Hello,

Using CAS 6.1.2 and compiled cas-management (master branch, thanks to Travis et al.) for fixing the attribute and pac4j compatible changes and the 6.x tree.

Trying this: https://apereo.github.io/2019/05/13/cas61x-mfa-selection-strategies/

Assigned:

    cas.authn.mfa.provider-selection-enabled=true

I also tried/set the rank value the same (i.e. 100) for mfa-google and mfa-yubikey. When set up for only one MFA, I get MFA for that device. When choosing two MFA values, the MFA is entirely bypassed. I never see the selection as shown in the blog article. JSON export from cas-management shown below. I am certain I am missing something obvious. Any clue is greatly appreciated.

Is this implementation mandatory for this integration?

    cas.authn.mfa.providerSelectorGroovyScript=file:/etc/cas/mfaGroovySelector.groovy

If so, any clues how to proceed? I also did the parameter search for any additional parameter, to no avail:

    gradlew runShell
    java -jar build/libs/cas-server-support-shell-6.1.2.jar
    cas>find --name mfa.provider

    Property: cas.authn.adaptive.risk.response.mfa-provider
    Group: cas.authn.adaptive.risk.response
    Default Value: [blank]
    Type: java.lang.String
    Summary: If an authentication attempt is deemed risky, force a multi-factor authentication event noted by the provider id here.
    Description: If an authentication attempt is deemed risky, force a multi-factor authentication event noted by the provider id here.
    Deprecated: no
    ----------------------------------------------------------------------
    Property: cas.authn.mfa.provider-selector-groovy-script
    Group: cas.authn.mfa
    Default Value: [blank]
    Type: org.springframework.core.io.Resource
    Summary: In the event that multiple multifactor authentication providers are determined for a multifactor authentication transaction, by default CAS will attempt to sort the collection of providers based on their rank and will pick one with the highest priority.
    Description: In the event that multiple multifactor authentication providers are determined for a multifactor authentication transaction, by default CAS will attempt to sort the collection of providers based on their rank and will pick one with the highest priority. This use case may arise if multiple triggers are defined where each decides on a different multifactor authentication provider, or the same provider instance is configured multiple times with many instances. Provider selection may also be carried out using Groovy scripting strategies more dynamically. The following example should serve as an outline of how to select multifactor providers based on a Groovy script.
    Deprecated: no
    ----------------------------------------------------------------------
    Property: cas.authn.mfa.provider-selection-enabled
    Group: cas.authn.mfa
    Default Value: false
    Type: java.lang.Boolean
    Summary: In the event that multiple multifactor authentication providers are determined for a multifactor authentication transaction, this setting will allow one to interactively choose a provider out of the list of available providers.
    Description: In the event that multiple multifactor authentication providers are determined for a multifactor authentication transaction, this setting will allow one to interactively choose a provider out of the list of available providers. A trigger may be designed to support more than one provider, and rather than letting CAS auto-determine the selected provider via scripts or ranking strategies, this method puts the choice back onto the user to decide which provider makes the most sense at any given time.
    Deprecated: no

JSON output from cas-management (sensitive info changed):

    {
      @class: org.apereo.cas.services.RegexRegisteredService
      serviceId: ^https://somewhere.and.nowhere(\\z|/.*)
      name: SAMPLE
      id: 1
      expirationPolicy: {
        @class: org.apereo.cas.services.DefaultRegisteredServiceExpirationPolicy
        deleteWhenExpired: false
        notifyWhenDeleted: false
        notifyWhenExpired: false
      }
      proxyPolicy: {
        @class: org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy
      }
      proxyTicketExpirationPolicy: {
        @class: org.apereo.cas.services.DefaultRegisteredServiceProxyTicketExpirationPolicy
        numberOfUses: 0
      }
      serviceTicketExpirationPolicy: {
        @class: org.apereo.cas.services.DefaultRegisteredServiceServiceTicketExpirationPolicy
        numberOfUses: 0
      }
      evaluationOrder: 1
      usernameAttributeProvider: {
        @class: org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider
        canonicalizationMode: NONE
        encryptUsername: false
      }
      logoutType: BACK_CHANNEL
      requiredHandlers: [ java.util.HashSet [] ]
      environments: [ java.util.HashSet [] ]
      attributeReleasePolicy: {
        @class: org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy
        principalAttributesRepository: {
          @class: org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository
          mergingStrategy: MULTIVALUED
          ignoreResolvedAttributes: false
        }
        consentPolicy: {
          @class: org.apereo.cas.services.consent.DefaultRegisteredServiceConsentPolicy
          enabled: true
          order: 0
        }
        authorizedToReleaseCredentialPassword: false
        authorizedToReleaseProxyGrantingTicket: false
        excludeDefaultAttributes: false
        authorizedToReleaseAuthenticationAttributes: true
        order: 0
        allowedAttributes: [ java.util.ArrayList [ mail cn groupMembership ] ]
      }
      multifactorPolicy: {
        @class: org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy
        multifactorAuthenticationProviders: [ java.util.HashSet [ mfa-gauth mfa-yubikey ] ]
        failureMode: PHANTOM   (also tried with CLOSED to no avail)
        principalAttributeNameTrigger: groupMembership
        principalAttributeValueToMatch: cn=SOME_GROUP_DN
        bypassEnabled: false
        forceExecution: false
        bypassTrustedDeviceEnabled: false
      }
      accessStrategy: {
        @class: org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy
        order: 0
        enabled: true
        ssoEnabled: true
        delegatedAuthenticationPolicy: {
          @class: org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy
          allowedProviders: [ java.util.ArrayList [] ]
          permitUndefined: true
          exclusive: false
        }
        requireAllAttributes: true
        requiredAttributes: { @class: java.util.LinkedHashMap }
        rejectedAttributes: { @class: java.util.LinkedHashMap }
        caseInsensitive: false
      }
      properties: { @class: java.util.LinkedHashMap }
      contacts: [ java.util.ArrayList [] ]
    }

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/8c8e359b-a55c-474a-99a0-f9b4cb37a0e6%40apereo.org.
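The two properties quoted in the post are alternatives: provider-selection-enabled hands the choice to the user, while provider-selector-groovy-script lets the server pick. As an added example (not the poster's code and not shipped by CAS), here is a selector of the kind that property points to. The argument order (service, principal, candidate providers, logger) and the returned provider id follow the outline in the CAS documentation for this property and should be checked against the 6.1.x docs; the mfaDevices attribute and the use of getId()/getOrder() on the provider objects are assumptions.

```groovy
import java.util.*

// Added example of a CAS MFA provider selector script (not from the original post).
// Assumed contract (verify against the CAS 6.1.x docs for provider-selector-groovy-script):
//   args[0] = registered service, args[1] = principal,
//   args[2] = collection of candidate MultifactorAuthenticationProvider objects,
//   args[3] = logger; the script returns the id of the provider CAS should use.
class SampleGroovyProviderSelection {
    String run(final Object... args) {
        def service = args[0]
        def principal = args[1]
        def providers = args[2]
        def logger = args[3]

        // Only ever return an id that is in the candidate set resolved by the
        // service policy (mfa-gauth / mfa-yubikey in the posted service definition).
        def candidateIds = providers.collect { it.id }
        logger.debug("Selecting MFA provider for [{}] from {}", principal.id, candidateIds)

        // Assumed attribute: a multi-valued principal attribute listing the devices
        // the user has enrolled, e.g. mfaDevices = ["yubikey"]. Prefer the hardware
        // token when the user has one, otherwise fall back to the TOTP provider.
        def devices = principal.attributes.get("mfaDevices") ?: []
        if (devices.contains("yubikey") && candidateIds.contains("mfa-yubikey")) {
            return "mfa-yubikey"
        }
        if (candidateIds.contains("mfa-gauth")) {
            return "mfa-gauth"
        }

        // Last resort: pick by rank the way the default selector does. Rank maps to
        // the provider's order value (assumption: confirm the sort direction against
        // RankedMultifactorAuthenticationProviderSelector in the installed version).
        def best = providers.max { it.order }
        logger.debug("Falling back to highest-ranked provider [{}]", best.id)
        return best.id
    }
}
```

Because the script decides without user interaction, a provider the user is not enrolled in can still be selected; the service policy's failureMode then governs whether access is refused or the factor is skipped, which is worth checking when testing a two-provider setup like the one posted.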
