Here is my understanding of using MFA:

scenario 1: Disable MFA globally, and enable it at the service level
a. configure in cas.properties
Nothing.

b. Enable 2FA at the service level
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://demo1.mydomain.(com|com/.*)$",
  "name" : "demo1",
  "id" : 20001107,
  "description" : "2FA demo site",
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
  },
  "multifactorPolicy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
    "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-gauth" ] ]
  },
  "evaluationOrder" : 1107
}

scenario 2: Enable MFA globally, and disable it for a few services
a. Enable MFA globally
cas.authn.mfa.global-provider-id=mfa-gauth

b. Disable 2FA at the service level
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://demo1.mydomain.(com|com/.*)$",
  "name" : "demo1",
  "id" : 20001107,
  "description" : "2FA demo site",
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
  },
  "multifactorPolicy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
    "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-gauth" ] ],
    "bypassEnabled" : "true"
  },
  "evaluationOrder" : 1107
}

scenario 3: Bypass MFA by client IP
configure in cas.properties
cas.authn.mfa.gauth.bypass.http-request-remote-address=192.168.1.3
Note: this is a configuration item of gauth; it takes effect only when mfa-gauth is selected.


scenario 4: Complex situation
For some complex usage, we can only use a groovy script to achieve our goal.
a. configure in cas.properties
cas.authn.mfa.groovyScript=file:/opt/castest/mfaGroovyTrigger.groovy

cat /opt/castest/mfaGroovyTrigger.groovy
import java.util.*

class SampleGroovyEventResolver {
    def String run(final Object[] args) {
        // Arguments are passed by CAS in this order.
        def service = args[0]
        def registeredService = args[1]
        def authentication = args[2]
        def httpRequest = args[3]
        def logger = args[4]

        def service_id = service.id
        logger.info("MFA: service id {}", service_id)

        // demo1: always require 2FA.
        if (service_id.startsWith("https://demo1.mydomain.com/sso")) {
            logger.info("MFA: demo1")
            return "mfa-gauth"
        }

        // demo2: require 2FA only for this client IP.
        if (service_id.startsWith("https://demo2.mydomain.com")) {
            logger.info("MFA: demo2")
            def clientIP = httpRequest.getRemoteAddr()
            logger.info("MFA: clientIP is: {}", clientIP)
            if (clientIP == "192.168.100.108") {
                logger.info("MFA: {} needs 2FA", clientIP)
                return "mfa-gauth"
            }
        }

        // Returning null means no MFA provider is triggered.
        logger.info("MFA: Default, No 2FA! ")
        return null
    }
}

b. No special configuration is needed at the service level;
delete multifactorPolicy from the service configuration.



Note: we need to disable the other configuration items:
#cas.authn.mfa.global-provider-id=mfa-gauth
#cas.authn.mfa.gauth.bypass.http-request-remote-address=192.168.1.3

You received this message because you are subscribed to the Google Groups "CAS Community" group.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/adcb7a2c-ff0c-4025-84e9-ceac8949bbc4n%40apereo.org.
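A more defensive variant of the scenario 4 trigger, added here as an example and not part of the original post or of CAS itself: it fails closed (mfa-gauth is the default and exemptions are explicit), matches the client address against a CIDR block instead of one fixed IP, and tolerates a missing service or request. The exempt service prefix and the trusted network are assumed values; the argument order and the logger follow the script above.

```groovy
import java.util.*

class SampleGroovyEventResolver {
    // Assumed policy data for this example: services allowed to skip MFA and
    // the internal network whose clients may skip it.
    static final List<String> MFA_EXEMPT_PREFIXES = ["https://demo3.mydomain.com/"]
    static final List<String> TRUSTED_NETWORKS = ["192.168.100.0/24"]

    def String run(final Object... args) {
        def service = args[0]
        def registeredService = args[1]
        def httpRequest = args[3]
        def logger = args[4]
        // Fail closed: a missing service or request gets MFA instead of silently skipping it.
        if (service == null || registeredService == null || httpRequest == null) {
            logger.warn("MFA: service or request missing, requiring mfa-gauth")
            return "mfa-gauth"
        }
        def serviceId = service.id as String
        // getRemoteAddr() is the TCP peer (behind a reverse proxy, the proxy itself), so a network exemption only makes sense when CAS sees the client directly.
        def clientIp = httpRequest.getRemoteAddr()
        logger.info("MFA: service {} ({}) from {}", serviceId, registeredService.name, clientIp)
        if (MFA_EXEMPT_PREFIXES.any { serviceId.startsWith(it) }) {
            logger.info("MFA: {} is exempt by policy", serviceId)
            return null
        }
        if (TRUSTED_NETWORKS.any { ipv4InCidr(clientIp, it) }) {
            logger.info("MFA: {} is on a trusted network, no 2FA", clientIp)
            return null
        }
        logger.info("MFA: default, requiring mfa-gauth")
        return "mfa-gauth"
    }

    // True when the dotted-quad ip lies inside the IPv4 CIDR block; malformed input never matches.
    static boolean ipv4InCidr(String ip, String cidr) {
        def (String net, String bits) = cidr.tokenize('/')
        long ipNum = ipv4ToLong(ip), netNum = ipv4ToLong(net)
        if (ipNum < 0 || netNum < 0 || !bits?.isInteger() || !(bits.toInteger() in 0..32)) return false
        long mask = (0xFFFFFFFFL << (32 - bits.toInteger())) & 0xFFFFFFFFL
        return (ipNum & mask) == (netNum & mask)
    }

    // Packs an IPv4 string into a long, or returns -1 when it is not four octets in 0..255.
    static long ipv4ToLong(String ip) {
        def octets = ip?.tokenize('.')?.collect { it.isInteger() ? it.toInteger() : -1 }
        if (octets?.size() != 4 || octets.any { it < 0 || it > 255 }) return -1L
        return octets.inject(0L) { acc, o -> (acc << 8) | o }
    }
}
```

As in scenario 4, the file is referenced from cas.authn.mfa.groovyScript and the service definitions carry no multifactorPolicy.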