I have been working on getting MFA-Duo to trigger only when a user is a 
member of a specific group. I have been able to use the 
"principalAttributeNameTrigger" and the "principalAttributeValueToMatch" to 
match single-value attributes. Is it possible to filter the mfa-duo based 
on a multi-value attribute like this? The following is the service 
definition I have been trying to get working and an example of the 
memberOf attribute output.

Example service:

{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^(http|https)://.*",
  "name" : "HTTP and HTTPS",
  "id" : 100,
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
  },
  "multifactorPolicy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
    "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-duo" ] ],
    "principalAttributeNameTrigger" : "memberOf",
    "principalAttributeValueToMatch" : "CN=Duo Authentication,OU=groups,DC=example,DC=com"
  }
}

Example output of memberOf attribute:

DEBUG [LdapAuthenticationHandler] - <Found principal attribute: [memberOf[CN=Users,OU=groups,DC=example,DC=com, CN=Duo Authentication,OU=groups,DC=example,DC=com, CN=Employee,OU=groups,DC=example,DC=com]


Thanks
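An added illustration, not from the original post and not CAS's own code, of what a per-value match over the multi-valued memberOf attribute above has to do for this policy to trigger mfa-duo. It assumes (an assumption, not something the post confirms) that the configured value is treated as a regular expression and tested against every value of the named attribute; the log line is reconstructed from the post.

```python
import re
from typing import Dict, List, Union

# Constructed from the debug line in the post (not captured from a live CAS instance).
LOG_LINE = ("DEBUG [LdapAuthenticationHandler] - <Found principal attribute: [memberOf["
            "CN=Users,OU=groups,DC=example,DC=com, "
            "CN=Duo Authentication,OU=groups,DC=example,DC=com, "
            "CN=Employee,OU=groups,DC=example,DC=com]")

# Values from the service definition in the post.
POLICY_ATTRIBUTE = "memberOf"
POLICY_VALUE = "CN=Duo Authentication,OU=groups,DC=example,DC=com"


def parse_member_of(line: str) -> List[str]:
    """Extract the memberOf values from the debug line.

    Values are separated by ', ' but every DN itself contains commas, so split
    only on a comma followed by whitespace and a new attribute type (e.g. 'CN=').
    """
    m = re.search(r"memberOf\[(.*)\]", line)
    if not m:
        return []
    return [v.strip() for v in re.split(r",\s+(?=\w+=)", m.group(1))]


def mfa_triggered(attributes: Dict[str, Union[str, List[str]]],
                  name: str, value_to_match: str) -> bool:
    """Assumed semantics: value_to_match is a regex, evaluated against each value
    of the named attribute; any full match triggers the provider.

    fullmatch (not search) is used so a partial DN such as 'CN=Duo Authentication'
    cannot trigger on a different group that merely contains that prefix.
    """
    pattern = re.compile(value_to_match)
    values = attributes.get(name, [])
    if isinstance(values, str):          # single-valued attributes arrive as a plain string
        values = [values]
    return any(pattern.fullmatch(v) for v in values)


def evaluate_post_example() -> bool:
    """Run the post's policy against the post's memberOf values."""
    principal = {POLICY_ATTRIBUTE: parse_member_of(LOG_LINE)}
    return mfa_triggered(principal, POLICY_ATTRIBUTE, POLICY_VALUE)


if __name__ == "__main__":
    print(parse_member_of(LOG_LINE))
    print("mfa-duo triggered:", evaluate_post_example())
```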
