Dirk,

Sorry for the huge delay, here's all my config related to the 
cas.authn.mfa.gauth piece (sans our JPA config, since it doesn't sound like 
you need it):

cas.authn.mfa.globalFailureMode=OPEN
#cas.authn.mfa.globalPrincipalAttributeNameTriggers=mfa-user
#cas.authn.mfa.globalProviderId=mfa-gauth
cas.authn.mfa.groovyScript=file:/usr/tomcat/mfaAuthTrigger.groovy

cas.authn.mfa.gauth.issuer=TEST
cas.authn.mfa.gauth.label=TEST

cas.authn.mfa.gauth.windowSize=3
cas.authn.mfa.gauth.codeDigits=6
cas.authn.mfa.gauth.timeStepSize=30
cas.authn.mfa.gauth.rank=0
#cas.authn.mfa.gauth.trustedDeviceEnabled=false -- I still can't get this to work
cas.authn.mfa.gauth.name=TEST

cas.authn.mfa.gauth.cleaner.schedule.enabled=true
cas.authn.mfa.gauth.cleaner.schedule.startDelay=20000
cas.authn.mfa.gauth.cleaner.schedule.repeatInterval=60000

Be sure the file is in a location that the tomcat user can read from. I 
just put it in tomcat root for simplicity's sake.

I hope this helps if you're still having problems.

Thanks,

-Jonathan

On Wednesday, August 22, 2018 at 3:08:50 PM UTC-5, Dirk Tepe wrote:
>
> Can you provide some details regarding your configuration to get 
> cas.authn.mfa.groovyScript working? I'm currently using a groovy script for 
> MFA bypass successfully but now have need to use one for triggering as 
> well. However, the triggering script example wraps the run method in a 
> class and I've not been successful in getting it executed. CAS complains if 
> I have the path to the file incorrect, so I know it's at least identifying 
> that the file exists, I just can't figure out how to get it executed.
>
> Thanks,
>
> -dirk
>
> On Monday, July 2, 2018 at 3:06:05 PM UTC-4, Jonathan Barrett wrote:
>>
>> All,
>>
>> I was able to resolve the issue by rethinking my program flow and instead 
>> rewriting the groovy file to run off of the cas.authn.mfa.groovyScript 
>> property so it controls the trigger of MFA instead of bypassing activated 
>> MFA. Better to not trigger MFA at all instead of trying to bypass in my case. 
>> Plus, this gave me the ability to do more preprocessing to push people 
>> around to multiple MFA providers as needed. Be aware that service.id at 
>> the trigger level is the URL instead of the service registry name/ID. Hope 
>> this helps someone.
>>
>> -Jonathan
>>
>
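
A sketch of a trigger script of the kind discussed in this thread, added here as an example; it is not code from either poster or from the CAS project. It assumes the CAS 5.x trigger contract (a class whose run method receives service, registeredService, authentication and logger, and returns a provider id or null) and the default provider id mfa-gauth; the class name, helper and URL pattern are hypothetical.

```groovy
// Added example, not from the original thread.
// Assumption: CAS 5.x calls run(service, registeredService, authentication, logger)
// and treats a returned String as the MFA provider id, null as "no MFA".
class MfaAuthTrigger {

    // Constructed sample patterns. At trigger level service.id is the
    // requested service URL, not the service registry name/ID, so the
    // match is done against URLs.
    static final List<String> MFA_SERVICE_PATTERNS = [
        '^https://app\\.example\\.org(/.*)?$'
    ]

    // Hypothetical helper: decide the provider for a service URL.
    // ==~ is a full match, so a look-alike host such as
    // https://app.example.org.other.test/ does not satisfy the pattern.
    static String providerFor(String serviceUrl, List<String> patterns) {
        if (!serviceUrl) {
            // No service on the request (direct login to CAS): this
            // sketch does not trigger MFA; return a provider id here
            // if such logins must also be covered.
            return null
        }
        return patterns.any { serviceUrl ==~ it } ? 'mfa-gauth' : null
    }

    String run(final Object... args) {
        def service = args[0]
        def registeredService = args[1]   // unused in this sketch
        def authentication = args[2]      // unused in this sketch
        def logger = args[3]

        String serviceUrl = service?.id as String
        String provider = providerFor(serviceUrl, MFA_SERVICE_PATTERNS)
        logger.debug('MFA trigger for [{}] resolved to [{}]', serviceUrl, provider)
        return provider
    }
}
```

The script is referenced the same way as in the configuration above, through cas.authn.mfa.groovyScript=file:/path/to/script.groovy.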
