Yes, the attribute value should match the expected authn method. (This can be a different thing and you can put in configuration to translate that value to something that CAS understands, but let's keep things simple for now.)

Based on your configuration, single factor would never be invoked. There are 3 ways to configure an MFA flow: by request, by service, by attribute. You have configured the last two, and so, since by attribute does not amount to anything (because of a value mismatch), you're only left with the by-service option, which kicks in the duo flow, because your service registry pretty much says all http/https applications are required to go through MFA with DUO, which is what the code does. The MFA trigger is computed based on the 3 options above, and whoever "wins" is going to dictate what's going to happen to the rest of the flow. In your case, "by service" wins.

If you want to ONLY enforce the MFA flow based on a user attribute, configure the attribute (as you have) and set up its value. Then modify your service registry to not catch every application, but the one you have in mind, and remove its requirement for duo with the authn_method attribute.

Now the error flow you encounter is something I am not sure I fully understand. You get an error that says app is not authorized to CAS? Adjust the service id to match your service exactly (and don't make it match everything if you want to implement the above option, which isn't really a recommended approach anyway :) )

HTH.

From: Lazar, Michael E [mailto:[email protected]]
Sent: Monday, April 13, 2015 3:20 PM
To: [email protected]
Subject: Re:[cas-user] MFA option based on ldap attribute?

In short, yes. You have my question correct. I have MFA configured with Duo, but I want to trigger MFA based on the presence of an ldap attribute. We have placed this attribute in the cas.properties file under mfa.method.userAttribute=csunAffiliation (so csunAffiliation is the attribute I'm looking for). I'm still not sure what the expected value of this attribute is; is it the particular authn_method to use (so in our case the value would be duo-two-factor)?
I do see the value being queried for, but in this case the value comes back without a matching service and the logic falls through to matching the service parameter and sending me to MFA auth. I would have hoped that since the attribute does not match anything, CAS would fall through to single-factor authentication, even if the service is configured. Since when the service goes unconfigured, I don't seem to get a login screen: I get the error flow instead. This service parameter is used for both single and two-factor login, and the way this feels to run, every user that comes through with a matching service attribute will then be sent to multi-factor authentication.

Here are the debug logs on a session, thanks again.

-Michael.

<login ticket obtained>
2015-04-13 15:05:09,948 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor generated service for: https://dev-mynorthridge.csun.calstate.edu/psp/PANRTRS/?cmd=login&languageCd=ENG>
2015-04-13 15:05:09,948 DEBUG [net.unicon.cas.mfa.web.support.RegisteredServiceAttributeMultiFactorAuthenticationArgumentExtractor] - <[org.jasig.cas.web.support.CasArgumentExtractor@155788fa] intercepted the request successfully for multifactor authentication>
2015-04-13 15:05:09,948 DEBUG [net.unicon.cas.mfa.web.support.RegisteredServiceAttributeMultiFactorAuthenticationArgumentExtractor] - <Attempting to extract multifactor authentication method from registered service attribute...>
2015-04-13 15:05:09,948 DEBUG [net.unicon.cas.mfa.web.support.RegisteredServiceAttributeMultiFactorAuthenticationArgumentExtractor] - <Created multifactor authentication service instance for [https://dev-mynorthridge.csun.calstate.edu/psp/PANRTRS/?cmd=login&languageCd=ENG] with [authn_method] as [duo-two-factor] and authentication method definition source [REGISTERED_SERVICE_DEFINITION].>
2015-04-13 15:05:09,948 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor generated service for: https://dev-mynorthridge.csun.calstate.edu/psp/PANRTRS/?cmd=login&languageCd=ENG>
2015-04-13 15:05:09,948 DEBUG [net.unicon.cas.mfa.web.support.RequestParameterMultiFactorAuthenticationArgumentExtractor] - <[org.jasig.cas.web.support.CasArgumentExtractor@155788fa] intercepted the request successfully for multifactor authentication>
2015-04-13 15:05:09,948 DEBUG [net.unicon.cas.mfa.web.support.RequestParameterMultiFactorAuthenticationArgumentExtractor] - <Attempting to extract multifactor authentication parameters from the request>
2015-04-13 15:05:09,949 DEBUG [net.unicon.cas.mfa.web.support.RequestParameterMultiFactorAuthenticationArgumentExtractor] - <Request has no request parameter [authn_method]. Delegating to the next argument extractor in the chain...>
2015-04-13 15:05:09,949 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor generated service for: https://dev-mynorthridge.csun.calstate.edu/psp/PANRTRS/?cmd=login&languageCd=ENG>
2015-04-13 15:05:09,949 DEBUG [org.jasig.cas.web.flow.InitialFlowSetupAction] - <Placing service in FlowScope: https://dev-mynorthridge.csun.calstate.edu/psp/PANRTRS/?cmd=login&languageCd=ENG>
2015-04-13 15:05:09,950 DEBUG [org.jasig.cas.web.flow.GenerateLoginTicketAction] - <Generated login ticket LT-16-VnKqsp6fliMPc27HvhcJBWmxs6rYxg>

<Sign in>
2015-04-13 15:06:03,429 DEBUG [org.jasig.cas.web.flow.PasswordPolicyEnforcementAction] - <Checking account status for password...>
2015-04-13 15:06:03,429 DEBUG [org.jasig.cas.web.flow.PasswordPolicyEnforcementAction] - <Retrieving number of days to password expiration date for user ml71834>
2015-04-13 15:06:03,429 DEBUG [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] - <Starting search with searchFilter: (|(uid=ml71834)(mailLocalAddress=[email protected])([email protected])(mailLocalAddress=ml71834)([email protected])([email protected])(mail=ml71834)(mailroutingaddress=[email protected])(mailroutingaddress=ml71834)(employeeNumber=ml71834))>
2015-04-13 15:06:03,429 DEBUG [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] - <Returning attributes shadowLastChange:shadowWarning:shadowMax::csunEduPersonFlag>
2015-04-13 15:06:03,535 DEBUG [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] - <Recalculated epochdays shadowLastChange attribute to 2015-06-14T00:00:00.000Z>
2015-04-13 15:06:03,535 DEBUG [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] - <Retrieved date value 2015-06-14T00:00:00.000Z for date attribute shadowLastChange and added 90 days. The final expiration date is 2015-09-12T00:00:00.000Z>
2015-04-13 15:06:03,535 DEBUG [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] - <Calculating number of days left to the expiration date for user ml71834>
2015-04-13 15:06:03,535 INFO [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] - <Current date is 2015-04-13T22:06:03.535Z>
2015-04-13 15:06:03,536 INFO [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] - <Expiration date is 2015-09-12T00:00:00.000Z>
2015-04-13 15:06:03,536 INFO [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] - <Warning period begins on 2015-09-02T00:00:00.000Z>
2015-04-13 15:06:03,536 INFO [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] - <Password is not expiring. 151 days left to the warning>
2015-04-13 15:06:03,536 DEBUG [org.jasig.cas.web.flow.PasswordPolicyEnforcementAction] - <Password for ml71834 is not expiring>
2015-04-13 15:06:03,536 DEBUG [org.jasig.cas.web.flow.PasswordPolicyEnforcementAction] - <Switching to flow event id success for user ml71834>
2015-04-13 15:06:03,618 DEBUG [org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler] - <Performing LDAP bind with credential: uid=ml71834,ou=people,ou=auth,o=CSUN>
2015-04-13 15:06:03,629 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler successfully authenticated [username: ml71834]>
2015-04-13 15:06:03,630 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - <Attempting to resolve a principal...>
2015-04-13 15:06:03,630 DEBUG [org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver] - <Attempting to resolve a principal...>
2015-04-13 15:06:03,630 DEBUG [org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver] - <Creating SimplePrincipal for [ml71834]>
2015-04-13 15:06:03,631 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - <Resolved ml71834. Trying LDAP resolve now...>
2015-04-13 15:06:03,631 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - <LDAP search with filter "(|(uid=ml71834)(mailLocalAddress=[email protected])([email protected])(mailLocalAddress=ml71834)([email protected])([email protected])(mail=ml71834)(mailroutingaddress=[email protected])(mailroutingaddress=ml71834)(employeeNumber=ml71834))">
2015-04-13 15:06:03,631 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - <returning searchcontrols: scope=2; search base=ou=People,ou=Auth,o=csun; attributes=[uid]; timeout=1000>
2015-04-13 15:06:03,705 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - <Resolved ml71834 to ml71834>
2015-04-13 15:06:03,706 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - <Creating SimplePrincipal for [ml71834]>
2015-04-13 15:06:03,706 DEBUG [net.unicon.cas.addons.persondir.JsonBackedComplexStubPersonAttributeDao] - <Created seed map='{username=[ml71834]}' for uid='ml71834'>
2015-04-13 15:06:03,706 DEBUG [net.unicon.cas.addons.persondir.JsonBackedComplexStubPersonAttributeDao] - <Adding attribute 'username' with value '[ml71834]' to query builder 'null'>
2015-04-13 15:06:03,706 DEBUG [net.unicon.cas.addons.persondir.JsonBackedComplexStubPersonAttributeDao] - <Generated query builder 'ml71834' from query Map {username=[ml71834]}.>
2015-04-13 15:06:03,706 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <Resolved principal ml71834>
2015-04-13 15:06:03,707 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler@700bf23d authenticated ml71834 with credential [username: ml71834].>
2015-04-13 15:06:03,707 DEBUG [org.jasig.cas.authentication.AuthenticationManagerImpl] - <Attribute map for ml71834: {}>
2015-04-13 15:06:03,707 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: [username: ml71834]
WHAT: supplied credentials: [username: ml71834]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Mon Apr 13 15:06:03 PDT 2015
CLIENT IP ADDRESS: 169.254.20.119
SERVER IP ADDRESS: 169.254.20.119
=============================================================
>
2015-04-13 15:06:03,707 DEBUG [net.unicon.cas.mfa.authentication.principal.PrincipalAttributeMultiFactorAuthenticationRequestResolver] - <No multifactor authentication requests could be resolved based on [csunAffiliation]>
2015-04-13 15:06:03,707 DEBUG [net.unicon.cas.mfa.web.flow.InitiatingMultiFactorAuthenticationViaFormAction] - <Resolved 0 multifactor authentication requests>
2015-04-13 15:06:03,707 DEBUG [net.unicon.cas.mfa.web.flow.InitiatingMultiFactorAuthenticationViaFormAction] - <No multifactor authentication requests could be resolved.>
2015-04-13 15:06:03,708 DEBUG [net.unicon.cas.mfa.web.flow.event.ServiceAuthenticationMethodMultiFactorAuthenticationSpringWebflowEventBuilder] - <Attempting to build an event based on the authentication method [duo-two-factor] and service [https://dev-mynorthridge.csun.calstate.edu/psp/PANRTRS/?cmd=login&languageCd=ENG]>
2015-04-13 15:06:03,708 DEBUG [net.unicon.cas.mfa.web.flow.event.ServiceAuthenticationMethodMultiFactorAuthenticationSpringWebflowEventBuilder] - <Resulting event id is [mfa-duo-two-factor]. Locating transitions in the context for that event id...>
2015-04-13 15:06:03,720 DEBUG [net.unicon.cas.mfa.web.flow.event.ServiceAuthenticationMethodMultiFactorAuthenticationSpringWebflowEventBuilder] - <Found matching transition [mfa-duo-two-factor] with target [mfa-duo-two-factor] for event mfa-duo-two-factor. Will proceed normally..>
2015-04-13 15:06:03,720 DEBUG [net.unicon.cas.mfa.web.flow.GenerateMultiFactorCredentialsAction] - <Authentication has entered the flow [login] executing state [mfa-duo-two-factor>
2015-04-13 15:06:03,720 DEBUG [net.unicon.cas.mfa.web.flow.GenerateMultiFactorCredentialsAction] - <Retrieved authentication context. Building multifactor credentials...>
2015-04-13 15:06:03,720 DEBUG [net.unicon.cas.mfa.web.flow.GenerateMultiFactorCredentialsAction] - <Attempting to collect multifactor credentials from the context...>
2015-04-13 15:06:03,721 DEBUG [net.unicon.cas.mfa.web.flow.GenerateMultiFactorCredentialsAction] - <Context is missing multifactor credentials. Initializing a new instance...>
2015-04-13 15:06:03,721 DEBUG [net.unicon.cas.mfa.web.flow.GenerateMultiFactorCredentialsAction] - <Added authentication to the chain>
2015-04-13 15:06:03,721 DEBUG [net.unicon.cas.mfa.web.flow.GenerateMultiFactorCredentialsAction] - <Added credentials to the chain by id [ml71834]>
2015-04-13 15:06:03,721 DEBUG [net.unicon.cas.mfa.web.flow.GenerateMultiFactorCredentialsAction] - <Added multifactor credentials to the request context.>
2015-04-13 15:06:03,722 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor generated service for: https://dev-mynorthridge.csun.calstate.edu/psp/PANRTRS/?cmd=login&languageCd=ENG>
2015-04-13 15:06:03,722 DEBUG [net.unicon.cas.mfa.web.support.RegisteredServiceAttributeMultiFactorAuthenticationArgumentExtractor] - <[org.jasig.cas.web.support.CasArgumentExtractor@155788fa] intercepted the request successfully for multifactor authentication>
2015-04-13 15:06:03,722 DEBUG [net.unicon.cas.mfa.web.support.RegisteredServiceAttributeMultiFactorAuthenticationArgumentExtractor] - <Attempting to extract multifactor authentication method from registered service attribute...>
2015-04-13 15:06:03,722 DEBUG [net.unicon.cas.mfa.web.support.RegisteredServiceAttributeMultiFactorAuthenticationArgumentExtractor] - <Created multifactor authentication service instance for [https://dev-mynorthridge.csun.calstate.edu/psp/PANRTRS/?cmd=login&languageCd=ENG] with [authn_method] as [duo-two-factor] and authentication method definition source [REGISTERED_SERVICE_DEFINITION].>
2015-04-13 15:06:03,723 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor generated service for: https://dev-mynorthridge.csun.calstate.edu/psp/PANRTRS/?cmd=login&languageCd=ENG>
2015-04-13 15:06:03,723 DEBUG [net.unicon.cas.mfa.web.support.RequestParameterMultiFactorAuthenticationArgumentExtractor] - <[org.jasig.cas.web.support.CasArgumentExtractor@155788fa] intercepted the request successfully for multifactor authentication>
2015-04-13 15:06:03,723 DEBUG [net.unicon.cas.mfa.web.support.RequestParameterMultiFactorAuthenticationArgumentExtractor] - <Attempting to extract multifactor authentication parameters from the request>
2015-04-13 15:06:03,723 DEBUG [net.unicon.cas.mfa.web.support.RequestParameterMultiFactorAuthenticationArgumentExtractor] - <Request has no request parameter [authn_method]. Delegating to the next argument extractor in the chain...>
2015-04-13 15:06:03,723 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor generated service for: https://dev-mynorthridge.csun.calstate.edu/psp/PANRTRS/?cmd=login&languageCd=ENG>
2015-04-13 15:06:03,723 DEBUG [org.jasig.cas.web.flow.InitialFlowSetupAction] - <Placing service in FlowScope: https://dev-mynorthridge.csun.calstate.edu/psp/PANRTRS/?cmd=login&languageCd=ENG>
2015-04-13 15:06:03,724 DEBUG [org.jasig.cas.web.flow.GenerateLoginTicketAction] - <Generated login ticket LT-17-cMNVMU5Su7Cj3ZS5TiKJL1cyOybsra>
2015-04-13 15:06:03,744 DEBUG [com.duosecurity.DuoWeb] - <username 'ml71834'>
2015-04-13 15:06:03,745 DEBUG [com.duosecurity.DuoWeb] - <The generated signed request: 'TX|bWw3MTgzNHxESTVXSzFBR1lKVkFTOEJUR1JRTnwxNDI4OTYzMDYz|3e21ca613a28fef874c39f99ccdad6c45691fa93:APP|bWw3MTgzNHxESTVXSzFBR1lKVkFTOEJUR1JRTnwxNDI4OTY2MzYz|7097770612d7df4750c9750925744e0ea1060a99'>

<After MFA Auth>
2015-04-13 15:06:41,388 DEBUG [net.unicon.cas.mfa.authentication.duo.DuoAuthenticationService] - <Calling DuoWeb.verifyResponse with signed request token 'AUTH|bWw3MTgzNHxESTVXSzFBR1lKVkFTOEJUR1JRTnwxNDI4OTYyODYw|71a24797987e1a56351786c3dda57358097b53d5:APP|bWw3MTgzNHxESTVXSzFBR1lKVkFTOEJUR1JRTnwxNDI4OTY2MzYz|7097770612d7df4750c9750925744e0ea1060a99'>
2015-04-13 15:06:41,388 DEBUG [com.duosecurity.DuoWeb] - <Verifying sig_response: 'AUTH|bWw3MTgzNHxESTVXSzFBR1lKVkFTOEJUR1JRTnwxNDI4OTYyODYw|71a24797987e1a56351786c3dda57358097b53d5:APP|bWw3MTgzNHxESTVXSzFBR1lKVkFTOEJUR1JRTnwxNDI4OTY2MzYz|7097770612d7df4750c9750925744e0ea1060a99'>
2015-04-13 15:06:41,388 DEBUG [net.unicon.cas.mfa.authentication.duo.DuoAuthenticationHandler] - <Response from Duo verify: [ml71834]>
2015-04-13 15:06:41,388 INFO [net.unicon.cas.mfa.authentication.duo.DuoAuthenticationHandler] - <Successful Duo authentication for [ml71834]>
2015-04-13 15:06:41,388 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <net.unicon.cas.mfa.authentication.duo.DuoAuthenticationHandler successfully authenticated [username: ml71834]>
2015-04-13 15:06:41,388 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - <Attempting to resolve a principal...>
2015-04-13 15:06:41,389 DEBUG [org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver] - <Attempting to resolve a principal...>
2015-04-13 15:06:41,389 DEBUG [org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver] - <Creating SimplePrincipal for [ml71834]>
2015-04-13 15:06:41,389 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - <Resolved ml71834. Trying LDAP resolve now...>
2015-04-13 15:06:41,389 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - <LDAP search with filter "(|(uid=ml71834)(mailLocalAddress=[email protected])([email protected])(mailLocalAddress=ml71834)([email protected])([email protected])(mail=ml71834)(mailroutingaddress=[email protected])(mailroutingaddress=ml71834)(employeeNumber=ml71834))">
2015-04-13 15:06:41,389 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - <returning searchcontrols: scope=2; search base=ou=People,ou=Auth,o=csun; attributes=[uid]; timeout=1000>
2015-04-13 15:06:41,444 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - <Resolved ml71834 to ml71834>
2015-04-13 15:06:41,445 DEBUG [org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver] - <Creating SimplePrincipal for [ml71834]>
2015-04-13 15:06:41,445 DEBUG [net.unicon.cas.addons.persondir.JsonBackedComplexStubPersonAttributeDao] - <Created seed map='{username=[ml71834]}' for uid='ml71834'>
2015-04-13 15:06:41,445 DEBUG [net.unicon.cas.addons.persondir.JsonBackedComplexStubPersonAttributeDao] - <Adding attribute 'username' with value '[ml71834]' to query builder 'null'>
2015-04-13 15:06:41,445 DEBUG [net.unicon.cas.addons.persondir.JsonBackedComplexStubPersonAttributeDao] - <Generated query builder 'ml71834' from query Map {username=[ml71834]}.>
2015-04-13 15:06:41,445 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <Resolved principal ml71834>
2015-04-13 15:06:41,445 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <net.unicon.cas.mfa.authentication.duo.DuoAuthenticationHandler@75ab3aeb authenticated ml71834 with credential [username: ml71834].>
2015-04-13 15:06:41,445 DEBUG [org.jasig.cas.authentication.AuthenticationManagerImpl] - <Attribute map for ml71834: {}>
2015-04-13 15:06:41,445 DEBUG [net.unicon.cas.mfa.authentication.RememberAuthenticationMethodMetaDataPopulator] - <Captured authentication method [duo-two-factor] into the authentation context>
2015-04-13 15:06:41,445 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: [username: ml71834]
WHAT: supplied credentials: [username: ml71834]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Mon Apr 13 15:06:41 PDT 2015
CLIENT IP ADDRESS: 169.254.20.119
SERVER IP ADDRESS: 169.254.20.119
=============================================================
>
2015-04-13 15:06:41,446 DEBUG [org.jasig.cas.ticket.registry.MemCacheTicketRegistry] - <Adding ticket TGT-5-Vivp9dmBEIFogxg6OwVqXysnbe2eYISRHJWZIYfYLFHruzaROB-dev-cas.csun.edu>
2015-04-13 15:06:41,451 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: net.unicon.cas.mfa.authentication.principal.MultiFactorCredentials@22972900
WHAT: TGT-5-Vivp9dmBEIFogxg6OwVqXysnbe2eYISRHJWZIYfYLFHruzaROB-dev-cas.csun.edu
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Mon Apr 13 15:06:41 PDT 2015
CLIENT IP ADDRESS: 169.254.20.119
SERVER IP ADDRESS: 169.254.20.119
=============================================================
>
2015-04-13 15:06:41,451 DEBUG [net.unicon.cas.mfa.web.flow.event.ServiceAuthenticationMethodMultiFactorAuthenticationSpringWebflowEventBuilder] - <Attempting to build an event based on the authentication method [duo-two-factor] and service [https://dev-mynorthridge.csun.calstate.edu/psp/PANRTRS/?cmd=login&languageCd=ENG]>
2015-04-13 15:06:41,452 DEBUG [net.unicon.cas.mfa.web.flow.event.ServiceAuthenticationMethodMultiFactorAuthenticationSpringWebflowEventBuilder] - <Resulting event id is [mfa-duo-two-factor]. Locating transitions in the context for that event id...>
2015-04-13 15:06:41,452 DEBUG [net.unicon.cas.mfa.web.flow.event.ServiceAuthenticationMethodMultiFactorAuthenticationSpringWebflowEventBuilder] - <Found matching transition [mfa-duo-two-factor] with target [mfaSuccess] for event mfa-duo-two-factor. Will proceed normally..>
2015-04-13 15:06:41,452 DEBUG [org.jasig.cas.web.flow.TerminateWebSessionListener] - <Terminate web session 178yuenpaz9u4113kkh28kef1l in 2 seconds>
2015-04-13 15:06:41,453 DEBUG [org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - <Added cookie with name [CASTGC] and value [TGT-5-Vivp9dmBEIFogxg6OwVqXysnbe2eYISRHJWZIYfYLFHruzaROB-dev-cas.csun.edu]>
2015-04-13 15:06:41,459 DEBUG [org.jasig.cas.ticket.registry.MemCacheTicketRegistry] - <Updating ticket TGT-5-Vivp9dmBEIFogxg6OwVqXysnbe2eYISRHJWZIYfYLFHruzaROB-dev-cas.csun.edu>
2015-04-13 15:06:41,462 DEBUG [org.jasig.cas.ticket.registry.MemCacheTicketRegistry] - <Adding ticket ST-5-daYsnZj4W1mdcSQ6EOjE-dev-cas.csun.edu>
2015-04-13 15:06:41,468 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-5-daYsnZj4W1mdcSQ6EOjE-dev-cas.csun.edu] for service [https://dev-mynorthridge.csun.calstate.edu/psp/PANRTRS/?cmd=login&languageCd=ENG] for user [ml71834]>
2015-04-13 15:06:41,473 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: ml71834
WHAT: ST-5-daYsnZj4W1mdcSQ6EOjE-dev-cas.csun.edu for https://dev-mynorthridge.csun.calstate.edu/psp/PANRTRS/?cmd=login&languageCd=ENG
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Mon Apr 13 15:06:41 PDT 2015
CLIENT IP ADDRESS: 169.254.20.119
SERVER IP ADDRESS: 169.254.20.119
=============================================================
>
2015-04-13 15:06:41,479 DEBUG [org.jasig.cas.web.flow.TerminateWebSessionListener] - <Terminate web session 178yuenpaz9u4113kkh28kef1l in 2 seconds>
2015-04-13 15:06:41,605 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor generated service for: https://dev-mynorthridge.csun.calstate.edu/psp/PANRTRS/?cmd=login&languageCd=ENG>
2015-04-13 15:06:41,611 DEBUG [org.jasig.cas.ticket.registry.MemCacheTicketRegistry] - <Updating ticket ST-5-daYsnZj4W1mdcSQ6EOjE-dev-cas.csun.edu>
2015-04-13 15:06:41,618 DEBUG [net.unicon.cas.mfa.MultiFactorAwareCentralAuthenticationService] - <Principal id to return for service [generic https service] is [ml71834]. The default principal id is [ml71834].>
2015-04-13 15:06:41,622 DEBUG [net.unicon.cas.mfa.web.MultiFactorServiceValidateController] - <Successfully validated service ticket: ST-5-daYsnZj4W1mdcSQ6EOjE-dev-cas.csun.edu>

>Let me make sure I have understood your question first. You have configured duo with CAS-MFA and now want to trigger mfa based on an ldap attribute?
>If that is so, have you configured the ldap attribute in the cas.properties file? Could you attach DEBUG logs that would show what CAS is doing when it retrieves and compares that attribute value? Is the attribute configured to be retrieved from your source?

From: Lazar, Michael E [mailto:[email protected]]
Sent: Monday, April 13, 2015 11:10 AM
To: [email protected]
Subject: Re:[cas-user] MFA option based on ldap attribute?

The services snippet looks like this, pretty close to the default:

    {
      "services": [
        {
          "id": 1,
          "serviceId": "^(https?|imaps?)://.*",
          "name": "generic https service",
          "description": "Generic https service",
          "extraAttributes": {
            "authn_method": "duo-two-factor"
          }
        }
      ]
    }

For now, I am only working with the single mfa provider. I was intentionally breaking the serviceId (I removed a t in order to break the regex) to see if the system would fall back to single-factor authentication: having no service ID to match to.
The MFA seems to bind to the service at the login-ticket phase, and without any service configured it perhaps has nothing to bind to. I have looked in my config for id="principalAttributeMfaRequestResolver" and can't seem to find it. Is there something I'm missing in my configuration files? I'm using a recent clone of the repository, just pulled from master to be sure.

Subject: Re: MFA option based on ldap attribute?
From: Dmitriy Kopylenko <[email protected]>
Date: Sat, 11 Apr 2015 03:36:01 -0400
X-Message-Number: 2

That's exactly how it works - the first leg of authentication transaction happens (primary authentication), then a requirement for the second factor is computed from the resolved principal attribute. In your case it looks like the service authorization step fails to match the configured url with the actual service url provided, before even the mfa machinery kicks in. Could you please post your configured registered service snippet along with the actual service url that you are passing in?

Cheers,
D.

Sent from my iPhone

> On Apr 10, 2015, at 17:01, Lazar, Michael E <[email protected]> wrote:
>
> Hello,
>
> I have read this section, configured an attribute in the properties file and am trying to get this logic to fire. What I tried to do is change the servicesRegistry.conf and made the regular expression not match (https/imaps). However now when I give cas my URL with service attribute, cas sends me to the "Application Not Authorized to use CAS" error view.
>
> My current list of authn-methods only includes one method for MFA we are using, and when I add that authn_method attribute to the URL I get a login prompt (so: working).
>
> Is there another method I need to add to configuration in order for CAS to treat the login as a single-factor one (at least until this attribute is queried for)?
>
> I would need the principal from the first-factor login to get ldap attributes from and make the decision to require multi factor authentication.
>
> Thanks again,
> -Michael.
>
> >Subject: Re: MFA option based on ldap attribute?
> >From: Dmitriy Kopylenko <[email protected]>
> >Date: Thu, 09 Apr 2015 16:55:48 -0400
> >X-Message-Number: 4
> >
> >Please see "Authentication Methods via Principal Attributes" section.
> >
> >Best,
> >D.

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
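An added example, not code from CAS or CAS-MFA: a small model of how the three MFA triggers discussed in this thread (by request parameter, by registered service attribute, by principal attribute) combine, replayed against the services JSON Michael posted. The csunAffiliation values, the narrowed and "missing t" serviceId regexes and the ordering of the three checks are assumptions; the thread only establishes that a failed by-attribute match leaves by-service to decide, and that a non-matching serviceId fails service authorization before any MFA logic runs.

```python
import json
import re
from dataclasses import dataclass
from typing import Optional

# The registry snippet exactly as posted in the thread.
SERVICES_JSON_AS_POSTED = """{ "services":[ { "id":1,
  "serviceId":"^(https?|imaps?)://.*", "name":"generic https service",
  "description":"Generic https service",
  "extraAttributes": { "authn_method": "duo-two-factor" } } ] }"""

# Constructed variant of the fix suggested in the reply: register only the
# one application and drop its service-level authn_method requirement.
SERVICES_JSON_NARROWED = r"""{ "services":[ { "id":1,
  "serviceId":"^https://dev-mynorthridge\\.csun\\.calstate\\.edu/psp/.*",
  "name":"PeopleSoft portal", "description":"constructed example",
  "extraAttributes": {} } ] }"""

SERVICE_URL = ("https://dev-mynorthridge.csun.calstate.edu/psp/PANRTRS/"
               "?cmd=login&languageCd=ENG")
USER_ATTRIBUTE = "csunAffiliation"      # mfa.method.userAttribute in the thread
KNOWN_METHODS = {"duo-two-factor"}      # the only authn_method configured


@dataclass
class Decision:
    authn_method: Optional[str]   # None means plain single-factor login
    source: str                   # which trigger won, or why we stopped


def load_registry(services_json: str) -> list:
    return json.loads(services_json)["services"]


def find_registered_service(registry: list, service_url: str) -> Optional[dict]:
    """Service authorization runs before any MFA logic: a serviceId regex that
    matches nothing yields 'Application Not Authorized', not a single-factor
    fallback."""
    for svc in registry:
        if re.match(svc["serviceId"], service_url):
            return svc
    return None


def _first_known(values) -> Optional[str]:
    """Accept a single value or a multi-valued attribute and return the first
    value that names a configured authn method; anything else is ignored."""
    if values is None:
        return None
    if isinstance(values, str):
        values = [values]
    return next((v for v in values if v in KNOWN_METHODS), None)


def resolve_mfa(registry, service_url, principal_attrs, request_params=None):
    request_params = request_params or {}
    svc = find_registered_service(registry, service_url)
    if svc is None:
        return Decision(None, "SERVICE_NOT_AUTHORIZED")
    # 1. By attribute: an empty attribute map (as in the posted logs) or a value
    #    CAS does not recognise "does not amount to anything" and falls through.
    value = _first_known(principal_attrs.get(USER_ATTRIBUTE))
    if value:
        return Decision(value, "PRINCIPAL_ATTRIBUTE")
    # 2. By request: an authn_method parameter on the login URL.
    value = _first_known(request_params.get("authn_method"))
    if value:
        return Decision(value, "REQUEST_PARAMETER")
    # 3. By service: the registered service's extraAttributes.
    value = _first_known(svc.get("extraAttributes", {}).get("authn_method"))
    if value:
        return Decision(value, "REGISTERED_SERVICE_DEFINITION")
    return Decision(None, "SINGLE_FACTOR")


def replay_thread() -> dict:
    """The situations discussed in the thread, each as a Decision."""
    posted = load_registry(SERVICES_JSON_AS_POSTED)
    narrowed = load_registry(SERVICES_JSON_NARROWED)
    broken = load_registry(SERVICES_JSON_AS_POSTED)
    broken[0]["serviceId"] = "^(htps?|imaps?)://.*"   # constructed "missing t"
    return {
        # Logs show 'Attribute map for ml71834: {}' and then the service
        # definition supplying duo-two-factor: by-service wins.
        "as_posted_empty_attrs": resolve_mfa(posted, SERVICE_URL, {}),
        # Breaking the regex: no login form, the error view instead.
        "broken_regex": resolve_mfa(broken, SERVICE_URL, {}),
        # Suggested fix: the attribute carries the method, the service does not.
        "narrowed_attr_set": resolve_mfa(narrowed, SERVICE_URL,
                                         {USER_ATTRIBUTE: ["duo-two-factor"]}),
        "narrowed_attr_other": resolve_mfa(narrowed, SERVICE_URL,
                                           {USER_ATTRIBUTE: "staff"}),
        "narrowed_request_param": resolve_mfa(narrowed, SERVICE_URL, {},
                                              {"authn_method": "duo-two-factor"}),
    }
```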
