I tried to get this working last summer with no luck... I finally punted and used a Groovy script to return the appropriate MFA provider.
On Wednesday, August 14, 2019 at 12:50:13 PM UTC-5, John Bond wrote:
> Hi all,
>
> I'm attempting to configure CAS so that the MFA provider is determined via
> an ldap attribute. I have the following config
>
> ```
> server.ssl.keyStore=file:/etc/cas/thekeystore
>
> cas.server.name=https://idp.wikimedia.org:8443
> cas.server.prefix=https://idp.wikimedia.org:8443/cas
>
> cas.authn.mfa.globalPrincipalAttributeNameTriggers=businessCategory
> cas.authn.mfa.gauth.json.location=file:///etc/cas/config/gauthdevices.json
> cas.authn.mfa.u2f.json.location=file:///etc/cas/config/u2fdevices.json
>
> logging.config: file:/etc/cas/config/log4j2.xml
>
> cas.serviceRegistry.json.location=file:/etc/cas/services
>
> cas.authn.ldap[0].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider
> cas.authn.ldap[0].principalAttributeList=cn,memberOf,mail,businessCategory
> cas.authn.ldap[0].type=AUTHENTICATED
> cas.authn.ldap[0].connectionStrategy=ACTIVE_PASSIVE
> cas.authn.ldap[0].ldapurl=ldaps://ldap-ro.eqiad.wikimedia.org:636 ldaps://ldap-ro.codfw.wikimedia.org:636
> cas.authn.ldap[0].useStartTLS=false
> cas.authn.ldap[0].basedn=dc=wikimedia,dc=org
> cas.authn.ldap[0].searchFilter=cn={user}
> cas.authn.ldap[0].binddn=cn=user,ou=profile,dc=wikimedia,dc=org
> cas.authn.ldap[0].bindcredential=**removed**
> cas.authn.accept.users=
> logging.level.org.apereo=DEBUG
> ```
>
> And my user has `businessCategory: mfa-gauth` configured in ldap.
> However, when I try to authenticate I see the following in the debug logs:
>
> ```
> 2019-08-14 17:35:06,797 DEBUG [org.apereo.cas.authentication.DefaultMultifactorAuthenticationProviderResolver] - <Located attribute value [[mfa-gauth]] for [[businessCategory]]>
> 2019-08-14 17:35:06,797 DEBUG [org.apereo.cas.authentication.MultifactorAuthenticationUtils] - <Attribute value [[mfa-gauth]] is not a single-valued attribute>
> 2019-08-14 17:35:06,799 DEBUG [org.apereo.cas.authentication.MultifactorAuthenticationUtils] - <Ignoring [mfa-gauth] since no matching transition could be found>
> 2019-08-14 17:35:06,799 DEBUG [org.apereo.cas.authentication.DefaultMultifactorAuthenticationProviderResolver] - <No set of events based on the attribute(s) [[businessCategory]] could be matched>
> ```
>
> So it looks like ldap sends this value as an array and CAS doesn't like
> that. Is anyone able to give advice on how I could get ldap to send this
> [or some other attribute] as a string, or fix this issue on the CAS side?
>
> Cheers John
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/640c568e-0e5e-4cd4-a0f5-635633a185f4%40apereo.org.
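For readers landing here with the same symptom, here is what the "Groovy script" approach in the reply looks like in practice. This is an added example, not code posted by either participant and not CAS project code. It uses the documented CAS Groovy MFA trigger hook (`cas.authn.mfa.groovyScript` in the CAS release line current in 2019; later releases moved it under `cas.authn.mfa.groovy-script.location`, so check the property name for your version). The script path `/etc/cas/config/mfaTrigger.groovy`, the `businessCategory` attribute name and the list of provider ids are assumptions taken from the thread; the argument order of `run()` follows the CAS documentation for the Groovy trigger.

```groovy
// /etc/cas/config/mfaTrigger.groovy   (added example; path is an assumption)
//
// Wire it in instead of globalPrincipalAttributeNameTriggers:
//   cas.authn.mfa.groovyScript=file:/etc/cas/config/mfaTrigger.groovy
//
// CAS invokes run() with: service, registeredService, authentication,
// httpRequest, logger. Returning a provider id (e.g. "mfa-gauth") activates
// that provider; returning null means no MFA for this login.

class MfaTriggerFromLdap {

    // Provider ids that are actually configured in this CAS deployment.
    // Only these may be returned, so a stray attribute value cannot name
    // a provider that does not exist. (Assumption: gauth and u2f, as in the thread.)
    static final List<String> CONFIGURED_PROVIDERS = ["mfa-gauth", "mfa-u2f"]

    // Name of the LDAP attribute carrying the provider id (assumption from the thread).
    static final String TRIGGER_ATTRIBUTE = "businessCategory"

    def String run(final Object... args) {
        def service = args[0]
        def registeredService = args[1]
        def authentication = args[2]
        def httpRequest = args[3]
        def logger = args[4]

        def principal = authentication.principal
        def raw = principal.attributes.get(TRIGGER_ATTRIBUTE)

        if (raw == null) {
            logger.debug("Principal [{}] has no [{}] attribute; not triggering MFA",
                    principal.id, TRIGGER_ATTRIBUTE)
            return null
        }

        // LDAP attributes are handed to the script as a collection even when they
        // hold a single value. This is the "[[mfa-gauth]]" shape from the debug log
        // that the attribute-name trigger refused as "not a single-valued attribute".
        // Normalise both shapes to a list of trimmed strings.
        List<String> values = (raw instanceof Collection ? raw : [raw])
                .collect { it.toString().trim() }

        // Pick the first value that names a configured provider; ignore everything else.
        def selected = values.find { CONFIGURED_PROVIDERS.contains(it) }

        if (selected == null) {
            logger.debug("Principal [{}] has [{}]={} but none of {} is a configured provider",
                    principal.id, TRIGGER_ATTRIBUTE, values, CONFIGURED_PROVIDERS)
            return null
        }

        logger.debug("Principal [{}] triggers MFA provider [{}] via [{}]",
                principal.id, selected, TRIGGER_ATTRIBUTE)
        return selected
    }
}
```

Two design points worth noting. First, the script whitelists the provider ids it will return, so an unexpected or mistyped attribute value degrades to "no match" in the log rather than to a provider lookup with a user-controlled string. Second, as written the script fails open: a user whose `businessCategory` is missing or unrecognised gets no MFA at all, which is the same behaviour as the attribute-name trigger, but it means anyone who can edit that LDAP attribute can switch MFA off for an account. If that is not acceptable in your directory, return a default provider id instead of `null` in the two fallthrough branches so that the trigger fails closed.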
