Hello, I really hope you already found a solution, but if not, for my part, I did:

cas.authn.mfa.globalProviderId=mfa-yubikey,mfa-gauth

And it works!

Regards,

On Friday, 20 December 2019 20:30:06 UTC+1, randomuser878 wrote:
> Hello
>
> Using cas 6.1.2 and compiled cas-management (master branch, thanks to
> Travis et al.) for fixing the attribute and pac4J compatible changes and
> 6.x tree.
>
> Trying this:
> https://apereo.github.io/2019/05/13/cas61x-mfa-selection-strategies/
>
> Assigned: cas.authn.mfa.provider-selection-enabled=true
> I also tried/set rank value the same (i.e. 100) for mfa-google and
> mfa-yubikey.
> When setup only for one MFA then I get MFA for that device.
> When choosing two mfa values, the mfa is entirely bypassed. Never see
> the selection as shown on the blog article. Shown json export from
> cas-management.
> I am certain I am missing something obvious. Any clue is greatly
> appreciated.
>
> Is this implementation mandatory for this integration:
> cas.authn.mfa.providerSelectorGroovyScript=file:/etc/cas/mfaGroovySelector.groovy
> If such, any clues how to proceed.
>
> Also did the parameter search for any additional parameter to no avail.
>
> gradlew runShell
> java -jar build/libs/cas-server-support-shell-6.1.2.jar
>
> cas>find --name mfa.provider
> Property: cas.authn.adaptive.risk.response.mfa-provider
> Group: cas.authn.adaptive.risk.response
> Default Value: [blank]
> Type: java.lang.String
> Summary: If an authentication attempt is deemed risky, force a
> multi-factor authentication event noted by the provider id here.
> Description: If an authentication attempt is deemed risky, force a
> multi-factor authentication event noted by the provider id here.
> Deprecated: no
> ----------------------------------------------------------------------
> Property: cas.authn.mfa.provider-selector-groovy-script
> Group: cas.authn.mfa
> Default Value: [blank]
> Type: org.springframework.core.io.Resource
> Summary: In the event that multiple multifactor authentication providers
> are determined for a multifactor authentication transaction, by default CAS
> will attempt to sort the collection of providers based on their rank and
> will pick one with the highest priority.
> Description: In the event that multiple multifactor authentication
> providers are determined for a multifactor authentication transaction, by
> default CAS will attempt to sort the collection of providers based on their
> rank and will pick one with the highest priority. This use case may arise
> if multiple triggers are defined where each decides on a different
> multifactor authentication provider, or the same provider instance is
> configured multiple times with many instances. Provider selection may also
> be carried out using Groovy scripting strategies more dynamically. The
> following example should serve as an outline of how to select multifactor
> providers based on a Groovy script.
> Deprecated: no
> ----------------------------------------------------------------------
> Property: cas.authn.mfa.provider-selection-enabled
> Group: cas.authn.mfa
> Default Value: false
> Type: java.lang.Boolean
> Summary: In the event that multiple multifactor authentication providers
> are determined for a multifactor authentication transaction, this setting
> will allow one to interactively choose a provider out of the list of
> available providers.
> Description: In the event that multiple multifactor authentication
> providers are determined for a multifactor authentication transaction, this
> setting will allow one to interactively choose a provider out of the list
> of available providers. A trigger may be designed to support more than one
> provider, and rather than letting CAS auto-determine the selected provider
> via scripts or ranking strategies, this method puts the choice back onto
> the user to decide which provider makes the most sense at any given time.
> Deprecated: no
>
>
> JSON output from cas-management, changed sensitive info
>
> {
>   @class: org.apereo.cas.services.RegexRegisteredService
>   serviceId: ^https://somewhere.and.nowhere(\\z|/.*)
>   name: SAMPLE
>   id: 1
>   expirationPolicy: {
>     @class: org.apereo.cas.services.DefaultRegisteredServiceExpirationPolicy
>     deleteWhenExpired: false
>     notifyWhenDeleted: false
>     notifyWhenExpired: false
>   }
>   proxyPolicy: {
>     @class: org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy
>   }
>   proxyTicketExpirationPolicy: {
>     @class: org.apereo.cas.services.DefaultRegisteredServiceProxyTicketExpirationPolicy
>     numberOfUses: 0
>   }
>   serviceTicketExpirationPolicy: {
>     @class: org.apereo.cas.services.DefaultRegisteredServiceServiceTicketExpirationPolicy
>     numberOfUses: 0
>   }
>   evaluationOrder: 1
>   usernameAttributeProvider: {
>     @class: org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider
>     canonicalizationMode: NONE
>     encryptUsername: false
>   }
>   logoutType: BACK_CHANNEL
>   requiredHandlers: [ java.util.HashSet [] ]
>   environments: [ java.util.HashSet [] ]
>   attributeReleasePolicy: {
>     @class: org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy
>     principalAttributesRepository: {
>       @class: org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository
>       mergingStrategy: MULTIVALUED
>       ignoreResolvedAttributes: false
>     }
>     consentPolicy: {
>       @class: org.apereo.cas.services.consent.DefaultRegisteredServiceConsentPolicy
>       enabled: true
>       order: 0
>     }
>     authorizedToReleaseCredentialPassword: false
>     authorizedToReleaseProxyGrantingTicket: false
>     excludeDefaultAttributes: false
>     authorizedToReleaseAuthenticationAttributes: true
>     order: 0
>     allowedAttributes: [ java.util.ArrayList [ mail, cn, groupMembership ] ]
>   }
>   multifactorPolicy: {
>     @class: org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy
>     multifactorAuthenticationProviders: [ java.util.HashSet [ mfa-gauth, mfa-yubikey ] ]
>     failureMode: PHANTOM (also tried with CLOSED to no avail)
>     principalAttributeNameTrigger: groupMembership
>     principalAttributeValueToMatch: cn=SOME_GROUP_DN
>     bypassEnabled: false
>     forceExecution: false
>     bypassTrustedDeviceEnabled: false
>   }
>   accessStrategy: {
>     @class: org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy
>     order: 0
>     enabled: true
>     ssoEnabled: true
>     delegatedAuthenticationPolicy: {
>       @class: org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy
>       allowedProviders: [ java.util.ArrayList [] ]
>       permitUndefined: true
>       exclusive: false
>     }
>     requireAllAttributes: true
>     requiredAttributes: { @class: java.util.LinkedHashMap }
>     rejectedAttributes: { @class: java.util.LinkedHashMap }
>     caseInsensitive: false
>   }
>   properties: { @class: java.util.LinkedHashMap }
>   contacts: [ java.util.ArrayList [] ]
> }
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/6b54831f-8f5e-46cc-a1e1-21810825a035o%40apereo.org.
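The failure mode in this thread (two providers on a service's multifactorPolicy, MFA silently skipped until globalProviderId lists both) is the kind of thing worth catching in a config review before it reaches production. The script below is an added example, not CAS or cas-management code: it parses a service definition in CAS's JSON style (the ["java.util.HashSet", [...]] collection wrappers and "@class" keys seen in the export above), compares the policy against the server-side cas.authn.mfa.* properties, and reports findings. The service document and both property sets are constructed to mirror the thread; the checks are this script's own heuristics, and the reading of failureMode (anything other than CLOSED lets the login continue when a provider cannot run) is the CAS semantics as I understand them, not something the thread states.

```python
"""Audit a CAS registered service's multifactorPolicy against the
cas.authn.mfa.* server properties. Added example; not CAS project code."""

import json
from typing import Any, Dict, List, Set

# Constructed property sets, assumed for illustration: the reporter's
# original state and the state after the fix given in the reply.
CAS_PROPERTIES_WEAK = {
    "cas.authn.mfa.provider-selection-enabled": "false",
}
CAS_PROPERTIES_FIXED = {
    "cas.authn.mfa.provider-selection-enabled": "true",
    "cas.authn.mfa.globalProviderId": "mfa-yubikey,mfa-gauth",
}

# Constructed service definition in CAS's JSON style: collections are
# wrapped as [java-type, payload] and every object carries "@class".
SAMPLE_SERVICE = json.loads(r"""
{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "^https://somewhere.and.nowhere(\\z|/.*)",
  "name": "SAMPLE",
  "id": 1,
  "multifactorPolicy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
    "multifactorAuthenticationProviders": ["java.util.HashSet", ["mfa-gauth", "mfa-yubikey"]],
    "failureMode": "PHANTOM",
    "principalAttributeNameTrigger": "groupMembership",
    "principalAttributeValueToMatch": "cn=SOME_GROUP_DN",
    "bypassEnabled": false,
    "forceExecution": false
  }
}
""")


def unwrap(value: Any) -> Any:
    """Strip the [java-type, payload] wrapper CAS puts around collections."""
    if (isinstance(value, list) and len(value) == 2
            and isinstance(value[0], str) and value[0].startswith("java.")):
        return value[1]
    return value


def global_provider_ids(props: Dict[str, str]) -> Set[str]:
    """Providers named in globalProviderId (camel or kebab spelling)."""
    raw = (props.get("cas.authn.mfa.globalProviderId")
           or props.get("cas.authn.mfa.global-provider-id", ""))
    return {p.strip() for p in raw.split(",") if p.strip()}


def audit_mfa_policy(service: Dict[str, Any], props: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing flagged."""
    findings: List[str] = []
    policy = service.get("multifactorPolicy") or {}
    providers = set(unwrap(policy.get("multifactorAuthenticationProviders", [])))
    selection_enabled = props.get(
        "cas.authn.mfa.provider-selection-enabled", "false").lower() == "true"
    global_ids = global_provider_ids(props)

    if not providers:
        findings.append("multifactorPolicy lists no providers")
        return findings
    # The thread's symptom: several providers on the service, but the server
    # is given neither an interactive selection nor a globalProviderId list.
    if len(providers) > 1 and not selection_enabled and not global_ids:
        findings.append("multiple providers on service but provider selection "
                        "is off and globalProviderId is unset")
    if len(providers) > 1 and global_ids and not providers <= global_ids:
        findings.append("service providers %s are not all in globalProviderId %s"
                        % (sorted(providers), sorted(global_ids)))
    # Assumed CAS semantics: only CLOSED refuses the login when a provider
    # cannot be contacted; PHANTOM/OPEN let authentication proceed.
    mode = str(policy.get("failureMode", "")).upper()
    if mode != "CLOSED":
        findings.append("failureMode %s lets authentication continue if the "
                        "provider is unavailable; CLOSED fails safe" % (mode or "unset"))
    if policy.get("bypassEnabled"):
        findings.append("bypassEnabled is true on a service that requires MFA")
    return findings


if __name__ == "__main__":
    for label, props in (("before fix", CAS_PROPERTIES_WEAK),
                         ("after fix", CAS_PROPERTIES_FIXED)):
        print(label)
        for finding in audit_mfa_policy(SAMPLE_SERVICE, props) or ["no findings"]:
            print("  -", finding)
```

Run it against a directory of service JSON files by replacing SAMPLE_SERVICE with json.load on each file and the property dicts with a parsed cas.properties; the failureMode check stays on even after the thread's fix, because that setting is the one that decides whether an outage of a provider turns into an MFA bypass.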
