Hello, 

I am having trouble configuring an MFA trigger that depends on a Global Principal 
Attribute. According to the documentation it should work like this:

MFA can be triggered for all users/subjects carrying a specific attribute 
that matches one of the conditions below.


* Trigger MFA based on a principal attribute(s) whose value(s) EXACTLY 
matches an MFA provider. This option is more relevant if you have more than 
one provider configured or if you have the flexibility of assigning provider 
ids to attributes as values.


I have two MFA providers configured in the system: mfa-yubikey and 
mfa-gauth. Both of them work as expected when used as 
cas.authn.mfa.globalProviderId (as a single MFA provider). In my case I need 
to choose the MFA provider according to an attribute value stored in 
LDAP. So I have the following lines in the properties (the MFA provider id is 
stored in the businessCategory LDAP attribute):

"cas.authn.ldap[0].principalAttributeId": "uid",
"cas.authn.ldap[0].principalAttributePassword": "userPassword",
"cas.authn.ldap[0].principalAttributeList": "sn,cn:commonName,givenName,yubiKeyId,businessCategory",
"cas.authn.attributeRepository.ldap.attributes.uid": "uid",
"cas.authn.attributeRepository.ldap.attributes.yubiKeyId": "yubiKeyId",
"cas.authn.attributeRepository.ldap.attributes.businessCategory": "businessCategory",
"cas.authn.attributeRepository.ldap.defaultAttributesToRelease": "uid,yubiKeyId,businessCategory",
"cas.authn.mfa.globalPrincipalAttributeNameTriggers": "businessCategory",
"cas.authn.mfa.globalPrincipalAttributeValueRegex": "mfa-yubikey|mfa-gauth",

The property cas.authn.mfa.globalProviderId is not set.
The project gets compiled and deployed without exceptions. When I set the 
businessCategory attribute to a random value, MFA is not triggered at 
all. This is expected, because it does not match the regexp. If I set it to 
"mfa-yubikey", then gauth gets triggered (but yubikey is expected). I 
can find the following in the logs (with debug enabled):

...
2017-04-03 13:18:05,808 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <LDAP response returned as result. Creating the final LDAP principal>
2017-04-03 13:18:05,809 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Creating LDAP principal for dimitri based on uid=dimitri,ou=People,dc=example,dc=com>
2017-04-03 13:18:05,810 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Retrieved principal id attribute dimitri>
2017-04-03 13:18:05,810 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Found principal attribute: [yubiKeyId[cccscedtfar]]>
2017-04-03 13:18:05,811 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Found principal attribute: [givenName[Dimitri]]>
2017-04-03 13:18:05,812 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Found principal attribute: [businessCategory[mfa-yubikey]]>
2017-04-03 13:18:05,813 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Found principal attribute: [sn[Gavrilov]]>
2017-04-03 13:18:05,813 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Found principal attribute: [cn[dimitri]]>
2017-04-03 13:18:05,814 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Created LDAP principal for id dimitri and 6 attributes>
2017-04-03 13:18:05,816 INFO [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <LdapAuthenticationHandler successfully authenticated dimitri>
2017-04-03 13:18:05,817 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <No resolver configured for LdapAuthenticationHandler. Falling back to handler principal dimitri>
2017-04-03 13:18:05,817 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Final principal resolved for this authentication event is dimitri>
2017-04-03 13:18:05,818 DEBUG [org.apereo.cas.authentication.AllAuthenticationPolicy] - <Authentication policy is satisfied.>
2017-04-03 13:18:05,819 INFO [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authenticated principal [dimitri] and attributes {businessCategory=mfa-yubikey, commonName=Dimitri, givenName=Dimitri, LdapAuthenticationHandler.dn=uid=dimitri,ou=People,dc=example,dc=com, sn=Gavrilov, yubiKeyId=cccscedtfar} with credentials [dimitri].>
2017-04-03 13:18:05,820 DEBUG [org.apereo.cas.audit.spi.ThreadLocalPrincipalResolver] - <Resolving principal at audit point [execution(Authentication org.apereo.cas.authentication.AbstractAuthenticationManager.authenticate(AuthenticationTransaction))]>
2017-04-03 13:18:05,821 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: dimitri
WHAT: Supplied credentials: [dimitri]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Mon Apr 03 13:18:05 CEST 2017
CLIENT IP ADDRESS: 192.168.168.12
SERVER IP ADDRESS: 192.168.168.16
=============================================================

>
2017-04-03 13:18:05,822 DEBUG [org.apereo.cas.authentication.DefaultAuthenticationTransactionManager] - <Successful authentication; Collecting authentication result [org.apereo.cas.authentication.DefaultAuthentication@9f0afc06]>
2017-04-03 13:18:05,824 DEBUG [org.apereo.cas.web.support.WebUtils] - <Evaluating request to determine if warning cookie should be generated>
2017-04-03 13:18:05,825 DEBUG [org.apereo.cas.web.support.WebUtils] - <Evaluating request to determine if warning cookie should be generated>
2017-04-03 13:18:05,825 DEBUG [org.apereo.cas.web.support.WebUtils] - <Evaluating request to determine if warning cookie should be generated>
2017-04-03 13:18:05,826 DEBUG [org.apereo.cas.web.support.WebUtils] - <Evaluating request to determine if warning cookie should be generated>
2017-04-03 13:18:05,827 DEBUG [org.apereo.cas.web.support.WebUtils] - <Evaluating request to determine if warning cookie should be generated>
2017-04-03 13:18:05,827 DEBUG [org.apereo.cas.web.support.WebUtils] - <Evaluating request to determine if warning cookie should be generated>
2017-04-03 13:18:05,828 DEBUG [org.apereo.cas.adaptors.gauth.GoogleAuthenticatorMultifactorAuthenticationProvider] - <Multifactor failure mode for ^(https|imaps)://.* is defined as CLOSED>
2017-04-03 13:18:05,829 DEBUG [org.apereo.cas.web.support.WebUtils] - <Evaluating request to determine if warning cookie should be generated>
2017-04-03 13:18:05,829 DEBUG [org.apereo.cas.web.support.WebUtils] - <Evaluating request to determine if warning cookie should be generated>
2017-04-03 13:18:05,830 DEBUG [org.apereo.cas.adaptors.yubikey.YubiKeyMultifactorAuthenticationProvider] - <Provided event id mfa-yubikey is not applicable to this provider identified by {}>
2017-04-03 13:18:05,832 DEBUG [org.apereo.cas.web.support.DefaultArgumentExtractor] - <Created https://sso.example.com/cas/status/dashboard based on org.apereo.cas.authentication.principal.WebApplicationServiceFactory@489c4525>
2017-04-03 13:18:05,832 DEBUG [org.apereo.cas.web.support.DefaultArgumentExtractor] - <Extractor generated service type org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl for: https://sso.example.com/cas/status/dashboard>
Hibernate: select googleauth0_.id as id1_0_, googleauth0_.secretKey as secretKe2_0_, googleauth0_.username as username3_0_, googleauth0_.validationCode as validati4_0_ from GoogleAuthenticatorRegistrationRecord googleauth0_ where googleauth0_.username=?


Does anyone know how to get the Global Principal Attribute trigger working?

Thanks
Dimitri

-- 
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/b1e282e9-d593-461e-b841-552d7fba403f%40apereo.org.
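The post above relies on the "EXACTLY matches an MFA provider" rule: the trigger attribute's value must pass the configured regex and then equal the id of a configured provider. The following added example (not CAS code and not Dimitri's; a simplified model written for this thread) reimplements that two-step selection and adds a static check for the configuration. The principal attributes, the provider objects and the `MfaProvider`/`TriggerResult` types are constructed for the example; the "blank id" provider is an assumption built to mirror the shape of the `identified by {}` log line, and the model makes no claim about which fallback actually ran gauth in the real deployment.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed model of an MFA provider. The id is the string that the
# attribute value has to EXACTLY equal for this provider to be selected.
@dataclass(frozen=True)
class MfaProvider:
    name: str   # human label only, e.g. "yubikey"
    id: str     # provider id such as "mfa-yubikey"; "" models a provider with no id


@dataclass
class TriggerResult:
    provider: Optional[MfaProvider]
    matched_values: List[str] = field(default_factory=list)
    diagnostics: List[str] = field(default_factory=list)


def resolve_global_attribute_trigger(
    attributes: Dict[str, List[str]],
    trigger_attribute_names: str,   # models cas.authn.mfa.globalPrincipalAttributeNameTriggers
    value_regex: str,               # models cas.authn.mfa.globalPrincipalAttributeValueRegex
    providers: List[MfaProvider],
) -> TriggerResult:
    """Simplified model (assumption, not CAS source) of the exact-match trigger:
    1. look at each named principal attribute,
    2. keep only the values that match the configured regex (full match here),
    3. select the provider whose id equals a matching value.
    Anything else yields no provider and a diagnostic explaining why."""
    result = TriggerResult(provider=None)
    pattern = re.compile(value_regex)
    names = [n.strip() for n in trigger_attribute_names.split(",") if n.strip()]
    for name in names:
        for value in attributes.get(name, []):
            if not pattern.fullmatch(value):
                result.diagnostics.append(
                    f"{name}={value!r} does not match {value_regex!r}; no trigger")
                continue
            result.matched_values.append(value)
            for p in providers:
                if p.id == value:
                    result.provider = p
                    result.diagnostics.append(f"event id {value!r} selected provider {p.name}")
                    return result
                # Same situation as the log line quoted in the post: the event id
                # matched the regex, but this provider's id is not equal to it.
                result.diagnostics.append(
                    f"event id {value!r} is not applicable to provider {p.name} "
                    f"identified by {p.id!r}")
    return result


def check_trigger_config(value_regex: str, providers: List[MfaProvider]) -> List[str]:
    """Static sanity check for the simple 'id1|id2' regex form used in the post:
    every provider needs a non-empty id that the regex accepts, and every
    alternative in the regex should name a configured provider id. Otherwise a
    matching attribute value can never select anything."""
    problems: List[str] = []
    pattern = re.compile(value_regex)
    ids = {p.id for p in providers}
    for p in providers:
        if not p.id:
            problems.append(f"provider {p.name} has an empty id; no attribute value can equal it")
        elif not pattern.fullmatch(p.id):
            problems.append(f"provider id {p.id!r} is not accepted by regex {value_regex!r}")
    for alt in value_regex.split("|"):   # naive split; fine for plain alternations
        if alt and alt not in ids:
            problems.append(f"regex alternative {alt!r} matches no configured provider id")
    return problems


# Constructed principal attributes shaped like the ones in the log excerpt.
DIMITRI = {
    "uid": ["dimitri"],
    "yubiKeyId": ["cccscedtfar"],
    "businessCategory": ["mfa-yubikey"],
}
TRIGGER_ATTRS = "businessCategory"
VALUE_REGEX = "mfa-yubikey|mfa-gauth"

# Both providers carry the id the attribute is expected to equal.
HEALTHY = [MfaProvider("gauth", "mfa-gauth"), MfaProvider("yubikey", "mfa-yubikey")]
# Assumed failure shape: the yubikey provider reports an empty id, which is
# what "not applicable to this provider identified by {}" looks like.
BLANK_YUBIKEY = [MfaProvider("gauth", "mfa-gauth"), MfaProvider("yubikey", "")]

if __name__ == "__main__":
    for label, providers in (("healthy", HEALTHY), ("blank yubikey id", BLANK_YUBIKEY)):
        print(f"--- {label}")
        for problem in check_trigger_config(VALUE_REGEX, providers):
            print("config:", problem)
        r = resolve_global_attribute_trigger(DIMITRI, TRIGGER_ATTRS, VALUE_REGEX, providers)
        print("selected:", r.provider.name if r.provider else None)
        for d in r.diagnostics:
            print(" ", d)
```

Running it shows the two halves of the rule separately: a random `businessCategory` value fails the regex and never triggers (what the post observed), while a value that passes the regex still needs a provider whose id is exactly equal to it. The config check is the kind of thing worth running before deployment, since a provider with an empty or mismatched id fails silently at the selection step rather than at startup.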
