[cas-user] Re: How to enable MFA by service rather than globally

Sat, 22 Sep 2018 10:57:31 -0700 

In testing, I have found that without 
"cas.authn.mfa.globalProviderId=mfa-gauth" set in cas.properties, the only 
way I can activate the MFA gauth flow is to set triggers, like:
cas.authn.mfa.globalPrincipalAttributeNameTriggers=something
cas.authn.mfa.globalPrincipalAttributeValueRegex=something

So, unless I have something misconfigured, I assume that the presence of 
multifactorPolicy with multifactorAuthenicationProviders specified in a 
service registry entry is not sufficient to "trigger" the MFA flow.  At 
least in my case.  



On Friday, September 21, 2018 at 2:56:53 PM UTC-4, Dave B wrote:
>
> Running latest CAS 5.3 and just implemented MFA.  My goal is to have MFA 
> disabled globally but able to be turned on based only on inclusion service 
> registry.
>
> However, I can not get MFA to work on any service unless 
> cas.authn.mfa.globalProviderId set to a value, in my case mfa-gauth. 
>
> With the settings below, ALL services, regardless of inclusion of 
> "multifactorPolicy", require MFA.  My only option is to explicitly exclude 
> (bypass) all other services for which I don't want to require MFA.
>
> Is this intended behavior? 
>
> Relevant config:
> cas.properties:
> cas.authn.mfa.globalProviderId=mfa-gauth
> cas.authn.mfa.globalFailureMode=CLOSED
>
>
>   "multifactorPolicy" : {
>     "@class" : 
> "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
>     "multifactorAuthenicationProviders" : [ "java.util.LinkedHashSet", [ 
> "mfa-gauth" ] ],
>     "failureMode" : "CLOSED"
>    },
>
> Thanks for any help!
> -Dave
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/d50562a2-ba8b-455f-8e46-bef22f222888%40apereo.org.

Reply via email to