Hi all,

I'm attempting to configure CAS so that the MFA provider is determined via
an LDAP attribute. I have the following config:

```
server.ssl.keyStore=file:/etc/cas/thekeystore

cas.server.name=https://idp.wikimedia.org:8443
cas.server.prefix=https://idp.wikimedia.org:8443/cas

cas.authn.mfa.globalPrincipalAttributeNameTriggers=businessCategory
cas.authn.mfa.gauth.json.location=file:///etc/cas/config/gauthdevices.json
cas.authn.mfa.u2f.json.location=file:///etc/cas/config/u2fdevices.json

logging.config: file:/etc/cas/config/log4j2.xml

cas.serviceRegistry.json.location=file:/etc/cas/services

cas.authn.ldap[0].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider
cas.authn.ldap[0].principalAttributeList=cn,memberOf,mail,businessCategory
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].connectionStrategy=ACTIVE_PASSIVE
cas.authn.ldap[0].ldapurl=ldaps://ldap-ro.eqiad.wikimedia.org:636 ldaps://ldap-ro.codfw.wikimedia.org:636
cas.authn.ldap[0].useStartTLS=false
cas.authn.ldap[0].basedn=dc=wikimedia,dc=org
cas.authn.ldap[0].searchFilter=cn={user}
cas.authn.ldap[0].binddn=cn=user,ou=profile,dc=wikimedia,dc=org
cas.authn.ldap[0].bindcredential=**removed**
cas.authn.accept.users=
logging.level.org.apereo=DEBUG
```
And my user has `businessCategory: mfa-gauth` configured in LDAP. However,
when I try to authenticate I see the following in the debug logs:

```
2019-08-14 17:35:06,797 DEBUG 
[org.apereo.cas.authentication.DefaultMultifactorAuthenticationProviderResolver]
 
- <Located attribute value [[mfa-gauth]] for [[businessCategory]]>
2019-08-14 17:35:06,797 DEBUG 
[org.apereo.cas.authentication.MultifactorAuthenticationUtils] - <Attribute 
value [[mfa-gauth]] is not a single-valued attribute>
2019-08-14 17:35:06,799 DEBUG 
[org.apereo.cas.authentication.MultifactorAuthenticationUtils] - <Ignoring 
[mfa-gauth] since no matching transition could be found>
2019-08-14 17:35:06,799 DEBUG 
[org.apereo.cas.authentication.DefaultMultifactorAuthenticationProviderResolver]
 
- <No set of events based on the attribute(s) [[businessCategory]] could be 
matched>  
```

So it looks like LDAP sends this value as an array and CAS doesn't like
that. Is anyone able to give advice on how I could get LDAP to send this
[or some other attribute] as a string, or fix this issue on the CAS side?

Cheers, John

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/027b362c-8152-457e-94b4-1136043f4bfc%40apereo.org.
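As an added illustration (not from the post above and not CAS's own code), the following Python reads the DEBUG lines quoted in the post and pulls out which trigger-attribute values CAS located and which it then discarded because no matching MFA transition existed, alongside a deliberately simplified model of the value-by-value comparison those lines describe. The log parsing assumes the message shapes exactly as quoted (the mail client's line wraps are undone in the constructed sample, and a multi-valued attribute is assumed to print as a comma-separated list inside the `[[...]]`); `resolve_mfa_provider` is an assumed simplification for teaching purposes, not the real CAS resolver.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample: the four DEBUG lines quoted in the post, re-joined onto
# single lines (the mail client had wrapped them).
SAMPLE_LOG = """\
2019-08-14 17:35:06,797 DEBUG [org.apereo.cas.authentication.DefaultMultifactorAuthenticationProviderResolver] - <Located attribute value [[mfa-gauth]] for [[businessCategory]]>
2019-08-14 17:35:06,797 DEBUG [org.apereo.cas.authentication.MultifactorAuthenticationUtils] - <Attribute value [[mfa-gauth]] is not a single-valued attribute>
2019-08-14 17:35:06,799 DEBUG [org.apereo.cas.authentication.MultifactorAuthenticationUtils] - <Ignoring [mfa-gauth] since no matching transition could be found>
2019-08-14 17:35:06,799 DEBUG [org.apereo.cas.authentication.DefaultMultifactorAuthenticationProviderResolver] - <No set of events based on the attribute(s) [[businessCategory]] could be matched>
"""

# Message shapes taken verbatim from the quoted log; the comma-separated
# form for several values is an assumption about how a list would print.
LOCATED_RE = re.compile(
    r"<Located attribute value \[\[(?P<values>[^\]]*)\]\] for \[\[(?P<attr>[^\]]*)\]\]>"
)
IGNORED_RE = re.compile(
    r"<Ignoring \[(?P<value>[^\]]*)\] since no matching transition could be found>"
)


def summarise_mfa_trigger_log(log_text: str) -> dict:
    """Return which values CAS located per trigger attribute, and which of
    those values it then ignored for lack of a matching MFA transition."""
    located: Dict[str, List[str]] = {}
    ignored: List[str] = []
    for line in log_text.splitlines():
        m = LOCATED_RE.search(line)
        if m:
            values = [v.strip() for v in m.group("values").split(",") if v.strip()]
            located.setdefault(m.group("attr"), []).extend(values)
            continue
        m = IGNORED_RE.search(line)
        if m:
            ignored.append(m.group("value"))
    return {"located": located, "ignored": ignored}


def resolve_mfa_provider(
    attributes: Dict[str, List[str]],
    trigger_attrs: List[str],
    available_transitions: Set[str],
) -> Optional[str]:
    """Simplified model (assumption, not CAS code) of attribute-based MFA
    triggering: every value of every configured trigger attribute is compared
    against the ids of the MFA transitions registered in the login webflow,
    and the first value that names a registered transition wins. A
    multi-valued attribute is therefore handled by iterating its values."""
    for attr in trigger_attrs:
        for value in attributes.get(attr, []):
            if value in available_transitions:
                return value
    return None


if __name__ == "__main__":
    print(summarise_mfa_trigger_log(SAMPLE_LOG))
    principal = {"businessCategory": ["mfa-gauth"]}
    print(resolve_mfa_provider(principal, ["businessCategory"], {"mfa-gauth"}))
    print(resolve_mfa_provider(principal, ["businessCategory"], set()))
```

Running the summary over the quoted lines shows the value `mfa-gauth` was located for `businessCategory` and was then compared on its own, so the "not a single-valued attribute" line is only a notice that the list was unpacked; the event that actually ended the resolution is the one the third line states, namely that no transition named `mfa-gauth` could be found in the webflow. That is the condition worth checking on the CAS side before changing anything in the directory.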