I tried all different ways to get MFA triggers to work with CAS and let the
user decide which one to use. Scenarios I tested:

Triggers:
- Groovy Per Application: only works for a single provider
- Principal Attribute: used a multi-valued attribute in LDAP, set to mfa-gauth
  and mfa-webathn, but CAS will pick one and not let the user decide
- REST: only works if it returns a single provider
- Principal Attribute Per Application: only works if it returns a single
  provider
Since those triggers weren't working to let the user decide the provider, I
decided to activate globally:
cas.authn.mfa.triggers.global.global-provider-id=mfa-gauth,mfa-web-authn
and then used bypass rules, such as Groovy, for each provider using
cas.authn.mfa.gauth.bypass.groovy.location
cas.authn.mfa.web-authn.bypass.groovy.location
boolean run(final Object... args) {
    def authentication = args[0]
    def principal = args[1]
    def service = args[2]
    def provider = args[3]
    def logger = args[4]
    def httpRequest = args[5]
    if (service.name == "myservicename") {
        logger.info("Evaluating principal attributes ${principal.attributes}")
        // guard: the attribute may be absent, which would otherwise throw a NullPointerException
        def bypass = principal.attributes['eduPersonAffiliation'] ?: []
        if (bypass.contains("staff")) {
            logger.info("Bypass for principal ${principal.id} is not allowed")
            // true: MFA for this provider should proceed (not bypassed)
            return true
        }
    }
    // false: this provider is bypassed
    return false
}
This works to allow selection if the script returns true, but if it returns
false CAS just sits at the MFA selection screen, blank, because no providers
should be used. I would assume this is a bug or misconfiguration, because if no
providers are found it should continue to log in to the application.

I don't really know what else to try or how to get multiple MFA providers
to work based on attribute and value.

Any help with this would be appreciated.
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/0749e4ee-8a91-4082-9b04-fc14c48d7f33n%40apereo.org.
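The post above runs a separate bypass script per provider, each hard-coded to one attribute value. Since CAS passes the provider itself as the fourth argument, a single script can be pointed to from both cas.authn.mfa.gauth.bypass.groovy.location and cas.authn.mfa.web-authn.bypass.groovy.location and decide per provider from a multi-valued principal attribute. The script below is an added example written for this thread; it is not code from the original post or from the CAS project. The attribute name mfaProviders and the service name myservicename are assumptions; the argument order and the true/false meaning (true = MFA for this provider proceeds, false = this provider is bypassed) follow the CAS Groovy bypass documentation.

```groovy
// Added example, not from the original post or from the CAS project.
// Intended to be referenced from BOTH
//   cas.authn.mfa.gauth.bypass.groovy.location
//   cas.authn.mfa.web-authn.bypass.groovy.location
// CAS invokes run() once per candidate provider. Returning true means
// MFA for that provider should proceed; false means it is bypassed.
boolean run(final Object... args) {
    def (authentication, principal, registeredService, provider, logger, httpRequest) = args

    // Apply attribute-driven selection only to the named application
    // (assumed name); every other service keeps the provider active.
    if (registeredService?.name != "myservicename") {
        return true
    }

    // principal.attributes is a Map<String, List<Object>>. "mfaProviders" is an
    // assumed multi-valued LDAP attribute holding provider ids such as
    // "mfa-gauth". Guard against a missing attribute so the script never throws
    // a NullPointerException, which CAS would treat as a script failure.
    def raw = principal.attributes['mfaProviders'] ?: []
    def values = (raw instanceof Collection) ? raw : [raw]
    def wanted = values.collect { it.toString().trim().toLowerCase() }

    // provider.id is the id CAS registered for this provider, e.g. "mfa-gauth".
    // The attribute values must match those ids exactly for selection to work.
    def proceed = wanted.contains(provider.id.toLowerCase())
    logger.info("Provider [{}] for principal [{}] on service [{}]: attribute {} -> {}",
        provider.id, principal.id, registeredService.name, wanted,
        proceed ? "proceed" : "bypass")
    return proceed
}
```

Two caveats a practitioner would check before deploying this: first, the values stored in the attribute must match the provider ids exactly as CAS registers them (the cas.authn.mfa.<provider>.id setting for each provider), so confirm the id CAS logs for each provider rather than guessing it; second, this script does not change the behaviour described in the post when every provider returns false, it only consolidates the per-provider decision into one place and logs why each provider was kept or bypassed, which makes that blank-selection case easier to diagnose from the CAS log.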