This works fine when only one provider is defined, but when you have
multiple like [ "mfa-gauth", "mfa-webauthn" ] it doesn't trigger; changing
to either [ "mfa-gauth" ] or [ "mfa-webauthn" ] triggers it. Are MFA
triggers only allowed to return one provider? It works with multiple
providers when no trigger is set, so is this a bug?
On Wednesday, March 2, 2022 at 11:17:24 AM UTC-6 John wrote:
> With debug on I can see it being skipped?? Of course I have attributes
> defined and WANT it to trigger, and the attributes/values match and it still
> says it's skipping.
>
> DEBUG [org.apereo.cas.authentication.DefaultMultifactorAuthenticationProviderResolver] - <Locating attribute value for attribute(s): [[eduPersonAffiliation]].>
> DEBUG [org.apereo.cas.authentication.DefaultMultifactorAuthenticationProviderResolver] - <Located attribute value [[staff]] for [[eduPersonAffiliation]]>
> DEBUG [org.apereo.cas.authentication.MultifactorAuthenticationUtils] - <Attribute value [staff] is a single-valued attribute>
> ....
> ....
> DEBUG [org.apereo.cas.authentication.mfa.trigger.RegisteredServiceMultifactorAuthenticationTrigger] - <Authentication policy for [^(http|https)://changed.name.com.*] has defined principal attribute triggers. Skipping...>
>
> On Wednesday, March 2, 2022 at 9:19:51 AM UTC-6 John wrote:
>
>> I have added the "Principal Attribute Per Application" MFA setting, CAS
>> 6.4.6, and MFA never triggers; if I remove the
>> principalAttributeNameTrigger and principalAttributeValueToMatch it works
>> just fine. I can see in the console and logs that the attribute values are
>> retrieved from LDAP, and it still doesn't trigger. See below: the attribute
>> eduPersonAffiliation=staff, but it doesn't trigger. Does anything else need to be set
>> to get it working?
>>
>> console log:
>>
>> multifactorPolicy=DefaultRegisteredServiceMultifactorPolicy(multifactorAuthenticationProviders=[mfa-gauth, mfa-webauthn], failureMode=UNDEFINED,
>> principalAttributeNameTrigger=eduPersonAffiliation,
>> principalAttributeValueToMatch=staff, bypassEnabled=false,
>> forceExecution=true, bypassTrustedDeviceEnabled=false,
>> bypassPrincipalAttributeName=null, bypassPrincipalAttributeValue=null,
>> script=null)
>>
>> audit log:
>>
>> "attributes\":{\"cn\":[\"changed name\"],\"displayName\":[\"changed name\"],\"eduPersonAffiliation\":[\"staff\"],
>>
>> service:
>>
>> "multifactorPolicy" : {
>>   "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
>>   "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-gauth", "mfa-webauthn" ] ],
>>   "principalAttributeNameTrigger" : "eduPersonAffiliation",
>>   "principalAttributeValueToMatch" : "staff"
>> },
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/91716223-5575-4cc5-b394-0525ef0f0e5dn%40apereo.org.
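As an added worked example for this thread (not CAS's own code): a small Python model of how the per-application multifactor policy quoted above would be expected to evaluate for a given principal. It assumes the trigger and bypass values are regular expressions matched against each value of a possibly multi-valued attribute, and that a trigger match enforces every configured provider.

```python
import json
import re

# Constructed excerpt of the registered-service JSON shown in the thread; CAS service
# files carry Jackson type hints such as ["java.util.LinkedHashSet", [...]].
SERVICE_JSON = """{
  "multifactorPolicy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
    "multifactorAuthenticationProviders": ["java.util.LinkedHashSet", ["mfa-gauth", "mfa-webauthn"]],
    "principalAttributeNameTrigger": "eduPersonAffiliation",
    "principalAttributeValueToMatch": "staff"
  }
}"""

def load_service():
    """Parse the constructed service definition above."""
    return json.loads(SERVICE_JSON)

def unwrap(value):
    """Strip a Jackson type hint like ["java.util.LinkedHashSet", [...]] from a collection."""
    if isinstance(value, list) and len(value) == 2 and str(value[0]).startswith("java."):
        return value[1]
    return value

def attribute_values(attrs, name):
    """Return an attribute as a list; principal attributes may be single- or multi-valued."""
    value = attrs.get(name)
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple, set)) else [value]

def matches(pattern, attrs, name):
    """Model assumption: the configured value is a regex that must match a whole attribute value."""
    return any(re.fullmatch(pattern, str(v)) for v in attribute_values(attrs, name))

def resolve_providers(service, attrs):
    """Providers the policy enforces; model assumption: a trigger match enforces every configured provider."""
    policy = service["multifactorPolicy"]
    providers = list(unwrap(policy.get("multifactorAuthenticationProviders", [])))
    bypass_name = policy.get("bypassPrincipalAttributeName")
    bypass_value = policy.get("bypassPrincipalAttributeValue")
    if bypass_name and bypass_value and matches(bypass_value, attrs, bypass_name):
        return []  # principal is explicitly exempted from MFA for this service
    trigger_name = policy.get("principalAttributeNameTrigger")
    if not trigger_name:
        return providers  # no attribute trigger: every listed provider applies
    pattern = policy.get("principalAttributeValueToMatch") or ""
    return providers if matches(pattern, attrs, trigger_name) else []
```

With the thread's attributes (eduPersonAffiliation=staff) this model returns both providers, which is the behaviour the poster expected; comparing that against the "Skipping..." debug line above is a quick way to confirm the mismatch is in the trigger resolution rather than in attribute release.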