I have the same issue with 7.0.3 and Duo MFA; I am also hoping for a fix in 7.1. Thank you, Ray and Mike.
On Wed, Apr 17, 2024 at 9:53 AM Mike S <[email protected]> wrote:

> You're right! Removing support-surrogate-webflow allows merging to proceed
> properly. Think this will be addressed in 7.1, or is this working as
> intended and we have to do something else to enable proper attribute
> merging?
>
> On Tuesday, April 16, 2024 at 8:55:32 p.m. UTC-2:30 Ray Bon wrote:
>
>> I have been able to confirm that the presence of the surrogate login
>> feature can create the observed problem.
>>
>> implementation "org.apereo.cas:cas-server-support-surrogate-webflow"
>>
>> The non-merging of attributes happens even though no surrogate login
>> takes place.
>>
>> Ray
>>
>> On Mon, 2024-04-15 at 12:30 -0700, Mike S wrote:
>>
>> Notice: This message was sent from outside the University of Victoria
>> email system. Please be cautious with links and sensitive information.
>>
>> FYI, downgrading to 6.6.13 works. DUO universal prompt functions properly
>> and the principal attributes are from LDAP only. I'm suspicious that
>> something about DUO and/or MFA is broken in CAS 7.0.3.
>>
>> On Monday, April 15, 2024 at 2:10:54 p.m. UTC-2:30 Mike S wrote:
>>
>> Hi Ray,
>>
>> it was in /etc/cas/config/log4j2.xml, setting the log level to debug:
>>
>> <Configuration monitorInterval="5" packages="org.apereo.cas.logging">
>>   <Properties>
>>     <Property name="baseDir">/var/log/cas</Property>
>>     <Property name="cas.log.level">debug</Property>
>>
>> On Saturday, April 13, 2024 at 1:48:06 a.m. UTC-2:30 Ray Bon wrote:
>>
>> Mike,
>>
>> What logger did you enable to see this?
>>
>> Ray
>>
>> On Fri, 2024-04-12 at 11:36 -0700, Mike S wrote:
>>
>> Thanks for your response Ray. I've been banging my head against this for
>> a while and I thought it was something I was missing. I've verified the
>> conflict resolver option doesn't work.
>>
>> The debug log output shows the LDAP and DUO attributes at one point
>> are merged, but the result is discarded.
>>
>> Is there a suggested workaround?
>>
>> On Friday, April 12, 2024 at 12:24:47 p.m. UTC-2:30 Ray Bon wrote:
>>
>> Mike,
>>
>> I can confirm this behaviour.
>> DefaultPrincipalElectionStrategy was changed between 6.5 and 7.0. The
>> change was in 5bcef20 about 5 months ago.
>>
>> The old behaviour was to select the first principal in a list; the new
>> behaviour defaults to last.
>> Even setting this property,
>>
>> cas.person-directory.principal-resolution-conflict-strategy=first
>>
>> does not work.
>>
>> Printing the list of principals immediately before
>> PrincipalElectionStrategyConflictResolver is invoked:
>>
>> 2024-04-11 23:40:23,144 ERROR [org.aper.cas.auth.prin.DefaultPrincipalElectionStrategy] - <principal: SimplePrincipal(id=rbon, attributes={cn=[Ray Bon], description=[ROLE_ADMIN], domain=[uvic.ca], ...
>> 2024-04-11 23:40:23,144 ERROR [org.aper.cas.auth.prin.DefaultPrincipalElectionStrategy] - <principal: SimplePrincipal(id=rbon, attributes={duoAud=[...], duoAuthCtxAccessDeviceIp=[...], ...
>>
>> The principal ids are the same (so merging attributes should work).
>>
>> Our setup fetches attributes after authentication (instead of at the time
>> of authentication) but before the duo flow.
>>
>> I will investigate if there is an effect of when ldap attributes are
>> retrieved, as well as look into other possible config settings that might
>> affect attribute merging.
>>
>> Ray
>>
>> On Wed, 2024-04-10 at 12:47 -0700, Mike S wrote:
>>
>> (Apologies for the repost. The CAS version has been added in the subject
>> line as well as the cas.properties file.)
>>
>> We are testing a CAS 7.0.3 POC system using universal prompt DUO MFA. The
>> system is configured to use OpenLDAP for authentication. However, once DUO
>> MFA is enabled via the Fawnoos blog entry, the attributes returned for the
>> principal are from DUO.
>>
>> How do we tell CAS to only use the LDAP attribute repository?
>>
>> Thanks,
>> Mike
>>
>> cas.properties:
>>
>> cas.server.name=https://cas-poc.xxx.yyy
>> cas.server.prefix=${cas.server.name}/cas
>> cas.server.scope=xxx.yyy
>> cas.host.name=xxx.yyy
>>
>> logging.config: file:/etc/cas/config/log4j2.xml
>> logging.level.org.apereoi.cas=debug
>>
>> server.port=8443
>> server.ssl.enabled=true
>> server.ssl.protocol=TLS
>> server.ssl.key-store=file:/etc/cas/config/keystore.jks
>> server.ssl.key-store-password=XXXXXXXXXXXXXXXXXXX
>> server.ssl.key-password=YYYYYYYYYYYYYYYYY
>> server.ssl.key-store-type=JKS
>> server.ssl.key-alias=default
>>
>> server.servlet.context-path=/cas
>> server.servlet.application-display-name=cas
>>
>> cas.server.tomcat.http[0].enabled=false
>> cas.server.tomcat.http-proxy.enabled=true
>> cas.server.tomcat.http-proxy.secure=false
>> cas.server.tomcat.http-proxy.scheme=https
>> cas.server.tomcat.http-proxy.protocol=HTTP/2
>> server.tomcat.remoteip.internal-proxies=AAA.BBB.CCC.DDD
>> server.tomcat.accesslog.request-attributes-enabled=true
>> server.tomcat.max-http-form-post-size=2097152
>> server.tomcat.max-threads=200
>>
>> [service registry config omitted]
>>
>> cas.authn.accept.users=
>> cas.authn.accept.enabled=false
>>
>> cas.authn.ldap[0].type=AUTHENTICATED
>> cas.authn.ldap[0].ldap-url=ldaps://ldap1.xxx.yyy,ldaps://ldap2.xxx.yyy
>> cas.authn.ldap[0].base-dn=dc=xxx,dc=yyy
>> cas.authn.ldap[0].search-filter=(|(uid={user})(mailAddress={user}))
>> cas.authn.ldap[0].bind-dn=uid=ro-ldap-user,ou=users,dc=xxx,dc=yyy
>> cas.authn.ldap[0].bind-credential=XXXXXXXXXXXXXX
>>
>> cas.authn.ldap[0].principal-attribute-list=altEmailaltEmailDate,authViaAltEmailVerificationKey,[...]
>>
>> cas.authn.mfa.triggers.global.global-provider-id=mfa-duo
>> cas.authn.mfa.duo[0].account-status-enabled=true
>> cas.authn.mfa.duo[0].duo-secret-key=XXXXXXXXXXXXXXXXXXXXXXXXXX
>> cas.authn.mfa.duo[0].duo-integration-key=YYYYYYYYYYYYYYYYY
>> cas.authn.mfa.duo[0].duo-api-host=ZZZZZZZZZZZZZZZZZZZZZZ

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAMLyn%2B_GJF%3DJXdxcGL-HqjyLVn_oxXGK0BnUPBna8x9vW2KHeg%40mail.gmail.com.
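Added illustration, not code from CAS or from anyone in the thread: a small Python model of the distinction Ray's log lines point at, namely electing one principal wholesale (first or last in the list) versus merging the attributes of two principals that share an id. The two sample principals are constructed from the attribute names in the quoted log output with placeholder values; the function names `elect_without_merging`, `merge_principals` and `missing_attributes` are hypothetical and do not correspond to CAS's own API. `missing_attributes` is the check a deployer would run against the attributes a service actually receives: a non-empty result means the election dropped a source's attributes instead of merging them.

```python
"""Model of principal election vs. attribute merging (illustration, not CAS code)."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Principal:
    """Minimal stand-in for a CAS-style principal: an id plus multi-valued attributes."""
    id: str
    attributes: Dict[str, List[str]] = field(default_factory=dict)


# Constructed sample data modelled on the two log lines quoted in the thread
# (an LDAP-sourced principal followed by a Duo-sourced one with the same id).
# Attribute values are placeholders, not real data.
LDAP_PRINCIPAL = Principal("rbon", {
    "cn": ["Ray Bon"],
    "description": ["ROLE_ADMIN"],
    "domain": ["uvic.ca"],
})
DUO_PRINCIPAL = Principal("rbon", {
    "duoAud": ["duo-aud-placeholder"],
    "duoAuthCtxAccessDeviceIp": ["203.0.113.10"],
})


def elect_without_merging(principals: List[Principal], strategy: str = "last") -> Principal:
    """Pick one principal wholesale. Whatever the other principals carried is
    lost: "first" keeps only the LDAP attributes, "last" keeps only the Duo
    attributes, which is the symptom described in the thread."""
    if strategy not in ("first", "last"):
        raise ValueError(f"unknown strategy {strategy!r}")
    return principals[0] if strategy == "first" else principals[-1]


def merge_principals(principals: List[Principal], conflict_strategy: str = "first") -> Principal:
    """Merge the attributes of principals that share one id. conflict_strategy
    only decides which value wins when two principals carry the SAME attribute
    name; attributes present in only one principal are always kept."""
    if conflict_strategy not in ("first", "last"):
        raise ValueError(f"unknown conflict strategy {conflict_strategy!r}")
    ids = {p.id for p in principals}
    if len(ids) != 1:
        raise ValueError(f"cannot merge principals with differing ids: {sorted(ids)}")
    merged: Dict[str, List[str]] = {}
    for p in principals:
        for name, values in p.attributes.items():
            # "first": keep the value already seen; "last": let later sources overwrite.
            if name not in merged or conflict_strategy == "last":
                merged[name] = list(values)
    return Principal(principals[0].id, merged)


def missing_attributes(elected: Principal, expected: Principal) -> List[str]:
    """Names of attributes `expected` carries that are absent from `elected`.
    A non-empty list means election dropped attributes instead of merging them."""
    return sorted(set(expected.attributes) - set(elected.attributes))


def compare_outcomes() -> Dict[str, List[str]]:
    """Attribute names produced by each election approach on the sample pair."""
    pair = [LDAP_PRINCIPAL, DUO_PRINCIPAL]
    return {
        "elect_last": sorted(elect_without_merging(pair, "last").attributes),
        "elect_first": sorted(elect_without_merging(pair, "first").attributes),
        "merge": sorted(merge_principals(pair).attributes),
    }


if __name__ == "__main__":
    for name, attrs in compare_outcomes().items():
        print(f"{name:12s} -> {attrs}")
    dropped = missing_attributes(elect_without_merging([LDAP_PRINCIPAL, DUO_PRINCIPAL]), LDAP_PRINCIPAL)
    print("LDAP attributes lost by last-wins election:", dropped)
```

Running the block prints the three outcomes side by side: last-wins election yields only the Duo attribute names, first-wins yields only the LDAP ones, and a merge yields all five. The conflict strategy in the merge matters only when both sources supply the same attribute name, which is not the case for the two principals in the quoted log lines.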
