Re: [cas-user] disabling MFA, MFA failure modes

2018-09-11 Thread 'jhawkesworth' via CAS Community
Just to follow up (in a less huge font) https://github.com/apereo/cas/pull/3509 fixed the INVALID_AUTHENTICATION_CONTEXT issue for me. All the best, Jon On Monday,

Re: [cas-user] disabling MFA, MFA failure modes

2018-09-10 Thread Jon Hawkesworth
Great, thank you so much for tackling this! As soon as I have figured out the best way for me to test your PR I will comment on it. Jon On Mon, 10 Sep 2018 at 16:30, Travis Schmidt wrote: > PR (https://github.com/apereo/cas/pull/3509) has been submitted to > correct this. > > On Mon, Sep 10,

Re: [cas-user] disabling MFA, MFA failure modes

2018-09-10 Thread Travis Schmidt
PR (https://github.com/apereo/cas/pull/3509) has been submitted to correct this. On Mon, Sep 10, 2018 at 8:03 AM Travis Schmidt wrote: > This is an issue where if you indicate bypass from a script, the > authentication is not correctly marked as being bypassed and the context > validator

Re: [cas-user] disabling MFA, MFA failure modes

2018-09-10 Thread Travis Schmidt
This is an issue where if you indicate bypass from a script, the authentication is not correctly marked as being bypassed and the context validator then rejects. Also be aware that currently if you choose GROOVY or REST for bypass providers, this overrides all rules in DEFAULT. Meaning if

Re: [cas-user] disabling MFA, MFA failure modes

2018-09-10 Thread Tepe, Dirk
I'm literally dealing with the same error and decision of trigger vs bypass right now. We were triggering all users for Duo, then deciding in the groovy script which to bypass. This works fine when simply judging by the prompt for Duo or not, but we also got the INVALID_AUTHENTICATION_CONTEXT when

Re: [cas-user] disabling MFA, MFA failure modes

2018-09-10 Thread 'jhawkesworth' via CAS Community
Thanks for this thread. I think perhaps having a groovy script which determines whether or not to bypass DUO might be the way forward? In theory you can just change the groovy script (on each CAS node) if DUO is degraded and subsequent requests would then take notice of new bypass policy.

Re: [cas-user] disabling MFA, MFA failure modes

2018-09-07 Thread Baron Fujimoto
A closer review of the cas properties documentation suggests that setting cas.authn.mfa.globalFailureMode=NONE wouldn't have the desired effect after all. It doesn't disable MFA, just assumes the MFA provider is available. So I should back up and reformulate my question: Is there a way to

Re: [cas-user] disabling MFA, MFA failure modes

2018-09-04 Thread Baron Fujimoto
Yes, we're essentially relying on the Duo integration to determine whether the user needs MFA and we're hitting Duo with every AuthN. Our CAS isn't currently configured to check a group for Duo-enabled membership. Thus our desire to simply disable MFA altogether (by executive decision)

Re: [cas-user] disabling MFA, MFA failure modes

2018-09-04 Thread Richard Frovarp
Yeah, but how do they opt in? You're basically relying on the Duo integration to come back and say that the user needs to MFA? That means that you're hitting Duo every auth, even if the user hasn't opted in. Which means these sorts of events are really nasty if that is the case. I also can't

Re: [cas-user] disabling MFA, MFA failure modes

2018-09-04 Thread Baron Fujimoto
We're enabling Duo via the multifactor section in each service registration as below. However, this is in our default service registration template and is present in our hundreds of registered services (our users currently opt-in to MFA/Duo). It would be, uhh, non-optimal for us to have to go