Hello Alexis,

Many thanks for the feedback. If you happen to see this, any chance you can share how you made these two parameters work:

cas.authn.mfa.globalPrincipalAttributeNameTriggers=memberOf
cas.authn.mfa.globalPrincipalAttributeValueRegex=something

Was the regex just the top entry, case sensitive, for cn=something, ou=... or was a full DN match in order? Any chance you used a different attribute outside MS-AD LDAP, like groupMembership, for the name trigger?

What was the value for cas.authn.mfa.globalFailureMode= OPEN, PHANTOM, CLOSED?

On individual websites, what did you have to do to ensure that if the above cas.authn.mfa.globalPrincipalAttributeNameTriggers/Regex does not match, it does not enforce the MFA request? Currently, match or no match on globalPrincipalAttributeNameTriggers/Regex, the MFA is required from the individual site.

Thanks again.

On Friday, June 12, 2020 at 9:43:02 AM UTC-4 Alexis wrote:
> Hello,
>
> I really hope you already found a solution, but if not, for my part, I did:
>
> cas.authn.mfa.globalProviderId=mfa-yubikey,mfa-gauth
>
> And it works!
>
> Regards,
>
> On Friday, 20 December 2019 at 20:30:06 UTC+1, randomuser878 wrote:
>>
>> Hello
>>
>> Using CAS 6.1.2 and compiled cas-management (master branch, thanks to Travis et al.) for fixing the attribute and pac4j compatible changes and 6.x tree.
>>
>> Trying this:
>> https://apereo.github.io/2019/05/13/cas61x-mfa-selection-strategies/
>>
>> Assigned: cas.authn.mfa.provider-selection-enabled=true
>> I also tried/set the rank value the same (i.e. 100) for mfa-google and mfa-yubikey.
>> When set up only for one MFA then I get MFA for that device.
>> When choosing two MFA values, the MFA is entirely bypassed. I never see the selection as shown in the blog article. JSON export from cas-management shown below.
>> I am certain I am missing something obvious. Any clue is greatly appreciated.
>>
>> Is this implementation mandatory for this integration:
>> cas.authn.mfa.providerSelectorGroovyScript=file:/etc/cas/mfaGroovySelector.groovy
>> If so, any clues how to proceed.
>>
>> Also did the parameter search for any additional parameter to no avail.
>>
>> gradlew runShell
>> java -jar build/libs/cas-server-support-shell-6.1.2.jar
>>
>> cas>find --name mfa.provider
>> Property: cas.authn.adaptive.risk.response.mfa-provider
>> Group: cas.authn.adaptive.risk.response
>> Default Value: [blank]
>> Type: java.lang.String
>> Summary: If an authentication attempt is deemed risky, force a multi-factor authentication event noted by the provider id here.
>> Description: If an authentication attempt is deemed risky, force a multi-factor authentication event noted by the provider id here.
>> Deprecated: no
>> ----------------------------------------------------------------------
>> Property: cas.authn.mfa.provider-selector-groovy-script
>> Group: cas.authn.mfa
>> Default Value: [blank]
>> Type: org.springframework.core.io.Resource
>> Summary: In the event that multiple multifactor authentication providers are determined for a multifactor authentication transaction, by default CAS will attempt to sort the collection of providers based on their rank and will pick one with the highest priority.
>> Description: In the event that multiple multifactor authentication providers are determined for a multifactor authentication transaction, by default CAS will attempt to sort the collection of providers based on their rank and will pick one with the highest priority. This use case may arise if multiple triggers are defined where each decides on a different multifactor authentication provider, or the same provider instance is configured multiple times with many instances. Provider selection may also be carried out using Groovy scripting strategies more dynamically. The following example should serve as an outline of how to select multifactor providers based on a Groovy script.
>> Deprecated: no
>> ----------------------------------------------------------------------
>> Property: cas.authn.mfa.provider-selection-enabled
>> Group: cas.authn.mfa
>> Default Value: false
>> Type: java.lang.Boolean
>> Summary: In the event that multiple multifactor authentication providers are determined for a multifactor authentication transaction, this setting will allow one to interactively choose a provider out of the list of available providers.
>> Description: In the event that multiple multifactor authentication providers are determined for a multifactor authentication transaction, this setting will allow one to interactively choose a provider out of the list of available providers. A trigger may be designed to support more than one provider, and rather than letting CAS auto-determine the selected provider via scripts or ranking strategies, this method puts the choice back onto the user to decide which provider makes the most sense at any given time.
>> Deprecated: no
>>
>>
>> JSON output from cas-management, changed sensitive info
>> {
>>   @class: org.apereo.cas.services.RegexRegisteredService
>>   serviceId: ^https://somewhere.and.nowhere(\\z|/.*)
>>   name: SAMPLE
>>   id: 1
>>   expirationPolicy:
>>   {
>>     @class: org.apereo.cas.services.DefaultRegisteredServiceExpirationPolicy
>>     deleteWhenExpired: false
>>     notifyWhenDeleted: false
>>     notifyWhenExpired: false
>>   }
>>   proxyPolicy:
>>   {
>>     @class: org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy
>>   }
>>   proxyTicketExpirationPolicy:
>>   {
>>     @class: org.apereo.cas.services.DefaultRegisteredServiceProxyTicketExpirationPolicy
>>     numberOfUses: 0
>>   }
>>   serviceTicketExpirationPolicy:
>>   {
>>     @class: org.apereo.cas.services.DefaultRegisteredServiceServiceTicketExpirationPolicy
>>     numberOfUses: 0
>>   }
>>   evaluationOrder: 1
>>   usernameAttributeProvider:
>>   {
>>     @class: org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider
>>     canonicalizationMode: NONE
>>     encryptUsername: false
>>   }
>>   logoutType: BACK_CHANNEL
>>   requiredHandlers:
>>   [
>>     java.util.HashSet
>>     []
>>   ]
>>   environments:
>>   [
>>     java.util.HashSet
>>     []
>>   ]
>>   attributeReleasePolicy:
>>   {
>>     @class: org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy
>>     principalAttributesRepository:
>>     {
>>       @class: org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository
>>       mergingStrategy: MULTIVALUED
>>       ignoreResolvedAttributes: false
>>     }
>>     consentPolicy:
>>     {
>>       @class: org.apereo.cas.services.consent.DefaultRegisteredServiceConsentPolicy
>>       enabled: true
>>       order: 0
>>     }
>>     authorizedToReleaseCredentialPassword: false
>>     authorizedToReleaseProxyGrantingTicket: false
>>     excludeDefaultAttributes: false
>>     authorizedToReleaseAuthenticationAttributes: true
>>     order: 0
>>     allowedAttributes:
>>     [
>>       java.util.ArrayList
>>       [
>>         mail
>>         cn
>>         groupMembership
>>       ]
>>     ]
>>   }
>>   multifactorPolicy:
>>   {
>>     @class: org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy
>>     multifactorAuthenticationProviders:
>>     [
>>       java.util.HashSet
>>       [
>>         mfa-gauth
>>         mfa-yubikey
>>       ]
>>     ]
>>     failureMode: PHANTOM (also tried with CLOSED to no avail)
>>     principalAttributeNameTrigger: groupMembership
>>     principalAttributeValueToMatch: cn=SOME_GROUP_DN
>>     bypassEnabled: false
>>     forceExecution: false
>>     bypassTrustedDeviceEnabled: false
>>   }
>>   accessStrategy:
>>   {
>>     @class: org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy
>>     order: 0
>>     enabled: true
>>     ssoEnabled: true
>>     delegatedAuthenticationPolicy:
>>     {
>>       @class: org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy
>>       allowedProviders:
>>       [
>>         java.util.ArrayList
>>         []
>>       ]
>>       permitUndefined: true
>>       exclusive: false
>>     }
>>     requireAllAttributes: true
>>     requiredAttributes:
>>     {
>>       @class: java.util.LinkedHashMap
>>     }
>>     rejectedAttributes:
>>     {
>>       @class: java.util.LinkedHashMap
>>     }
>>     caseInsensitive: false
>>   }
>>   properties:
>>   {
>>     @class: java.util.LinkedHashMap
>>   }
>>   contacts:
>>   [
>>     java.util.ArrayList
>>     []
>>   ]
>> }
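As an added illustration of the questions above about the attribute name trigger, the value regex and the failure mode (example code written for this thread, not CAS code): a small Python emulation of how a comma-separated name trigger plus a value regex is evaluated over multi-valued LDAP attributes such as groupMembership or memberOf, and of why the failure mode only matters once a trigger has fired. The principal values are constructed; whether a given CAS release applies the regex as a substring search or as a full match, and the exact OPEN/PHANTOM/CLOSED semantics, are assumptions to verify against that release's documentation.

```python
import re

# Constructed sample principal, shaped like what an LDAP attribute resolver
# returns (every attribute is multi-valued). Names and values are invented.
SAMPLE_PRINCIPAL = {
    "cn": ["Jane Doe"],
    "mail": ["jane@example.org"],
    "groupMembership": [
        "cn=SOME_GROUP_DN,ou=groups,dc=example,dc=org",
        "cn=Staff,ou=groups,dc=example,dc=org",
    ],
}


def attribute_trigger_fires(attributes, name_triggers, value_regex, full_match=False):
    """Emulate a principal-attribute MFA trigger.

    name_triggers mirrors globalPrincipalAttributeNameTriggers (comma-separated
    attribute names); value_regex mirrors globalPrincipalAttributeValueRegex.
    The trigger fires when ANY value of ANY listed attribute matches. With
    full_match=False the regex is applied as a substring search; with True it
    must cover the whole value (e.g. the full DN). Which of the two a given
    CAS release uses is an assumption; both are shown so the difference is
    visible. Matching is case sensitive unless the regex says otherwise.
    """
    pattern = re.compile(value_regex)
    names = [n.strip() for n in name_triggers.split(",") if n.strip()]
    for name in names:
        for value in attributes.get(name, []):
            matched = pattern.fullmatch(value) if full_match else pattern.search(value)
            if matched:
                return True
    return False


def mfa_outcome(trigger_fired, provider_reachable, failure_mode):
    """Outcome of the MFA step: 'mfa', 'allow', 'allow-reported',
    'allow-unreported' or 'deny'.

    The failure mode is consulted only when a trigger fired but the provider
    cannot be reached. Semantics as the example's author understands the CAS
    docs (assumption): CLOSED blocks the login, OPEN lets it proceed and
    reports the MFA failure to the service, PHANTOM proceeds silently.
    """
    if not trigger_fired:
        return "allow"  # no trigger matched: no MFA, the case asked about above
    if provider_reachable:
        return "mfa"
    modes = {"CLOSED": "deny", "OPEN": "allow-reported", "PHANTOM": "allow-unreported"}
    if failure_mode.upper() not in modes:
        raise ValueError(f"unknown failure mode: {failure_mode}")
    return modes[failure_mode.upper()]
```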
