Hi all, I'm attempting to configure CAS so that the MFA provider is determined via an LDAP attribute. I have the following config:

```
server.ssl.keyStore=file:/etc/cas/thekeystore
cas.server.name=https://idp.wikimedia.org:8443
cas.server.prefix=https://idp.wikimedia.org:8443/cas
cas.authn.mfa.globalPrincipalAttributeNameTriggers=businessCategory
cas.authn.mfa.gauth.json.location=file:///etc/cas/config/gauthdevices.json
cas.authn.mfa.u2f.json.location=file:///etc/cas/config/u2fdevices.json
logging.config: file:/etc/cas/config/log4j2.xml
cas.serviceRegistry.json.location=file:/etc/cas/services
cas.authn.ldap[0].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider
cas.authn.ldap[0].principalAttributeList=cn,memberOf,mail,businessCategory
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].connectionStrategy=ACTIVE_PASSIVE
cas.authn.ldap[0].ldapurl=ldaps://ldap-ro.eqiad.wikimedia.org:636 ldaps://ldap-ro.codfw.wikimedia.org:636
cas.authn.ldap[0].useStartTLS=false
cas.authn.ldap[0].basedn=dc=wikimedia,dc=org
cas.authn.ldap[0].searchFilter=cn={user}
cas.authn.ldap[0].binddn=cn=user,ou=profile,dc=wikimedia,dc=org
cas.authn.ldap[0].bindcredential=**removed**
cas.authn.accept.users=
logging.level.org.apereo=DEBUG
```

And my user has `businessCategory: mfa-gauth` configured in LDAP.

However, when I try to authenticate I see the following in the debug logs:

```
2019-08-14 17:35:06,797 DEBUG [org.apereo.cas.authentication.DefaultMultifactorAuthenticationProviderResolver] - <Located attribute value [[mfa-gauth]] for [[businessCategory]]>
2019-08-14 17:35:06,797 DEBUG [org.apereo.cas.authentication.MultifactorAuthenticationUtils] - <Attribute value [[mfa-gauth]] is not a single-valued attribute>
2019-08-14 17:35:06,799 DEBUG [org.apereo.cas.authentication.MultifactorAuthenticationUtils] - <Ignoring [mfa-gauth] since no matching transition could be found>
2019-08-14 17:35:06,799 DEBUG [org.apereo.cas.authentication.DefaultMultifactorAuthenticationProviderResolver] - <No set of events based on the attribute(s) [[businessCategory]] could be matched>
```

So it looks like LDAP sends this value as an array and CAS doesn't like that. Is anyone able to give advice on how I could get LDAP to send this (or some other attribute) as a string, or fix this issue on the CAS side?

Cheers,
John
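As an added example (not part of John's message and not CAS code), here is a small Python parser for the four DEBUG lines quoted above. It pulls out the trigger attribute, its values, whether CAS treated the attribute as multi-valued, which individual values were ignored and why, and whether the resolver ended with no matching event. Reading the lines this way makes one thing visible that is easy to miss when skimming: the "not a single-valued attribute" line is followed by CAS examining the value `mfa-gauth` on its own, and the reason it logs for discarding it is a missing transition, not the array shape. The second function is a simplified model (my assumption about how a value-to-provider match looks, not CAS's actual implementation) that compares attribute values against a set of registered provider ids; `mfa-gauth` and `mfa-u2f` are the ids CAS uses for the Google Authenticator and U2F providers configured in the properties above. The sample log text is a constructed copy of the lines in the post.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed sample: a verbatim copy of the four DEBUG lines quoted in the post.
SAMPLE_LOG = """\
2019-08-14 17:35:06,797 DEBUG [org.apereo.cas.authentication.DefaultMultifactorAuthenticationProviderResolver] - <Located attribute value [[mfa-gauth]] for [[businessCategory]]>
2019-08-14 17:35:06,797 DEBUG [org.apereo.cas.authentication.MultifactorAuthenticationUtils] - <Attribute value [[mfa-gauth]] is not a single-valued attribute>
2019-08-14 17:35:06,799 DEBUG [org.apereo.cas.authentication.MultifactorAuthenticationUtils] - <Ignoring [mfa-gauth] since no matching transition could be found>
2019-08-14 17:35:06,799 DEBUG [org.apereo.cas.authentication.DefaultMultifactorAuthenticationProviderResolver] - <No set of events based on the attribute(s) [[businessCategory]] could be matched>
"""

# Patterns for the four message shapes seen in the post. A multi-valued
# attribute is rendered by CAS as a comma-separated list inside [[...]].
LOCATED = re.compile(r"<Located attribute value \[\[(?P<values>[^\]]*)\]\] for \[\[(?P<attr>[^\]]*)\]\]>")
MULTI = re.compile(r"<Attribute value \[\[(?P<values>[^\]]*)\]\] is not a single-valued attribute>")
IGNORED = re.compile(r"<Ignoring \[(?P<value>[^\]]*)\] since no matching transition could be found>")
NO_MATCH = re.compile(r"<No set of events based on the attribute\(s\) \[\[(?P<attr>[^\]]*)\]\] could be matched>")


@dataclass
class TriggerDiagnosis:
    """What the resolver logged about one MFA trigger attempt."""
    attribute: Optional[str] = None          # trigger attribute named in the log
    values: List[str] = field(default_factory=list)
    multi_valued: bool = False               # CAS took the multi-valued branch
    ignored: List[str] = field(default_factory=list)  # values dropped for lack of a transition
    unmatched_attribute: Optional[str] = None  # set when no event could be matched at all


def diagnose(log_text: str) -> TriggerDiagnosis:
    """Scan CAS DEBUG output and summarise the MFA provider resolution."""
    d = TriggerDiagnosis()
    for line in log_text.splitlines():
        if m := LOCATED.search(line):
            d.attribute = m["attr"]
            d.values = [v.strip() for v in m["values"].split(",") if v.strip()]
        elif MULTI.search(line):
            d.multi_valued = True
        elif m := IGNORED.search(line):
            d.ignored.append(m["value"])
        elif m := NO_MATCH.search(line):
            d.unmatched_attribute = m["attr"]
    return d


def candidate_providers(values: List[str], registered_ids: Set[str]) -> List[str]:
    """Simplified model (assumption, not CAS source): each attribute value is
    compared against the ids of the providers actually registered at runtime.
    A multi-valued attribute therefore yields zero or more candidates; the
    shape of the attribute alone does not reject it."""
    return [v for v in values if v in registered_ids]


def findings(d: TriggerDiagnosis) -> List[str]:
    """Human-readable observations derived only from what the log states."""
    out = []
    if d.multi_valued:
        out.append(f"{d.attribute} arrived as a multi-valued attribute with values {d.values}")
    for v in d.ignored:
        out.append(f"value {v!r} was examined individually and ignored: no matching transition")
    if d.unmatched_attribute:
        out.append(f"resolver ended with no MFA event for attribute {d.unmatched_attribute!r}")
    return out


if __name__ == "__main__":
    diag = diagnose(SAMPLE_LOG)
    for line in findings(diag):
        print("-", line)
    # Constructed provider-id set for the two MFA modules configured in the post.
    print("candidates:", candidate_providers(diag.values, {"mfa-gauth", "mfa-u2f"}))
```

Run it against a longer DEBUG capture to check whether other values of `businessCategory` (the attribute is commonly multi-valued in directory schemas) are being examined and which of them, if any, line up with a registered provider id; if a value equal to a provider id is still logged as ignored for lack of a transition, the thing to confirm next is that the corresponding MFA module is actually present on the CAS server, since the log wording points there rather than at the attribute's cardinality.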
