Hello.

We are having trouble actually triggering MFA authentication with a Groovy trigger script, despite the trigger script running (and logging what it's doing) seemingly just fine.

We authenticate from LDAP and also support SPNEGO authentication, and then trigger MFA with a Groovy trigger if SPNEGO isn't in use. The Groovy script runs and does what it's supposed to do and then returns what it's (apparently) supposed to return, but the MFA process does not trigger after that regardless.

If we activate MFA globally based on a principal attribute instead of a Groovy trigger, then MFA works as it should. If we try to do it with the Groovy script it won't activate. Would any of you have any idea what we're doing wrong?

Here's the MFA configuration in cas.properties:
##
#DUO MFA provider
cas.authn.mfa.duo[0].duoSecretKey=[redacted]
cas.authn.mfa.duo[0].rank=1
cas.authn.mfa.duo[0].duoApplicationKey=[redacted]
cas.authn.mfa.duo[0].duoIntegrationKey=[redacted]
cas.authn.mfa.duo[0].duoApiHost=[redacted]
cas.authn.mfa.duo[0].trustedDeviceEnabled=false
cas.authn.mfa.duo[0].id=mfa-duo
cas.authn.mfa.duo[0].registrationUrl=https://[redacted]
cas.authn.mfa.duo[0].name=Login (CAS)
cas.authn.mfa.duo[0].order=1

cas.authn.mfa.groovyScript=file:/etc/cas/mfaGroovyTrigger.groovy
cas.authn.mfa.provider-selection-enabled=true

#cas.authn.mfa.globalPrincipalAttributeNameTriggers=LGUserType,Company,CostCenter
#cas.authn.mfa.globalPrincipalAttributeValueRegex=23K65.*
#cas.authn.mfa.globalPrincipalAttributeValueRegex=donotmatch

(The commented-out lines are the tests with the principal attribute; those work.)

This is the Groovy trigger script:

import java.util.*

class MFACustomTrigger {
    // CAS calls run() with: service, registeredService, authentication, httpRequest, logger.
    // It must return the id of the MFA provider to activate (here "mfa-duo") or null to skip MFA.
    String run(final Object... args) {
        def service = args[0]
        def registeredService = args[1]
        def authentication = args[2]
        def httpRequest = args[3]
        def logger = args[4]

        logger.info("Evaluating authentication attributes [{}]", authentication.attributes)
        logger.info("Evaluating principal attributes [{}]", authentication.principal.attributes)

        // Attribute values are lists and either attribute may be missing entirely,
        // so fall back to an empty list instead of calling methods on null.
        // Attribute names must match the released attribute name exactly.
        def credentialTypes = authentication.attributes['credentialType'] ?: []
        def cc = authentication.principal.attributes['costCenter'] ?: []

        if (credentialTypes.contains('SpnegoCredential')) {
            logger.info("Spnego active, bypassing MFA [{}]", credentialTypes)
            return null
        }

        // A 'return' inside cc.each { } only leaves the closure, not run(); each()
        // then hands back the list itself, which is not a provider id, so CAS never
        // triggers MFA. any() evaluates the match and lets run() return the real value.
        if (cc.any { it.toString().matches('23K65.+') }) {
            logger.info("CostCenter TIHA [{}]", cc)
            logger.info("Activating MFA for this authentication session")
            return "mfa-duo"
        }

        logger.info("CostCenter something else [{}]", cc)
        return null
    }
}

Good ideas, suggestions, general advice and pointers to best practices are more than welcome.
Thank you in advance.
BR,
Otto Myyrä

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/04b42a96-1253-470f-adaa-ba4e1d936276n%40apereo.org.
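Added example (not code from the original post or from the CAS project): a stand-alone Groovy harness that runs two trigger variants, with the argument order the post uses (service, registeredService, authentication, httpRequest, logger), against constructed inputs so you can see what run() actually hands back to CAS before deploying the script. The StubLogger class, the map-based auth() stand-ins for CAS's Authentication and Principal objects, the class names and the sample attribute values are all assumptions made for this harness; the only thing CAS cares about is that run() returns a provider id String or null. Save it as any .groovy file and run it with the groovy command.

```groovy
// Added example, not code from the original post or from the CAS project.
// A stand-alone harness that feeds constructed CAS-like arguments to two
// variants of the trigger and prints what run() actually hands back to CAS.
// Only a String provider id ("mfa-duo") or null means anything to CAS.

// Stand-in for the slf4j logger CAS passes as args[4] ({} placeholders).
class StubLogger {
    void info(String msg, Object... args) {
        def out = new StringBuilder()
        def rest = msg
        args.each { a ->
            int at = rest.indexOf('{}')
            if (at < 0) return            // 'return' in each{} only skips this element
            out << rest.substring(0, at) << "${a}"
            rest = rest.substring(at + 2)
        }
        println "INFO  ${out}${rest}"
    }
}

// Variant 1: the shape from the post. The 'return' statements sit inside each{},
// so they only end the closure for one element; each() returns the collection,
// and that (coerced to a String such as [23K65001]) becomes run()'s result.
class TriggerReturnInsideEach {
    String run(Object... args) {
        def logger = args[4]
        def cc = args[2].principal.attributes['costCenter']
        cc.each {
            if (it.matches('23K65.+')) {
                logger.info("Activating MFA for this authentication session")
                return "mfa-duo"
            } else {
                return null
            }
        }
    }
}

// Variant 2: any{} yields a boolean, run() returns from its own body, and
// missing attributes default to empty lists instead of null.
class TriggerWithAny {
    String run(Object... args) {
        def authentication = args[2]
        def logger = args[4]
        def credentialTypes = authentication.attributes['credentialType'] ?: []
        def cc = authentication.principal.attributes['costCenter'] ?: []
        if (credentialTypes.contains('SpnegoCredential')) {
            logger.info("Spnego active, bypassing MFA [{}]", credentialTypes)
            return null
        }
        def id = cc.any { it.toString().matches('23K65.+') } ? 'mfa-duo' : null
        logger.info("CostCenter [{}] -> provider [{}]", cc, id)
        return id
    }
}

// Map-based stand-in for CAS's Authentication -> Principal -> attributes
// (constructed test data; the real objects expose the same property names).
def auth(List credentialTypes, List costCenters) {
    [attributes: [credentialType: credentialTypes],
     principal : [attributes: [costCenter: costCenters]]]
}

// Run a trigger the way CAS would and describe the outcome, including failures.
def outcome(Object trigger, Map authentication, StubLogger logger) {
    try {
        def r = trigger.run(null, null, authentication, null, logger)
        return "returned " + (r == null ? 'null' : r.inspect())
    } catch (Exception e) {
        return "threw " + e.class.simpleName
    }
}

def logger = new StubLogger()
def cases = [
    'password login, matching cost center' : auth(['UsernamePasswordCredential'], ['23K65001']),
    'password login, other cost center'    : auth(['UsernamePasswordCredential'], ['99A00001']),
    'SPNEGO login, matching cost center'   : auth(['SpnegoCredential'], ['23K65001']),
    'password login, no costCenter at all' : auth(['UsernamePasswordCredential'], null),
]

[new TriggerReturnInsideEach(), new TriggerWithAny()].each { trigger ->
    println "== ${trigger.class.simpleName}"
    cases.each { name, authentication ->
        println "   ${name.padRight(40)} -> ${outcome(trigger, authentication, logger)}"
    }
}

// The property that matters to CAS: the any{} variant returns the provider id
// for a matching cost center, the return-inside-each shape never does.
def matching = cases['password login, matching cost center']
assert new TriggerWithAny().run(null, null, matching, null, logger) == 'mfa-duo'
assert new TriggerReturnInsideEach().run(null, null, matching, null, logger) != 'mfa-duo'
```

For the first variant the harness prints the "Activating MFA" log line and then reports a returned value that is not a provider id, which is exactly the symptom of a script that logs what it is doing while MFA never starts. Checking the return value this way, outside CAS, is faster than reading CAS logs after every edit of the script.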
