shib-cas-authn3 3.2.3 does not support handling authn context classes 
received from CAS. Please switch to a more recent version, such as 
3.2.4.beta4. The readme also provides an example of how one can map MFA on CAS 
to the REFEDS profile, which might serve as inspiration for you.

On Friday, February 15, 2019 at 9:04:36 AM UTC-7, Mickaël wrote:
>
> Hi everybody,
>
> I have a Shibboleth IDP v3.4.3 with the plugin shibcas 3.2.3 for 
> delegating authentication to my CAS server in version 5.3.3.
> On my CAS server, for a specific service, users should do an authentication 
> by login/password AND Google OTP.
>
> My problem is the following: my CAS returns a strange value to my shibcas:
>
> 2019-02-15 16:17:54,149 - DEBUG 
> [net.unicon.idp.externalauth.ShibcasAuthServlet:44] - principalName found 
> and being passed on: XXXXXX
> 2019-02-15 16:17:54,150 - DEBUG 
> [net.unicon.idp.externalauth.ShibcasAuthServlet:94] - Added attribute 
> credentialType with values [UsernamePasswordCredential, 
> GoogleAuthenticatorTokenCredential]
> 2019-02-15 16:17:54,150 - DEBUG 
> [net.unicon.idp.externalauth.ShibcasAuthServlet:94] - Added attribute 
> samlAuthenticationStatementAuthMethod with values 
> [urn:oasis:names:tc:SAML:1.0:am:password, 
> urn:oasis:names:tc:SAML:1.0:am:unspecified]
> 2019-02-15 16:17:54,150 - DEBUG 
> [net.unicon.idp.externalauth.ShibcasAuthServlet:94] - Added attribute uid 
> with values XXXXXXX
> 2019-02-15 16:17:54,151 - DEBUG 
> [net.unicon.idp.externalauth.ShibcasAuthServlet:94] - Added attribute 
> isFromNewLogin with values true
> 2019-02-15 16:17:54,151 - DEBUG 
> [net.unicon.idp.externalauth.ShibcasAuthServlet:94] - Added attribute 
> bypassMultifactorAuthentication with values false
> 2019-02-15 16:17:54,151 - DEBUG 
> [net.unicon.idp.externalauth.ShibcasAuthServlet:94] - Added attribute 
> authenticationDate with values 2019-02-15T16:17:53.562+01:00[Europe/Paris]
> 2019-02-15 16:17:54,152 - DEBUG 
> [net.unicon.idp.externalauth.ShibcasAuthServlet:94] - Added attribute 
> authenticationMethod with values [LdapAuthenticationHandler, 
> GoogleAuthenticatorAuthenticationHandler]
> 2019-02-15 16:17:54,152 - DEBUG 
> [net.unicon.idp.externalauth.ShibcasAuthServlet:94] - Added attribute 
> authnContextClass with values mfa-gauth
> 2019-02-15 16:17:54,152 - DEBUG 
> [net.unicon.idp.externalauth.ShibcasAuthServlet:94] - Added attribute 
> successfulAuthenticationHandlers with values [LdapAuthenticationHandler, 
> GoogleAuthenticatorAuthenticationHandler]
> 2019-02-15 16:17:54,159 - DEBUG 
> [net.unicon.idp.externalauth.ShibcasAuthServlet:94] - Added attribute 
> longTermAuthenticationRequestTokenUsed with values false
> 2019-02-15 16:17:54,160 - DEBUG 
> [net.unicon.idp.externalauth.ShibcasAuthServlet:51] - Found attributes from 
> CAS. Processing...
>
> So my Shibboleth sent to the SP: 
> urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
>
> Is there a missing configuration on my CAS to send the right SAML 
> assertion?
>
> Thanks for response.
>
> Sincerely, Mickaël
>
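
Added example (not part of the original messages and not shib-cas-authn3 code): a Python check over debug lines shaped like those quoted above, flagging the situation in this thread where CAS reports an MFA authnContextClass but the SP receives PasswordProtectedTransport. The sample log is constructed, the function names are hypothetical, and treating a value starting with `mfa-` as "MFA was performed" is an assumption.

```python
import re

# Constructed sample shaped like the quoted ShibcasAuthServlet DEBUG output (mail-wrapped).
SAMPLE_LOG = """\
2019-02-15 16:17:54,150 - DEBUG
[net.unicon.idp.externalauth.ShibcasAuthServlet:94] - Added attribute
credentialType with values [UsernamePasswordCredential,
GoogleAuthenticatorTokenCredential]
2019-02-15 16:17:54,152 - DEBUG
[net.unicon.idp.externalauth.ShibcasAuthServlet:94] - Added attribute
authnContextClass with values mfa-gauth
2019-02-15 16:17:54,152 - DEBUG
[net.unicon.idp.externalauth.ShibcasAuthServlet:94] - Added attribute
successfulAuthenticationHandlers with values [LdapAuthenticationHandler,
GoogleAuthenticatorAuthenticationHandler]
"""

PASSWORD_CLASS = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
RECORD_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} - ")
ATTRIBUTE = re.compile(r"Added attribute (\S+) with values (.*)$")


def parse_cas_attributes(log_text):
    """Re-join wrapped log records, then return {attribute: [values]}."""
    records = []
    for line in log_text.splitlines():
        line = line.lstrip("> ").strip()  # tolerate mail quoting
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)       # a timestamp starts a new record
        else:
            records[-1] += " " + line  # continuation of a wrapped record
    attrs = {}
    for record in records:
        m = ATTRIBUTE.search(record)
        if m:
            raw = m.group(2).strip()
            if raw.startswith("[") and raw.endswith("]"):
                raw = raw[1:-1]        # multi-valued attributes are bracketed
            attrs[m.group(1)] = [v.strip() for v in raw.split(",") if v.strip()]
    return attrs


def mfa_not_conveyed(attrs, asserted_class):
    """True when CAS reported an MFA context but only the password class was asserted."""
    # Assumption: an authnContextClass value starting with "mfa-" means MFA was performed.
    did_mfa = any(v.startswith("mfa-") for v in attrs.get("authnContextClass", []))
    return did_mfa and asserted_class == PASSWORD_CLASS
```
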
