The services snippet looks like this, pretty close to the default:

{
    "services":[
        {
            "id":1,
            "serviceId":"^(https?|imaps?)://.*",
            "name":"generic https service",
            "description":"Generic https service",
            "extraAttributes": {
                "authn_method": "duo-two-factor"
            }
        }
    ]
}

For now, I am only working with the single mfa provider.



I was intentionally breaking the serviceId (I removed a t in order to break the 
regex) to see if the system would fall back to single-factor authentication: 
having no service ID to match to.



The MFA seems to bind to the service at the login-ticket phase, and without any 
service configured it perhaps has nothing to bind to. I have looked in my 
config for id="principalAttributeMfaRequestResolver" and can't seem to find 
it. Is there something I'm missing in my configuration files? I'm using a 
recent clone of the repository, just pulled from master to be sure.
Subject: Re: MFA option based on ldap attribute?

From: Dmitriy Kopylenko <[email protected]>

Date: Sat, 11 Apr 2015 03:36:01 -0400

X-Message-Number: 2



That's exactly how it works - the first leg of authentication transaction 
happens (primary authentication), then a requirement for the second factor is 
computed from the resolved principal attribute. In your case it looks like the 
service authorization step fails to match the configured url with the actual 
service url provided, before even the mfa machinery kicks in.



Could you please post your configured registered service snippet along with the 
actual service url that you are passing in?



Cheers,

D.



Sent from my iPhone



> On Apr 10, 2015, at 17:01, Lazar, Michael E <[email protected]> wrote:

>

> Hello,

>

> I have read this section, configured an attribute in the properties file and 
> am trying to get this logic to fire. What I tried to do was change the 
> servicesRegistry.conf and make the regular expression not match 
> (https/imaps). However, now when I give CAS my URL with the service attribute, 
> CAS sends me to the "Application Not Authorized to use CAS" error view.

>

> My current list of authn-methods only includes one method for MFA we are 
> using, and when I add that authn_method attribute to the URL I get a login 
> prompt (so: working).

>

> Is there another method I need to add to configuration in order for CAS to 
> treat the login as a single-factor one (at least until this attribute is 
> queried for)?

>

> I would need the principal from the first-factor login to get LDAP attributes 
> from and make the decision to require multi-factor authentication.

>

> Thanks again,

> -Michael.

>

> >Subject: Re: MFA option based on ldap attribute?

> >From: Dmitriy Kopylenko <[email protected]>

> >Date: Thu, 09 Apr 2015 16:55:48 -0400

> >X-Message-Number: 4

> >

> >Please see "Authentication Methods via Principal Attributes" section.

> >

> >Best,

> >D.

>

> --


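The ordering Dmitriy describes (service authorization first, then primary authentication, then the second factor resolved from the service's extraAttributes or a principal attribute) can be modelled in a few lines. This is an added illustration, not CAS code or either poster's configuration: the registries are constructed from the posted snippet, with the second one reproducing the "removed a t" experiment, and the principal attribute name "authn_method" is an assumed configuration value.

```python
import re

# Constructed sample registries mirroring the snippet in the thread.
# GOOD is the posted serviceId; BROKEN has the 't' removed from "https?".
GOOD_REGISTRY = [{
    "id": 1,
    "serviceId": r"^(https?|imaps?)://.*",
    "name": "generic https service",
    "extraAttributes": {"authn_method": "duo-two-factor"},
}]
BROKEN_REGISTRY = [{
    "id": 1,
    "serviceId": r"^(hps?|imaps?)://.*",
    "name": "generic https service",
    "extraAttributes": {"authn_method": "duo-two-factor"},
}]


class ServiceNotAuthorized(Exception):
    """Models the 'Application Not Authorized to use CAS' outcome."""


def authorize_service(registry, service_url):
    # Service authorization is the first gate: the service URL must fully
    # match some serviceId pattern, or the login never reaches authentication.
    for svc in registry:
        if re.fullmatch(svc["serviceId"], service_url):
            return svc
    raise ServiceNotAuthorized(service_url)


def required_authn_method(service, principal_attrs, attr_name="authn_method"):
    # The second factor is computed only after primary authentication.
    # A service-level extraAttribute wins; otherwise the resolved principal
    # attribute (attr_name is an assumed config value) is consulted.
    # None means the login stays single-factor.
    service_level = service.get("extraAttributes", {}).get("authn_method")
    if service_level:
        return service_level
    return principal_attrs.get(attr_name)


def login(registry, service_url, principal_attrs):
    svc = authorize_service(registry, service_url)  # raises before any MFA logic
    # Primary (first-factor) authentication is assumed to have succeeded here.
    return required_authn_method(svc, principal_attrs)
```

With the broken pattern an https URL is rejected outright rather than falling back to single-factor, which is the behaviour observed in the thread; an imaps URL still matches and still gets the duo requirement.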