Just to cover all the bases, you have verified that CAS is validating against the service you set the MFA for and is not getting hit by some other service entry that matches the service you are trying to log into?
On Fri, Sep 21, 2018 at 12:58 PM Dave B <[email protected]> wrote:
> Thank you both for the replies!
>
> It makes sense that "cas.authn.mfa.globalProviderId=mfa-gauth" is the
> problem, only if I comment it out, then I can't seem to get the service
> registry entry I pasted earlier to force MFA, though debug logs show some
> stuff about mfa-gauth in the DefaultAuthenticationEventExecutionPlan which
> indicates to me it's at least... considered(?), but nothing telling.
>
> I have no other cas.authn.mfa configuration directives in cas.properties
> at this point except for
> cas.authn.mfa.gauth.label
> cas.authn.mfa.gauth.issuer
>
> I wonder if it's possible I'm hitting some kind of default bypass
> condition? Any other ideas?
>
> Thanks again,
> Dave
>
>
> On Friday, September 21, 2018 at 3:40:10 PM UTC-4, David Curry wrote:
>>
>> I think the problem is this line:
>>
>> cas.authn.mfa.globalProviderId=mfa-gauth
>>
>> According to the documentation, that enables MFA for all services,
>> regardless of any other settings. Since you don't want that, you should
>> probably turn it off.
>>
>> We have basically the same settings that Matt just posted here, and like
>> his setup, it only does MFA on the few services where we've explicitly told
>> it to.
>>
>> --Dave
>>
>> --
>>
>> DAVID A. CURRY, CISSP
>> *DIRECTOR OF INFORMATION SECURITY*
>> INFORMATION TECHNOLOGY
>>
>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
>> +1 212 229-5300 x4728 • [email protected]
>>
>> On Fri, Sep 21, 2018 at 3:37 PM Matthew Uribe <[email protected]> wrote:
>>
>>> Hi Dave,
>>>
>>> I'm still on CAS 5.2, so perhaps things have changed, but I'm doing
>>> exactly what you describe with Duo.
>>>
>>> In my cas.properties:
>>>
>>> #Configure Duo authentication properties
>>> cas.authn.mfa.globalFailureMode: OPEN
>>> # Aims Two-Factor
>>> cas.authn.mfa.duo[0].duoApiHost: such.and.such
>>> cas.authn.mfa.duo[0].duoIntegrationKey: D...........A5
>>> cas.authn.mfa.duo[0].duoSecretKey: N.....................E5
>>> cas.authn.mfa.duo[0].trustedDeviceEnabled: false
>>> cas.authn.mfa.duo[0].duoApplicationKey: 01234567890
>>> cas.authn.mfa.duo[0].id: mfa-duo
>>>
>>> Then in service registry:
>>>
>>> "multifactorPolicy" : {
>>>   "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
>>>   "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-duo" ] ]
>>> }
>>>
>>> Services which don't include a multifactorPolicy don't require MFA.
>>>
>>> Matt
>>>
>>>
>>> On Friday, September 21, 2018 at 12:56:53 PM UTC-6, Dave B wrote:
>>>>
>>>> Running latest CAS 5.3 and just implemented MFA. My goal is to have
>>>> MFA disabled globally but able to be turned on based only on inclusion
>>>> in the service registry.
>>>>
>>>> However, I cannot get MFA to work on any service unless
>>>> cas.authn.mfa.globalProviderId is set to a value, in my case mfa-gauth.
>>>>
>>>> With the settings below, ALL services, regardless of inclusion of
>>>> "multifactorPolicy", require MFA. My only option is to explicitly exclude
>>>> (bypass) all other services for which I don't want to require MFA.
>>>>
>>>> Is this intended behavior?
>>>>
>>>> Relevant config:
>>>> cas.properties:
>>>> cas.authn.mfa.globalProviderId=mfa-gauth
>>>> cas.authn.mfa.globalFailureMode=CLOSED
>>>>
>>>> "multifactorPolicy" : {
>>>>   "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
>>>>   "multifactorAuthenicationProviders" : [ "java.util.LinkedHashSet", [ "mfa-gauth" ] ],
>>>>   "failureMode" : "CLOSED"
>>>> },
>>>>
>>>> Thanks for any help!
>>>> -Dave
>>>>
>>> --
>>> - Website: https://apereo.github.io/cas
>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>> - List Guidelines: https://goo.gl/1VRrw7
>>> - Contributions: https://goo.gl/mh7qDG
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "CAS Community" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> To view this discussion on the web visit
>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/c9ca7d75-0826-4fb5-86aa-9a67d2d3e3a3%40apereo.org
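Editor's note on the thread above. Two things in it are worth checking mechanically before a service file goes live: cas.authn.mfa.globalProviderId, which (as David Curry says) turns MFA on for every service, and the spelling of the policy key. The working snippet in Matt's reply uses "multifactorAuthenticationProviders", while the policy in the original question reads "multifactorAuthenicationProviders"; a key CAS does not recognise does not populate the provider list, so that policy names no provider and the service only gets MFA through the global setting, which matches the behaviour Dave describes. The script below is an added example, not CAS project code: it parses a cas.properties fragment and a JSON service definition and reports those mistakes. The policy keys beyond the ones on this page (principalAttributeNameTrigger, principalAttributeValueToMatch, bypassEnabled), the PHANTOM and NONE failure modes, and the "mfa-<module>" default-id convention are taken from the CAS 5.x documentation and should be verified against your version; the sample inputs are constructed to mirror the thread, with placeholder label/issuer values.

```python
"""Sanity-check a CAS service definition's multifactorPolicy against cas.properties.

Added example, not CAS code. Inputs at the bottom are constructed from the thread.
"""
import difflib
import json
import re

# Keys of DefaultRegisteredServiceMultifactorPolicy (CAS 5.x docs; verify for your version).
POLICY_KEYS = sorted({
    "@class", "multifactorAuthenticationProviders", "failureMode",
    "principalAttributeNameTrigger", "principalAttributeValueToMatch", "bypassEnabled",
})
FAILURE_MODES = {"OPEN", "CLOSED", "PHANTOM", "NONE"}  # assumption: modes of CAS 5.x
# Default ids of the modules seen in the thread; assumption: others follow mfa-<module>.
DEFAULT_PROVIDER_IDS = {"gauth": "mfa-gauth", "duo": "mfa-duo"}
_MFA_KEY = re.compile(r"^cas\.authn\.mfa\.([A-Za-z0-9]+)(?:\[\d+\])?\.(.+)$")
_PROP = re.compile(r"^([^=:\s]+)\s*[=:]\s*(.*)$")


def parse_properties(text):
    """Parse 'key=value' or 'key: value' lines; lines starting with '#' are comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            m = _PROP.match(line)
            if m:
                props[m.group(1)] = m.group(2).strip()
    return props


def configured_providers(props):
    """Provider ids that cas.properties defines; an explicit .id replaces the default."""
    explicit, modules = {}, set()
    for key, value in props.items():
        m = _MFA_KEY.match(key)
        if m:
            module, leaf = m.groups()
            modules.add(module)
            if leaf == "id":
                explicit.setdefault(module, set()).add(value)
    ids = set()
    for module in modules:
        ids |= explicit.get(module) or {DEFAULT_PROVIDER_IDS.get(module, f"mfa-{module}")}
    return ids


def check_service(properties_text, service_json):
    """Return a list of findings; an empty list means the pairing looks sane."""
    props = parse_properties(properties_text)
    policy = json.loads(service_json).get("multifactorPolicy")
    findings = []
    global_id = props.get("cas.authn.mfa.globalProviderId")
    if global_id:
        findings.append(f"cas.authn.mfa.globalProviderId={global_id} forces MFA on every "
                        "service; remove it if MFA should be opt-in per service")
    if policy is None:
        return findings  # no policy: this service asks for no MFA of its own
    for key in policy:
        if key not in POLICY_KEYS:  # a misspelled key never reaches the policy object
            hint = difflib.get_close_matches(key, POLICY_KEYS, n=1, cutoff=0.8)
            msg = f"unknown multifactorPolicy key '{key}'"
            findings.append(msg + (f" (did you mean '{hint[0]}'?)" if hint else ""))
    providers = policy.get("multifactorAuthenticationProviders")
    if providers is None:
        findings.append("multifactorPolicy names no provider, so it triggers nothing")
    elif (not isinstance(providers, list) or len(providers) != 2
          or providers[0] != "java.util.LinkedHashSet" or not isinstance(providers[1], list)):
        findings.append('multifactorAuthenticationProviders must be '
                        '["java.util.LinkedHashSet", ["<provider id>", ...]]')
    else:
        known = configured_providers(props)
        for pid in providers[1]:
            if pid not in known:
                findings.append(f"provider '{pid}' is not configured in cas.properties "
                                f"(configured: {sorted(known) or 'none'})")
    mode = policy.get("failureMode")
    if mode is not None and mode not in FAILURE_MODES:
        findings.append(f"failureMode '{mode}' is not one of {sorted(FAILURE_MODES)}")
    return findings


# Constructed inputs mirroring the thread (label/issuer values are placeholders).
DAVE_PROPERTIES = """
cas.authn.mfa.globalProviderId=mfa-gauth
cas.authn.mfa.globalFailureMode=CLOSED
cas.authn.mfa.gauth.label=Example SSO
cas.authn.mfa.gauth.issuer=example.org
"""
FIXED_PROPERTIES = DAVE_PROPERTIES.replace("cas.authn.mfa.globalProviderId=mfa-gauth\n", "")
DAVE_SERVICE = """{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "^https://app.example.org/.*", "name": "app", "id": 1000,
  "multifactorPolicy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
    "multifactorAuthenicationProviders": ["java.util.LinkedHashSet", ["mfa-gauth"]],
    "failureMode": "CLOSED"
  }
}"""
FIXED_SERVICE = DAVE_SERVICE.replace("multifactorAuthenicationProviders",
                                     "multifactorAuthenticationProviders")

if __name__ == "__main__":
    for label, props, svc in (("as posted", DAVE_PROPERTIES, DAVE_SERVICE),
                              ("corrected", FIXED_PROPERTIES, FIXED_SERVICE)):
        print(f"== {label} ==")
        for finding in check_service(props, svc) or ["no findings"]:
            print(" -", finding)
```

Run it as-is and the "as posted" pair yields three findings (the global provider id, the unrecognised key with the suggested spelling, and the resulting empty provider list); the "corrected" pair yields none. The provider cross-check is the piece worth keeping around: a policy that names an id no cas.authn.mfa.* block defines is as silent as a misspelled key, and this catches both before the first login test.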
