Let me make sure I have understood your question first. You have configured duo with CAS-MFA and now want to trigger mfa based on an ldap attribute?

If that is so, have you configured the ldap attribute in the cas.properties file? Could you attach DEBUG logs that would show what CAS is doing when it retrieves and compares that attribute value? Is the attribute configured to be retrieved from your source?

From: Lazar, Michael E [mailto:[email protected]]
Sent: Monday, April 13, 2015 11:10 AM
To: [email protected]
Subject: Re:[cas-user] MFA option based on ldap attribute?

The services snippet looks like this, pretty close to the default:

    {
      "services": [
        {
          "id": 1,
          "serviceId": "^(https?|imaps?)://.*",
          "name": "generic https service",
          "description": "Generic https service",
          "extraAttributes": {
            "authn_method": "duo-two-factor"
          }
        }
      ]
    }

For now, I am only working with the single mfa provider. I was intentionally breaking the serviceId (I removed a t in order to break the regex) to see if the system would fall back to single-factor authentication, having no service ID to match to. The MFA seems to bind to the service at the login-ticket phase, and without any service configured it perhaps has nothing to bind to.

I have looked in my config for id="principalAttributeMfaRequestResolver" and can't seem to find it. Is there something I'm missing in my configuration files? I'm using a recent clone of the repository, just pulled from master to be sure.

Subject: Re: MFA option based on ldap attribute?
From: Dmitriy Kopylenko <[email protected]>
Date: Sat, 11 Apr 2015 03:36:01 -0400
X-Message-Number: 2

That's exactly how it works - the first leg of the authentication transaction happens (primary authentication), then a requirement for the second factor is computed from the resolved principal attribute. In your case it looks like the service authorization step fails to match the configured url with the actual service url provided, before even the mfa machinery kicks in. Could you please post your configured registered service snippet along with the actual service url that you are passing in?

Cheers,
D.

Sent from my iPhone

> On Apr 10, 2015, at 17:01, Lazar, Michael E <[email protected]> wrote:
>
> Hello,
>
> I have read this section, configured an attribute in the properties file and am trying to get this logic to fire. What I tried to do is change the servicesRegistry.conf and made the regular expression not match (https/imaps). However, now when I give cas my URL with the service attribute, cas sends me to the "Application Not Authorized to use CAS" error view.
>
> My current list of authn-methods only includes the one method for MFA we are using, and when I add that authn_method attribute to the URL I get a login prompt (so: working).
>
> Is there another method I need to add to the configuration in order for CAS to treat the login as a single-factor one (at least until this attribute is queried for)?
>
> I would need the principal from the first-factor login to get ldap attributes from and make the decision to require multi-factor authentication.
>
> Thanks again,
> -Michael.
>
>> Subject: Re: MFA option based on ldap attribute?
>> From: Dmitriy Kopylenko <[email protected]>
>> Date: Thu, 09 Apr 2015 16:55:48 -0400
>> X-Message-Number: 4
>>
>> Please see "Authentication Methods via Principal Attributes" section.
>>
>> Best,
>> D.

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
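An added example (not from the thread or from CAS itself) modelling the ordering Dmitriy describes: the service URL is first matched against the registered serviceId patterns, and only a matched service gets an authn method, taken from its extraAttributes or else from a principal attribute resolved after primary authentication. The registry is the snippet Michael posted; the mangled pattern, the attribute name `mfa_authn_method`, the second registry and the sample URLs are constructed for illustration.

```python
import json
import re

# Registry as posted in the thread: one generic https/imaps service requiring duo-two-factor.
POSTED_REGISTRY = json.loads("""
{ "services": [ { "id": 1, "serviceId": "^(https?|imaps?)://.*",
  "name": "generic https service", "description": "Generic https service",
  "extraAttributes": { "authn_method": "duo-two-factor" } } ] }
""")

# Constructed variant: a 't' removed from the pattern so it matches no https URL, standing in
# for the deliberately broken serviceId described in the thread (the exact edit is not given).
BROKEN_REGISTRY = {"services": [{"id": 1, "serviceId": "^(htps?|imaps?)://.*",
                                 "extraAttributes": {"authn_method": "duo-two-factor"}}]}

# Constructed registry with no service-level authn_method, so the principal attribute decides.
PLAIN_REGISTRY = {"services": [{"id": 2, "serviceId": "^https://app\\.example\\.edu/.*"}]}

# Assumed LDAP attribute name; its value is taken to name the authn method the login must satisfy.
MFA_ATTRIBUTE = "mfa_authn_method"

def find_registered_service(registry, service_url):
    """Service authorization: first service whose serviceId regex matches the URL, else None."""
    for svc in registry["services"]:
        if re.match(svc["serviceId"], service_url):
            return svc
    return None

def required_authn_method(registry, service_url, principal_attributes):
    """Outcome for one login, in the order the thread describes: a URL with no matching
    registered service is rejected before any MFA logic runs ("Application Not Authorized",
    not a single-factor fallback); a service-level authn_method applies to every principal;
    otherwise the principal attribute resolved after primary authentication decides."""
    svc = find_registered_service(registry, service_url)
    if svc is None:
        return "unauthorized-service"
    method = svc.get("extraAttributes", {}).get("authn_method")
    if method:
        return method
    values = principal_attributes.get(MFA_ATTRIBUTE, [])
    return values[0] if values else "single-factor"

if __name__ == "__main__":
    url = "https://app.example.edu/login"
    ldap = {MFA_ATTRIBUTE: ["duo-two-factor"]}  # constructed resolved principal attributes
    print(required_authn_method(POSTED_REGISTRY, url, {}))    # duo-two-factor (service-wide)
    print(required_authn_method(BROKEN_REGISTRY, url, ldap))  # unauthorized-service
    print(required_authn_method(PLAIN_REGISTRY, url, ldap))   # duo-two-factor (from attribute)
    print(required_authn_method(PLAIN_REGISTRY, url, {}))     # single-factor
```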
