The brief story: CAS never kicks off the multifactor trusted device
registration webflow. I've tried this with just about every version of CAS
6, most recently with 6.1.2 and a large number of 6.2.0 snapshots. I've
tested this with Google Authenticator, using both Redis and JSON for token
storage, as well as CAS Simple MFA. I'm posting the very stripped-down
configuration I've tried against a bare overlay template, but this has also
been tested in a much more fully fledged environment with an LDAP backend,
Redis ticket storage, etc.
What stands out to me is that this was working before, at the beginning of
the year, I believe. That leads me to suspect that something changed such
that I am effectively misconfiguring the trusted MFA settings. Otherwise, I
don't see how it could be so uniformly broken across multiple versions. On
the other hand, I've attempted this with MFA REST storage, and the code for
that is actually broken (in the sense that the cleaner process errors out
without even contacting the REST URL), so perhaps there's just something
totally wrong with MFA trusted devices in general.
My testbed uses the vanilla Apereo CAS overlay template with the below
modifications, including removing cas.properties in favor of cas.yml. I
have a single RegexRegisteredService with no configuration other than the
name, id, and URL. I am able to login as casuser, which triggers MFA
registration as expected, proceeds to prompt for the token, and then...
authenticates me directly to the service. The entire time, the only
occurrence of the strings 'trust' or 'Trust' in the logs are 1. CAS dumping
the configured property names at startup, 2. warnings about the encryption
keys being set (obviously doesn't occur with a production configuration),
and 3. the MFA trusted device storage cleaner firing and not finding
anything.
I'm really at the end of my rope here, and hoping someone will tell me I'm
an idiot and I've missed something obvious.
Thanks for any input,
Hayden Sartoris
*Additional modules in build.gradle:*
dependencies {
    // Other CAS dependencies/modules may be listed here...
    // JSON-file service registry (backs cas.serviceRegistry.json.location)
    compile "org.apereo.cas:cas-server-support-json-service-registry:${casServerVersion}"
    // Google Authenticator (TOTP) multifactor provider, id mfa-gauth
    compile "org.apereo.cas:cas-server-support-gauth:${casServerVersion}"
    // Redis storage for Google Authenticator accounts/tokens
    compile "org.apereo.cas:cas-server-support-gauth-redis:${casServerVersion}"
    // Core trusted-device ("remember this device") support for MFA
    compile "org.apereo.cas:cas-server-support-trusted-mfa:${casServerVersion}"
}
*CAS configuration:*
redis:
  host: redis
  port: 6379
server:
  port: 8443
  ssl:
    enabled: true
    keyStore: <...>
cas:
  serviceRegistry.json.location: "file:/etc/cas/services"
  server:
    name: https://cas02.bard.edu:8443
    prefix: ${cas.server.name}/cas
  authn:
    mfa:
      # Force every authentication through the Google Authenticator provider
      globalProviderId: mfa-gauth
      gauth:
        issuer: Bard
        label: cas02.bard.edu
        codeDigits: 6
        timeStepSize: 30
        # Let this provider offer the trusted-device ("remember me") step
        trustedDeviceEnabled: true
        redis:
          host: ${redis.host}
          port: ${redis.port}
      trusted:
        # Trusted-device registration flow and JSON-file record storage
        deviceRegistrationEnabled: true
        json.location: "file:/etc/cas/config/trusted-dev.json"
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/890e3828-829b-40a3-87e8-99b1d190d653%40apereo.org.