Sorry, realized I forgot to include version information. We are running CAS 6.1.7.1.
On Tuesday, October 13, 2020 at 12:02:48 PM UTC+3 Otto Myyrä wrote:
> Hello.
>
> We are having trouble actually triggering the mfa-authentication with a
> groovy trigger script despite the trigger script running (and logging what
> it's doing) seemingly just fine.
>
> We authenticate from ldap and also support spnego authentication and then
> trigger mfa with a groovy trigger if spnego isn't in use. The groovy script
> runs and does what it's supposed to do and then returns what it's
> (apparently) supposed to return but the mfa process does not trigger after
> that regardless.
>
> If we activate mfa globally based on a principal attribute instead of a
> groovy trigger, then the mfa works as it should. If we try to do it with
> the groovy script it won't activate. Would any of you have any idea what
> we're doing wrong?
>
> Here's the mfa configuration in cas.properties:
>
> ##
> #DUO MFA provider
> cas.authn.mfa.duo[0].duoSecretKey=[redacted]
> cas.authn.mfa.duo[0].rank=1
> cas.authn.mfa.duo[0].duoApplicationKey=[redacted]
> cas.authn.mfa.duo[0].duoIntegrationKey=[redacted]
> cas.authn.mfa.duo[0].duoApiHost=[redacted]
> cas.authn.mfa.duo[0].trustedDeviceEnabled=false
> cas.authn.mfa.duo[0].id=mfa-duo
> cas.authn.mfa.duo[0].registrationUrl=https://[redacted]
> cas.authn.mfa.duo[0].name=Login (CAS)
> cas.authn.mfa.duo[0].order=1
>
> cas.authn.mfa.groovyScript=file:/etc/cas/mfaGroovyTrigger.groovy
> cas.authn.mfa.provider-selection-enabled=true
>
> #cas.authn.mfa.globalPrincipalAttributeNameTriggers=LGUserType,Company,CostCenter
> #cas.authn.mfa.globalPrincipalAttributeValueRegex=23K65.*
> #cas.authn.mfa.globalPrincipalAttributeValueRegex=donotmatch
>
> (the commented out lines are the tests with the principal attribute, those
> work)
>
> This is the groovy trigger script:
>
> import java.util.*
>
> class MFACustomTrigger {
>     def String run(final Object... args) {
>         def service = args[0]
>         def registeredService = args[1]
>         def authentication = args[2]
>         def httpRequest = args[3]
>         def logger = args[4]
>
>         logger.info("Evaluating authentication attributes [{}]", authentication.attributes)
>         logger.info("Evaluating principal attributes [{}]", authentication.principal.attributes)
>
>         def isSpnego = authentication.attributes['credentialType']
>         def cc = authentication.principal.attributes['costCenter']
>
>         if (isSpnego.contains('SpnegoCredential')) {
>             logger.info("Spnego active, bypassing MFA [{}]", isSpnego)
>             return null
>         } else {
>             cc.each {
>                 if (it.matches('23K65.+')) {
>                     logger.info("CostCenter TIHA [{}]", cc)
>                     logger.info("Activating MFA for this authentication session")
>                     return "mfa-duo"
>                 } else {
>                     logger.info("CostCenter something else [{}]", cc)
>                     return null
>                 }
>             }
>         }
>     }
> }
>
> Good ideas, suggestions, general advice and pointers to best practices are
> more than welcome.
> Thank you in advance.
> BR,
> Otto Myyrä
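A reworked version of the posted trigger, added here as an example and not code from the original post or from the CAS project: in Groovy a `return` inside the `cc.each { ... }` closure only leaves that closure, so the posted `run()` falls through and returns null for every non-SPNEGO login, which is consistent with the script logging correctly while MFA never fires. The version below evaluates the rule with `any` and returns from `run()` itself; the attribute names, the cost-center pattern and the `mfa-duo` id come from the post, while the mock logger and authentication objects at the bottom are constructed only so the script can be run stand-alone with `groovy`.

```groovy
// Added example: corrected trigger. Attribute names, the cost-center pattern and
// the provider id "mfa-duo" come from the post; everything else is assumed.
class MFACustomTrigger {
    String run(final Object... args) {
        def authentication = args[2]
        def logger = args[4]

        // CAS attribute values are usually lists; normalise to a List either way.
        def values = { v -> v == null ? [] : (v instanceof Collection ? v.toList() : [v]) }
        def credentialTypes = values(authentication.attributes['credentialType'])
        def costCenters = values(authentication.principal.attributes['costCenter'])

        if (credentialTypes.any { it.toString().contains('SpnegoCredential') }) {
            logger.info("Spnego active, bypassing MFA [{}]", credentialTypes)
            return null
        }

        // Evaluate the rule first; a 'return' inside each {} would only leave the closure.
        boolean mfaRequired = costCenters.any { it.toString().matches('23K65.+') }
        if (mfaRequired) {
            logger.info("CostCenter matches [{}], activating MFA", costCenters)
            return "mfa-duo"     // provider id from cas.authn.mfa.duo[0].id
        }
        logger.info("CostCenter does not match [{}], no MFA", costCenters)
        return null
    }
}

// --- constructed stand-ins for a local run; CAS injects the real objects ---
def logger = [info: { String msg, Object arg -> println "INFO ${msg} ${arg}" }]
def auth = { List creds, List costCenters ->
    [attributes: [credentialType: creds], principal: [attributes: [costCenter: costCenters]]]
}
def trigger = new MFACustomTrigger()

assert trigger.run(null, null, auth(['UsernamePasswordCredential'], ['23K6501']), null, logger) == 'mfa-duo'
assert trigger.run(null, null, auth(['SpnegoCredential'], ['23K6501']), null, logger) == null
assert trigger.run(null, null, auth(['UsernamePasswordCredential'], ['99X']), null, logger) == null
assert trigger.run(null, null, auth([], []), null, logger) == null
println "all checks passed"
```

Dropping the script into `/etc/cas/mfaGroovyTrigger.groovy` with the `cas.authn.mfa.groovyScript` setting from the post unchanged is enough for CAS to pick up the corrected return value.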
