Add
        <dependency>
             <groupId>org.apereo.cas</groupId>
             <artifactId>cas-server-core-authentication</artifactId>
             <version>${cas.version}</version>
        </dependency>

with:

cas.authn.mfa.duo[0].bypass.type=GROOVY
cas.authn.mfa.duo[0].bypass.groovy.location=file:/etc/cas/config/mfaGroovyTrigger.groovy

You should get:

2018-02-09 19:10:39,145 DEBUG [org.apereo.cas.authentication.GroovyMultifactorAuthenticationProviderBypass] - <Evaluating multifactor authentication bypass properties for principal [casuser], service [null] and provider [DefaultDuoMultifactorAuthenticationProvider] via Groovy script [URL [file:/etc/cas/config/mfaGroovyTrigger.groovy]]>

2018-02-09 17:11 GMT-03:00 Brian Davidson <[email protected]>:

> Just to add a bit to what Brian M. provided (I’m also a Brian, and a
> co-worker of Brian M’s):
>
> We have Duo MFA working if we comment out:
> cas.authn.mfa.duo[0].bypass.type=GROOVY
> cas.authn.mfa.duo[0].bypass.groovy.location=file:///etc/cas/selectiveDuo.groovy
>
> We did find that CAS was unable to check to see if the user exists in Duo
> if we used the “CAS” integration in Duo.  But it works if we set up the
> integration as “Auth API”.
>
> We haven’t touched webflow. With the Groovy script in place, when we enable the GROOVY bypass type, we get:
>
> 2018-02-09 15:04:55,638 DEBUG [org.springframework.webflow.engine.impl.FlowExecutionImpl] - <Attempting to handle [org.springframework.webflow.execution.FlowExecutionException: Exception thrown in state 'viewLoginFormDuo' of flow 'mfa-duo'] with root cause [java.io.NotSerializableException: org.springframework.core.io.UrlResource]>
>
> As well as the stack trace Brian M. provided.
>
> cas.authn.mfa.duo[0].bypass.groovy.location was the missing piece
> yesterday.  Dug through source code to find that.  We’re happy to provide
> updates to the documentation once we get this working.
>
> Thanks for the help!
>
> On Feb 9, 2018, at 10:14 AM, brian mancuso <[email protected]> wrote:
>
> Anything that says "REMOVED" is just stuff I pulled out before posting it.
> I didn't want to post any private/sensitive information.
>
> On Friday, February 9, 2018 at 9:59:12 AM UTC-5, Manfredo Hopp wrote:
>>
>> What do you mean by REMOVED in properties .
>>
>> El viernes, 9 de febrero de 2018, brian mancuso <[email protected]>
>> escribió:
>>
>>> Hey all,
>>>
>>> I was originally trying to setup some custom triggers to determine who
>>> should use MFA and who is allowed to bypass. I have since been directed
>>> towards Groovy to simplify things, but I'm still having some trouble.
>>>
>>> At this point, the Groovy script's purpose is strictly to test if a
>>> certain user will bypass MFA while others will not. Here's my setup:
>>>
>>> */etc/cas/config/cas.properties*
>>>
>>> ##
>>> # Duo security 2fa authentication provider
>>> # https://www.duosecurity.com/docs/duoweb#1.-generate-an-akey
>>> #
>>> cas.authn.mfa.duo[0].rank=0
>>> cas.authn.mfa.duo[0].duoApiHost=REMOVED
>>> cas.authn.mfa.duo[0].duoIntegrationKey=REMOVED
>>> cas.authn.mfa.duo[0].duoSecretKey=REMOVED
>>> cas.authn.mfa.duo[0].duoApplicationKey=REMOVED
>>> cas.authn.mfa.duo[0].id=mfa-duo
>>> cas.authn.mfa.globalProviderId=mfa-duo
>>> cas.authn.mfa.globalFailureMode=OPEN
>>> cas.authn.mfa.duo[0].bypass.type=GROOVY
>>> cas.authn.mfa.duo[0].bypass.groovy.location=file:///etc/cas/selectiveDuo.groovy
>>>
>>>
>>> */etc/cas/selectiveDuo.groovy*
>>>
>>> def boolean run(final Object... args) {
>>>     def authentication = args[0]
>>>     def principal = args[1]
>>>     def service = args[2]
>>>     def provider = args[3]
>>>     def logger = args[4]
>>>     def httpRequest = args[5]
>>>
>>>     logger.info("Evaluating principal attributes ${principal.attributes}")
>>>
>>>     // CAS runs MFA for this provider when the script returns true
>>>     // and bypasses it when the script returns false.
>>>     def bypass = principal.attributes['uid']
>>>     if (bypass?.contains("testuser") && provider.id == "mfa-duo") {
>>>         logger.info("Bypassing MFA for principal ${principal.id}")
>>>         return false
>>>     }
>>>
>>>     return true
>>> }
>>>
>>>
>>> When I try to login though, whenever a user would be sent to DUO, I get
>>> a 500 error:
>>>
>>>
>>> <https://lh3.googleusercontent.com/-bqF7r6WYFDU/Wn2r6Zgza6I/AAAAAAAASso/CtOtDNX7IF0Y2Ua0Eb8GyWbXuYdCSbEJgCLcBGAs/s1600/Screen%2BShot%2B2018-02-09%2Bat%2B9.10.22%2BAM.png>
>>>
>>> Here's a small snippet from the output:
>>>
>>> 2018-02-09 09:04:05,717 DEBUG [org.apereo.cas.web.FlowExecutionExceptionResolver] - <Ignoring the received exception due to a type mismatch>
>>> org.springframework.webflow.execution.FlowExecutionException: Exception thrown in state 'viewLoginFormDuo' of flow 'mfa-duo'
>>> at org.springframework.webflow.engine.impl.FlowExecutionImpl.wrap(FlowExecutionImpl.java:573) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>>> at org.springframework.webflow.engine.impl.FlowExecutionImpl.resume(FlowExecutionImpl.java:263) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>>> at org.springframework.webflow.executor.FlowExecutorImpl.resumeExecution(FlowExecutorImpl.java:169) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_151]
>>>
>>> Caused by: org.apereo.spring.webflow.plugin.ClientFlowExecutionRepositoryException: Error encoding flow execution
>>> at org.apereo.spring.webflow.plugin.ClientFlowExecutionRepository.getKey(ClientFlowExecutionRepository.java:114) ~[spring-webflow-client-repo-1.0.3.jar:1.0.3]
>>> at org.springframework.webflow.engine.impl.FlowExecutionImpl.assignKey(FlowExecutionImpl.java:419) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>>> at org.springframework.webflow.engine.impl.RequestControlContextImpl.assignFlowExecutionKey(RequestControlContextImpl.java:193) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>>>
>>> Caused by: java.io.NotSerializableException: org.springframework.core.io.UrlResource
>>> at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1184) ~[?:1.8.0_151]
>>> at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1548) ~[?:1.8.0_151]
>>> at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1509) ~[?:1.8.0_151]
>>> at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1432) ~[?:1.8.0_151]
>>> at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1178) ~[?:1.8.0_151]
>>> at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1548) ~[?:1.8.0_151]
>>> at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1509) ~[?:1.8.0_151]
>>>
>>> 2018-02-09 09:04:05,717 ERROR [org.springframework.boot.web.support.ErrorPageFilter] - <Forwarding to error page from request [/login] due to exception [Exception thrown in state 'viewLoginFormDuo' of flow 'mfa-duo']>
>>> org.springframework.webflow.execution.FlowExecutionException: Exception thrown in state 'viewLoginFormDuo' of flow 'mfa-duo'
>>> at org.springframework.webflow.engine.impl.FlowExecutionImpl.wrap(FlowExecutionImpl.java:573) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>>> at org.springframework.webflow.engine.impl.FlowExecutionImpl.resume(FlowExecutionImpl.java:263) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>>> at org.springframework.webflow.executor.FlowExecutorImpl.resumeExecution(FlowExecutorImpl.java:169) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_151]
>>> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_151]
>>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_151]
>>> at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_151]
>>>
>>> Caused by: org.apereo.spring.webflow.plugin.ClientFlowExecutionRepositoryException: Error encoding flow execution
>>> at org.apereo.spring.webflow.plugin.ClientFlowExecutionRepository.getKey(ClientFlowExecutionRepository.java:114) ~[spring-webflow-client-repo-1.0.3.jar:1.0.3]
>>> at org.springframework.webflow.engine.impl.FlowExecutionImpl.assignKey(FlowExecutionImpl.java:419) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>>> at org.springframework.webflow.engine.impl.RequestControlContextImpl.assignFlowExecutionKey(RequestControlContextImpl.java:193) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>>> at org.springframework.webflow.engine.ViewState.doEnter(ViewState.java:170) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>>> at org.springframework.webflow.engine.State.enter(State.java:194) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>>> at org.springframework.webflow.engine.Transition.execute(Transition.java:228) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>>> at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>>> at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214) ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>>>
>>> Caused by: java.io.NotSerializableException: org.springframework.core.io.UrlResource
>>> at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1184) ~[?:1.8.0_151]
>>> at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1548) ~[?:1.8.0_151]
>>> at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1509) ~[?:1.8.0_151]
>>> at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1432) ~[?:1.8.0_151]
>>> at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1178) ~[?:1.8.0_151]
>>> at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1548) ~[?:1.8.0_151]
>>> at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1509) ~[?:1.8.0_151]
>>> at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1432) ~[?:1.8.0_151]
>>>
>>>
>>> I posted the output to pastebin since it was too large for just posting
>>> here: https://pastebin.com/yNPk4u7n
>>>
>>> --
>>> - Website: https://apereo.github.io/cas
>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>> - List Guidelines: https://goo.gl/1VRrw7
>>> - Contributions: https://goo.gl/mh7qDG
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "CAS Community" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/b3ba67e2-e0ca-4a8e-853b-041343564b9f%40apereo.org
>>> .
>>>
>>
>

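Added example, not the script posted in this thread and not CAS project code: a bypass script written the way I would deploy it under the GROOVY bypass type. It defaults to running MFA, bypasses only when an explicit principal attribute names the provider, and tolerates a missing, null or multi-valued attribute instead of throwing on it. The attribute name mfaBypass and the file path are assumptions; the calling convention (six positional arguments, boolean result where true means run MFA for this provider and false means bypass it) is the one CAS documents for the Groovy bypass.

```groovy
// Added example of a CAS Groovy MFA bypass script; not the script from the thread
// and not CAS project code. Assumed location: /etc/cas/config/selectiveDuo.groovy
//
// CAS calls run(authentication, principal, service, provider, logger, httpRequest)
// and expects a boolean: true = run MFA for this provider, false = bypass it.
def boolean run(final Object... args) {
    def authentication = args[0]
    def principal = args[1]
    def service = args[2]
    def provider = args[3]
    def logger = args[4]
    def httpRequest = args[5]

    // Assumption: a principal attribute named "mfaBypass" (hypothetical name) lists
    // the provider ids that may be skipped for this user, e.g. mfaBypass=mfa-duo.
    def attrs = principal?.attributes ?: [:]
    def raw = attrs['mfaBypass']

    // Fail closed: no principal, no attribute, no bypass.
    if (raw == null) {
        logger.debug("No mfaBypass attribute for principal [{}]; MFA via [{}] required",
                principal?.id, provider.id)
        return true
    }

    // Attribute values may arrive as a single value or as a List; normalise to strings.
    def values = (raw instanceof Collection ? raw : [raw]).collect { it.toString().trim() }
    def skip = values.contains(provider.id)

    logger.info("mfaBypass={} for principal [{}], provider [{}], service [{}] -> {}",
            values, principal.id, provider.id, service?.id, skip ? "BYPASS" : "MFA")
    return !skip
}
```

The attribute has to be resolved onto the principal for the script to see it, so release it from the attribute repository before relying on the decision. Because the script is the last word on whether a second factor is required, keep it small and make every unexpected input (null principal, unknown provider id, attribute absent) fall through to returning true; the shape above can also be exercised offline by parsing the file with GroovyShell and invoking run() with stand-in principal and provider objects before it is placed on the server.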