I have been working on getting MFA-Duo to trigger only when a user is a member of a specific group. I have been able to use the " principalAttributeNameTrigger" and the "principalAttributeValueToMatch" to match single value attributes. Is it possible to filter the mfa-duo based on a multi-value attribute like this? The following is the service definition I have been trying to get working and and example of the memberOf attribute output.
Example service: { "@class" : "org.apereo.cas.services.RegexRegisteredService", "serviceId" : "^(http|https)://.*", "name" : "HTTP and HTTPS", "id" : 100, "attributeReleasePolicy" : { "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy" }, "multifactorPolicy" : { "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy", "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-duo" ] ], "principalAttributeNameTrigger" : "memberOf", "principalAttributeValueToMatch" : "CN=Duo Authentication,OU=groups,DC=example,DC=com" } } Example output of memberOf attribute: DEBUG [LdapAuthenticationHandler] - <Found principal attribute: [memberOf[CN =Users,OU=groups,DC=example,DC=com, CN=Duo Authentication,OU=groups,DC= example,DC=com, CN=Employee,OU=groups,DC=example,DC=com] Thanks -- You received this message because you are subscribed to the Google Groups "CAS Developer" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-dev+unsubscr...@apereo.org. Visit this group at https://groups.google.com/a/apereo.org/group/cas-dev/.