Skip to content
This repository has been archived by the owner on Oct 24, 2020. It is now read-only.

Shibcas and mfa-gauth #37

Open
millecentdix opened this issue Feb 16, 2019 · 4 comments
Open

Shibcas and mfa-gauth #37

millecentdix opened this issue Feb 16, 2019 · 4 comments

Comments

@millecentdix
Copy link

Hi,

I am using Shibcas with my Shibboleth IDP v3 and a CAS v5.3. All works fine with login and password.
When I use multifactor "Google Authenticator" on my CAS, I have a strange return :

2019-02-15 16:17:54,149 - DEBUG [net.unicon.idp.externalauth.ShibcasAuthServlet:44] - principalName found and being passed on: XXXXXX
2019-02-15 16:17:54,150 - DEBUG [net.unicon.idp.externalauth.ShibcasAuthServlet:94] - Added attribute credentialType with values [UsernamePasswordCredential, GoogleAuthenticatorTokenCredential]
2019-02-15 16:17:54,150 - DEBUG [net.unicon.idp.externalauth.ShibcasAuthServlet:94] - Added attribute samlAuthenticationStatementAuthMethod with values [urn:oasis:names:tc:SAML:1.0:am:password, urn:oasis:names:tc:SAML:1.0:am:unspecified]
2019-02-15 16:17:54,150 - DEBUG [net.unicon.idp.externalauth.ShibcasAuthServlet:94] - Added attribute uid with values XXXXXXX
2019-02-15 16:17:54,151 - DEBUG [net.unicon.idp.externalauth.ShibcasAuthServlet:94] - Added attribute isFromNewLogin with values true
2019-02-15 16:17:54,151 - DEBUG [net.unicon.idp.externalauth.ShibcasAuthServlet:94] - Added attribute bypassMultifactorAuthentication with values false
2019-02-15 16:17:54,151 - DEBUG [net.unicon.idp.externalauth.ShibcasAuthServlet:94] - Added attribute authenticationDate with values 2019-02-15T16:17:53.562+01:00[Europe/Paris]
2019-02-15 16:17:54,152 - DEBUG [net.unicon.idp.externalauth.ShibcasAuthServlet:94] - Added attribute authenticationMethod with values [LdapAuthenticationHandler, GoogleAuthenticatorAuthenticationHandler]
2019-02-15 16:17:54,152 - DEBUG [net.unicon.idp.externalauth.ShibcasAuthServlet:94] - Added attribute authnContextClass with values mfa-gauth
2019-02-15 16:17:54,152 - DEBUG [net.unicon.idp.externalauth.ShibcasAuthServlet:94] - Added attribute successfulAuthenticationHandlers with values [LdapAuthenticationHandler, GoogleAuthenticatorAuthenticationHandler]
2019-02-15 16:17:54,159 - DEBUG [net.unicon.idp.externalauth.ShibcasAuthServlet:94] - Added attribute longTermAuthenticationRequestTokenUsed with values false
2019-02-15 16:17:54,160 - DEBUG [net.unicon.idp.externalauth.ShibcasAuthServlet:51] - Found attributes from CAS. Processing...

So my Shibboleth sent to the SP : urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

Is there a missing configuration or a translation to add ?

Thanks for reading.

@vwbusguy
Copy link

vwbusguy commented Dec 9, 2019

I think the initial MFA REFEDS for this plugin only supported Duo, but it looks like the latest version supports REFEDS MFA generally. I'm curious to know if it works with 3.3.0 as we're also using mfa-gauth via CAS for TOTP and would love to have a way to enforce that through the SAML layer if an SP requires it.

@vwbusguy
Copy link

vwbusguy commented Dec 9, 2019

@vwbusguy
Copy link

vwbusguy commented Dec 9, 2019

Try setting this in your idp.properties:

shibcas.casToShibTranslators = net.unicon.idp.externalauth.CasDuoSecurityRefedsAuthnMethodTranslator
shibcas.parameterBuilders = CasMultifactorRefedsToGoogleAuthenticatorAuthnMethodParameterBuilder

And make sure you have the refeds mfa profile in general-auth.xml: https://github.com/Unicon/shib-cas-authn3#configuration

@millecentdix
Copy link
Author

I saw that in code me too and tried this configuration without success. Tested in the last 3.3.0 this afternoon.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants