Here's one that we managed to get working; you can try similar settings to
see if they help:
cas.authn.mfa.duo[0].id=mfa-duo
cas.authn.mfa.globalPrincipalAttributePredicate=file:/etc/cas/attributeCollection/DetermineMFA.groovy
cas.authn.mfa.duo[0].rank=0
cas.authn.mfa.duo[0].duoApplicationKey=${key_duo_app}
cas.authn.mfa.duo[0].duoIntegrationKey=${key_duo_integration}
cas.authn.mfa.duo[0].duoApiHost=${duo_api_host}
cas.authn.mfa.duo[0].duoSecretKey=${key_duo}
On Tuesday, October 13, 2020 at 3:05:48 AM UTC-6 Otto Myyrä wrote:
> Sorry, realized I forgot to include version information. We are running
> CAS 6.1.7.1.
>
> On Tuesday, October 13, 2020 at 12:02:48 PM UTC+3 Otto Myyrä wrote:
>
>> Hello.
>>
>> We are having trouble actually triggering the mfa-authentication with a
>> groovy trigger script despite the trigger script running (and logging what
>> it's doing) seemingly just fine.
>>
>> We authenticate from ldap and also support spnego authentication and then
>> trigger mfa with a groovy trigger if spnego isn't in use. The groovy script
>> runs and does what it's supposed to do and then returns what it's
>> (apparently) supposed to return but the mfa process does not trigger after
>> that regardless.
>>
>> If we activate mfa globally based on a principal attribute instead of a
>> groovy trigger, then the mfa works as it should. If we try to do it with
>> the groovy script it won't activate. Would any of you have any idea what
>> we're doing wrong?
>>
>> Here's the mfa configuration in cas.properties:
>> ##
>> #DUO MFA provider
>> cas.authn.mfa.duo[0].duoSecretKey=[redacted]
>> cas.authn.mfa.duo[0].rank=1
>> cas.authn.mfa.duo[0].duoApplicationKey=[redacted]
>> cas.authn.mfa.duo[0].duoIntegrationKey=[redacted]
>> cas.authn.mfa.duo[0].duoApiHost=[redacted]
>> cas.authn.mfa.duo[0].trustedDeviceEnabled=false
>> cas.authn.mfa.duo[0].id=mfa-duo
>> cas.authn.mfa.duo[0].registrationUrl=https://[redacted]
>> cas.authn.mfa.duo[0].name=Login (CAS)
>> cas.authn.mfa.duo[0].order=1
>>
>> cas.authn.mfa.groovyScript=file:/etc/cas/mfaGroovyTrigger.groovy
>> cas.authn.mfa.provider-selection-enabled=true
>>
>>
>> #cas.authn.mfa.globalPrincipalAttributeNameTriggers=LGUserType,Company,CostCenter
>> #cas.authn.mfa.globalPrincipalAttributeValueRegex=23K65.*
>> #cas.authn.mfa.globalPrincipalAttributeValueRegex=donotmatch
>>
>> (the commented out lines are the tests with the principal attribute,
>> those work)
>>
>>
>> This is the groovy trigger script:
>>
>> import java.util.*
>>
>> class MFACustomTrigger {
>>     def String run(final Object... args) {
>>         def service = args[0]
>>         def registeredService = args[1]
>>         def authentication = args[2]
>>         def httpRequest = args[3]
>>         def logger = args[4]
>>
>>         logger.info("Evaluating authentication attributes [{}]", authentication.attributes)
>>         logger.info("Evaluating principal attributes [{}]", authentication.principal.attributes)
>>
>>         // CAS attribute values are lists; fall back to an empty list if the attribute is absent
>>         def credentialTypes = authentication.attributes['credentialType'] ?: []
>>         def cc = authentication.principal.attributes['costCenter'] ?: []
>>
>>         if (credentialTypes.contains('SpnegoCredential')) {
>>             logger.info("Spnego active, bypassing MFA [{}]", credentialTypes)
>>             return null
>>         }
>>
>>         // A return inside an each {} closure only exits the closure, so run() itself never
>>         // returned "mfa-duo"; any {} gives a boolean and lets the method return the provider id
>>         if (cc.any { it.toString().matches('23K65.+') }) {
>>             logger.info("CostCenter TIHA [{}]", cc)
>>             logger.info("Activating MFA for this authentication session")
>>             return "mfa-duo"
>>         }
>>         logger.info("CostCenter something else [{}]", cc)
>>         return null
>>     }
>> }
>>
>> Good ideas, suggestions, general advice and pointers to best practices
>> are more than welcome.
>> Thank you in advance.
>> BR,
>> Otto Myyrä
>>
>>
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/31b7e5a4-7a5c-45b6-ae6e-ce588d685c47n%40apereo.org.
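The thread never shows what the posted trigger actually hands back to CAS, so here is an added stand-alone Groovy script, not from the thread or from CAS, that calls the question's trigger logic with constructed stand-in authentication objects (the `DemoPrincipal`/`DemoAuthentication` classes and the attribute values are assumptions for the demo), first with the `return` inside `each {}` as posted and then with `any {}`; run it with `groovy`.

```groovy
import java.util.logging.Logger

// Constructed stand-ins for the CAS Principal/Authentication objects the trigger receives.
class DemoPrincipal { Map<String, List<Object>> attributes }
class DemoAuthentication { Map<String, List<Object>> attributes; DemoPrincipal principal }

// Trigger body as posted in the question: the return statements sit inside an each {} closure.
String runWithEach(DemoAuthentication authentication) {
    def cc = authentication.principal.attributes['costCenter']
    if (authentication.attributes['credentialType'].contains('SpnegoCredential')) {
        return null
    } else {
        cc.each {
            if (it.matches('23K65.+')) {
                return 'mfa-duo'   // exits this closure only; run() itself keeps going
            } else {
                return null
            }
        }
    }
}

// Corrected trigger: any {} reduces the list to a boolean, so the method returns the id itself.
String runWithAny(DemoAuthentication authentication, Logger logger) {
    def credentialTypes = authentication.attributes['credentialType'] ?: []
    def cc = authentication.principal.attributes['costCenter'] ?: []
    if (credentialTypes.contains('SpnegoCredential')) {
        logger.info("Spnego active, bypassing MFA")
        return null
    }
    if (cc.any { it.toString().matches('23K65.+') }) {
        logger.info("Activating MFA for this authentication session")
        return 'mfa-duo'
    }
    return null
}

def logger = Logger.getLogger('trigger-demo')
def ldapLogin = new DemoAuthentication(
    attributes: [credentialType: ['UsernamePasswordCredential']],
    principal: new DemoPrincipal(attributes: [costCenter: ['23K65-demo']]))
def spnegoLogin = new DemoAuthentication(
    attributes: [credentialType: ['SpnegoCredential']],
    principal: new DemoPrincipal(attributes: [costCenter: ['23K65-demo']]))
def posted = runWithEach(ldapLogin)
println "each-based trigger returned: ${posted}"   // not the provider id CAS needs
assert posted != 'mfa-duo'
assert runWithAny(ldapLogin, logger) == 'mfa-duo'
assert runWithAny(spnegoLogin, logger) == null
```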