I understand better now :-) the expiration for trusted device is +100
years, with a solution with couchDB.
Thanks for pointing out the template and 'divs' in question.
Christophe.
Le vendredi 3 novembre 2023 à 23:19:18 UTC+1, Anthony Oslund a écrit :
>
> We are using simple MFA, but as far as the expiration (need to re-MFA)
> goes the following may help.
>
> Researched every possible expiration property and found they were ignored.
>
> If you take a close look at the "expirationDate":
> "2123-11-03T09:23:27.000+00:00" from your note, this is set to expire 100
> years in the future. No matter what we configured it always set the
> expiration to 100 years in the future.
>
> Due to this and other issues with caching with JDBC we settled on caching
> (including MFA) to couchDb. Had never used couchDb before, but it
> literally took 10-15 minutes to install and config.
>
> If you search for "MFA expiration with couchDb" in this list it explains
> the solution we ended up using to be able to expire MFA. Not perfect, but
> very workable.
>
> On Friday, November 3, 2023 at 5:16:18 AM UTC-5 Chris SC wrote:
>
>> Hello,
>> [version 6.6.13]
>> I'm working on the implementation of the MFA with the Google Auth.
>> provider and Trusted Devices.
>> I have a question concerning the configuration of Trusted Devices.
>>
>> First time the user comes to a 'Register Device' screen (after MFA Google
>> Auth screen), with 2 fields:
>> 1/ Name of the current device
>> ----> I want to hide this one on the template. What is the template name
>> please ?
>>
>> 2/ Duration for registered device
>> ----> I want to hide this one too, by forcing an expiry time for everyone
>> (30 days)
>>
>> I've seen some of previous 6.6 configurations using :
>> cas.authn.mfa.trusted.expiration=30
>> cas.authn.mfa.trusted.timeUnit=DAY
>>
>> But these 2 parameters are no longer available in 6.6.13.
>> I thought that this part was now delegated on the provider side, but I
>> can't find anything on the Google Auth configuration.
>>
>> For now, If I take a look at storage, default expiration is 1 year.
>> So How to set this parameter for now ?
>>
>> [
>> {
>> "id": 1699003407119,
>> "principal": "testuser",
>> "deviceFingerprint": "OO5ovcvIZWMPRebiQZGGp6nK2lT1GzElrgtUN87acB8ADGOy",
>> "recordDate": "2023-11-03T10:23:27+01:00",
>> "recordKey":
>> "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCIsImtpZCI6IjBjNjQyMzg3LTM3M2EtNDZkZi1iOGM3LTEyNGNlZmJiMDhlNyJ9.ZXlKNmFYQWlPaUpFUlVZaUxDSmhiR2NpT2lKa2FYSWlMQ0psYm1NaU9pSkJNVEk0UTBKRExVaFRNalUySWl3aVkzUjVJam9pU2xkVUlpd2lkSGx3SWpvaVNsZFVJdIUWhmMmt1dWFlQTQ0TFNjTmhnRDFHb1ZSVW5WejVwSWt0QWsuN3JkWkswX0lTcENaMVQ3a1BFOF9LQQ.hW-Q2nsqjhr0Dnx3LIBJilZgBRoyPAKA8RLN5x2Vtzl44lmizs4-EV-ftwU8jIx7Z7whpTgp6DASz49pc6NO8g",
>> "name": "charming_wilson",
>> "expirationDate": "2123-11-03T09:23:27.000+00:00"
>> }
>> ]
>>
>>
>> Thanks for your help!
>> Christophe.
>>
>>
>> Current MFA trusted devices configuration :
>> ##========================================
>> ## MFA / Trusted Devices :
>> ##========================================
>>
>> cas.authn.mfa.trusted.mongo.clientUri=mongodb://user:x@localhost:27017/cas-mongo-database
>> cas.authn.mfa.trusted.mongo.collection=TrustedRepository
>> cas.authn.mfa.trusted.mongo.drop-collection=false
>>
>> cas.authn.mfa.trusted.core.authentication-context-attribute=isFromTrustedMultifactorAuthentication
>> cas.authn.mfa.trusted.core.device-registration-enabled=true
>> as.authn.mfa.trusted.core.auto-assign-device-name=true
>>
>> cas.authn.mfa.trusted.crypto.enabled=true
>> as.authn.mfa.trusted.crypto.encryption.key=xxxxxxxxxxxxxxxxxxx
>> cas.authn.mfa.trusted.crypto.signing.key=xxxxxxxxxxxxxxxxxxx
>>
>> cas.authn.mfa.trusted.deviceFingerprint.cookie.crypto.encryption.key=xxxxxxxxxxxxxxxxxxx
>>
>> cas.authn.mfa.trusted.deviceFingerprint.cookie.crypto.signing.key=xxxxxxxxxxxxxxxxxxx
>>
>
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/2979d593-1f43-44c5-99c2-15466d0f2966n%40apereo.org.
