This triggers (assuming you're on 5.2) are not useful? # Activate MFA globally based on authentication metadata attributes # cas.authn.mfa.globalAuthenticationAttributeNameTriggers=memberOf,eduPersonPrimaryAffiliation # cas.authn.mfa.globalAuthenticationAttributeValueRegex=faculty|staff# Activate MFA globally based on principal attributes # cas.authn.mfa.globalPrincipalAttributeNameTriggers=memberOf,eduPersonPrimaryAffiliation# Specify the regular expression pattern to trigger multifactor when working with a single provider. # Comment out the setting when working with multiple multifactor providers # cas.authn.mfa.globalPrincipalAttributeValueRegex=faculty|staff# Activate MFA globally based on principal attributes and a groovy-based predicate # cas.authn.mfa.globalPrincipalAttributePredicate=file:/etc/cas/PredicateExample.groovy
2018-02-06 12:18 GMT-03:00 brian mancuso <[email protected]>: > I'm open to any solution that simplifies things and meets the needs. When > I'd read the documentation, it seemed custom triggers were the way to go > here. > > To give a little more information, I have students and employees that both > need to login via CAS to several systems. For some of those systems, we > need to require employees that login to use DUO while students will have > the option, but not be required. Other systems won't require DUO for either > group unless they're already enrolled. > > On Tuesday, February 6, 2018 at 9:59:02 AM UTC-5, Manfredo Hopp wrote: >> >> Couldn't this be achieved through custom authentication handler? >> >> El martes, 6 de febrero de 2018, brian mancuso <[email protected]> >> escribió: >> >>> We would like to allow users in a specific ldap group the ability to >>> optionally bypass Duo for a given service if the user is not signed up for >>> a 2fa account. Essentially there would be these two cases for a user: >>> >>> - 2fa always required >>> - 2fa optionally required (but always required if the user has a Duo >>> account) >>> >>> I have two duo instances defined in the cas.properties file: mfa-duo, >>> mfa-duo-force. The first is in bypass mode while the latter doesn't allow >>> any bypass. >>> >>> Then my other classes are thus: >>> *spring.factories* >>> org.springframework.boot.autoconfigure.EnableAutoConfiguration=org. >>> apereo.cas.custom.config.SelectiveDuoWebflowEventResolverConfiguration >>> >>> >>> I then put together a custom trigger that will determine if a user is >>> required to use DUO or not: >>> >>> *SelectiveDuoWebflowEventResolver.java* >>> package org.apereo.cas.custom.mfa; >>> >>> import com.google.common.collect.ImmutableSet; >>> import java.util.Map; >>> import java.util.Optional; >>> import java.util.Set; >>> import org.apereo.cas.CentralAuthenticationService; >>> import org.apereo.cas.authentication.Authentication; >>> import org.apereo.cas.authentication.AuthenticationServiceSelectionPlan; >>> import org.apereo.cas.authentication.AuthenticationSystemSupport; >>> import org.apereo.cas.authentication.principal.Principal; >>> import org.apereo.cas.services.MultifactorAuthenticationProvider; >>> import org.apereo.cas.services.MultifactorAuthenticationProviderSel >>> ector; >>> import org.apereo.cas.services.RegisteredService; >>> import org.apereo.cas.services.ServicesManager; >>> import org.apereo.cas.ticket.registry.TicketRegistrySupport; >>> import org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEven >>> tResolver; >>> import org.apereo.cas.web.support.WebUtils; >>> import org.slf4j.Logger; >>> import org.slf4j.LoggerFactory; >>> import org.springframework.web.util.CookieGenerator; >>> import org.springframework.webflow.execution.Event; >>> import org.springframework.webflow.execution.RequestContext; >>> >>> public class SelectiveDuoWebflowEventResolver extends >>> AbstractCasWebflowEventResolver { >>> >>> private static final Logger LOGGER = LoggerFactory.getLogger(Select >>> iveDuoWebflowEventResolver.class); >>> >>> public