Tom,
Our setup is a bit different. We use this for services that require MFA
"multifactorPolicy":
{
"@class": "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
"multifactorAuthenticationProviders":
[
"java.util.HashSet",
[
"mfa-duo"
]
],
"failureMode": "CLOSED",
"principalAttributeNameTrigger": "",
"principalAttributeValueToMatch": "",
"forceExecution": true
},
It triggers right away; But we only have one MFA provider.
Although those properties are not in the docs, they are in the class,
https://github.com/apereo/cas/blob/7.0.x/core/cas-server-core-services-api/src/main/java/org/apereo/cas/services/DefaultRegisteredServiceMultifactorPolicy.java
Ray
On Tue, 2024-05-07 at 22:40 -0700, [email protected] wrote:
Notice: This message was sent from outside the University of Victoria email
system. Please be cautious with links and sensitive information.
Hi, thanks for the response!
Actually what seems to happen is that when /authorize is called, the CAS
OAuth20HandlerInterceptorAdapter.preHandle() is invoked which in turn invokes
the pac4jSecurityInterceptor. Eventually the
org.pac4j.core.engine.DefaultSecurityLogicgets called and it checks (via
DefaultAuthorizationChecker) if an active pac4j profile can be found in the
session store. It seems like if I call /authorize within some time (~10min?)
after a successful login to CAS, then there is an active profile in the session
and the authentication & authorization is considered valid and access is
granted.
However after waiting for some time, when I call /authorize, then there is no
profile in the session store and eventually we end up in the MFA step.
Is anyone able to explain how this works and if there is some way to affect the
profile expiration in the session store, so that the pac4j engine would NOT
consider the request authorized? I suppose we would want to otherwise keep the
default functionality, but for some specific oauth clients we would want MFA be
triggered on EVERY request to /authorize.
I might be completely lost too, would be happy to receive some insight on this
if someone is aware :)
Many thanks!
Tom
On Wednesday 8 May 2024 at 03:39:51 UTC+3 Ray Bon wrote:
Tom,
Could it be that the groovy script is returning null or a value that cas does
not understand?
Ray
On Tue, 2024-05-07 at 06:49 -0700, [email protected] wrote:
Notice: This message was sent from outside the University of Victoria email
system. Please be cautious with links and sensitive information.
Hello!
I'm trying to trigger MFA even if the user is authenticated and the TGT
participates in the existing SSO session, but somehow the behavior is
inconsistent. I'm using OAuth authorization code flow and already somehow
managed to execute a flow where after a call to /authorize, the user was NOT
requested to authenticate (due to active SSO), but still the MFA policy was
triggered as expected.
Now I'm unable to reproduce that. Instead whenever I send a request to
/authorize, I get redirected to the service redirect URL with an OAuth code in
the query parameters. Instead I would like the MFA provider to get triggered on
each call to /authorize for this specific service.
In the service configuration I have defined:
"multifactorPolicy":{
"@class":"org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
"script":"classpath:groovy/forceMfaPolicy.groovy",
"bypassEnabled":"false",
"forceExecution":"true"
}
What might be the correct way to enforce MFA even if an SSO session is active
and being participated in?
Thank you!
Tom
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/da8ed2c91d700aed13e6703e383686a2af979b08.camel%40uvic.ca.
