Re: [cas-dev] Re: MFA Duo with v5.0.0RC2 based on group membership.

2016-09-27 Thread Misagh Moayyed
File an issue please. Include all relevant info. 

-- 
Misagh

From: Klint 
Reply: Klint 
Date: September 28, 2016 at 12:12:37 AM
To: CAS Developer 
Subject:  [cas-dev] Re: MFA Duo with v5.0.0RC2 based on group membership.  

I am seeing this same behavior in v5.0.0RC3-SNAPSHOT.


On Wednesday, September 21, 2016 at 9:02:59 AM UTC-6, Klint wrote:
Some more information on the issue:

In the logs it shows what looks like a successful login, but the user is not 
prompted for MFA-Duo when they are a member of the group, and on the client I 
get the following error response from the CAS server.

INVALID_AUTHENTICATION_CONTEXT
The validation request for ST-*** cannot be satisfied. The request 
is either unrecognized or unfulfilled.


Logs:
=
WHO: klintholmes
WHAT: Supplied credentials: [klintholmes]  
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Tue Sep 20 17:50:24 2016  
CLIENT IP ADDRESS: 0.0.0.0  
SERVER IP ADDRESS: 0.0.0.0  
=  
>  


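2016-09-20 17:50:24,206 INFO [Slf4jLoggingAuditTrailManager] -  trail record BEGIN
=
WHO: klintholmes
WHAT: TGT-**vunDf0ZKib-137
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Tue Sep 20 17:50:24 2016
CLIENT IP ADDRESS: 0.0.0.0
SERVER IP ADDRESS: 0.0.0.0
=

>
2016-09-20 17:50:24,239 INFO [CentralAuthenticationServiceImpl] -  ticket [ST-***] for service [https://service] and principal [klintholmes]>
2016-09-20 17:50:24,241 INFO [Slf4jLoggingAuditTrailManager] -  trail record BEGIN
=
WHO: klintholmes
WHAT: ST-** for https://service.
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Tue Sep 20 17:50:24 2016
CLIENT IP ADDRESS: 0.0.0.0
SERVER IP ADDRESS: 0.0.0.0
=

>
2016-09-20 17:50:24,401 INFO [Slf4jLoggingAuditTrailManager] -  trail record BEGIN
=
WHO: klintholmes
WHAT: ST-**
ACTION: SERVICE_TICKET_VALIDATED
APPLICATION: CAS
WHEN: Tue Sep 20 17:50:24 2016
CLIENT IP ADDRESS: 0.0.0.0
SERVER IP ADDRESS: 0.0.0.0
=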

-- 
You received this message because you are subscribed to the Google Groups "CAS 
Developer" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-dev+unsubscr...@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-dev/.


[cas-dev] Re: MFA Duo with v5.0.0RC2 based on group membership.

2016-09-27 Thread Klint
I am seeing this same behavior in v5.0.0RC3-SNAPSHOT.


On Wednesday, September 21, 2016 at 9:02:59 AM UTC-6, Klint wrote:
>
> Some more information on the issue:
>
> In the logs it shows what looks like a successful login, but the user is 
> not prompted for MFA-Duo when they are a member of the group, and on the 
> client I get the following error response from the CAS server.
>
> INVALID_AUTHENTICATION_CONTEXT
> The validation request for ST-*** cannot be satisfied. The 
> request is either unrecognized or unfulfilled.
>
>
> Logs:
> =
> WHO: klintholmes 
> WHAT: Supplied credentials: [klintholmes] 
> ACTION: AUTHENTICATION_SUCCESS 
> APPLICATION: CAS 
> WHEN: Tue Sep 20 17:50:24 2016 
> CLIENT IP ADDRESS: 0.0.0.0 
> SERVER IP ADDRESS: 0.0.0.0 
> = 
> > 
>
>
> 2016-09-20 17:50:24,206 INFO [Slf4jLoggingAuditTrailManager] -  trail record BEGIN 
> = 
> WHO: klintholmes 
> WHAT: TGT-**vunDf0ZKib-137 
> ACTION: TICKET_GRANTING_TICKET_CREATED 
> APPLICATION: CAS 
> WHEN: Tue Sep 20 17:50:24 2016 
> CLIENT IP ADDRESS: 0.0.0.0 
> SERVER IP ADDRESS: 0.0.0.0 
> = 
>
>
> > 
> 2016-09-20 17:50:24,239 INFO [CentralAuthenticationServiceImpl] -  ticket [ST-***] for service [https://service] and principal 
> [klintholmes]> 
> 2016-09-20 17:50:24,241 INFO [Slf4jLoggingAuditTrailManager] -  trail record BEGIN 
> = 
> WHO: klintholmes 
> WHAT: ST-** for https://service. 
> ACTION: SERVICE_TICKET_CREATED 
> APPLICATION: CAS 
> WHEN: Tue Sep 20 17:50:24 2016 
> CLIENT IP ADDRESS: 0.0.0.0 
> SERVER IP ADDRESS: 0.0.0.0 
> = 
>
>
> >
> 2016-09-20 17:50:24,401 INFO [Slf4jLoggingAuditTrailManager] -  trail record BEGIN 
> = 
> WHO: klintholmes 
> WHAT: ST-** 
> ACTION: SERVICE_TICKET_VALIDATED 
> APPLICATION: CAS 
> WHEN: Tue Sep 20 17:50:24 2016 
> CLIENT IP ADDRESS: 0.0.0.0 
> SERVER IP ADDRESS: 0.0.0.0 
> =
>
>
>
> On Tuesday, September 20, 2016 at 4:24:47 PM UTC-6, Klint wrote:
>>
>> I have been working on getting MFA-Duo to trigger only when a user is a 
>> member of a specific group. I have been able to use the 
>> "principalAttributeNameTrigger" and the "principalAttributeValueToMatch" 
>> to match single value attributes. Is it possible to filter the mfa-duo 
>> based on a multi-value attribute like this? The following is the service 
>> definition I have been trying to get working and an example of the 
>> memberOf attribute output.
>>
>> Example service:
>>
>> {
>>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>>   "serviceId" : "^(http|https)://.*",
>>   "name" : "HTTP and HTTPS",
>>   "id" : 100,
>>   "attributeReleasePolicy" : {
>>     "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
>>   },
>>   "multifactorPolicy" : {
>>     "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
>>     "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-duo" ] ],
>>     "principalAttributeNameTrigger" : "memberOf",
>>     "principalAttributeValueToMatch" : "CN=Duo Authentication,OU=groups,DC=example,DC=com"
>>   }
>> }
>>
>> Example output of memberOf attribute:
>>
>> DEBUG [LdapAuthenticationHandler] - > [CN=Users,OU=groups,DC=example,DC=com, CN=Duo Authentication,OU=groups,DC=example,DC=com, CN=Employee,OU=groups,DC=example,DC=com]
>>
>>
>> Thanks
>>
>



[cas-dev] Re: MFA Duo with v5.0.0RC2 based on group membership.

2016-09-21 Thread Klint
Some more information on the issue:

In the logs it shows what looks like a successful login, but the user is 
not prompted for MFA-Duo when they are a member of the group, and on the 
client I get the following error response from the CAS server.

INVALID_AUTHENTICATION_CONTEXT
The validation request for ST-*** cannot be satisfied. The 
request is either unrecognized or unfulfilled.


Logs:
=
WHO: klintholmes 
WHAT: Supplied credentials: [klintholmes] 
ACTION: AUTHENTICATION_SUCCESS 
APPLICATION: CAS 
WHEN: Tue Sep 20 17:50:24 2016 
CLIENT IP ADDRESS: 0.0.0.0 
SERVER IP ADDRESS: 0.0.0.0 
= 
> 


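2016-09-20 17:50:24,206 INFO [Slf4jLoggingAuditTrailManager] -  trail record BEGIN
=
WHO: klintholmes
WHAT: TGT-**vunDf0ZKib-137
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Tue Sep 20 17:50:24 2016
CLIENT IP ADDRESS: 0.0.0.0
SERVER IP ADDRESS: 0.0.0.0
=

>
2016-09-20 17:50:24,239 INFO [CentralAuthenticationServiceImpl] -  ticket [ST-***] for service [https://service] and principal [klintholmes]>
2016-09-20 17:50:24,241 INFO [Slf4jLoggingAuditTrailManager] -  trail record BEGIN
=
WHO: klintholmes
WHAT: ST-** for https://service.
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Tue Sep 20 17:50:24 2016
CLIENT IP ADDRESS: 0.0.0.0
SERVER IP ADDRESS: 0.0.0.0
=

>
2016-09-20 17:50:24,401 INFO [Slf4jLoggingAuditTrailManager] -  trail record BEGIN
=
WHO: klintholmes
WHAT: ST-**
ACTION: SERVICE_TICKET_VALIDATED
APPLICATION: CAS
WHEN: Tue Sep 20 17:50:24 2016
CLIENT IP ADDRESS: 0.0.0.0
SERVER IP ADDRESS: 0.0.0.0
=

On Tuesday, September 20, 2016 at 4:24:47 PM UTC-6, Klint wrote: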
> I have been working on getting MFA-Duo to trigger only when a user is a 
> member of a specific group. I have been able to use the 
> "principalAttributeNameTrigger" and the "principalAttributeValueToMatch" 
> to match single value attributes. Is it possible to filter the mfa-duo 
> based on a multi-value attribute like this? The following is the service 
> definition I have been trying to get working and an example of the 
> memberOf attribute output.
>
> Example service:
>
> {
>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>   "serviceId" : "^(http|https)://.*",
>   "name" : "HTTP and HTTPS",
>   "id" : 100,
>   "attributeReleasePolicy" : {
>     "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
>   },
>   "multifactorPolicy" : {
>     "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
>     "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-duo" ] ],
>     "principalAttributeNameTrigger" : "memberOf",
>     "principalAttributeValueToMatch" : "CN=Duo Authentication,OU=groups,DC=example,DC=com"
>   }
> }
>
> Example output of memberOf attribute:
>
> DEBUG [LdapAuthenticationHandler] -  CN=Users,OU=groups,DC=example,DC=com, CN=Duo Authentication,OU=groups,DC=example,DC=com, CN=Employee,OU=groups,DC=example,DC=com]
>
>
> Thanks
>