SelectiveDuoWebflowEventResolver(AuthenticationSystemSupport >>> authenticationSystemSupport, CentralAuthenticationService >>> centralAuthenticationService, ServicesManager servicesManager, >>> TicketRegistrySupport ticketRegistrySupport, CookieGenerator >>> warnCookieGenerator, AuthenticationServiceSelectionPlan >>> authenticationSelectionStrategies, MultifactorAuthenticationProviderSelector >>> selector) { >>> super(authenticationSystemSupport, >>> centralAuthenticationService, servicesManager, ticketRegistrySupport, >>> warnCookieGenerator, authenticationSelectionStrategies, selector); >>> } >>> >>> @Override >>> public Set<Event> resolveInternal(RequestContext context) { >>> final RegisteredService service = WebUtils.getRegisteredService( >>> context); >>> final Authentication authentication = >>> WebUtils.getAuthentication(context); >>> Set<String> attributeKeys = authentication.getAttributes() >>> .keySet(); >>> for (String s : attributeKeys) { >>> System.out.println("s: " + s + " " + >>> authentication.getAttributes().get(s)); >>> } >>> Principal principal = authentication.getPrincipal(); >>> attributeKeys = principal.getAttributes().keySet(); >>> for (String s : attributeKeys) { >>> System.out.println("p: " + s + " " + >>> principal.getAttributes().get(s)); >>> } >>> if (userRequiresDUO()) { >>> LOGGER.warn("Forcing MFA"); >>> Optional<MultifactorAuthenticationProvider> mfaDuoForced = >>> this.getMultifactorAuthenticationProviderFromApplicationCont >>> ext("mfa-duo-force"); >>> MultifactorAuthenticationProvider forcedProvider = >>> mfaDuoForced.get(); >>> final Map eventAttributes >>> = buildEventAttributeMap(authent >>> ication.getPrincipal(), >>> service, >>> forcedProvider); >>> final Event event >>> = validateEventIdForMatchingTran >>> sitionInContext(forcedProvider.getId(), >>> context, eventAttributes); >>> return ImmutableSet.of(event); >>> } else { >>> LOGGER.warn("Not forcing MFA"); >>> Optional<MultifactorAuthenticationProvider> mfaDuo = >>> this.getMultifactorAuthenticationProviderFromApplicationCont >>> ext("mfa-duo"); >>> MultifactorAuthenticationProvider bypassableProvider = >>> mfaDuo.get(); >>> final Map eventAttributes >>> = buildEventAttributeMap(authentication.getPrincipal(), >>> service, >>> bypassableProvider); >>> final Event event >>> = validateEventIdForMatchingTran >>> sitionInContext(bypassableProvider.getId(), >>> context, eventAttributes); >>> return ImmutableSet.of(event); >>> } >>> } >>> } >>> >>> >>> >>> *SelectiveDuoWebflowEventResolverConfiguration.java* >>> package org.apereo.cas.custom.config; >>> >>> import javax.annotation.PostConstruct; >>> import org.apereo.cas.CentralAuthenticationService; >>> import org.apereo.cas.authentication.AuthenticationServiceSelectionPlan; >>> import org.apereo.cas.authentication.AuthenticationSystemSupport; >>> import org.apereo.cas.configuration.CasConfigurationProperties; >>> import org.apereo.cas.custom.mfa.SelectiveDuoWebflowEventResolver; >>> import org.apereo.cas.services.MultifactorAuthenticationProviderSel >>> ector; >>> import org.apereo.cas.services.ServicesManager; >>> import org.apereo.cas.ticket.registry.TicketRegistrySupport; >>> import org.apereo.cas.web.flow.authentication.RankedMultifactorAuth >>> enticationProviderSelector; >>> import org.apereo.cas.web.flow.resolver.CasDelegatingWebflowEventRe >>> solver; >>> import org.apereo.cas.web.flow.resolver.CasWebflowEventResolver; >>> import org.springframework.beans.factory.annotation.Autowired; >>> import org.springframework.beans.factory.annotation.Qualifier; >>> import org.springframework.boot.context.properties.EnableConfigurat >>> ionProperties; >>> import org.springframework.cloud.context.config.annotation.RefreshScope; >>> import org.springframework.context.annotation.Bean; >>> import org.springframework.context.annotation.Configuration; >>> import