
Shibcas and mfa-gauth

Open millecentdix opened this issue 6 years ago • 4 comments

Hi,

I am using Shibcas with my Shibboleth IDP v3 and a CAS v5.3. All works fine with login and password. When I use the multifactor "Google Authenticator" on my CAS, I get a strange return:

2019-02-15 16:17:54,149 - DEBUG [net.unicon.idp.externalauth.ShibcasAuthServlet:44] - principalName found and being passed on: XXXXXX
2019-02-15 16:17:54,150 - DEBUG [net.unicon.idp.externalauth.ShibcasAuthServlet:94] - Added attribute credentialType with values [UsernamePasswordCredential, GoogleAuthenticatorTokenCredential]
2019-02-15 16:17:54,150 - DEBUG [net.unicon.idp.externalauth.ShibcasAuthServlet:94] - Added attribute samlAuthenticationStatementAuthMethod with values [urn:oasis:names:tc:SAML:1.0:am:password, urn:oasis:names:tc:SAML:1.0:am:unspecified]
2019-02-15 16:17:54,150 - DEBUG [net.unicon.idp.externalauth.ShibcasAuthServlet:94] - Added attribute uid with values XXXXXXX
2019-02-15 16:17:54,151 - DEBUG [net.unicon.idp.externalauth.ShibcasAuthServlet:94] - Added attribute isFromNewLogin with values true
2019-02-15 16:17:54,151 - DEBUG [net.unicon.idp.externalauth.ShibcasAuthServlet:94] - Added attribute bypassMultifactorAuthentication with values false
2019-02-15 16:17:54,151 - DEBUG [net.unicon.idp.externalauth.ShibcasAuthServlet:94] - Added attribute authenticationDate with values 2019-02-15T16:17:53.562+01:00[Europe/Paris]
2019-02-15 16:17:54,152 - DEBUG [net.unicon.idp.externalauth.ShibcasAuthServlet:94] - Added attribute authenticationMethod with values [LdapAuthenticationHandler, GoogleAuthenticatorAuthenticationHandler]
2019-02-15 16:17:54,152 - DEBUG [net.unicon.idp.externalauth.ShibcasAuthServlet:94] - Added attribute authnContextClass with values mfa-gauth
2019-02-15 16:17:54,152 - DEBUG [net.unicon.idp.externalauth.ShibcasAuthServlet:94] - Added attribute successfulAuthenticationHandlers with values [LdapAuthenticationHandler, GoogleAuthenticatorAuthenticationHandler]
2019-02-15 16:17:54,159 - DEBUG [net.unicon.idp.externalauth.ShibcasAuthServlet:94] - Added attribute longTermAuthenticationRequestTokenUsed with values false
2019-02-15 16:17:54,160 - DEBUG [net.unicon.idp.externalauth.ShibcasAuthServlet:51] - Found attributes from CAS.
Processing...

So my Shibboleth sent to the SP: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

Is there a missing configuration or a translation to add?

Thanks for reading.

millecentdix, Feb 16 '19 15:02
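A small check over the ShibcasAuthServlet DEBUG lines quoted above, added here as an example and not part of the issue or of shib-cas-authn3 itself: it parses the "Added attribute ... with values ..." entries, decides which authentication context the IdP should have asserted, and flags the case reported in this issue (CAS says mfa-gauth with two successful handlers, but the SP receives PasswordProtectedTransport). The mapping of mfa-gauth to the REFEDS MFA profile URI is an assumption about the intended deployment, and the sample log is constructed.

```python
import re
from typing import Dict, List

# Constructed sample, modelled on the ShibcasAuthServlet DEBUG lines in the issue
SAMPLE_LOG = """\
2019-02-15 16:17:54,150 - DEBUG [net.unicon.idp.externalauth.ShibcasAuthServlet:94] - Added attribute credentialType with values [UsernamePasswordCredential, GoogleAuthenticatorTokenCredential]
2019-02-15 16:17:54,152 - DEBUG [net.unicon.idp.externalauth.ShibcasAuthServlet:94] - Added attribute authnContextClass with values mfa-gauth
2019-02-15 16:17:54,152 - DEBUG [net.unicon.idp.externalauth.ShibcasAuthServlet:94] - Added attribute successfulAuthenticationHandlers with values [LdapAuthenticationHandler, GoogleAuthenticatorAuthenticationHandler]
2019-02-15 16:17:54,160 - DEBUG [net.unicon.idp.externalauth.ShibcasAuthServlet:51] - Found attributes from CAS.
"""

ATTR_RE = re.compile(r"Added attribute (\S+) with values (.+)$")

PASSWORD_CTX = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
REFEDS_MFA = "https://refeds.org/profile/mfa"
# Assumption: this CAS provider id is the one that should map to REFEDS MFA
MFA_PROVIDER_IDS = {"mfa-gauth"}


def parse_cas_attributes(log_text: str) -> Dict[str, List[str]]:
    """Collect the attributes shib-cas-authn logged as received from CAS."""
    attrs: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        m = ATTR_RE.search(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if raw.startswith("[") and raw.endswith("]"):
            values = [v.strip() for v in raw[1:-1].split(",") if v.strip()]
        else:
            values = [raw]
        attrs[name] = values
    return attrs


def expected_authn_context(attrs: Dict[str, List[str]]) -> str:
    """Claim MFA only if CAS names an MFA provider AND more than one handler succeeded."""
    ctx = attrs.get("authnContextClass", [])
    handlers = attrs.get("successfulAuthenticationHandlers", [])
    if any(c in MFA_PROVIDER_IDS for c in ctx) and len(handlers) >= 2:
        return REFEDS_MFA
    return PASSWORD_CTX


def context_mismatch(attrs: Dict[str, List[str]], asserted: str) -> bool:
    """True when the context the IdP asserted differs from what the CAS data supports."""
    return expected_authn_context(attrs) != asserted
```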

I think the initial MFA REFEDS for this plugin only supported Duo, but it looks like the latest version supports REFEDS MFA generally. I'm curious to know if it works with 3.3.0 as we're also using mfa-gauth via CAS for TOTP and would love to have a way to enforce that through the SAML layer if an SP requires it.

vwbusguy, Dec 09 '19 19:12

The README only references Duo, but gauth is there in the code as a provider: https://github.com/Unicon/shib-cas-authn3/blob/master/src/main/java/net/unicon/idp/authn/provider/extra/CasMultifactorRefedsToGoogleAuthenticatorAuthnMethodParameterBuilder.java

vwbusguy, Dec 09 '19 19:12

Try setting this in your idp.properties:

shibcas.casToShibTranslators = net.unicon.idp.externalauth.CasDuoSecurityRefedsAuthnMethodTranslator
shibcas.parameterBuilders = CasMultifactorRefedsToGoogleAuthenticatorAuthnMethodParameterBuilder

And make sure you have the refeds mfa profile in general-auth.xml: https://github.com/Unicon/shib-cas-authn3#configuration

vwbusguy, Dec 09 '19 19:12

I saw that in the code too and tried this configuration without success. Tested in the latest 3.3.0 this afternoon.

millecentdix, Dec 17 '19 14:12