Andrew,
This logger will tell you what attributes are found:
<!-- DEBUG Found principal attributes [...] for [username]
Attribute policy [???] allows release of [...] for [username]
Final collection of attributes allowed are: [...] -->
<AsyncLogger
name="org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy"
level="debug"/>
Ray
P.S. It may be that Spring is doing some extra processing of the properties. I
will have to test this.
On Tue, 2021-02-02 at 14:17 -0800, Andrew Marker wrote:
Thanks Ray.
It seems as though some (at least) have overrides in place for the use of
either. That would be super confusing if some have overrides and others do not.
For example: These both work in 6.2.7 and in 6.3.
* cas.theme.defaultThemeName
* cas.theme.default-theme-name
* cas.authn.mfa.globalProviderId
* cas.authn.mfa.global-provider-id
So far I'm not having luck with either when it comes to the following, or my
regex is not valid in the context of this property. It's strictly in my case a
multi-value attribute, however assuming it was a string, I am hoping my initial
regex would work in the context of a string or string array "under the covers".
* cas.authn.mfa.globalPrincipalAttributeNameTriggers
* cas.authn.mfa.globalPrincipalAttributeValueRegex
I imagine this is working for others? In pre-production, I can experiment with
service by service, but there are many rules in production and I guess that
would strictly still work.
Again I am grateful for the guidance you've elected to provide.
On Tuesday, February 2, 2021 at 1:55:15 PM UTC-6 Ray Bon wrote:
Andrew,
The 6.x series of cas properties should be camelCase (the docs have not been
updated).
Ray
On Tue, 2021-02-02 at 11:34 -0800, Andrew Marker wrote:
Hey,
I'm moving from 5.3.x to 6.2.7 and I'm stymied in my progress by something I
hope is obvious. Since it is happening in both 6.2.7 and 6.3.0, I'm hoping it
is just misconfiguration on my part and I'm hoping to get some guidance.
Below are the relevant configurations ported from v5.3. Most notably I had to
convert all these properties from camelCase to hyphenated-lowercase. The issue
is that it does not seem to respect the trigger attributes as 5.3 does. My
assumption is that only folk in a group called multifactor-authentication will
be prompted for DUO.
If I enable global MFA, by setting the provider id, all requests including
delegate auth are transitioned to the Duo workflow: they either are asked to
set up MFA on a phone, or it just fails (delegate without enough info).
Currently I only have one MFA provider.
# Duo Security
cas.authn.mfa.duo[0].id=mfa-duo
cas.authn.mfa.duo[0].rank=0
cas.authn.mfa.duo[0].name=Duo Security
cas.authn.mfa.duo[0].duo-secret-key=myFirstSupaSekritKey
cas.authn.mfa.duo[0].duo-application-key=mySecondSupaSekritKey
cas.authn.mfa.duo[0].duo-integration-key=myTirdSupaSekritKey
cas.authn.mfa.duo[0].duo-api-host=api-8675309.duosecurity.com
#Global MFA
cas.authn.mfa.request-parameter=authn_method
cas.authn.mfa.global-provider-id=mfa-duo
cas.authn.mfa.global-failure-mode=OPEN
cas.authn.mfa.global-principal-attribute-name-triggers=isMemberOf
cas.authn.mfa.global-principal-attribute-value-regex=.*cn=multifactor-authentication.*
--
Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | [email protected]
I respectfully acknowledge that my place of work is located within the
ancestral, traditional and unceded territory of the Songhees, Esquimalt and
WSÁNEĆ Nations.
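
Added example (not part of the thread and not CAS code): a small Python reference model of what the posted trigger settings are expected to do, for comparison with the DEBUG attribute output from the logger in the latest reply. It assumes camelCase and hyphenated keys name the same property and that each attribute value is tested on its own against the whole regex; the group DNs and helper names are constructed for illustration.

```python
import re

# Constructed input: the two trigger settings from the post, hyphenated form.
SAMPLE_PROPS = """\
cas.authn.mfa.global-principal-attribute-name-triggers=isMemberOf
cas.authn.mfa.global-principal-attribute-value-regex=.*cn=multifactor-authentication.*
"""
NAMES_KEY = "cas.authn.mfa.globalPrincipalAttributeNameTriggers"
REGEX_KEY = "cas.authn.mfa.globalPrincipalAttributeValueRegex"

def canonical(key):
    # Assumption: camelCase and hyphenated spellings name the same property.
    return key.replace("-", "").lower()

def load_props(text):
    # Parse key=value lines, skipping blanks and # comments.
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[canonical(key.strip())] = value.strip()
    return props

def expected_triggers(props, attributes):
    # Return the (attribute, value) pairs that should trigger MFA.
    # Assumption: each value is matched individually; a str is a one-item list.
    names = props.get(canonical(NAMES_KEY), "")
    regex = props.get(canonical(REGEX_KEY), "")
    if not names or not regex:
        return []
    pattern = re.compile(regex)
    hits = []
    for name in (n.strip() for n in names.split(",")):
        values = attributes.get(name, [])
        values = [values] if isinstance(values, str) else values
        hits += [(name, v) for v in values if pattern.fullmatch(v)]
    return hits

# Constructed principals with hypothetical group DNs.
MFA_DN = "cn=multifactor-authentication,ou=groups,dc=example,dc=org"
STAFF_DN = "cn=staff,ou=groups,dc=example,dc=org"
IN_GROUP = {"isMemberOf": [STAFF_DN, MFA_DN]}
NOT_IN_GROUP = {"isMemberOf": [STAFF_DN]}
OTHER_NAME = {"memberOf": [STAFF_DN, MFA_DN]}  # attribute resolved under another name

if __name__ == "__main__":
    props = load_props(SAMPLE_PROPS)
    for label, attrs in (("in", IN_GROUP), ("out", NOT_IN_GROUP), ("other", OTHER_NAME)):
        print(label, expected_triggers(props, attrs))
```

If the DEBUG log shows the attribute under a different name than the one configured in the name-triggers property, the model returns no match, as in the `OTHER_NAME` case.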