I meant to add, our pom.xml has the following dependencies (in case we’re
missing something):
<dependencies>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-webapp-${app.server}</artifactId>
        <version>${cas.version}</version>
        <type>war</type>
        <scope>runtime</scope>
    </dependency>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-support-ldap</artifactId>
        <version>${cas.version}</version>
    </dependency>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-support-saml</artifactId>
        <version>${cas.version}</version>
    </dependency>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-support-hazelcast-ticket-registry</artifactId>
        <version>${cas.version}</version>
    </dependency>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-support-duo</artifactId>
        <version>${cas.version}</version>
    </dependency>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-support-json-service-registry</artifactId>
        <version>${cas.version}</version>
    </dependency>
    <dependency>
        <groupId>org.javassist</groupId>
        <artifactId>javassist</artifactId>
        <version>3.17.1-GA</version>
    </dependency>
    <dependency>
        <groupId>javax.servlet</groupId>
        <artifactId>servlet-api</artifactId>
        <version>2.5</version>
        <type>jar</type>
    </dependency>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-core-webflow</artifactId>
        <version>${cas.version}</version>
    </dependency>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-core-web</artifactId>
        <version>${cas.version}</version>
        <type>jar</type>
    </dependency>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-core-configuration</artifactId>
        <version>${cas.version}</version>
        <type>jar</type>
    </dependency>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-core-authentication</artifactId>
        <version>${cas.version}</version>
    </dependency>
</dependencies>
> On Feb 9, 2018, at 5:19 PM, Man H <[email protected]> wrote:
>
>
> add
> <dependency>
> <groupId>org.apereo.cas</groupId>
> <artifactId>cas-server-core-authentication</artifactId>
> <version>${cas.version}</version>
> </dependency>
>
> with:
>
> cas.authn.mfa.duo[0].bypass.type=GROOVY
> cas.authn.mfa.duo[0].bypass.groovy.location=file:/etc/cas/config/mfaGroovyTrigger.groovy
>
> you should get
>
> 2018-02-09 19:10:39,145 DEBUG
> [org.apereo.cas.authentication.GroovyMultifactorAuthenticationProviderBypass]
> - <Evaluating multifactor authentication bypass properties for principal
> [casuser], service [null] and provider
> [DefaultDuoMultifactorAuthenticationProvider] via Groovy script [URL
> [file:/etc/cas/config/mfaGroovyTrigger.groovy]]>
>
>
>
>
>
> 2018-02-09 17:11 GMT-03:00 Brian Davidson <[email protected]>:
> Just to add a bit to what Brian M. provided (I’m also a Brian, and a
> co-worker of Brian M’s):
>
> We have Duo MFA working if we comment out:
> cas.authn.mfa.duo[0].bypass.type=GROOVY
> cas.authn.mfa.duo[0].bypass.groovy.location=file:///etc/cas/selectiveDuo.groovy
>
> We did find that CAS was unable to check to see if the user exists in Duo if
> we used the “CAS” integration in Duo. But it works if we set up the
> integration as “Auth API”.
>
> We haven’t touched webflow. With the groovy script in place, when we enable
> the GROOVY bypass script, we get:
>
> 2018-02-09 15:04:55,638 DEBUG
> [org.springframework.webflow.engine.impl.FlowExecutionImpl] - <Attempting to
> handle [org.springframework.webflow.execution.FlowExecutionException:
> Exception thrown in state 'viewLoginFormDuo' of flow 'mfa-duo'] with root
> cause [java.io.NotSerializableException:
> org.springframework.core.io.UrlResource]>
>
> As well as the stack trace Brian M. provided.
>
> cas.authn.mfa.duo[0].bypass.groovy.location was the missing piece yesterday.
> Dug through source code to find that. We’re happy to provide updates to the
> documentation once we get this working.
>
> Thanks for the help!
>
>> On Feb 9, 2018, at 10:14 AM, brian mancuso <[email protected]> wrote:
>>
>> Anything that says "REMOVED" is just stuff I pulled out before posting it. I
>> didn't want to post any private/sensitive information.
>>
>> On Friday, February 9, 2018 at 9:59:12 AM UTC-5, Manfredo Hopp wrote:
>> What do you mean by REMOVED in properties?
>>
>> On Friday, February 9, 2018, brian mancuso <[email protected]> wrote:
>> Hey all,
>>
>> I was originally trying to setup some custom triggers to determine who
>> should use MFA and who is allowed to bypass. I have since been directed
>> towards Groovy to simplify things, but I'm still having some trouble.
>>
>> At this point, the Groovy script's purpose is strictly to test if a certain
>> user will bypass MFA while others will not. Here's my setup:
>>
>> /etc/cas/config/cas.properties
>>
>> ##
>> # Duo security 2fa authentication provider
>> # https://www.duosecurity.com/docs/duoweb#1.-generate-an-akey
>> #
>> cas.authn.mfa.duo[0].rank=0
>> cas.authn.mfa.duo[0].duoApiHost=REMOVED
>> cas.authn.mfa.duo[0].duoIntegrationKey=REMOVED
>> cas.authn.mfa.duo[0].duoSecretKey=REMOVED
>> cas.authn.mfa.duo[0].duoApplicationKey=REMOVED
>> cas.authn.mfa.duo[0].id=mfa-duo
>> cas.authn.mfa.globalProviderId=mfa-duo
>> cas.authn.mfa.globalFailureMode=OPEN
>> cas.authn.mfa.duo[0].bypass.type=GROOVY
>> cas.authn.mfa.duo[0].bypass.groovy.location=file:///etc/cas/selectiveDuo.groovy
>>
>>
>> /etc/cas/selectiveDuo.groovy
>>
>> // CAS hands the bypass inputs to run() positionally, in this order
>> def boolean run(final Object... args) {
>> def authentication = args[0]
>> def principal = args[1]
>> def service = args[2]
>> def provider = args[3]
>> def logger = args[4]
>> def httpRequest = args[5]
>>
>> logger.info("Evaluating principal attributes ${principal.attributes}")
>>
>> def bypass = principal.attributes['uid']
>> if (bypass.contains("testuser") && provider.id == "mfa-duo") {
>> logger.info("Skipping bypass for principal ${principal.id}")
>> return false
>> }
>>
>> return true
>> }
>>
>>
>> When I try to login though, whenever a user would be sent to DUO, I get a
>> 500 error:
>>
>>
>> <https://lh3.googleusercontent.com/-bqF7r6WYFDU/Wn2r6Zgza6I/AAAAAAAASso/CtOtDNX7IF0Y2Ua0Eb8GyWbXuYdCSbEJgCLcBGAs/s1600/Screen%2BShot%2B2018-02-09%2Bat%2B9.10.22%2BAM.png>
>>
>> Here's a small snippet from the output:
>>
>> 2018-02-09 09:04:05,717 DEBUG
>> [org.apereo.cas.web.FlowExecutionExceptionResolver] - <Ignoring the received
>> exception due to a type mismatch>
>> org.springframework.webflow.execution.FlowExecutionException: Exception
>> thrown in state 'viewLoginFormDuo' of flow 'mfa-duo'
>> at
>> org.springframework.webflow.engine.impl.FlowExecutionImpl.wrap(FlowExecutionImpl.java:573)
>> ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>> at org.springframework.webflow.engine.impl.FlowExecutionImpl.resume(FlowExecutionImpl.java:263)
>> ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>> at
>> org.springframework.webflow.executor.FlowExecutorImpl.resumeExecution(FlowExecutorImpl.java:169)
>> ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> ~[?:1.8.0_151]
>>
>> Caused by:
>> org.apereo.spring.webflow.plugin.ClientFlowExecutionRepositoryException:
>> Error encoding flow execution
>> at
>> org.apereo.spring.webflow.plugin.ClientFlowExecutionRepository.getKey(ClientFlowExecutionRepository.java:114)
>> ~[spring-webflow-client-repo-1.0.3.jar:1.0.3]
>> at org.springframework.webflow.engine.impl.FlowExecutionImpl.assignKey(FlowExecutionImpl.java:419)
>> ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>> at
>> org.springframework.webflow.engine.impl.RequestControlContextImpl.assignFlowExecutionKey(RequestControlContextImpl.java:193)
>> ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>>
>> Caused by: java.io.NotSerializableException:
>> org.springframework.core.io.UrlResource
>> at
>> java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1184)
>> ~[?:1.8.0_151]
>> at
>> java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1548)
>> ~[?:1.8.0_151]
>> at
>> java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1509)
>> ~[?:1.8.0_151]
>> at
>> java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1432)
>> ~[?:1.8.0_151]
>> at
>> java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1178)
>> ~[?:1.8.0_151]
>> at
>> java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1548)
>> ~[?:1.8.0_151]
>> at
>> java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1509)
>> ~[?:1.8.0_151]
>>
>> 2018-02-09 09:04:05,717 ERROR
>> [org.springframework.boot.web.support.ErrorPageFilter] - <Forwarding to
>> error page from request [/login] due to exception [Exception thrown in state
>> 'viewLoginFormDuo' of flow 'mfa-duo']>
>> org.springframework.webflow.execution.FlowExecutionException: Exception
>> thrown in state 'viewLoginFormDuo' of flow 'mfa-duo'
>> at
>> org.springframework.webflow.engine.impl.FlowExecutionImpl.wrap(FlowExecutionImpl.java:573)
>> ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>> at org.springframework.webflow.engine.impl.FlowExecutionImpl.resume(FlowExecutionImpl.java:263)
>> ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>> at
>> org.springframework.webflow.executor.FlowExecutorImpl.resumeExecution(FlowExecutorImpl.java:169)
>> ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> ~[?:1.8.0_151]
>> at
>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>> ~[?:1.8.0_151]
>> at
>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> ~[?:1.8.0_151]
>> at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_151]
>>
>> Caused by:
>> org.apereo.spring.webflow.plugin.ClientFlowExecutionRepositoryException:
>> Error encoding flow execution
>> at
>> org.apereo.spring.webflow.plugin.ClientFlowExecutionRepository.getKey(ClientFlowExecutionRepository.java:114)
>> ~[spring-webflow-client-repo-1.0.3.jar:1.0.3]
>> at org.springframework.webflow.engine.impl.FlowExecutionImpl.assignKey(FlowExecutionImpl.java:419)
>> ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>> at
>> org.springframework.webflow.engine.impl.RequestControlContextImpl.assignFlowExecutionKey(RequestControlContextImpl.java:193)
>> ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>> at
>> org.springframework.webflow.engine.ViewState.doEnter(ViewState.java:170)
>> ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>> at org.springframework.webflow.engine.State.enter(State.java:194)
>> ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>> at
>> org.springframework.webflow.engine.Transition.execute(Transition.java:228)
>> ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>> at
>> org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:395)
>> ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>> at
>> org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
>> ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
>>
>> Caused by: java.io.NotSerializableException:
>> org.springframework.core.io.UrlResource
>> at
>> java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1184)
>> ~[?:1.8.0_151]
>> at
>> java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1548)
>> ~[?:1.8.0_151]
>> at
>> java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1509)
>> ~[?:1.8.0_151]
>> at
>> java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1432)
>> ~[?:1.8.0_151]
>> at
>> java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1178)
>> ~[?:1.8.0_151]
>> at
>> java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1548)
>> ~[?:1.8.0_151]
>> at
>> java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1509)
>> ~[?:1.8.0_151]
>> at
>> java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1432)
>> ~[?:1.8.0_151]
>>
>>
>> I posted the output to pastebin since it was too large for just posting
>> here: https://pastebin.com/yNPk4u7n
>>
>> --
>> - Website: https://apereo.github.io/cas
>> - Gitter Chatroom: https://gitter.im/apereo/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To view this discussion on the web visit
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/b3ba67e2-e0ca-4a8e-853b-041343564b9f%40apereo.org
>>
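An added example, not code from this thread or from the CAS project: a null-safe version of the selectiveDuo.groovy script discussed above. It assumes the CAS 5.2 Groovy bypass contract the thread is using, as I understand it: CAS calls run() with [authentication, principal, service, provider, logger, httpRequest], and the script returns true when the provider should run MFA and false when MFA should be bypassed. The bypass uid list is a constructed sample value. Two things the posted script does not handle are covered here: a principal whose uid attribute is missing (a NullPointerException from bypass.contains(...) would otherwise surface as an error in the mfa-duo flow), and attribute values that arrive as a Collection rather than a String. In both cases the script falls through to requiring MFA, so a data gap never silently removes the second factor.

```groovy
// Added example (not from the thread or the CAS project). Assumed CAS 5.2 contract:
// run() receives [authentication, principal, service, provider, logger, httpRequest];
// return true to run MFA for this provider, false to bypass it.
boolean run(final Object... args) {
    def authentication = args[0]
    def principal      = args[1]
    def service        = args[2]
    def provider       = args[3]
    def logger         = args[4]
    def httpRequest    = args[5]

    // Constructed sample value: accounts allowed to skip Duo. Keep this list short and audited.
    final Set<String> bypassUids = ["testuser"] as Set<String>

    // Decide only for the provider this script is attached to; anything else runs MFA.
    if (provider?.id != "mfa-duo") {
        return true
    }

    // Principal attributes are a Map<String, Object>; a value may be a scalar or a Collection.
    def raw = principal?.attributes?.get("uid")
    List<String> uids
    if (raw == null) {
        uids = []
    } else if (raw instanceof Collection) {
        uids = raw.findAll { it != null }.collect { it.toString() }
    } else {
        uids = [raw.toString()]
    }

    // Fail closed: a principal with no usable uid gets MFA rather than a bypass.
    if (uids.isEmpty()) {
        logger.warn("Principal [{}] has no uid attribute; requiring MFA via [{}]", principal?.id, provider.id)
        return true
    }

    // Exact match on the whole value; String.contains("testuser") would also match "testuser2".
    if (uids.any { bypassUids.contains(it) }) {
        logger.info("Bypassing [{}] for principal [{}]", provider.id, principal.id)
        return false
    }

    logger.debug("Requiring [{}] for principal [{}]", provider.id, principal.id)
    return true
}
```

To confirm the script is actually being consulted, look for the DEBUG line from org.apereo.cas.authentication.GroovyMultifactorAuthenticationProviderBypass quoted earlier in the thread; it names the principal, the provider and the script URL for each evaluation. Note also that cas.authn.mfa.globalFailureMode=OPEN in the posted properties is a separate decision from this script: it tells CAS to let authentication proceed without MFA when the provider itself is unavailable, which is worth deciding deliberately rather than inheriting.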