Travis,

Yes, I have a few services now - one that should be (but isn't) forcing MFA, one that explicitly bypasses it, and one 'default', which takes on the global configuration.

And as an added double-check I still have the serviceUI enabled on the front page.

-Dave

On Friday, September 21, 2018 at 4:03:35 PM UTC-4, Travis Schmidt wrote:
>
> Just to cover all the bases, you have verified that CAS is validating
> against the service you set the MFA for and is not getting hit by some
> other service entry that matches the service you are trying to log into?
>
> On Fri, Sep 21, 2018 at 12:58 PM Dave B <[email protected]> wrote:
>
>> Thank you both for the replies!
>>
>> It makes sense that "cas.authn.mfa.globalProviderId=mfa-gauth" is the
>> problem, only if I comment it out, then I can't seem to get the service
>> registry entry I pasted earlier to force MFA, though debug logs show some
>> stuff about mfa-gauth in the DefaultAuthenticationEventExecutionPlan which
>> indicates to me it's at least... considered(?), but nothing telling.
>>
>> I have no other cas.authn.mfa configuration directives in cas.properties
>> at this point except for
>> cas.authn.mfa.gauth.label
>> cas.authn.mfa.gauth.issuer
>>
>> I wonder if it's possible I'm hitting some kind of default bypass
>> condition? Any other ideas?
>>
>> Thanks again,
>> Dave
>>
>> On Friday, September 21, 2018 at 3:40:10 PM UTC-4, David Curry wrote:
>>>
>>> I think the problem is this line:
>>>
>>> cas.authn.mfa.globalProviderId=mfa-gauth
>>>
>>> According to the documentation, that enables MFA for all services,
>>> regardless of any other settings. Since you don't want that, you should
>>> probably turn it off.
>>>
>>> We have basically the same settings that Matt just posted here, and like
>>> his setup, it only does MFA on the few services where we've explicitly told
>>> it to.
>>>
>>> --Dave
>>>
>>> --
>>> DAVID A. CURRY, CISSP
>>> DIRECTOR OF INFORMATION SECURITY
>>> INFORMATION TECHNOLOGY
>>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
>>> +1 212 229-5300 x4728 • [email protected]
>>>
>>> On Fri, Sep 21, 2018 at 3:37 PM Matthew Uribe <[email protected]> wrote:
>>>
>>>> Hi Dave,
>>>>
>>>> I'm still on CAS 5.2, so perhaps things have changed, but I'm doing
>>>> exactly what you describe with Duo.
>>>>
>>>> In my cas.properties:
>>>>
>>>> #Configure Duo authentication properties
>>>> cas.authn.mfa.globalFailureMode: OPEN
>>>> # Aims Two-Factor
>>>> cas.authn.mfa.duo[0].duoApiHost: such.and.such
>>>> cas.authn.mfa.duo[0].duoIntegrationKey: D...........A5
>>>> cas.authn.mfa.duo[0].duoSecretKey: N.....................E5
>>>> cas.authn.mfa.duo[0].trustedDeviceEnabled: false
>>>> cas.authn.mfa.duo[0].duoApplicationKey: 01234567890
>>>> cas.authn.mfa.duo[0].id: mfa-duo
>>>>
>>>> Then in service registry:
>>>>
>>>> "multifactorPolicy" : {
>>>>   "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
>>>>   "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-duo" ] ]
>>>> }
>>>>
>>>> Services which don't include a multifactorPolicy don't require MFA.
>>>>
>>>> Matt
>>>>
>>>> On Friday, September 21, 2018 at 12:56:53 PM UTC-6, Dave B wrote:
>>>>>
>>>>> Running latest CAS 5.3 and just implemented MFA. My goal is to have
>>>>> MFA disabled globally but able to be turned on based only on inclusion
>>>>> in the service registry.
>>>>>
>>>>> However, I cannot get MFA to work on any service unless
>>>>> cas.authn.mfa.globalProviderId is set to a value, in my case mfa-gauth.
>>>>>
>>>>> With the settings below, ALL services, regardless of inclusion of
>>>>> "multifactorPolicy", require MFA. My only option is to explicitly
>>>>> exclude (bypass) all other services for which I don't want to require MFA.
>>>>>
>>>>> Is this intended behavior?
>>>>>
>>>>> Relevant config:
>>>>> cas.properties:
>>>>> cas.authn.mfa.globalProviderId=mfa-gauth
>>>>> cas.authn.mfa.globalFailureMode=CLOSED
>>>>>
>>>>> "multifactorPolicy" : {
>>>>>   "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
>>>>>   "multifactorAuthenicationProviders" : [ "java.util.LinkedHashSet", [ "mfa-gauth" ] ],
>>>>>   "failureMode" : "CLOSED"
>>>>> },
>>>>>
>>>>> Thanks for any help!
>>>>> -Dave
>>>>>
>>>> --
>>>> - Website: https://apereo.github.io/cas
>>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>>> - List Guidelines: https://goo.gl/1VRrw7
>>>> - Contributions: https://goo.gl/mh7qDG
>>>> ---
>>>> You received this message because you are subscribed to the Google
>>>> Groups "CAS Community" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to [email protected].
>>>> To view this discussion on the web visit
>>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/c9ca7d75-0826-4fb5-86aa-9a67d2d3e3a3%40apereo.org
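As an added example (editor's code, not from any poster in this thread and not a CAS tool), a small linter that checks a parsed service-registry entry against the multifactorPolicy shape Matt posted and flags the global trigger David Curry pointed at. The expected-key set is built only from fields seen in this thread (extend it from the docs of your CAS version); the sample input is the policy and cas.properties lines exactly as Dave posted them, so the linter reports the misspelled provider key that differs from Matt's working entry.

```python
import difflib
# Keys this thread shows inside a DefaultRegisteredServiceMultifactorPolicy
# block; extend the set from the docs of the CAS version you run.
MFA_POLICY_CLASS = "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy"
EXPECTED_POLICY_KEYS = {"@class", "multifactorAuthenticationProviders", "failureMode"}

def provider_ids(value):
    """Unwrap the ["java.util.LinkedHashSet", [ids...]] form CAS uses for sets."""
    if isinstance(value, list) and len(value) == 2 and isinstance(value[1], list):
        return value[1]
    return value or []

def check_mfa_policy(service, known_providers):
    """Findings for one parsed service-registry entry; [] means the policy is sound.
    Unknown keys are reported with the closest expected key, so a one-letter typo
    is surfaced instead of being dropped silently when CAS deserialises the file."""
    policy = service.get("multifactorPolicy")
    if policy is None:
        return ["no multifactorPolicy: global MFA settings alone decide"]
    findings = []
    if policy.get("@class") != MFA_POLICY_CLASS:
        findings.append("unexpected @class %r" % policy.get("@class"))
    for key in policy:
        if key not in EXPECTED_POLICY_KEYS:
            close = difflib.get_close_matches(key, EXPECTED_POLICY_KEYS, n=1)
            hint = " (did you mean %r?)" % close[0] if close else ""
            findings.append("unknown policy key %r%s" % (key, hint))
    ids = provider_ids(policy.get("multifactorAuthenticationProviders"))
    if not ids:
        findings.append("no multifactorAuthenticationProviders: service will not trigger MFA")
    for pid in ids:
        if pid not in known_providers:
            findings.append("provider %r is not configured in cas.properties" % pid)
    return findings

def check_properties(props):
    """Flag the global trigger that makes MFA apply to every service, policy or not."""
    if props.get("cas.authn.mfa.globalProviderId"):
        return ["cas.authn.mfa.globalProviderId is set: MFA applies to every service"]
    return []

# The multifactorPolicy block and cas.properties lines exactly as posted in the thread.
POSTED_SERVICE = {"multifactorPolicy": {
    "@class": MFA_POLICY_CLASS,
    "multifactorAuthenicationProviders": ["java.util.LinkedHashSet", ["mfa-gauth"]],
    "failureMode": "CLOSED"}}
POSTED_PROPERTIES = {"cas.authn.mfa.globalProviderId": "mfa-gauth",
                     "cas.authn.mfa.globalFailureMode": "CLOSED"}
```

Run `check_properties(POSTED_PROPERTIES)` and `check_mfa_policy(POSTED_SERVICE, {"mfa-gauth"})` over the posted input to see both findings; a policy using Matt's key spelling with a configured provider id returns an empty list.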