org.springframework.web.util.CookieGenerator; >>> >>> @Configuration("selectiveDuoWebflowEventResolverConfiguration") >>> @EnableConfigurationProperties(CasConfigurationProperties.class) >>> public class SelectiveDuoWebflowEventResolverConfiguration { >>> >>> @Autowired >>> @Qualifier("initialAuthenticationAttemptWebflowEventResolver") >>> private CasDelegatingWebflowEventResolver initialEventResolver; >>> >>> @Autowired >>> @Qualifier("centralAuthenticationService") >>> private CentralAuthenticationService centralAuthenticationService; >>> >>> @Autowired >>> @Qualifier("defaultAuthenticationSystemSupport") >>> private AuthenticationSystemSupport authenticationSystemSupport; >>> >>> @Autowired >>> @Qualifier("defaultTicketRegistrySupport") >>> private TicketRegistrySupport ticketRegistrySupport; >>> >>> @Autowired >>> @Qualifier("servicesManager") >>> private ServicesManager servicesManager; >>> >>> @Autowired(required = false) >>> @Qualifier("multifactorAuthenticationProviderSelector") >>> private final MultifactorAuthenticationProviderSelector >>> multifactorAuthenticationProviderSelector = new >>> RankedMultifactorAuthenticationProviderSelector(); >>> >>> @Autowired >>> @Qualifier("warnCookieGenerator") >>> private CookieGenerator warnCookieGenerator; >>> >>> @Autowired >>> @Qualifier("authenticationServiceSelectionPlan") >>> private AuthenticationServiceSelectionPlan >>> authenticationRequestServiceSelectionStrategies; >>> >>> @RefreshScope >>> @Bean >>> public CasWebflowEventResolver selectiveDuoWebflowEventResolver() { >>> return new SelectiveDuoWebflowEventResolv >>> er(authenticationSystemSupport, >>> centralAuthenticationService, >>> servicesManager, ticketRegistrySupport, >>> warnCookieGenerator, >>> authenticationRequestServiceSelectionStrategies, >>> multifactorAuthenticationProviderSelector); >>> } >>> >>> @PostConstruct >>> public void initialize() { >>> initialEventResolver.addDelegate(selectiveDuoWebflowEventRes >>> olver()); >>> } >>> >>> } >>> >>> >>> This is driving me nuts because in the documentation it just states that >>> you are allowed to use multiple DUO instances. But I'm getting an error >>> that transitions aren't defined for the mfa-duo-force instance: >>> >>> 2018-02-01 10:25:29,433 WARN [org.apereo.cas.web.flow.resol >>> ver.impl.AbstractCasWebflowEventResolver] - <Transition definition >>> cannot be found for event [mfa-duo-force|mfa-duo]> >>> >>> >>> If anyone has any information on how I can get this working or if I'm >>> approaching this all wrong, please let me know. Thanks in advance! >>> >>> -- >>> - Website: https://apereo.github.io/cas >>> - Gitter Chatroom: https://gitter.im/apereo/cas >>> - List Guidelines: https://goo.gl/1VRrw7 >>> - Contributions: https://goo.gl/mh7qDG >>> --- >>> You received this message because you are subscribed to the Google >>> Groups "CAS Community" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to [email protected]. >>> To view this discussion on the web visit https://groups.google.com/a/ap >>> ereo.org/d/msgid/cas-user/263f6a6c-9f2b-446f-9707-3c23b96a3f >>> 65%40apereo.org >>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/263f6a6c-9f2b-446f-9707-3c23b96a3f65%40apereo.org?utm_medium=email&utm_source=footer> >>> . >>> >> -- > - Website: https://apereo.github.io/cas > - Gitter Chatroom: https://gitter.im/apereo/cas > - List Guidelines: https://goo.gl/1VRrw7 > - Contributions: https://goo.gl/mh7qDG > --- > You received this message because you are subscribed to the Google Groups > "CAS Community" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion on the web visit https://groups.google.com/a/ > apereo.org/d/msgid/cas-user/ea1c8c9e-e871-458c-bb74- > 38e3ed896421%40apereo.org > <https://groups.google.com/a/apereo.org/d/msgid/cas-user/ea1c8c9e-e871-458c-bb74-38e3ed896421%40apereo.org?utm_medium=email&utm_source=footer> > . > -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAMY5mic-DS77RQ4rQBMqcGtk2Y2eRpTDoB1TNY%3DJ5TiaNYy5iA%40mail.gmail.com.
