Thank you both for the replies! It makes sense that "cas.authn.mfa.globalProviderId=mfa-gauth" is the problem, only if I comment it out, then I can't seem to get the service registry entry I pasted earlier to force MFA, though debug logs show some stuff about mfa-gauth in the DefaultAuthenticationEventExecutionPlan which indicates to me it's at least... considered(?), but nothing telling.

I have no other cas.authn.mfa configuration directives in cas.properties at this point except for cas.authn.mfa.gauth.label and cas.authn.mfa.gauth.issuer. I wonder if it's possible I'm hitting some kind of default bypass condition? Any other ideas?

Thanks again,
Dave

On Friday, September 21, 2018 at 3:40:10 PM UTC-4, David Curry wrote:
>
> I think the problem is this line:
>
> cas.authn.mfa.globalProviderId=mfa-gauth
>
> According to the documentation, that enables MFA for all services, regardless of any other settings. Since you don't want that, you should probably turn it off.
>
> We have basically the same settings that Matt just posted here, and like his setup, it only does MFA on the few services where we've explicitly told it to.
>
> --Dave
>
> --
>
> DAVID A. CURRY, CISSP
> DIRECTOR OF INFORMATION SECURITY
> INFORMATION TECHNOLOGY
>
> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
> +1 212 229-5300 x4728 • [email protected]
>
> On Fri, Sep 21, 2018 at 3:37 PM Matthew Uribe <[email protected]> wrote:
>
>> Hi Dave,
>>
>> I'm still on CAS 5.2, so perhaps things have changed, but I'm doing exactly what you describe with Duo.
>>
>> In my cas.properties:
>>
>> #Configure Duo authentication properties
>> cas.authn.mfa.globalFailureMode: OPEN
>> # Aims Two-Factor
>> cas.authn.mfa.duo[0].duoApiHost: such.and.such
>> cas.authn.mfa.duo[0].duoIntegrationKey: D...........A5
>> cas.authn.mfa.duo[0].duoSecretKey: N.....................E5
>> cas.authn.mfa.duo[0].trustedDeviceEnabled: false
>> cas.authn.mfa.duo[0].duoApplicationKey: 01234567890
>> cas.authn.mfa.duo[0].id: mfa-duo
>>
>> Then in service registry:
>>
>> "multifactorPolicy" : {
>>   "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
>>   "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-duo" ] ]
>> }
>>
>> Services which don't include a multifactorPolicy don't require MFA.
>>
>> Matt
>>
>> On Friday, September 21, 2018 at 12:56:53 PM UTC-6, Dave B wrote:
>>>
>>> Running latest CAS 5.3 and just implemented MFA. My goal is to have MFA disabled globally but able to be turned on based only on inclusion in the service registry.
>>>
>>> However, I cannot get MFA to work on any service unless cas.authn.mfa.globalProviderId is set to a value, in my case mfa-gauth.
>>>
>>> With the settings below, ALL services, regardless of inclusion of "multifactorPolicy", require MFA. My only option is to explicitly exclude (bypass) all other services for which I don't want to require MFA.
>>>
>>> Is this intended behavior?
>>>
>>> Relevant config:
>>> cas.properties:
>>> cas.authn.mfa.globalProviderId=mfa-gauth
>>> cas.authn.mfa.globalFailureMode=CLOSED
>>>
>>> "multifactorPolicy" : {
>>>   "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
>>>   "multifactorAuthenicationProviders" : [ "java.util.LinkedHashSet", [ "mfa-gauth" ] ],
>>>   "failureMode" : "CLOSED"
>>> },
>>>
>>> Thanks for any help!
>>> -Dave
>>>
>> --
>> - Website: https://apereo.github.io/cas
>> - Gitter Chatroom: https://gitter.im/apereo/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> ---
>> You received this message because you are subscribed to the Google Groups "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/c9ca7d75-0826-4fb5-86aa-9a67d2d3e3a3%40apereo.org
>>
>

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/c1bcee0d-d6e3-4727-bfb9-1400cb3fb396%40apereo.org.
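The thread turns on two settings: `cas.authn.mfa.globalProviderId`, which the replies say applies MFA to every service, and the per-service `multifactorPolicy` block, which only takes effect when its keys are spelled exactly as CAS expects. The following audit script is an added example, not code from the thread or from the CAS project. It parses a `cas.properties` text (both the `key=value` and `key: value` forms seen above) and a list of JSON service definitions, reports per service whether MFA will be demanded and why, and flags policy keys that do not match the expected spelling, since a key CAS does not recognise cannot enforce anything whether the loader rejects it or ignores it. Assumptions: the known policy keys are limited to the three that appear in the thread (extend the list from the CAS documentation for your version), and the Google Authenticator provider is treated as available under the id `mfa-gauth` whenever any `cas.authn.mfa.gauth.*` property is set. The sample properties and services are constructed.

```python
"""Added audit helper (not part of the thread or of the CAS project)."""
import difflib
import json
import re

# Policy keys as they appear in the service definitions quoted in the thread.
KNOWN_POLICY_KEYS = ["@class", "multifactorAuthenticationProviders", "failureMode"]

# Assumption: the Google Authenticator provider is available as "mfa-gauth"
# (the id used throughout the thread) whenever any gauth property is set.
GAUTH_PREFIX = "cas.authn.mfa.gauth."
GAUTH_ID = "mfa-gauth"


def parse_properties(text):
    """Parse cas.properties lines written either as key=value or key: value."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def configured_providers(props):
    """Provider ids that the properties actually define."""
    ids = set()
    if any(k.startswith(GAUTH_PREFIX) for k in props):
        ids.add(GAUTH_ID)
    for key, value in props.items():
        if re.fullmatch(r"cas\.authn\.mfa\.duo\[\d+\]\.id", key):
            ids.add(value)
    return ids


def policy_providers(policy):
    """Unwrap a plain list or Jackson's ["java.util.LinkedHashSet", [...]] form."""
    value = policy.get("multifactorAuthenticationProviders", [])
    if not isinstance(value, list):
        return []
    if len(value) == 2 and isinstance(value[0], str) and isinstance(value[1], list):
        value = value[1]
    return [str(v) for v in value]


def audit_service(service, props):
    """Decide whether one service will require MFA and collect policy problems."""
    problems, providers = [], []
    available = configured_providers(props)
    policy = service.get("multifactorPolicy")
    if policy is not None:
        for key in policy:
            if key not in KNOWN_POLICY_KEYS:
                guess = difflib.get_close_matches(key, KNOWN_POLICY_KEYS, n=1, cutoff=0.8)
                hint = f" (did you mean {guess[0]!r}?)" if guess else ""
                problems.append(f"unknown multifactorPolicy key {key!r}{hint}")
        providers = policy_providers(policy)
        for provider in providers:
            if provider not in available:
                problems.append(f"provider {provider!r} is not configured in cas.properties")
    global_id = props.get("cas.authn.mfa.globalProviderId")
    if global_id:
        reason = f"globalProviderId={global_id} applies to every service"
    elif providers:
        reason = "service multifactorPolicy"
    else:
        reason = "no policy"
    return {"name": service.get("name", "<unnamed>"), "requires_mfa": bool(global_id) or bool(providers),
            "providers": providers, "reason": reason, "problems": problems}


def audit(props_text, services):
    """Audit every service definition against one cas.properties text."""
    props = parse_properties(props_text)
    return [audit_service(service, props) for service in services]


# Constructed sample: gauth configured, no global provider (the poster's second attempt).
SAMPLE_PROPERTIES = "cas.authn.mfa.gauth.label=Example CAS\ncas.authn.mfa.gauth.issuer=Example\n" \
                    "cas.authn.mfa.globalFailureMode=CLOSED\n"
POLICY_CLASS = "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy"


def _service(name, policy=None):
    svc = {"@class": "org.apereo.cas.services.RegexRegisteredService",
           "serviceId": f"^https://{name}.example.org/.*", "name": name}
    if policy is not None:
        svc["multifactorPolicy"] = policy
    return svc


SAMPLE_SERVICES = [
    _service("correct", {"@class": POLICY_CLASS, "failureMode": "CLOSED",
                         "multifactorAuthenticationProviders": ["java.util.LinkedHashSet", ["mfa-gauth"]]}),
    # Same policy, but with the provider key misspelled as in the original question.
    _service("misspelled", {"@class": POLICY_CLASS, "failureMode": "CLOSED",
                            "multifactorAuthenicationProviders": ["java.util.LinkedHashSet", ["mfa-gauth"]]}),
    _service("nopolicy"),
]

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_PROPERTIES, SAMPLE_SERVICES), indent=2))
```

Run it against your own `cas.properties` and a directory of JSON service files by replacing the sample inputs; a service that reports `requires_mfa: false` with a "did you mean" problem is the case to check first, because the policy block is present but cannot be honoured under that key name.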
