Re: [cas-user] MFA REST trigger without service?

2023-01-12 Thread 'Tomi Karlstedt' via CAS Community
Thank you for the reply! I'll try it with those default service parameters.

We offer optional MFA for the users so they can use a more secure way to 
authenticate. If a malicious third-party can bypass MFA simply by not 
providing the service param, it offers no extra protection for the user. 
Even if MFA is optional for users, if you opt-in for it, it should be 
required after that. After reading some more CAS source code, it seems that 
the trigger mechanism does not support this and instead decides that no MFA 
is chosen if the REST request fails and MFA is not mandatory for all users. 
I'll have to see what we can do to prevent this.

Tomi



On Thursday, 12 January 2023 at 19:36:22 UTC+2 Ray Bon wrote:

> Tomi,
>
> If MFA is optional, then it can not be enforced, so the bypass makes sense.
>
> MFA would/should be triggered when the user visits a service (you can add 
> MFA required to the service definition or set it globally, etc.).
>
> You can set a default service that is redirected to after login, 
> https://apereo.github.io/cas/6.6.x/authentication/Configuring-SSO.html
> cas.view.default-redirect-url
>
> There is also this property on the same page,
> cas.sso.allow-missing-service-parameter
>
> Ray
>
> On Thu, 2023-01-12 at 00:38 -0800, 'Tomi Karlstedt' via CAS Community 
> wrote:
>
>
>
> Hi, 
>
> Our implementation uses the CAS login form to log users in and checks 
> username/password from a separate service. We're adding an optional MFA for 
> users and we want to save the chosen MFA provider per user into the same 
> service that handles usernames and passwords.
>
> There's a way to trigger MFA from a REST endpoint (implemented by 
> RestEndpointMultifactorAuthenticationTrigger) which seems to suit us well. 
> However, the current implementation of the REST MFA trigger seems to let 
> users bypass MFA by simply not including the service parameter when logging 
> in. To me this seems like a glaring bug in the implementation.
>
> My question is, can we force the service parameter (server side) or set a 
> default service somehow in the login flow to mitigate this immediately?
>
> Tomi
>
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/0bdc810d-4914-44ee-af7b-7660c4a409b1n%40apereo.org.


[cas-user] webauthn device registration, endpoint security

2023-01-12 Thread Michal Voců

Hi all,
Is there a way to expose the "webAuthnDevices" actuator endpoint without 
interfering with the standard registration flow in CAS server?



We are using CAS server version 6.6.2. When I try to expose webauthn 
actuator endpoints by setting


management.endpoint.webAuthnDevices.enabled=true
management.endpoints.web.exposure.include=webAuthnDevices

and securing them by using

cas.monitor.endpoints.endpoint.webAuthnDevices.access=AUTHENTICATED

with basic Spring Security, the standard device registration flow now 
also requires basic authentication, which is not available to users.


I would not mind using the CAS API for adding a webauthn device, as 
mentioned in the doc page, but I could not find a description of such an API. 
Does it refer to using POST to /cas/actuator/webAuthnDevices/{username}?

If that is the case, what data should be sent to the endpoint?

Best regards,

Michal Vocu



Re: [cas-user] MFA REST trigger without service?

2023-01-12 Thread Ray Bon
Tomi,

If MFA is optional, then it can not be enforced, so the bypass makes sense.

MFA would/should be triggered when the user visits a service (you can add MFA 
required to the service definition or set it globally, etc.).

You can set a default service that is redirected to after login, 
https://apereo.github.io/cas/6.6.x/authentication/Configuring-SSO.html
cas.view.default-redirect-url

There is also this property on the same page,
cas.sso.allow-missing-service-parameter

Ray

On Thu, 2023-01-12 at 00:38 -0800, 'Tomi Karlstedt' via CAS Community wrote:

Hi,

Our implementation uses the CAS login form to log users in and checks 
username/password from a separate service. We're adding an optional MFA for 
users and we want to save the chosen MFA provider per user into the same 
service that handles usernames and passwords.

There's a way to trigger MFA from a REST endpoint (implemented by 
RestEndpointMultifactorAuthenticationTrigger) which seems to suit us well. 
However, the current implementation of the REST MFA trigger seems to let users 
bypass MFA by simply not including the service parameter when logging in. To me 
this seems like a glaring bug in the implementation.

My question is, can we force the service parameter (server side) or set a 
default service somehow in the login flow to mitigate this immediately?

Tomi



[cas-user] Re: service registry with redis

2023-01-12 Thread Freedom K
I have the configs:
cas.serviceRegistry.json.location=classpath:/services
cas.serviceRegistry.initFromJson=true

On Thursday, January 12, 2023 at 4:15:22 PM UTC+2 Freedom K wrote:

> Hi all,
>
> I am using cas 5.2.9 and trying to register the services at initialization 
> from .json files using redis, but it is not working. Is it possible in this 
> cas version?
>
> Thanks
>



[cas-user] service registry with redis

2023-01-12 Thread Freedom K
Hi all,

I am using cas 5.2.9 and trying to register the services at initialization 
from .json files using redis, but it is not working. Is it possible in this 
cas version?

Thanks



[cas-user] MFA REST trigger without service?

2023-01-12 Thread 'Tomi Karlstedt' via CAS Community
Hi,

Our implementation uses the CAS login form to log users in and checks 
username/password from a separate service. We're adding an optional MFA for 
users and we want to save the chosen MFA provider per user into the same 
service that handles usernames and passwords.

There's a way to trigger MFA from a REST endpoint (implemented by 
RestEndpointMultifactorAuthenticationTrigger) which seems to suit us well. 
However, the current implementation of the REST MFA trigger seems to let 
users bypass MFA by simply not including the service parameter when logging 
in. To me this seems like a glaring bug in the implementation.

My question is, can we force the service parameter (server side) or set a 
default service somehow in the login flow to mitigate this immediately?

Tomi

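The trigger behaviour reported in this thread (no service parameter, or a failed REST lookup, silently means "no MFA" for an opted-in user) modelled as an added example beside a fail-closed variant; this is illustrative code, not CAS's own RestEndpointMultifactorAuthenticationTrigger, and the user store, the REST stand-in, the `DENY` sentinel and the default service URL are all constructed assumptions.

```python
# Added example, not CAS code: a toy model of the REST-backed MFA trigger
# behaviour reported in this thread (fail-open when the service parameter
# is missing or the REST lookup fails) beside a fail-closed variant.
from typing import Optional

# Constructed enrolment data standing in for the poster's external
# username/password service that also stores each user's chosen provider.
USER_MFA_PROVIDER = {"alice": "mfa-gauth", "bob": None}

DENY = "DENY"  # sentinel: refuse the login rather than silently skip MFA


class RestUnavailable(Exception):
    """Raised when the (hypothetical) REST lookup endpoint cannot be reached."""


def rest_lookup(username: str, service: str, available: bool = True) -> Optional[str]:
    """Stand-in for the REST call CAS makes: returns a provider id, or None
    when the user has not opted in to MFA."""
    if not available:
        raise RestUnavailable(service)
    return USER_MFA_PROVIDER.get(username)


def trigger_fail_open(username, service, mfa_mandatory=False, available=True):
    """Mirrors the reported behaviour: no service parameter means no lookup,
    and a failed lookup is treated as 'no MFA' unless MFA is globally mandatory."""
    if service is None:
        return "mfa-default" if mfa_mandatory else None
    try:
        return rest_lookup(username, service, available)
    except RestUnavailable:
        return "mfa-default" if mfa_mandatory else None


def trigger_fail_closed(username, service, available=True,
                        default_service="https://sso.example.test/"):
    """Hardened variant: always perform the lookup (substituting a default
    service when the parameter is absent) and deny on lookup failure, so an
    opted-in user is never downgraded to password-only by an omitted
    parameter or an outage of the lookup service."""
    effective_service = service or default_service
    try:
        return rest_lookup(username, effective_service, available)
    except RestUnavailable:
        return DENY
```

Running both variants for an enrolled user with no service parameter shows the difference: the fail-open model returns no provider (MFA skipped), the fail-closed model still resolves the user's provider and denies outright when the lookup is unavailable.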


[cas-user] Re: CAS 6.6.3 No TransactionManager on JPA ticket registry

2023-01-12 Thread Lauri
Hi!
I updated to v6.6.4 but still have the same error.
I have found a workaround by setting: 
cas.ticket.registry.core.enable-locking=false


Gregory G wrote on Tuesday, 3 January 2023 at 06:17:35 UTC+2:

> Hello,
>
> I have the same error, and it seems to be fixed in CAS 6.6.4
>
> For the last 3 days, our testing env starts again, without any modifications
>
> On Thursday, 22 December 2022 at 13:54:15 UTC+1, Lauri wrote:
>
>> Hi!
>> I get an error:
>> "Caused by: 
>> org.springframework.beans.factory.NoUniqueBeanDefinitionException: No 
>> qualifying bean of type 
>> 'org.springframework.transaction.TransactionManager' available: expected 
>> single matching bean but found 4: 
>> ticketTransactionManager,transactionManagerGoogleAuthenticator,transactionManagerEvents,transactionManagerMfaAuthnTrust"
>> when trying to use JPA ticket registry together with Google 
>> Authenticator, Events and MFA authn trust dependencies.
>> I use MySQL5InnoDBDialect in CAS 6.6.3 in external Tomcat 9.
>> It worked in CAS 6.2.
>> When I remove Google Authenticator, Events and MFA authn trust 
>> dependencies, then JPA ticket registry works and no such error is thrown.
>> Is there some configuration value that I should set in order to set the 
>> transaction manager for the JPA ticket registry?
>>
>
