Although I couldn't find it in the docs, maybe a typo, it does work as intended, the config key cas.authn.mfa.gauth.core.multiple-device-registration-enabled = false;
You might be better using the https://apereo.github.io/cas/6.6.x/webflow/Webflow-Customization-Interrupt-Groovy.html option as it executes farther down the chain. Your use case reminds me of something similar we run except in the groovy mfa script for trusted devices, i.e once they have a registered device the registration is no longer available, if device is "trusted" by user and in ip subnet mfa is bypassed as well. I actually believe we went down the road because I think with groovy mfa, even if device is trusted, it still would prompt for mfa selection. I cannot remember at the moment though. this should get you closer, the first param in the groovy script is 'webflow' , import org.springframework.webflow.* context = webflow.execution.RequestContext On Tuesday, September 12, 2023 at 10:34:25 AM UTC-5 [email protected] wrote: > Hi, > > Thanks for your answer. I had read those articles already, but they didn't > help a lot or maybe I am trying to do something too crazy. > > I am still not able to get the 'mfa-gauth' state in the 'login' webflow in > spite of seeing it in the logs and the webflow output endpoint. > > I did some cleaning and tidying to get a more readable output from the > logs. > > <Exiting state 'realSubmit'> > <Entering state 'mfa-gauth' of flow 'login'> > > No problem to add actions to 'realSubmit' state, using something very > alike to " > https://apereo.github.io/cas/6.5.x/webflow/Webflow-Customization-Extensions.html > " > > Are they some restrictions on what can be accessed with the groovy webflow > extensions ? > > In the same way, I still don't understand how to get a reference to the > mfa-provider. I had a look at > "core/cas-server-core-web-api/src/main/java/org/apereo/cas/web/support/WebUtils.java" > > and it seems " getMultifactorAuthenticationProviderById" should be userful, > but I don't knwo what to use as 'context' when trying to call it from the > groovy script. > > I will have a closer look to your class, especially try to understant how > to use it. > > Regards > > > Le 06-Sep-2023 19:02:50 +0200, [email protected] a écrit: > > These should help > https://fawnoos.com/2021/08/20/cas64-webflow-extensions/ > https://fawnoos.com/2022/04/21/cas66-webflow-groovy-actions/ > > I have a helper class that can print out the flow > https://gist.github.com/rbonatuvic/d3ef9e8dc0c5a78870a8520bc2ab2b74 > > Ray > > On Wed, 2023-09-06 at 14:46 +0200, spfma.tech via CAS Community wrote: > > Notice: This message was sent from outside the University of Victoria > email system. Please be cautious with links and sensitive information. > > Hi, > > I spent some time studying your script and I think I will follow this way. > But I am having hard times gathering informations to write the script I > need. > > Here is what I am trying to do : now 'mfa-gauth' is working, I would like > to "harden" it a little bit, as I think the authenticator registration > procedure is too open by default (someone who managed to steal a password > can register his own if he is faster than the account owner. So unsecure > access should not be possible if no device has been registered in a safer > way before). > > I would like to alter the webflow in order to display a warning message if > the user has not registered at least one authenticator already and is not > coming from a trusted network, then move to a failed state. > > I have spent a lot of time studying logfiles to understand how states and > transitions are interacting, and I think I have to either modify > "mfa-gauth" state in "login" webflow, or the "mfa-gauth" weblow iself as it > is called as a subflow. > > But I have no idea how to address another flow that "login", if and how I > can query 'mfa-gauth' backend to check if there are some registered > authenticators, or how to display and extra views. > > Do you know where I could find informations and clues about this ? In fact > I don't even know what namespaces are available in the script. > > Regards > > > > Le 25-Jul-2023 16:15:39 +0200, [email protected] a écrit: > > Maybe Misagh could put in his thoughts on this, but I would argue the > opposite is more true in fact, having custom java code and having to > register, etc.. rely's on way MORE base code in