Travis,

It looks like I'm on 5.3.3 stable release. Nothing exactly like that or quite like that at all in the debug logs, though to be fair I'm not so great at reading this kind of log output -- without enabling mfa-gauth globally, it references gauth as an authentication handler, but it never seems to get called. Passes LDAP and finishes workflow.

With gauth enabled globally, I will get:

DEBUG [org.apereo.cas.authentication.AbstractMultifactorAuthenticationProvider] - <Using global multi-factor failure mode for [AbstractRegisteredService(serviceId=[...]
[...]
WHAT: [event=mfa-gauth,timestamp=Sat Sep 22 14:45:33 EDT 2018,source=GlobalMultifactorAuthenticationPolicyEventResolver]
ACTION: AUTHENTICATION_EVENT_TRIGGERED
APPLICATION: CAS

It really doesn't seem to care about the service registry asking for mfa-gauth - though other values there are respected (such as bypass when global mfa-gauth is enabled).

Thanks for the help!
-Dave

On Saturday, September 22, 2018 at 2:29:40 PM UTC-4, Travis Schmidt wrote:
>
> Are you using latest 5.3.3 release or 5.3.4-SNAPSHOT? If you put logs in
> debug do you see an entry like this?
>
> 2018-09-22 11:22:10,821 DEBUG
> [org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] -
> <Attempting to resolve authentication event using resolver
> [RegisteredServiceMultifactorAuthenticationPolicyEventResolver]>
>
> On Sat, Sep 22, 2018 at 10:57 AM Dave B <[email protected]>
> wrote:
>
>> In testing, I have found that without
>> "cas.authn.mfa.globalProviderId=mfa-gauth" set in cas.properties, the only
>> way I can activate the MFA gauth flow is to set triggers, like:
>> cas.authn.mfa.globalPrincipalAttributeNameTriggers=something
>> cas.authn.mfa.globalPrincipalAttributeValueRegex=something
>>
>> So, unless I have something misconfigured, I assume that the presence of
>> multifactorPolicy with multifactorAuthenicationProviders specified in a
>> service registry entry is not sufficient to "trigger" the MFA flow. At
>> least in my case.
>>
>> On Friday, September 21, 2018 at 2:56:53 PM UTC-4, Dave B wrote:
>>>
>>> Running latest CAS 5.3 and just implemented MFA. My goal is to have MFA
>>> disabled globally but able to be turned on based only on inclusion service
>>> registry.
>>>
>>> However, I can not get MFA to work on any service unless
>>> cas.authn.mfa.globalProviderId set to a value, in my case mfa-gauth.
>>>
>>> With the settings below, ALL services, regardless of inclusion of
>>> "multifactorPolicy", require MFA. My only option is to explicitly exclude
>>> (bypass) all other services for which I don't want to require MFA.
>>>
>>> Is this intended behavior?
>>>
>>> Relevant config:
>>> cas.properties:
>>> cas.authn.mfa.globalProviderId=mfa-gauth
>>> cas.authn.mfa.globalFailureMode=CLOSED
>>>
>>> "multifactorPolicy" : {
>>>   "@class" :
>>>   "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
>>>   "multifactorAuthenicationProviders" : [ "java.util.LinkedHashSet", [
>>>   "mfa-gauth" ] ],
>>>   "failureMode" : "CLOSED"
>>> },
>>>
>>> Thanks for any help!
>>> -Dave

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/fcddf170-7c66-459c-b034-51cd4ba02db8%40apereo.org.
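
The two log shapes quoted in this thread can be correlated to see which MFA event resolver was consulted and which one actually raised the event. The script below is an added example, not part of the original messages or of CAS itself; the sample log is constructed from the lines quoted above, and the function name and the assumption that ACTION directly follows WHAT in an audit entry are illustrative.

```python
import re
from collections import Counter

# Constructed sample, modelled on the DEBUG line and audit entry quoted in the thread.
SAMPLE_LOG = """\
2018-09-22 11:22:10,821 DEBUG [org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - <Attempting to resolve authentication event using resolver [RegisteredServiceMultifactorAuthenticationPolicyEventResolver]>
2018-09-22 11:22:10,830 DEBUG [org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - <Attempting to resolve authentication event using resolver [GlobalMultifactorAuthenticationPolicyEventResolver]>
WHAT: [event=mfa-gauth,timestamp=Sat Sep 22 14:45:33 EDT 2018,source=GlobalMultifactorAuthenticationPolicyEventResolver]
ACTION: AUTHENTICATION_EVENT_TRIGGERED
APPLICATION: CAS
"""

# Resolver named in the webflow DEBUG line.
ATTEMPT_RE = re.compile(
    r"Attempting to resolve authentication event using resolver \[(\w+)\]")
# Audit entry: WHAT carries event and source; ACTION follows on the same or next line.
TRIGGER_RE = re.compile(
    r"WHAT: \[event=([\w-]+),timestamp=[^,\]]*,source=(\w+)\]"
    r"\s+ACTION: AUTHENTICATION_EVENT_TRIGGERED")


def summarize_mfa_resolvers(log_text):
    """Return (attempted, triggered, silent).

    attempted: Counter of resolver names seen in DEBUG 'Attempting' lines.
    triggered: Counter of (event, source resolver) pairs from audit entries.
    silent:    resolvers that were consulted but never produced an event.
    """
    attempted = Counter(ATTEMPT_RE.findall(log_text))
    triggered = Counter(TRIGGER_RE.findall(log_text))
    sources = {source for _event, source in triggered}
    silent = sorted(name for name in attempted if name not in sources)
    return attempted, triggered, silent


if __name__ == "__main__":
    attempted, triggered, silent = summarize_mfa_resolvers(SAMPLE_LOG)
    for (event, source), count in triggered.items():
        print(f"{event} triggered {count}x by {source}")
    for name in silent:
        print(f"{name} was consulted but raised no MFA event")
```

A resolver that never appears in the attempted set was not consulted at all, while one listed as silent ran and declined to raise an event; the two cases point to different places to look in the configuration.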
