I got it working by adding my own gauth.json in
/cas-overlay-template/src/main/resources/services:

{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^(https|imaps)://.*",
  "name" : "oupsi",
  "id" : 100,
  "multifactorPolicy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
    "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-gauth" ] ]
  }
}
On Wednesday, June 21, 2017 at 9:48:09 AM UTC-4, Sai Mallela wrote:
>
> Hello Dimitri,
>
> Can you please help me get gauth to work globally? Here are my settings
> in cas.properties, and I still don't see the page or option to enter the
> Google authentication code:
>
> cas.server.name: https://drupalvm.dev:8443
> cas.server.prefix: https://drupalvm.dev:8443/cas
>
> cas.adminPagesSecurity.ip=127\.0\.0\.1
>
> logging.config: file:/etc/cas/config/log4j2.xml
>
> //GAUTH MFA
> cas.authn.mfa.globalProviderId=mfa-gauth
>
> cas.authn.mfa.gauth.windowSize=3
> cas.authn.mfa.gauth.issuer=companyname
> cas.authn.mfa.gauth.codeDigits=6
> cas.authn.mfa.gauth.label=google authentication
> cas.authn.mfa.gauth.timeStepSize=30
> cas.authn.mfa.gauth.rank=0
> cas.authn.mfa.gauth.trustedDeviceEnabled=true
>
> //LDAP Authentication
> cas.authn.ldap[0].type=AUTHENTICATED
> cas.authn.ldap[0].ldapUrl=ldap://1.2.3.4:389
> cas.authn.ldap[0].useSsl=false
> cas.authn.ldap[0].baseDn=ou=HWPeople, dc=companyname, dc=com
> cas.authn.ldap[0].userFilter=uid={user}
> cas.authn.ldap[0].bindDn=cn=Manager,dc=companyname,dc=com
> cas.authn.ldap[0].bindCredential=abcd
>
> cas.authn.attributeRepository.ldap.ldapUrl=ldap://1.2.3.4:389
> cas.authn.attributeRepository.ldap.useSsl=false
> cas.authn.attributeRepository.ldap.useStartTls=false
> cas.authn.attributeRepository.ldap.connectTimeout=5000
> cas.authn.attributeRepository.ldap.baseDn=ou=HWPeople, dc=companyname,
> dc=com
> cas.authn.attributeRepository.ldap.userFilter=uid={user}
> cas.authn.attributeRepository.ldap.subtreeSearch=true
> cas.authn.attributeRepository.ldap.bindDn=cn=Manager,dc=companyname,dc=com
> cas.authn.attributeRepository.ldap.bindCredential=abcd
>
> logging.level.org.apereo=DEBUG
> logging.level.org.ldaptiv=DEBUG
>
> #disable test user
> cas.authn.accept.users=
>
> Thanks,
> Sai
>
>
> On Thursday, April 6, 2017 at 5:05:27 AM UTC-4, Dmytro Havrylov wrote:
>>
>> Hello,
>>
>> I have trouble configuring the MFA trigger depending on the Global Principal
>> Attribute. According to the documentation it should work like this:
>>
>> MFA can be triggered for all users/subjects carrying a specific
>> attribute that matches one of the conditions below.
>>
>>
>> * Trigger MFA based on a principal attribute(s) whose value(s) EXACTLY
>> matches an MFA provider. This option is more relevant if you have more
>> than one provider configured or if you have the flexibility of assigning
>> provider ids to attributes as values.
>>
>>
>> I have two MFA providers configured in the system: mfa-yubikey and
>> mfa-gauth. Both of them are working as expected if used as
>> cas.authn.mfa.globalProviderId (as single MFA provider). In my case I need
>> to choose the MFA provider according to the attribute value saved in the
>> LDAP. So I have following lines in the properties (the MFA provider should
>> be stored into the businessCategory LDAP attribute):
>>
>> "cas.authn.ldap[0].principalAttributeId": "uid",
>> "cas.authn.ldap[0].principalAttributePassword": "userPassword",
>> "cas.authn.ldap[0].principalAttributeList":
>> "sn,cn:commonName,givenName,yubiKeyId,businessCategory",
>> "cas.authn.attributeRepository.ldap.attributes.uid": "uid",
>> "cas.authn.attributeRepository.ldap.attributes.yubiKeyId": "yubiKeyId",
>> "cas.authn.attributeRepository.ldap.attributes.businessCategory":
>> "businessCategory",
>> "cas.authn.attributeRepository.ldap.defaultAttributesToRelease":
>> "uid,yubiKeyId,businessCategory",
>> "cas.authn.mfa.globalPrincipalAttributeNameTriggers": "businessCategory",
>> "cas.authn.mfa.globalPrincipalAttributeValueRegex":
>> "mfa-yubikey|mfa-gauth",
>>
>> Property cas.authn.mfa.globalProviderId is not set.
>> The project gets compiled and deployed without exceptions. When I set the
>> businessCategory attribute to a random value, the MFA is not triggered at
>> all. This is expected, because it does not match the regexp. If I set it to
>> "mfa-yubikey", then gauth gets triggered (but yubikey is expected). I
>> can find the following in the logs (with debug enabled):
>>
>> ...
>> 2017-04-03 13:18:05,808 DEBUG
>> [org.apereo.cas.authentication.LdapAuthenticationHandler] - <LDAP response
>> returned as result. Creating the final LDAP principal>
>> 2017-04-03 13:18:05,809 DEBUG
>> [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Creating LDAP
>> principal for dimitri based on uid=dimitri,ou=People,dc=example,dc=com>
>> 2017-04-03 13:18:05,810 DEBUG
>> [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Retrieved
>> principal id attribute dimitri>
>> 2017-04-03 13:18:05,810 DEBUG
>> [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Found
>> principal attribute: [yubiKeyId[cccscedtfar]]>
>> 2017-04-03 13:18:05,811 DEBUG
>> [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Found
>> principal attribute: [givenName[Dimitri]]>
>> 2017-04-03 13:18:05,812 DEBUG
>> [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Found
>> principal attribute: [businessCategory[mfa-yubikey]]>
>> 2017-04-03 13:18:05,813 DEBUG
>> [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Found
>> principal attribute: [sn[Gavrilov]]>
>> 2017-04-03 13:18:05,813 DEBUG
>> [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Found
>> principal attribute: [cn[dimitri]]>
>> 2017-04-03 13:18:05,814 DEBUG
>> [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Created LDAP
>> principal for id dimitri and 6 attributes>
>> 2017-04-03 13:18:05,816 INFO
>> [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] -
>> <LdapAuthenticationHandler successfully authenticated dimitri>
>> 2017-04-03 13:18:05,817 DEBUG
>> [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <No
>> resolver configured for LdapAuthenticationHandler. Falling back to handler
>> principal dimitri>
>> 2017-04-03 13:18:05,817 DEBUG
>> [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Final
>> principal resolved for this authentication event is dimitri>
>> 2017-04-03 13:18:05,818 DEBUG
>> [org.apereo.cas.authentication.AllAuthenticationPolicy] - <Authentication
>> policy is satisfied.>
>> 2017-04-03 13:18:05,819 INFO [org.apereo.cas.authentication.
>> PolicyBasedAuthenticationManager] - <Authenticated principal [dimitri]
>> and attributes {businessCategory=mfa-yubikey, commonName=Dimitri,
>> givenName=Dimitri, LdapAuthenticationHandler.dn=uid=dimitri,ou=People,dc=
>> example,dc=com, sn=Gavrilov, yubiKeyId=cccscedtfar} with credentials [
>> dimitri].>
>> 2017-04-03 13:18:05,820 DEBUG [org.apereo.cas.audit.spi.
>> ThreadLocalPrincipalResolver] - <Resolving principal at audit point [
>> execution(Authentication org.apereo.cas.authentication.
>> AbstractAuthenticationManager.authenticate(AuthenticationTransaction))]>
>> 2017-04-03 13:18:05,821 INFO [org.apereo.inspektr.audit.support.
>> Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
>> =============================================================
>> WHO: dimitri
>> WHAT: Supplied credentials: [dimitri]
>> ACTION: AUTHENTICATION_SUCCESS
>> APPLICATION: CAS
>> WHEN: Mon Apr 03 13:18:05 CEST 2017
>> CLIENT IP ADDRESS: 192.168.168.12
>> SERVER IP ADDRESS: 192.168.168.16
>> =============================================================
>>
>>
>> >
>> 2017-04-03 13:18:05,822 DEBUG [org.apereo.cas.authentication.
>> DefaultAuthenticationTransactionManager] - <Successful authentication;
>> Collecting authentication result [org.apereo.cas.authentication.
>> DefaultAuthentication@9f0afc06]>
>> 2017-04-03 13:18:05,824 DEBUG [org.apereo.cas.web.support.WebUtils] - <
>> Evaluating request to determine if warning cookie should be generated>
>> 2017-04-03 13:18:05,825 DEBUG [org.apereo.cas.web.support.WebUtils] - <
>> Evaluating request to determine if warning cookie should be generated>
>> 2017-04-03 13:18:05,825 DEBUG [org.apereo.cas.web.support.WebUtils] - <
>> Evaluating request to determine if warning cookie should be generated>
>> 2017-04-03 13:18:05,826 DEBUG [org.apereo.cas.web.support.WebUtils] - <
>> Evaluating request to determine if warning cookie should be generated>
>> 2017-04-03 13:18:05,827 DEBUG [org.apereo.cas.web.support.WebUtils] - <
>> Evaluating request to determine if warning cookie should be generated>
>> 2017-04-03 13:18:05,827 DEBUG [org.apereo.cas.web.support.WebUtils] - <
>> Evaluating request to determine if warning cookie should be generated>
>> 2017-04-03 13:18:05,828 DEBUG [org.apereo.cas.adaptors.gauth.
>> GoogleAuthenticatorMultifactorAuthenticationProvider] - <Multifactor
>> failure mode for ^(https|imaps)://.* is defined as CLOSED>
>> 2017-04-03 13:18:05,829 DEBUG [org.apereo.cas.web.support.WebUtils] - <
>> Evaluating request to determine if warning cookie should be generated>
>> 2017-04-03 13:18:05,829 DEBUG [org.apereo.cas.web.support.WebUtils] - <
>> Evaluating request to determine if warning cookie should be generated>
>> 2017-04-03 13:18:05,830 DEBUG [org.apereo.cas.adaptors.yubikey.
>> YubiKeyMultifactorAuthenticationProvider] - <Provided event id mfa-yubikey
>> is not applicable to this provider identified by {}>
>> 2017-04-03 13:18:05,832 DEBUG [org.apereo.cas.web.support.
>> DefaultArgumentExtractor] - <Created https://
>> sso.example.com/cas/status/dashboard based on
>> org.apereo.cas.authentication.principal.WebApplicationServiceFactory@489c4525>
>> 2017-04-03 13:18:05,832 DEBUG [org.apereo.cas.web.support.
>> DefaultArgumentExtractor] - <Extractor generated service type org.apereo.
>> cas.authentication.principal.SimpleWebApplicationServiceImpl for: https:
>> //sso.example.com/cas/status/dashboard>
>> Hibernate: select googleauth0_.id as id1_0_, googleauth0_.secretKey as
>> secretKe2_0_, googleauth0_.username as username3_0_,
>> googleauth0_.validationCode
>> as validati4_0_ from GoogleAuthenticatorRegistrationRecord googleauth0_
>> where googleauth0_.username=?
>>
>>
>> Does anyone know how to get the Global Principal Attribute working?
>>
>> Thanks
>> Dimitri
>>
>
--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/6eb8ea5c-73c4-4b76-a4bd-03a915c40bf8%40apereo.org.
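As an added illustration of the two MFA trigger paths discussed in this thread (the per-service multifactorPolicy in the gauth.json posted at the top, and the global principal attribute trigger from the original question), here is a small Python model. It is not CAS code and not from the thread's authors: the function names, the matching order and the sample attribute map are my assumptions, based on the documented rule that the attribute value must EXACTLY match a configured provider id. The service JSON is embedded verbatim from the reply above; the attributes are constructed from the values visible in the debug log. Beyond the thread's single case, it also separates values that pass the regex but name no configured provider, which is the misconfiguration to check for when MFA silently does not trigger.

```python
"""Model of the two CAS MFA trigger paths discussed in this thread.

Educational example, not CAS source: function names and the exact matching
order are assumptions. It shows (1) how a RegexRegisteredService's
multifactorPolicy selects providers for a service URL and (2) how the
globalPrincipalAttributeNameTriggers / ValueRegex rule is expected to pick
the provider whose id EXACTLY equals a principal attribute value.
"""
import json
import re
from typing import Dict, Iterable, List, Mapping, Sequence

# The two providers configured in the original question.
CONFIGURED_PROVIDERS = ("mfa-yubikey", "mfa-gauth")

# The service definition posted at the top of the thread, embedded verbatim.
GAUTH_SERVICE_JSON = """{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^(https|imaps)://.*",
  "name": "oupsi",
  "id" : 100,
  "multifactorPolicy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
    "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-gauth" ] ]
  }
}"""

# Constructed sample: the attributes CAS logged for the principal in the thread.
SAMPLE_ATTRIBUTES = {
    "uid": ["dimitri"],
    "businessCategory": ["mfa-yubikey"],
    "yubiKeyId": ["cccscedtfar"],
}


def unwrap_cas_collection(value) -> List[str]:
    """CAS serialises collections as ["java.util.LinkedHashSet", [items...]]."""
    if (isinstance(value, list) and len(value) == 2
            and isinstance(value[0], str) and isinstance(value[1], list)):
        return list(value[1])
    return list(value)


def service_policy_providers(service_json: str, service_url: str) -> List[str]:
    """Providers demanded by the service's multifactorPolicy for service_url.

    Returns [] when the URL does not match serviceId or no policy is set.
    The serviceId regex is applied with search(); whether CAS anchors it is
    not something this thread states, so the pattern here carries its own ^.
    """
    service = json.loads(service_json)
    if re.search(service["serviceId"], service_url) is None:
        return []
    policy = service.get("multifactorPolicy") or {}
    return unwrap_cas_collection(policy.get("multifactorAuthenticationProviders", []))


def resolve_attribute_trigger(
    attributes: Mapping[str, Sequence[str]],
    trigger_attribute_names: str,
    value_regex: str,
    configured_providers: Iterable[str],
) -> Dict[str, List[str]]:
    """Apply the documented global principal attribute rule.

    'selected' holds provider ids that EXACTLY equal an attribute value which
    also fully matches value_regex. 'unknown_provider' holds values that pass
    the regex but name no configured provider; anything there means the
    attribute data and the provider ids have drifted apart.
    """
    providers = set(configured_providers)
    pattern = re.compile(value_regex)
    result: Dict[str, List[str]] = {"selected": [], "unknown_provider": []}
    for name in (n.strip() for n in trigger_attribute_names.split(",")):
        for value in attributes.get(name, ()):
            if pattern.fullmatch(value) is None:
                continue  # value fails the regex: no trigger, as the thread observed
            bucket = "selected" if value in providers else "unknown_provider"
            if value not in result[bucket]:
                result[bucket].append(value)
    return result


if __name__ == "__main__":
    url = "https://sso.example.com/cas/status/dashboard"
    print("service policy:", service_policy_providers(GAUTH_SERVICE_JSON, url))
    print("attribute trigger:", resolve_attribute_trigger(
        SAMPLE_ATTRIBUTES, "businessCategory", "mfa-yubikey|mfa-gauth", CONFIGURED_PROVIDERS))
```

Run stand-alone, it prints the provider the service policy demands for the dashboard URL from the log and the provider the attribute rule should select for businessCategory=mfa-yubikey. It models the documented behaviour only; it does not reproduce the yubikey-versus-gauth mismatch seen in the log, which is the part of the thread that remains unanswered.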