Shibcas and mfa-gauth #37
Comments
I think the initial REFEDS MFA support in this plugin only covered Duo, but it looks like the latest version supports REFEDS MFA generally. I'm curious to know if it works with 3.3.0, as we're also using mfa-gauth via CAS for TOTP and would love to have a way to enforce that through the SAML layer if an SP requires it.
The README only references Duo, but gauth is there in the code as a provider: https://github.com/Unicon/shib-cas-authn3/blob/master/src/main/java/net/unicon/idp/authn/provider/extra/CasMultifactorRefedsToGoogleAuthenticatorAuthnMethodParameterBuilder.java
Try setting this in your idp.properties:
And make sure you have the REFEDS MFA profile in general-auth.xml: https://github.com/Unicon/shib-cas-authn3#configuration
I saw that in the code too and tried this configuration without success. Tested in the latest 3.3.0 this afternoon.
Hi,
I am using Shibcas with my Shibboleth IDP v3 and a CAS v5.3. All works fine with login and password.
When I use the "Google Authenticator" multifactor provider on my CAS, I get a strange return:
2019-02-15 16:17:54,149 - DEBUG [net.unicon.idp.externalauth.ShibcasAuthServlet:44] - principalName found and being passed on: XXXXXX
2019-02-15 16:17:54,150 - DEBUG [net.unicon.idp.externalauth.ShibcasAuthServlet:94] - Added attribute credentialType with values [UsernamePasswordCredential, GoogleAuthenticatorTokenCredential]
2019-02-15 16:17:54,150 - DEBUG [net.unicon.idp.externalauth.ShibcasAuthServlet:94] - Added attribute samlAuthenticationStatementAuthMethod with values [urn:oasis:names:tc:SAML:1.0:am:password, urn:oasis:names:tc:SAML:1.0:am:unspecified]
2019-02-15 16:17:54,150 - DEBUG [net.unicon.idp.externalauth.ShibcasAuthServlet:94] - Added attribute uid with values XXXXXXX
2019-02-15 16:17:54,151 - DEBUG [net.unicon.idp.externalauth.ShibcasAuthServlet:94] - Added attribute isFromNewLogin with values true
2019-02-15 16:17:54,151 - DEBUG [net.unicon.idp.externalauth.ShibcasAuthServlet:94] - Added attribute bypassMultifactorAuthentication with values false
2019-02-15 16:17:54,151 - DEBUG [net.unicon.idp.externalauth.ShibcasAuthServlet:94] - Added attribute authenticationDate with values 2019-02-15T16:17:53.562+01:00[Europe/Paris]
2019-02-15 16:17:54,152 - DEBUG [net.unicon.idp.externalauth.ShibcasAuthServlet:94] - Added attribute authenticationMethod with values [LdapAuthenticationHandler, GoogleAuthenticatorAuthenticationHandler]
2019-02-15 16:17:54,152 - DEBUG [net.unicon.idp.externalauth.ShibcasAuthServlet:94] - Added attribute authnContextClass with values mfa-gauth
2019-02-15 16:17:54,152 - DEBUG [net.unicon.idp.externalauth.ShibcasAuthServlet:94] - Added attribute successfulAuthenticationHandlers with values [LdapAuthenticationHandler, GoogleAuthenticatorAuthenticationHandler]
2019-02-15 16:17:54,159 - DEBUG [net.unicon.idp.externalauth.ShibcasAuthServlet:94] - Added attribute longTermAuthenticationRequestTokenUsed with values false
2019-02-15 16:17:54,160 - DEBUG [net.unicon.idp.externalauth.ShibcasAuthServlet:51] - Found attributes from CAS. Processing...
So my Shibboleth sends to the SP: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
Is there a missing configuration or a translation to add?
Thanks for reading.
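The translation the question is about, as an added illustration in Python (this is not the shib-cas-authn3 plugin's Java code, nor the configuration it expects): it rebuilds the CAS attribute map from ShibcasAuthServlet debug lines like the ones above, upgrades the asserted context to REFEDS MFA only when CAS shows that a second-factor handler actually succeeded and no bypass was applied, and refuses to answer an SP that requested MFA with a weaker context instead of silently downgrading. The CAS_MFA_TO_SAML table, the SECOND_FACTOR_HANDLERS set (the Duo handler name in it is assumed), and all function names are assumptions for this example; the MFA log lines are copied from the issue, the password-only and bypassed logs are constructed.

```python
import re

PASSWORD_PROTECTED_TRANSPORT = (
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
)
REFEDS_MFA = "https://refeds.org/profile/mfa"

# Assumed mapping from CAS multifactor provider ids (the authnContextClass
# attribute in the log) to the SAML AuthnContextClassRef they satisfy.
CAS_MFA_TO_SAML = {
    "mfa-gauth": REFEDS_MFA,
    "mfa-duo": REFEDS_MFA,
}

# CAS handler names whose success proves a second factor was verified.
# GoogleAuthenticatorAuthenticationHandler appears in the issue's log; the
# Duo handler name is an assumption of this example.
SECOND_FACTOR_HANDLERS = {
    "GoogleAuthenticatorAuthenticationHandler",
    "DuoSecurityAuthenticationHandler",
}

_ATTR_RE = re.compile(r"Added attribute (\S+) with values (.+?)\s*$")


def parse_cas_attributes(log_lines):
    """Rebuild the CAS attribute map from ShibcasAuthServlet debug lines.

    Bracketed values such as [A, B] become a list; bare values become a
    one-element list so callers can treat every attribute uniformly.
    """
    attrs = {}
    for line in log_lines:
        m = _ATTR_RE.search(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2)
        if raw.startswith("[") and raw.endswith("]"):
            attrs[name] = [v.strip() for v in raw[1:-1].split(",") if v.strip()]
        else:
            attrs[name] = [raw]
    return attrs


def derive_authn_context(attrs):
    """Return the strongest AuthnContextClassRef the CAS evidence supports."""
    handlers = set(attrs.get("successfulAuthenticationHandlers", []))
    bypassed = attrs.get("bypassMultifactorAuthentication", ["false"]) == ["true"]
    for mfa_id in attrs.get("authnContextClass", []):
        ctx = CAS_MFA_TO_SAML.get(mfa_id)
        # The provider id alone is not proof of MFA: also require that a
        # second-factor handler succeeded and that no bypass was applied.
        if ctx and not bypassed and handlers & SECOND_FACTOR_HANDLERS:
            return ctx
    return PASSWORD_PROTECTED_TRANSPORT


def select_response_context(attrs, requested_classes):
    """Decide which context to assert to an SP.

    requested_classes holds the AuthnContextClassRef values from the SP's
    RequestedAuthnContext (empty when it sent none). Matching is exact, as
    the REFEDS MFA profile requires; None means the request cannot be
    satisfied and the IdP must not answer with a weaker context.
    """
    achieved = derive_authn_context(attrs)
    if not requested_classes or achieved in requested_classes:
        return achieved
    return None


# Copied from the issue's debug log: a CAS login that completed mfa-gauth.
MFA_LOG = """\
2019-02-15 16:17:54,150 - DEBUG [net.unicon.idp.externalauth.ShibcasAuthServlet:94] - Added attribute credentialType with values [UsernamePasswordCredential, GoogleAuthenticatorTokenCredential]
2019-02-15 16:17:54,151 - DEBUG [net.unicon.idp.externalauth.ShibcasAuthServlet:94] - Added attribute bypassMultifactorAuthentication with values false
2019-02-15 16:17:54,152 - DEBUG [net.unicon.idp.externalauth.ShibcasAuthServlet:94] - Added attribute authnContextClass with values mfa-gauth
2019-02-15 16:17:54,152 - DEBUG [net.unicon.idp.externalauth.ShibcasAuthServlet:94] - Added attribute successfulAuthenticationHandlers with values [LdapAuthenticationHandler, GoogleAuthenticatorAuthenticationHandler]
""".splitlines()

# Constructed for contrast: a password-only CAS login.
PASSWORD_LOG = """\
DEBUG [ShibcasAuthServlet:94] - Added attribute credentialType with values [UsernamePasswordCredential]
DEBUG [ShibcasAuthServlet:94] - Added attribute bypassMultifactorAuthentication with values false
DEBUG [ShibcasAuthServlet:94] - Added attribute successfulAuthenticationHandlers with values [LdapAuthenticationHandler]
""".splitlines()

# Constructed: the provider id is present but CAS bypassed the second factor.
BYPASSED_LOG = """\
DEBUG [ShibcasAuthServlet:94] - Added attribute bypassMultifactorAuthentication with values true
DEBUG [ShibcasAuthServlet:94] - Added attribute authnContextClass with values mfa-gauth
DEBUG [ShibcasAuthServlet:94] - Added attribute successfulAuthenticationHandlers with values [LdapAuthenticationHandler]
""".splitlines()

if __name__ == "__main__":
    for label, log in (("mfa", MFA_LOG), ("password", PASSWORD_LOG), ("bypassed", BYPASSED_LOG)):
        attrs = parse_cas_attributes(log)
        print(label, "->", derive_authn_context(attrs),
              "| SP wants MFA:", select_response_context(attrs, [REFEDS_MFA]))
```

With the issue's own log the result is REFEDS MFA; the plugin asserting PasswordProtectedTransport for that session means the mapping step (or the IdP's authn flow configuration for the REFEDS MFA principal) is not being applied, which is what the configuration pointers in the comments above are trying to establish.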