I have added the "Principal Attribute Per Application" MFA setting, CAS
6.4.6, and MFA never triggers. If I remove the
principalAttributeNameTrigger and principalAttributeValueToMatch, it works
just fine. I can see in the console and logs that the attribute values are
retrieved from LDAP, and it still doesn't trigger. See below: the attribute
eduPersonAffiliation=staff, but it doesn't trigger. Does anything else need to be set
to get it working?

console log:

multifactorPolicy=DefaultRegisteredServiceMultifactorPolicy(multifactorAuthenticationProviders=[mfa-gauth, mfa-webauthn],
failureMode=UNDEFINED, 
principalAttributeNameTrigger=eduPersonAffiliation, 
principalAttributeValueToMatch=staff, bypassEnabled=false, 
forceExecution=true, bypassTrustedDeviceEnabled=false, 
bypassPrincipalAttributeName=null, bypassPrincipalAttributeValue=null, 
script=null)

audit log:

"attributes\":{\"cn\":[\"changed name\"],\"displayName\":[\"changed name\"],\"eduPersonAffiliation\":[\"staff\"],

service:

  "multifactorPolicy":
  {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
    "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-gauth", "mfa-webauthn"] ],
    "principalAttributeNameTrigger" : "eduPersonAffiliation",
    "principalAttributeValueToMatch" : "staff",
  },
  