cas then the groovy > methods. If you take a look at the way groovy scripts are written in cas it > is mainly a simple execute groovy method passing the parameters and just > reading the results. That code itself doesn't change much, we had thousands > of lines of custom java code before the 6.x days, for all kinds of things. > Now we maintain 2 individual java class files and working to get those > changes pushed into cas, just need to write the test cases and scenarios. > > One of the benefits to using groovy is the no compile time, they don't > need to be compiled with your overlay! most if not all groovy scripts are > reloaded on demand, when changed and take affect immediately with no > restarts which makes a huge difference. > > Not sure why the other posters simple-mfa wouldnt work but works no > problem for us, it could be the trigger type being used, there is the > cas.authn.mfa.core.provider-selector-groovy-script and what we use, > cas.authn.mfa.groovy-script and we have some vendors/external services that > use database auth and mfa is fine, we also use surrogate and in our groovy > we have parts written to either bypass/force for surrogate situations. > > We have been using CAS since the 3.x days and when groovy webflow came > along, it was a blessing!! It is soooo much easier to maintain then custom > java code. See the attached, this is one of about 4 different flow > modifiers, using the "properties" in a service definition, we utilize this > flow to inject custom post fields for services that require a POST response > instead of REDIRECT. > > I think, in my opinion, groovy is way more sustainable to maintain then > the other. > > Thanks, > John > > On Tuesday, July 25, 2023 at 7:18:07 AM UTC-5 [email protected] wrote: > > Hi, > Thanks for your reply. > From what I have read in the recommendations in the docs, scripting is ok > but coding is better and more sustainable (build time vs run time I guess). > So I am trying to understand how to implement something like what is > described here : > https://apereo.github.io/cas/6.6.x/mfa/Configuring-Multifactor-Authentication-Triggers-Custom.html > But so far I don't even know where to put the code, how to even have a > single debug log line. > Thanks for this example (I think I saw it a couple of monthes ago),if will > follow this way if it's the right one too. > But I can't forget I have to replicate an old "login-webflow.xml", which > seems to be done programmatically only in current version. > Regards > > > Le 21-Jul-2023 20:00:53 +0200, [email protected] a écrit: > > This may provide some direction > https://fawnoos.com/2018/11/22/cas5-groovy-mfa/ > There may be other posts on this site that can help. > > Ray > > On Fri, 2023-07-21 at 08:49 +0200, spfma.tech via CAS Community wrote: > > Notice: This message was sent from outside the University of Victoria > email system. Please be cautious with links and sensitive information. > > Hi, > I would like to implement some conditional MFA scenarios (using a > different provider depending on the network is the first one), but reading > https://apereo.github.io/cas/6.6.x/mfa/Configuring-Multifactor-Authentication-Triggers-Custom.html > > does not provide a lot of help. > Is there some code snippet available somewhere I could use as an example ? > Regards > > ------------------------------ > FreeMail powered by mail.fr > > > > > > > > ------------------------------ > FreeMail powered by mail.fr > > > -- > - Website: https://apereo.github.io/cas > - Gitter Chatroom: https://gitter.im/apereo/cas > - List Guidelines: https://goo.gl/1VRrw7 > - Contributions: https://goo.gl/mh7qDG > --- > You received this message because you are subscribed to the Google Groups > "CAS Community" group. > To unsubscribe from this group and stop receiving emails from it, send an > email [email protected]. > To view this discussion on the web visit > https://groups.google.com/a/apereo.org/d/msgid/cas-user/fd892674-8cea-4f49-a814-568482278b47n%40apereo.org > > <https://groups.google.com/a/apereo.org/d/msgid/cas-user/fd892674-8cea-4f49-a814-568482278b47n%40apereo.org?utm_medium=email&utm_source=footer> > . > > > ------------------------------ > FreeMail powered by mail.fr > > > > > > > > ------------------------------ > FreeMail powered by mail.fr -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/4722d24d-2a04-4afe-9437-e692f208beb7n%40apereo.org.
