gavrilov, yubiKeyId=cccscedtfar} with credentials [dimitri].>
> 2017-04-03 13:18:05,820 DEBUG [org.apereo.cas.audit.spi.ThreadLocalPrincipalResolver] - <Resolving principal at audit point [execution(Authentication org.apereo.cas.authentication.AbstractAuthenticationManager.authenticate(AuthenticationTransaction))]>
> 2017-04-03 13:18:05,821 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
> =============================================================
> WHO: dimitri
> WHAT: Supplied credentials: [dimitri]
> ACTION: AUTHENTICATION_SUCCESS
> APPLICATION: CAS
> WHEN: Mon Apr 03 13:18:05 CEST 2017
> CLIENT IP ADDRESS: 192.168.168.12
> SERVER IP ADDRESS: 192.168.168.16
> =============================================================
>
> 2017-04-03 13:18:05,822 DEBUG [org.apereo.cas.authentication.DefaultAuthenticationTransactionManager] - <Successful authentication; Collecting authentication result [org.apereo.cas.authentication.DefaultAuthentication@9f0afc06]>
> 2017-04-03 13:18:05,824 DEBUG [org.apereo.cas.web.support.WebUtils] - <Evaluating request to determine if warning cookie should be generated>
> 2017-04-03 13:18:05,825 DEBUG [org.apereo.cas.web.support.WebUtils] - <Evaluating request to determine if warning cookie should be generated>
> 2017-04-03 13:18:05,825 DEBUG [org.apereo.cas.web.support.WebUtils] - <Evaluating request to determine if warning cookie should be generated>
> 2017-04-03 13:18:05,826 DEBUG [org.apereo.cas.web.support.WebUtils] - <Evaluating request to determine if warning cookie should be generated>
> 2017-04-03 13:18:05,827 DEBUG [org.apereo.cas.web.support.WebUtils] - <Evaluating request to determine if warning cookie should be generated>
> 2017-04-03 13:18:05,827 DEBUG [org.apereo.cas.web.support.WebUtils] - <Evaluating request to determine if warning cookie should be generated>
> 2017-04-03 13:18:05,828 DEBUG [org.apereo.cas.adaptors.gauth.GoogleAuthenticatorMultifactorAuthenticationProvider] - <Multifactor failure mode for ^(https|imaps)://.* is defined as CLOSED>
> 2017-04-03 13:18:05,829 DEBUG [org.apereo.cas.web.support.WebUtils] - <Evaluating request to determine if warning cookie should be generated>
> 2017-04-03 13:18:05,829 DEBUG [org.apereo.cas.web.support.WebUtils] - <Evaluating request to determine if warning cookie should be generated>
> 2017-04-03 13:18:05,830 DEBUG [org.apereo.cas.adaptors.yubikey.YubiKeyMultifactorAuthenticationProvider] - <Provided event id mfa-yubikey is not applicable to this provider identified by {}>
> 2017-04-03 13:18:05,832 DEBUG [org.apereo.cas.web.support.DefaultArgumentExtractor] - <Created https://sso.example.com/cas/status/dashboard based on org.apereo.cas.authentication.principal.WebApplicationServiceFactory@489c4525>
> 2017-04-03 13:18:05,832 DEBUG [org.apereo.cas.web.support.DefaultArgumentExtractor] - <Extractor generated service type org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl for: https://sso.example.com/cas/status/dashboard>
> Hibernate: select googleauth0_.id as id1_0_, googleauth0_.secretKey as secretKe2_0_, googleauth0_.username as username3_0_, googleauth0_.validationCode as validati4_0_ from GoogleAuthenticatorRegistrationRecord googleauth0_ where googleauth0_.username=?
>
> Does anyone know how to get the Global Principal Attribute working?
>
> Thanks
> Dimitri

--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/f3b5384f-5e3b-4e49-b97a-f8e153407687%40apereo.org.
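As an added illustration (not code from CAS or from either poster) of what the gauth properties in Sai's settings mean at verification time: a Python TOTP check that maps codeDigits, timeStepSize and windowSize onto RFC 6238 code generation and a clock-drift window, with a constructed replay check. The window layout (windowSize=3 meaning offsets -1, 0, +1 around the server's current step) is my assumption about the googleauth library that CAS wraps, so confirm it against the library version you deploy.

```python
import base64
import hashlib
import hmac
import struct

# Constructed to mirror the gauth properties quoted in the thread (not CAS code).
CODE_DIGITS = 6       # cas.authn.mfa.gauth.codeDigits
TIME_STEP_SIZE = 30   # cas.authn.mfa.gauth.timeStepSize (seconds)
WINDOW_SIZE = 3       # cas.authn.mfa.gauth.windowSize

# RFC 4226/6238 reference secret "12345678901234567890", base32-encoded.
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp_code(secret_b32: str, counter: int, digits: int = CODE_DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for one time-step counter, zero-padded."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def verify_code(secret_b32: str, code: str, now: int, used_counters=None,
                window_size: int = WINDOW_SIZE, step: int = TIME_STEP_SIZE,
                digits: int = CODE_DIGITS):
    """Return the time-step counter the code matched, or None if rejected.

    Assumption: the window is laid out as the googleauth library does it, so
    windowSize=3 checks offsets -1, 0, +1; a code stays valid for one step on
    either side of the server clock. A larger windowSize widens that
    acceptance window. used_counters (constructed here) rejects replay of a
    code whose counter was already accepted.
    """
    current = now // step
    first = -((window_size - 1) // 2)
    last = window_size // 2
    for offset in range(first, last + 1):
        candidate = current + offset
        if used_counters is not None and candidate in used_counters:
            continue
        if hmac.compare_digest(totp_code(secret_b32, candidate, digits), code):
            if used_counters is not None:
                used_counters.add(candidate)
            return candidate
    return None
```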
