This was also fixed recently but not released in a 6.5.x build; the fix is in 6.6.0-RC4 at the earliest, from what I can tell:
https://github.com/apereo/cas/commit/c7d1bf17af0e06930363730aeffbdb7cb3241f2f

On Wednesday, July 13, 2022 at 11:49:25 AM UTC-5 [email protected] wrote:
> We recently upgraded our CAS instance to 6.5 as well as began enforcing
> MFA for all our staff and faculty. Overall things have been going well but
> we've had a few people ask about alternative MFA options. As of right now
> we use mfa-gauth.
>
> My goal would be to make it so that users could enroll into MFA in an
> "and/or" kind of scenario. They could activate mfa-gauth or mfa-u2f
> depending on their preference. Or, if they decide to enroll in both, they would
> then be prompted with a selection page at login to choose the MFA method
> they plan to use for that given session. Either way, staff and faculty will
> be required to enroll in at least one.
>
> For context on the current setup: right now we use mfa-gauth, which is
> triggered with the use of the "cas.authn.mfa.groovy-script.location"
> setting. Our Groovy script connects to a back-end Redis database and
> attempts to find the user in the database. If the user has mfatype:
> mfa-gauth set as a key/value in the database, then MFA is triggered for that
> user. For faculty and staff, a cronjob runs to add users to that database
> from a group in AD, which enforces MFA for those groups. For students we
> have a custom opt-in page where they can just click an "activate" button
> and they are then added to the database.
>
> In my dev environment I've got u2f dependencies and settings added and
> successfully tested the u2f method by manually updating my record in the
> corresponding dev Redis DB from mfatype: mfa-gauth to mfatype: mfa-u2f. So
> at this point I've determined that I can do either one, but now I'm stuck on
> how to go about supporting the ability to enroll in both...
>
> I enabled the "cas.authn.mfa.core.provider-selection-enabled=true" option
> in my dev environment, and so far the only way I've been able to trigger the
> selection page is by commenting out my Groovy script setting and adding
> this instead:
> "cas.authn.mfa.triggers.global.global-provider-id=mfa-gauth,mfa-u2f"
> So I at least know I can test the selection page now, but that setting isn't
> going to work for production, as it would force everyone into MFA and would
> prompt everyone with a selection page even if they were enrolled in only
> one option. To try and simplify things a bit, I took Redis out of the
> equation and tried to just hard-code a return value in the script so that
> it would always trigger. I can return a single provider with no issue, but
> trying to return a list of providers just causes the script to
> be ignored and MFA is never prompted.
>
> Hopefully someone can give me some guidance here.
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG

---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/d5088ef7-a2d6-47bc-a1fc-0514b649b271n%40apereo.org.
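An added example, not code from the original post or from the CAS project, sketching what the poster's Groovy trigger script could look like once per-user enrollment is consulted: one enrolled provider returns that provider id, two return the collection so that provider selection can offer the chooser page. It assumes the CAS Groovy MFA trigger contract (a class with `run(Object... args)` receiving service, registeredService, authentication, httpRequest and logger), and that a multi-valued return is only honored on a CAS build carrying the fix the reply points to; the `MFA_TYPES` map and its usernames are constructed sample data standing in for the Redis lookup.

```groovy
import java.util.*

// Added example (not from the post). Assumed contract: CAS calls run(args)
// with service, registeredService, authentication, httpRequest, logger and
// uses the returned provider id(s) to decide whether/which MFA to trigger.
class MfaEnrollmentTrigger {

    // Constructed stand-in for the poster's Redis "mfatype" records.
    // Production code would query Redis here; these entries are samples.
    static final Map<String, String> MFA_TYPES = [
        "alice": "mfa-gauth",
        "bob":   "mfa-u2f",
        "carol": "mfa-gauth,mfa-u2f"   // enrolled in both methods
    ]

    def run(final Object... args) {
        def service = args[0]
        def registeredService = args[1]
        def authentication = args[2]
        def httpRequest = args[3]
        def logger = args[4]

        def principalId = authentication.principal.id
        def enrolled = lookupMfaTypes(principalId)

        if (enrolled.isEmpty()) {
            // No enrollment record: no MFA is triggered for this login.
            // Users who are *required* to enroll must be added to the store
            // (the poster's AD-group cronjob) or this branch silently lets them through.
            logger.debug("No MFA enrollment found for [{}]", principalId)
            return null
        }
        if (enrolled.size() == 1) {
            // Single enrollment: return the bare id, which works on the poster's 6.5.x build.
            return enrolled[0]
        }
        // Multiple enrollments: return the whole collection. Per the reply above this
        // is only honored on builds carrying the fix; with provider-selection-enabled=true
        // CAS can then show the selection page for just these users.
        logger.debug("Multiple MFA enrollments for [{}]: {}", principalId, enrolled)
        return enrolled
    }

    // Parses the comma-separated mfatype value into a clean list of provider ids.
    static List<String> lookupMfaTypes(String principalId) {
        def raw = MFA_TYPES.get(principalId)
        if (!raw) return []
        return raw.split(",").collect { it.trim() }.findAll { it }
    }
}
```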
