In short, yes. You have my question correct. I have MFA configured with Duo, but I want to trigger MFA based on the presence of an ldap attribute. We have placed this attribute in the cas.properties file under mfa.method.userAttribute=csunAffiliation (so csunAffiliation is the attribute I'm looking for). I'm still not sure what the expected value of this attribute is; is it the particular authn_method to use (so in our case the value would be duo-two-factor)?
I do see the value being queried for, but in this case the value comes back without a matching service and the logic falls through to matching the service parameter and sending me to MFA auth. I would have hoped that since the attribute does not match anything, CAS would fall through to single-factor authentication, even if the service is configured. Since when the service goes unconfigured, I don't seem to get a login screen: I get the error flow instead. This service parameter is used for both single and two-factor login, and the way this feels to run, every user that comes through with a matching service attribute will then be sent to multi-factor authentication. Here are the debug logs on a session, thanks again.

-Michael.

<login ticket obtained>
2015-04-13 15:05:09,948 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor generated service for: https://dev-mynorthridge.csun.calstate.edu/psp/PANRTRS/?cmd=login&languageCd=ENG>
2015-04-13 15:05:09,948 DEBUG [net.unicon.cas.mfa.web.support.RegisteredServiceAttributeMultiFactorAuthenticationArgumentExtractor] - <[org.jasig.cas.web.support.CasArgumentExtractor@155788fa] intercepted the request successfully for multifactor authentication>
2015-04-13 15:05:09,948 DEBUG [net.unicon.cas.mfa.web.support.RegisteredServiceAttributeMultiFactorAuthenticationArgumentExtractor] - <Attempting to extract multifactor authentication method from registered service attribute...>
2015-04-13 15:05:09,948 DEBUG [net.unicon.cas.mfa.web.support.RegisteredServiceAttributeMultiFactorAuthenticationArgumentExtractor] - <Created multifactor authentication service instance for [https://dev-mynorthridge.csun.calstate.edu/psp/PANRTRS/?cmd=login&languageCd=ENG] with [authn_method] as [duo-two-factor] and authentication method definition source [REGISTERED_SERVICE_DEFINITION].>
2015-04-13 15:05:09,948 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor generated service for: https://dev-mynorthridge.csun.calstate.edu/psp/PANRTRS/?cmd=login&languageCd=ENG>
2015-04-13 15:05:09,948 DEBUG [net.unicon.cas.mfa.web.support.RequestParameterMultiFactorAuthenticationArgumentExtractor] - <[org.jasig.cas.web.support.CasArgumentExtractor@155788fa] intercepted the request successfully for multifactor authentication>
2015-04-13 15:05:09,948 DEBUG [net.unicon.cas.mfa.web.support.RequestParameterMultiFactorAuthenticationArgumentExtractor] - <Attempting to extract multifactor authentication parameters from the request>
2015-04-13 15:05:09,949 DEBUG [net.unicon.cas.mfa.web.support.RequestParameterMultiFactorAuthenticationArgumentExtractor] - <Request has no request parameter [authn_method]. Delegating to the next argument extractor in the chain...>
2015-04-13 15:05:09,949 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor generated service for: https://dev-mynorthridge.csun.calstate.edu/psp/PANRTRS/?cmd=login&languageCd=ENG>
2015-04-13 15:05:09,949 DEBUG [org.jasig.cas.web.flow.InitialFlowSetupAction] - <Placing service in FlowScope: https://dev-mynorthridge.csun.calstate.edu/psp/PANRTRS/?cmd=login&languageCd=ENG>
2015-04-13 15:05:09,950 DEBUG [org.jasig.cas.web.flow.GenerateLoginTicketAction] - <Generated login ticket LT-16-VnKqsp6fliMPc27HvhcJBWmxs6rYxg>

<Sign in>
2015-04-13 15:06:03,429 DEBUG [org.jasig.cas.web.flow.PasswordPolicyEnforcementAction] - <Checking account status for password...>
2015-04-13 15:06:03,429 DEBUG [org.jasig.cas.web.flow.PasswordPolicyEnforcementAction] - <Retrieving number of days to password expiration date for user ml71834>
2015-04-13 15:06:03,429 DEBUG [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] - <Starting search with searchFilter: (|(uid=ml71834)(mailLocalAddress=ml7 [email protected])([email protected])(mailLocalAddress=ml71834)([email protected])([email protected])(mail=ml71834)(mailroutingaddress= [email protected])(mailroutingaddress=ml71834)(employeeNumber=ml71834))>
2015-04-13 15:06:03,429 DEBUG [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] - <Returning attributes shadowLastChange:shadowWarning:shadowMax::csunEduPersonFlag>
2015-04-13 15:06:03,535 DEBUG [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] - <Recalculated epochdays shadowLastChange attribute to 2015-06-14T00:00:00.000Z>
2015-04-13 15:06:03,535 DEBUG [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] - <Retrieved date value 2015-06-14T00:00:00.000Z for date attribute shadowLastChange and added 90 days. The final expiration date is 2015-09-12T00:00:00.000Z>
2015-04-13 15:06:03,535 DEBUG [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] - <Calculating number of days left to the expiration date for user ml71834>
2015-04-13 15:06:03,535 INFO [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] - <Current date is 2015-04-13T22:06:03.535Z>
2015-04-13 15:06:03,536 INFO [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] - <Expiration date is 2015-09-12T00:00:00.000Z>
2015-04-13 15:06:03,536 INFO [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] - <Warning period begins on 2015-09-02T00:00:00.000Z>
2015-04-13 15:06:03,536 INFO [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] - <Password is not expiring. 151 days left to the warning>
2015-04-13 15:06:03,536 DEBUG [org.jasig.cas.web.flow.PasswordPolicyEnforcementAction] - <Password for ml71834 is not expiring>
2015-04-13 15:06:03,536 DEBUG [org.jasig.cas.web.flow.PasswordPolicyEnforcementAction] - <Switching to flow event id success for user ml71834>
2015-04-13 15:06:03,618 DEBUG [org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler] - <Performing LDAP bind with credential: uid=ml71834,ou=people,ou=auth,o=CSUN>
2015-04-13 15:06:03,629 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler successfully authenticated [username: ml71834]>
2015-04-13 15:06:03,630 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - <Attempting to resolve a principal...>
2015-04-13 15:06:03,630 DEBUG [org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver] - <Attempting to resolve a principal...>
2015-04-13 15:06:03,630 DEBUG [org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver] - <Creating SimplePrincipal for [ml71834]>
2015-04-13 15:06:03,631 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - <Resolved ml71834. Trying LDAP resolve now...>
2015-04-13 15:06:03,631 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - <LDAP search with filter "(|(uid=ml71834)(ma [email protected])([email protected])(mailLocalAddress=ml71834)([email protected])([email protected])(mail=ml71834)(m [email protected])(mailroutingaddress=ml71834)(employeeNumber=ml71834))">
2015-04-13 15:06:03,631 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - <returning searchcontrols: scope=2; search base=ou=People,ou=Auth,o=csun; attributes=[uid]; timeout=1000>
2015-04-13 15:06:03,705 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - <Resolved ml71834 to ml71834>
2015-04-13 15:06:03,706 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - <Creating SimplePrincipal for [ml71834]>
2015-04-13 15:06:03,706 DEBUG [net.unicon.cas.addons.persondir.JsonBackedComplexStubPersonAttributeDao] - <Created seed map='{username=[ml71834]}' for uid='ml71834'>
2015-04-13 15:06:03,706 DEBUG [net.unicon.cas.addons.persondir.JsonBackedComplexStubPersonAttributeDao] - <Adding attribute 'username' with value '[ml71834]' to query builder 'null'>
2015-04-13 15:06:03,706 DEBUG [net.unicon.cas.addons.persondir.JsonBackedComplexStubPersonAttributeDao] - <Generated query builder 'ml71834' from query Map {username=[ml71834]}.>
2015-04-13 15:06:03,706 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <Resolved principal ml71834>
2015-04-13 15:06:03,707 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler@700bf23d authenticated ml71834 with credential [username: ml71834].>
2015-04-13 15:06:03,707 DEBUG [org.jasig.cas.authentication.AuthenticationManagerImpl] - <Attribute map for ml71834: {}>
2015-04-13 15:06:03,707 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: [username: ml71834]
WHAT: supplied credentials: [username: ml71834]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Mon Apr 13 15:06:03 PDT 2015
CLIENT IP ADDRESS: 169.254.20.119
SERVER IP ADDRESS: 169.254.20.119
=============================================================
>
2015-04-13 15:06:03,707 DEBUG [net.unicon.cas.mfa.authentication.principal.PrincipalAttributeMultiFactorAuthenticationRequestResolver] - <No multifactor authentication requests could be resolved based on [csunAffiliation]>
2015-04-13 15:06:03,707 DEBUG [net.unicon.cas.mfa.web.flow.InitiatingMultiFactorAuthenticationViaFormAction] - <Resolved 0 multifactor authentication requests>
2015-04-13 15:06:03,707 DEBUG [net.unicon.cas.mfa.web.flow.InitiatingMultiFactorAuthenticationViaFormAction] - <No multifactor authentication requests could be resolved.>
2015-04-13 15:06:03,708 DEBUG [net.unicon.cas.mfa.web.flow.event.ServiceAuthenticationMethodMultiFactorAuthenticationSpringWebflowEventBuilder] - <Attempting to build an event based on the authentication method [duo-two-factor] and service [https://dev-mynorthridge.csun.calstate.edu/psp/PANRTRS/?cmd=login&languageCd=ENG]>
2015-04-13 15:06:03,708 DEBUG [net.unicon.cas.mfa.web.flow.event.ServiceAuthenticationMethodMultiFactorAuthenticationSpringWebflowEventBuilder] - <Resulting event id is [mfa-duo-two-factor]. Locating transitions in the context for that event id...>
2015-04-13 15:06:03,720 DEBUG [net.unicon.cas.mfa.web.flow.event.ServiceAuthenticationMethodMultiFactorAuthenticationSpringWebflowEventBuilder] - <Found matching transition [mfa-duo-two-factor] with target [mfa-duo-two-factor] for event mfa-duo-two-factor. Will proceed normally..>
2015-04-13 15:06:03,720 DEBUG [net.unicon.cas.mfa.web.flow.GenerateMultiFactorCredentialsAction] - <Authentication has entered the flow [login] executing state [mfa-duo-two-factor>
2015-04-13 15:06:03,720 DEBUG [net.unicon.cas.mfa.web.flow.GenerateMultiFactorCredentialsAction] - <Retrieved authentication context. Building multifactor credentials...>
2015-04-13 15:06:03,720 DEBUG [net.unicon.cas.mfa.web.flow.GenerateMultiFactorCredentialsAction] - <Attempting to collect multifactor credentials from the context...>
2015-04-13 15:06:03,721 DEBUG [net.unicon.cas.mfa.web.flow.GenerateMultiFactorCredentialsAction] - <Context is missing multifactor credentials. Initializing a new instance...>
2015-04-13 15:06:03,721 DEBUG [net.unicon.cas.mfa.web.flow.GenerateMultiFactorCredentialsAction] - <Added authentication to the chain>
2015-04-13 15:06:03,721 DEBUG [net.unicon.cas.mfa.web.flow.GenerateMultiFactorCredentialsAction] - <Added credentials to the chain by id [ml71834]>
2015-04-13 15:06:03,721 DEBUG [net.unicon.cas.mfa.web.flow.GenerateMultiFactorCredentialsAction] - <Added multifactor credentials to the request context.>
2015-04-13 15:06:03,722 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor generated service for: https://dev-mynorthridge.csun.calstate.edu/psp/PANRTRS/?cmd=login&languageCd=ENG>
2015-04-13 15:06:03,722 DEBUG [net.unicon.cas.mfa.web.support.RegisteredServiceAttributeMultiFactorAuthenticationArgumentExtractor] - <[org.jasig.cas.web.support.CasArgumentExtractor@155788fa] intercepted the request successfully for multifactor authentication>
2015-04-13 15:06:03,722 DEBUG [net.unicon.cas.mfa.web.support.RegisteredServiceAttributeMultiFactorAuthenticationArgumentExtractor] - <Attempting to extract multifactor authentication method from registered service attribute...>
2015-04-13 15:06:03,722 DEBUG [net.unicon.cas.mfa.web.support.RegisteredServiceAttributeMultiFactorAuthenticationArgumentExtractor] - <Created multifactor authentication service instance for [https://dev-mynorthridge.csun.calstate.edu/psp/PANRTRS/?cmd=login&languageCd=ENG] with [authn_method] as [duo-two-factor] and authentication method definition source [REGISTERED_SERVICE_DEFINITION].>
2015-04-13 15:06:03,723 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor generated service for: https://dev-mynorthridge.csun.calstate.edu/psp/PANRTRS/?cmd=login&languageCd=ENG>
2015-04-13 15:06:03,723 DEBUG [net.unicon.cas.mfa.web.support.RequestParameterMultiFactorAuthenticationArgumentExtractor] - <[org.jasig.cas.web.support.CasArgumentExtractor@155788fa] intercepted the request successfully for multifactor authentication>
2015-04-13 15:06:03,723 DEBUG [net.unicon.cas.mfa.web.support.RequestParameterMultiFactorAuthenticationArgumentExtractor] - <Attempting to extract multifactor authentication parameters from the request>
2015-04-13 15:06:03,723 DEBUG [net.unicon.cas.mfa.web.support.RequestParameterMultiFactorAuthenticationArgumentExtractor] - <Request has no request parameter [authn_method]. Delegating to the next argument extractor in the chain...>
2015-04-13 15:06:03,723 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor generated service for: https://dev-mynorthridge.csun.calstate.edu/psp/PANRTRS/?cmd=login&languageCd=ENG>
2015-04-13 15:06:03,723 DEBUG [org.jasig.cas.web.flow.InitialFlowSetupAction] - <Placing service in FlowScope: https://dev-mynorthridge.csun.calstate.edu/psp/PANRTRS/?cmd=login&languageCd=ENG>
2015-04-13 15:06:03,724 DEBUG [org.jasig.cas.web.flow.GenerateLoginTicketAction] - <Generated login ticket LT-17-cMNVMU5Su7Cj3ZS5TiKJL1cyOybsra>
2015-04-13 15:06:03,744 DEBUG [com.duosecurity.DuoWeb] - <username 'ml71834'>
2015-04-13 15:06:03,745 DEBUG [com.duosecurity.DuoWeb] - <The generated signed request: 'TX|bWw3MTgzNHxESTVXSzFBR1lKVkFTOEJUR1JRTnwxNDI4OTYzMDYz|3e21ca613a28fef874c39f99ccdad6c45691fa93:APP|bWw3MTgzNHxESTVXSzFBR1lKVkFTOEJUR1JRTnwxNDI4OTY2MzYz|7097770612d7df4750c9750925744e0ea1060a99'>

<After MFA Auth>
2015-04-13 15:06:41,388 DEBUG [net.unicon.cas.mfa.authentication.duo.DuoAuthenticationService] - <Calling DuoWeb.verifyResponse with signed request token 'AUTH|bWw3MTgzNHxESTVXSzFBR1lKVkFTOEJUR1JRTnwxNDI4OTYyODYw|71a24797987e1a56351786c3dda57358097b53d5:APP|bWw3MTgzNHxESTVXSzFBR1lKVkFTOEJUR1JRTnwxNDI4OTY2MzYz|7097770612d7df4750c9750925744e0ea1060a99'>
2015-04-13 15:06:41,388 DEBUG [com.duosecurity.DuoWeb] - <Verifying sig_response: 'AUTH|bWw3MTgzNHxESTVXSzFBR1lKVkFTOEJUR1JRTnwxNDI4OTYyODYw|71a24797987e1a56351786c3dda57358097b53d5:APP|bWw3MTgzNHxESTVXSzFBR1lKVkFTOEJUR1JRTnwxNDI4OTY2MzYz|7097770612d7df4750c9750925744e0ea1060a99'>
2015-04-13 15:06:41,388 DEBUG [net.unicon.cas.mfa.authentication.duo.DuoAuthenticationHandler] - <Response from Duo verify: [ml71834]>
2015-04-13 15:06:41,388 INFO [net.unicon.cas.mfa.authentication.duo.DuoAuthenticationHandler] - <Successful Duo authentication for [ml71834]>
2015-04-13 15:06:41,388 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <net.unicon.cas.mfa.authentication.duo.DuoAuthenticationHandler successfully authenticated [username: ml71834]>
2015-04-13 15:06:41,388 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - <Attempting to resolve a principal...>
2015-04-13 15:06:41,389 DEBUG [org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver] - <Attempting to resolve a principal...>
2015-04-13 15:06:41,389 DEBUG [org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver] - <Creating SimplePrincipal for [ml71834]>
2015-04-13 15:06:41,389 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - <Resolved ml71834. Trying LDAP resolve now...>
2015-04-13 15:06:41,389 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - <LDAP search with filter "(|(uid=ml71834)(ma [email protected])([email protected])(mailLocalAddress=ml71834)([email protected])([email protected])(mail=ml71834)(m [email protected])(mailroutingaddress=ml71834)(employeeNumber=ml71834))">
2015-04-13 15:06:41,389 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - <returning searchcontrols: scope=2; search base=ou=People,ou=Auth,o=csun; attributes=[uid]; timeout=1000>
2015-04-13 15:06:41,444 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - <Resolved ml71834 to ml71834>
2015-04-13 15:06:41,445 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - <Creating SimplePrincipal for [ml71834]>
2015-04-13 15:06:41,445 DEBUG [net.unicon.cas.addons.persondir.JsonBackedComplexStubPersonAttributeDao] - <Created seed map='{username=[ml71834]}' for uid='ml71834'>
2015-04-13 15:06:41,445 DEBUG [net.unicon.cas.addons.persondir.JsonBackedComplexStubPersonAttributeDao] - <Adding attribute 'username' with value '[ml71834]' to query builder 'null'>
2015-04-13 15:06:41,445 DEBUG [net.unicon.cas.addons.persondir.JsonBackedComplexStubPersonAttributeDao] - <Generated query builder 'ml71834' from query Map {username=[ml71834]}.>
2015-04-13 15:06:41,445 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <Resolved principal ml71834>
2015-04-13 15:06:41,445 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <net.unicon.cas.mfa.authentication.duo.DuoAuthenticationHandler@75ab3aeb authenticated ml71834 with credential [username: ml71834].>
2015-04-13 15:06:41,445 DEBUG [org.jasig.cas.authentication.AuthenticationManagerImpl] - <Attribute map for ml71834: {}>
2015-04-13 15:06:41,445 DEBUG [net.unicon.cas.mfa.authentication.RememberAuthenticationMethodMetaDataPopulator] - <Captured authentication method [duo-two-factor] into the authentation context>
2015-04-13 15:06:41,445 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: [username: ml71834]
WHAT: supplied credentials: [username: ml71834]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Mon Apr 13 15:06:41 PDT 2015
CLIENT IP ADDRESS: 169.254.20.119
SERVER IP ADDRESS: 169.254.20.119
=============================================================
>
2015-04-13 15:06:41,446 DEBUG [org.jasig.cas.ticket.registry.MemCacheTicketRegistry] - <Adding ticket TGT-5-Vivp9dmBEIFogxg6OwVqXysnbe2eYISRHJWZIYfYLFHruzaROB-dev-cas.csun.edu>
2015-04-13 15:06:41,451 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: net.unicon.cas.mfa.authentication.principal.MultiFactorCredentials@22972900
WHAT: TGT-5-Vivp9dmBEIFogxg6OwVqXysnbe2eYISRHJWZIYfYLFHruzaROB-dev-cas.csun.edu
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Mon Apr 13 15:06:41 PDT 2015
CLIENT IP ADDRESS: 169.254.20.119
SERVER IP ADDRESS: 169.254.20.119
=============================================================
>
2015-04-13 15:06:41,451 DEBUG [net.unicon.cas.mfa.web.flow.event.ServiceAuthenticationMethodMultiFactorAuthenticationSpringWebflowEventBuilder] - <Attempting to build an event based on the authentication method [duo-two-factor] and service [https://dev-mynorthridge.csun.calstate.edu/psp/PANRTRS/?cmd=login&languageCd=ENG]>
2015-04-13 15:06:41,452 DEBUG [net.unicon.cas.mfa.web.flow.event.ServiceAuthenticationMethodMultiFactorAuthenticationSpringWebflowEventBuilder] - <Resulting event id is [mfa-duo-two-factor]. Locating transitions in the context for that event id...>
2015-04-13 15:06:41,452 DEBUG [net.unicon.cas.mfa.web.flow.event.ServiceAuthenticationMethodMultiFactorAuthenticationSpringWebflowEventBuilder] - <Found matching transition [mfa-duo-two-factor] with target [mfaSuccess] for event mfa-duo-two-factor. Will proceed normally..>
2015-04-13 15:06:41,452 DEBUG [org.jasig.cas.web.flow.TerminateWebSessionListener] - <Terminate web session 178yuenpaz9u4113kkh28kef1l in 2 seconds>
2015-04-13 15:06:41,453 DEBUG [org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - <Added cookie with name [CASTGC] and value [TGT-5-Vivp9dmBEIFogxg6OwVqXysnbe2eYISRHJWZIYfYLFHruzaROB-dev-cas.csun.edu]>
2015-04-13 15:06:41,459 DEBUG [org.jasig.cas.ticket.registry.MemCacheTicketRegistry] - <Updating ticket TGT-5-Vivp9dmBEIFogxg6OwVqXysnbe2eYISRHJWZIYfYLFHruzaROB-dev-cas.csun.edu>
2015-04-13 15:06:41,462 DEBUG [org.jasig.cas.ticket.registry.MemCacheTicketRegistry] - <Adding ticket ST-5-daYsnZj4W1mdcSQ6EOjE-dev-cas.csun.edu>
2015-04-13 15:06:41,468 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-5-daYsnZj4W1mdcSQ6EOjE-dev-cas.csun.edu] for service [https://dev-mynorthridge.csun.calstate.edu/psp/PANRTRS/?cmd=login&languageCd=ENG] for user [ml71834]>
2015-04-13 15:06:41,473 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: ml71834
WHAT: ST-5-daYsnZj4W1mdcSQ6EOjE-dev-cas.csun.edu for https://dev-mynorthridge.csun.calstate.edu/psp/PANRTRS/?cmd=login&languageCd=ENG
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Mon Apr 13 15:06:41 PDT 2015
CLIENT IP ADDRESS: 169.254.20.119
SERVER IP ADDRESS: 169.254.20.119
=============================================================
>
2015-04-13 15:06:41,479 DEBUG [org.jasig.cas.web.flow.TerminateWebSessionListener] - <Terminate web session 178yuenpaz9u4113kkh28kef1l in 2 seconds>
2015-04-13 15:06:41,605 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor generated service for: https://dev-mynorthridge.csun.calstate.edu/psp/PANRTRS/?cmd=login&languageCd=ENG>
2015-04-13 15:06:41,611 DEBUG [org.jasig.cas.ticket.registry.MemCacheTicketRegistry] - <Updating ticket ST-5-daYsnZj4W1mdcSQ6EOjE-dev-cas.csun.edu>
2015-04-13 15:06:41,618 DEBUG [net.unicon.cas.mfa.MultiFactorAwareCentralAuthenticationService] - <Principal id to return for service [generic https service] is [ml71834]. The default principal id is [ml71834].>
2015-04-13 15:06:41,622 DEBUG [net.unicon.cas.mfa.web.MultiFactorServiceValidateController] - <Successfully validated service ticket: ST-5-daYsnZj4W1mdcSQ6EOjE-dev-cas.csun.edu>

> Let me make sure I have understood your question first. You have configured duo with CAS-MFA and now want to trigger mfa based on an ldap attribute?
> If that is so, have you configured the ldap attribute in the cas.properties file? Could you attach DEBUG logs that would show what CAS is doing when it retrieves and compares that attribute value? Is the attribute configured to be retrieved from your source?

From: Lazar, Michael E [mailto:[email protected]]
Sent: Monday, April 13, 2015 11:10 AM
To: [email protected]
Subject: Re:[cas-user] MFA option based on ldap attribute?
The services snippet looks like this, pretty close to the default:

{
  "services": [
    {
      "id": 1,
      "serviceId": "^(https?|imaps?)://.*",
      "name": "generic https service",
      "description": "Generic https service",
      "extraAttributes": {
        "authn_method": "duo-two-factor"
      }
    }
  ]
}

For now, I am only working with the single mfa provider. I was intentionally breaking the serviceId (I removed a t in order to break the regex) to see if the system would fall back to single-factor authentication: having no service ID to match to. The MFA seems to bind to the service at the login-ticket phase, and without any service configured it perhaps has nothing to bind to. I have looked in my config for id="principalAttributeMfaRequestResolver" and can't seem to find it. Is there something I'm missing in my configuration files? I'm using a recent clone of the repository, just pulled from master to be sure.

Subject: Re: MFA option based on ldap attribute?
From: Dmitriy Kopylenko <[email protected]>
Date: Sat, 11 Apr 2015 03:36:01 -0400
X-Message-Number: 2

That's exactly how it works - the first leg of authentication transaction happens (primary authentication), then a requirement for the second factor is computed from the resolved principal attribute. In your case it looks like the service authorization step fails to match the configured url with the actual service url provided, before even the mfa machinery kicks in. Could you please post your configured registered service snippet along with the actual service url that you are passing in?

Cheers,
D.

Sent from my iPhone

> On Apr 10, 2015, at 17:01, Lazar, Michael E <[email protected]> wrote:
>
> Hello,
>
> I have read this section, configured an attribute in the properties file and am trying to get this logic to fire. What I tried to do is change the servicesRegistry.conf and made the regular expression not match (https/imaps).
> However now when I give cas my URL with service attribute, cas sends me to the "Application Not Authorized to use CAS" error view.
>
> My current list of authn-methods only includes one method for MFA we are using, and when I add that authn_method attribute to the URL I get a login prompt (so: working).
>
> Is there another method I need to add to configuration in order for CAS to treat the login as a single-factor one (at least until this attribute is queried for)?
>
> I would need the principal from the first-factor login to get ldap attributes from and make the decision to require multi factor authentication.
>
> Thanks again,
> -Michael.
>
> > Subject: Re: MFA option based on ldap attribute?
> > From: Dmitriy Kopylenko <[email protected]>
> > Date: Thu, 09 Apr 2015 16:55:48 -0400
> > X-Message-Number: 4
> >
> > Please see "Authentication Methods via Principal Attributes" section.
> >
> > Best,
> > D.
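Editor's added example, not code from the thread or from the CAS-MFA project: a small parser for DEBUG lines in the shape Michael quoted, which reports which leg of the chain decided the outcome. The lines in the session above show the principal resolver asking LDAP for `attributes=[uid]` only and an empty `Attribute map for ml71834: {}`, so `csunAffiliation` can never be compared and the registered service's `authn_method` wins; the sample below is a constructed excerpt with the service URL replaced, and `configured_attribute` stands for the `mfa.method.userAttribute` value from cas.properties.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed excerpt in the shape of the DEBUG lines quoted in the thread
# (loggers shortened to class names, service URL replaced with a placeholder).
SAMPLE_LOG = """\
15:05:09,948 DEBUG [RegisteredServiceAttributeMultiFactorAuthenticationArgumentExtractor] - <Created multifactor authentication service instance for [https://app.example.test/login] with [authn_method] as [duo-two-factor] and authentication method definition source [REGISTERED_SERVICE_DEFINITION].>
15:05:09,949 DEBUG [RequestParameterMultiFactorAuthenticationArgumentExtractor] - <Request has no request parameter [authn_method]. Delegating to the next argument extractor in the chain...>
15:06:03,631 DEBUG [CredentialsToLDAPAttributePrincipalResolver] - <returning searchcontrols: scope=2; search base=ou=People,ou=Auth,o=csun; attributes=[uid]; timeout=1000>
15:06:03,707 DEBUG [AuthenticationManagerImpl] - <Attribute map for ml71834: {}>
15:06:03,707 DEBUG [PrincipalAttributeMultiFactorAuthenticationRequestResolver] - <No multifactor authentication requests could be resolved based on [csunAffiliation]>
15:06:03,707 DEBUG [InitiatingMultiFactorAuthenticationViaFormAction] - <Resolved 0 multifactor authentication requests>
15:06:03,708 DEBUG [ServiceAuthenticationMethodMultiFactorAuthenticationSpringWebflowEventBuilder] - <Resulting event id is [mfa-duo-two-factor]. Locating transitions in the context for that event id...>
"""

# Patterns (my own names) for the messages that matter to the MFA decision.
PATTERNS = {
    "service": re.compile(r"with \[authn_method\] as \[([^\]]+)\] and authentication "
                          r"method definition source \[([^\]]+)\]"),
    "no_param": re.compile(r"Request has no request parameter \[authn_method\]"),
    "search": re.compile(r"returning searchcontrols: .*attributes=\[([^\]]*)\]"),
    "attr_map": re.compile(r"Attribute map for (\S+): \{(.*)\}>"),
    "count": re.compile(r"Resolved (\d+) multifactor authentication requests"),
    "event": re.compile(r"Resulting event id is \[([^\]]+)\]"),
}


@dataclass
class MfaTrace:
    service_method: Optional[str] = None        # authn_method taken from the service registry
    method_source: Optional[str] = None         # e.g. REGISTERED_SERVICE_DEFINITION
    request_param_present: Optional[bool] = None
    ldap_attributes: List[str] = field(default_factory=list)   # what the resolver asked LDAP for
    principal_attributes: Dict[str, str] = field(default_factory=dict)
    attribute_requests: Optional[int] = None    # requests the attribute-based resolver produced
    event_id: Optional[str] = None              # webflow event the event builder chose


def parse_log(text: str) -> MfaTrace:
    """Pull the MFA-relevant facts out of a CAS DEBUG log excerpt."""
    t = MfaTrace()
    for line in text.splitlines():
        if m := PATTERNS["service"].search(line):
            t.service_method, t.method_source = m.group(1), m.group(2)
        elif PATTERNS["no_param"].search(line):
            t.request_param_present = False
        elif m := PATTERNS["search"].search(line):
            t.ldap_attributes = [a.strip() for a in m.group(1).split(",") if a.strip()]
        elif m := PATTERNS["attr_map"].search(line):
            # body is empty or looks like "csunAffiliation=[staff], mail=[x]"
            t.principal_attributes = dict(re.findall(r"(\w+)=\[([^\]]*)\]", m.group(2)))
        elif m := PATTERNS["count"].search(line):
            t.attribute_requests = int(m.group(1))
        elif m := PATTERNS["event"].search(line):
            t.event_id = m.group(1)
    return t


def observed_outcome(t: MfaTrace) -> str:
    """Which leg of the chain decided the outcome, as recorded in the log."""
    if not t.event_id or not t.event_id.startswith("mfa-"):
        return "SINGLE_FACTOR"
    if t.attribute_requests:
        return "MFA_FROM_PRINCIPAL_ATTRIBUTE"
    return "MFA_FROM_REGISTERED_SERVICE"


def diagnose(t: MfaTrace, configured_attribute: str) -> List[str]:
    """Explain why an attribute-driven trigger could not have fired (empty list if it could)."""
    findings = []
    if configured_attribute not in t.ldap_attributes:
        findings.append(f"{configured_attribute} is not among the attributes the principal "
                        f"resolver requests from LDAP {t.ldap_attributes}")
    if configured_attribute not in t.principal_attributes:
        findings.append(f"resolved principal carries no {configured_attribute} value "
                        f"(attribute map: {t.principal_attributes})")
    if t.attribute_requests == 0 and observed_outcome(t) == "MFA_FROM_REGISTERED_SERVICE":
        findings.append(f"attribute resolver produced 0 requests; authn_method={t.service_method} "
                        f"from {t.method_source} sent the flow to {t.event_id}")
    return findings


if __name__ == "__main__":
    trace = parse_log(SAMPLE_LOG)
    print(observed_outcome(trace))
    for finding in diagnose(trace, "csunAffiliation"):
        print("-", finding)
```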
