Updated parameters with the new naming convention, to no avail.
This is from parameter extraction from cas-server-support-shell /find 
parameter names
----------------------------------------------------------------------
Property: cas.authn.mfa.trusted.device-registration-enabled
Group: cas.authn.mfa.trusted
Default Value: true
Type: java.lang.Boolean
Summary: Indicates whether CAS should ask for device registration consent 
or execute it automatically.
Description: Indicates whether CAS should ask for device registration 
consent *or execute it automatically*.
Deprecated: no

To recap 
cas.authn.mfa.gauth. trusted.device-registration-enabled=true 
and any given MFA provider
cas.authn.mfa.yubikey.trusted-device-enabled
cas.authn.mfa.gauth.trusted-device-enabled
cas.authn.mfa.u2f.trusted-device-enabled
cas.authn.mfa.simple.trusted-device-enabled
cas.authn.mfa.trusted.deviceFingerprint.cookie.name=MFATRUSTED 

1) The cookie MFATRUSTED is populated and the 
multifactor_authentication_trust_record db table is populated *if and only 
if* the user enters a name on the last screen and does not choose skip.
    Authentication finishes irrespective of providing the name or skipping 
(expected).

2) Setting cas.authn.mfa.trusted.device-registration-enabled=false and all 
others the same:
     The cookie MFATRUSTED is *never* populated and the 
multifactor_authentication_trust_record db table is *never* populated.
     Authentication finishes (expected).

Am I misunderstanding the process here? I really think the auto 
registration was functional at least on version 5.3.x.
Does "execute it automatically" imply the behavior as in #2 above?
Is there any other way to auto-register a device (pretty much auto user 
consent)? 
Is there any parameter value I might have missed, or is this not intended to 
function as such?


Thanks.  







On Thursday, July 16, 2020 at 4:07:48 PM UTC-4 randomuser878 wrote:

> Hello
>
>    Trying to simplify the MFA flow and skip the register device. For some 
> reason a configuration might be missing somewhere. I think I have seen it 
> working as such in cas 5.3.x but it's been a while.
>
>   Generally, the user authenticates, followed by the MFA phase, then the next 
> screen is the device registration/skip. 
>   Interested in automation of the third screen to be auto registration and 
> transparent to the user.
>
>   Any of the 4 configs would give me enough leads, please: yubikey, google, 
> u2f, simple (email/sms)
>
> Unless I am mistaken, I need the below else devices are not trusted per 
> MFA desired maxAge (cookie) and timeUnit (storage) time to live.  I would 
> think there is some other parameter missing as well.
>
> cas.authn.mfa.gauth.trustedDeviceEnabled=true
>      
> cas.authn.mfa.trusted.authenticationContextAttribute=isFromTrustedMultifactorAuthentication
>   cas.authn.mfa.trusted.deviceRegistrationEnabled=true
>   cas.authn.mfa.trusted.timeUnit=DAYS
>   cas.authn.mfa.trusted.expiration=1
>   ...
>   cas.authn.mfa.trusted.deviceFingerprint.cookie.name=MFATRUSTED
> cas.authn.mfa.trusted.deviceFingerprint.cookie.domain=
> cas.authn.mfa.trusted.deviceFingerprint.cookie.path=/cas
> cas.authn.mfa.trusted.deviceFingerprint.cookie.httpOnly=true
> cas.authn.mfa.trusted.deviceFingerprint.cookie.secure=true
> # 
> cas.authn.mfa.trusted.deviceFingerprint.cookie.maxAge=14400
> cas.authn.mfa.trusted.deviceFingerprint.componentSeparator=@
> cas.authn.mfa.trusted.deviceFingerprint.cookie.enabled=true
> cas.authn.mfa.trusted.deviceFingerprint.cookie.order=1
> cas.authn.mfa.trusted.deviceFingerprint.clientIp.enabled=true
> cas.authn.mfa.trusted.deviceFingerprint.clientIp.order=2
> cas.authn.mfa.trusted.deviceFingerprint.userAgent.enabled=true
> cas.authn.mfa.trusted.deviceFingerprint.userAgent.order=3
>
>  Thanks for your help.
>   
>
