This is a project to develop free and open source compatibly licensed extensions for the CAS server v4.1.x product implementing
- support for authenticating using multiple authentication factors
- support for relying parties (CAS-using applications) understanding how strongly the user authenticated from the ticket validation response, and
- support for relying parties exerting authentication strength requirements.
Minimum supported version of CAS in versions is 4.1.x. MFA integration with CAS 3.x as part of this project is NO LONGER maintained, as CAS v3.x itself is EOLed. CAS v4.2.x is NOT supported.
- JDK 7+
- Apache Maven 3.3.x
- CAS 4.1.x
duo-two-factor(via DuoSecurity)
Use the following maven overlay as an example.
An authn-methods.conf file is expected to be found at /etc/cas with the following content:
[ {
"rank" : 1,
"name" : "duo-two-factor"
} ]
The following UI messages should be put into messages.properties file:
# Multifactor Authentication Messages
UNACCEPTABLE_AUTHENTICATION_METHOD=Ticket ''{0}'' did not fulfill the required authentication method ''{1}''.
UNRECOGNIZED_AUTHENTICATION_METHOD=This CAS server does not recognize the authentication method [''{0}''] specified on the validation request.
service.mfa.unrecognized.authn.method.header=Unrecognized Authentication Method
service.mfa.unrecognized.authn.method.message=You are trying to log in to <strong>''{0}''</strong> with a required authentication method of <strong>''{1}''</strong>. \
Unfortunately, CAS doesn't recognize that authentication method and so does not know how to require you to authenticate in that way.
service.mfa.service.requires.mfa.header=This service requires a specific authentication method in addition to username and password.
service.mfa.service.requires.mfa.message=The additional required authentication method is [''{0}'']. After successfully providing username and password, you will be prompted for this additional authentication factor.
service.mfa.service.mfa.inprogress.header=Multifactor Authentication is in progress...
service.mfa.service.mfa.inprogress.message=The additional required authentication method is [''{0}'']. The authentication is requested by [''{1}''].
screen.mfa.welcome.instructions=Enter your one-time password
screen.mfa.button.cancel=Not you?
screen.mfa.welcome.back=Welcome back, {0}!
service.mfa.unknown.principal.header=User not recognized
service.mfa.unknown.principal.message=CAS cannot establish an authentication context because it doesn't recognize one or more of the \
provided credentials. It is likely that the newly provided credentials are resolved in such a way that do not match at least one of the \
authenticated user ids (otherwise known as the 'Principal').
service.mfa.generic.error.heading=An authentication error has occurred!
service.mfa.generic.error.message=Additional information: {0}The following settings are required for MFA in cas.properties:
# mfa.method.userAttribute=
# mfa.destroy.prev.sso=
# mfa.default.authn.method=
# mfa.authn.methods.config.location=
# mfa.method.response.attribute=
duo.api.host=
duo.integration.key=
duo.secret.key=
duo.application.key=Services that wish to declare their authentication method, must do so inside the service registry configuration.
{
"@class" : "org.jasig.cas.services.RegexRegisteredService",
"serviceId" : "^https://.*",
"properties" : {
"@class" : "java.util.HashMap",
"authn_method" : {
"@class" : "org.jasig.cas.services.DefaultRegisteredServiceProperty",
"values" : [ "java.util.HashSet", [ "duo-two-factor" ] ]
}
}
}
CAS may aso initiate the sequence for a desired authentication method based on a configured principal attribute. Upon successful authentication, the principal attributes that are constructed by CAS will be queried for the given attribute. Its value will route the login flow to execute the appropriate authentication level.
mfa.method.userAttribute=memberOfThe attribute value should be duo-two-factor.
Activates MFA for a given application, only if the authenticated user carries an attribute that matches the given pattern.
{
"@class" : "org.jasig.cas.services.RegexRegisteredService",
"serviceId" : "^https://.*",
"properties" : {
"@class" : "java.util.HashMap",
"authn_method" : {
"@class" : "org.jasig.cas.services.DefaultRegisteredServiceProperty",
"values" : [ "java.util.HashSet", [ "duo-two-factor" ] ]
},
"mfa_attribute_name" : {
"@class" : "org.jasig.cas.services.DefaultRegisteredServiceProperty",
"values" : [ "java.util.HashSet", [ "isMemberOf" ] ]
},
"mfa_attribute_pattern" : {
"@class" : "org.jasig.cas.services.DefaultRegisteredServiceProperty",
"values" : [ "java.util.HashSet", [ "faculty|staff" ] ]
}
}
}
Opt-in mode requested by applications on demand when MFA is required:
https://<cas-server-url>/cas/login?service=xyz&authn_method=duo-two-factor