CAS MFA YubiKey Web Support

This is the multifactor extensions for CAS sub-module for Yubikey Web components.

License

License

Categories

Categories

Net KeY Data Data Formats Formal Verification
GroupId

GroupId

net.unicon
ArtifactId

ArtifactId

cas-mfa-yubikey-web
Last Version

Last Version

1.0.0-RC10
Release Date

Release Date

Type

Type

war
Description

Description

CAS MFA YubiKey Web Support
This is the multifactor extensions for CAS sub-module for Yubikey Web components.
Project Organization

Project Organization

Unicon Inc.

Download cas-mfa-yubikey-web

How to add to project

<!-- https://jarcasting.com/artifacts/net.unicon/cas-mfa-yubikey-web/ -->
<dependency>
    <groupId>net.unicon</groupId>
    <artifactId>cas-mfa-yubikey-web</artifactId>
    <version>1.0.0-RC10</version>
    <type>war</type>
</dependency>
// https://jarcasting.com/artifacts/net.unicon/cas-mfa-yubikey-web/
implementation 'net.unicon:cas-mfa-yubikey-web:1.0.0-RC10'
// https://jarcasting.com/artifacts/net.unicon/cas-mfa-yubikey-web/
implementation ("net.unicon:cas-mfa-yubikey-web:1.0.0-RC10")
'net.unicon:cas-mfa-yubikey-web:war:1.0.0-RC10'
<dependency org="net.unicon" name="cas-mfa-yubikey-web" rev="1.0.0-RC10">
  <artifact name="cas-mfa-yubikey-web" type="war" />
</dependency>
@Grapes(
@Grab(group='net.unicon', module='cas-mfa-yubikey-web', version='1.0.0-RC10')
)
libraryDependencies += "net.unicon" % "cas-mfa-yubikey-web" % "1.0.0-RC10"
[net.unicon/cas-mfa-yubikey-web "1.0.0-RC10"]

Dependencies

compile (1)

Group / Artifact Type Version
net.unicon.cas : cas-addons jar 1.16

Project Modules

There are no modules declared in this project.

What is this project? Maven Central Build Status

Gitter

This is a project to develop free and open source compatibly licensed extensions for the CAS server v4.1.x product implementing

  • support for authenticating using multiple authentication factors
  • support for relying parties (CAS-using applications) understanding how strongly the user authenticated from the ticket validation response, and
  • support for relying parties exerting authentication strength requirements.

NOTICE

Minimum supported version of CAS in versions is 4.1.x. MFA integration with CAS 3.x as part of this project is NO LONGER maintained, as CAS v3.x itself is EOLed. CAS v4.2.x is NOT supported.

Requirements

  • JDK 7+
  • Apache Maven 3.3.x
  • CAS 4.1.x

MultiFactor Support

  • duo-two-factor (via DuoSecurity)

Configuration

Maven Overlay

Use the following maven overlay as an example.

AuthN Methods

An authn-methods.conf file is expected to be found at /etc/cas with the following content:

[ {
  "rank" : 1,
  "name" : "duo-two-factor"
} ]

Messages

The following UI messages should be put into messages.properties file:

# Multifactor Authentication Messages
UNACCEPTABLE_AUTHENTICATION_METHOD=Ticket ''{0}'' did not fulfill the required authentication method ''{1}''.
UNRECOGNIZED_AUTHENTICATION_METHOD=This CAS server does not recognize the authentication method [''{0}''] specified on the validation request.
service.mfa.unrecognized.authn.method.header=Unrecognized Authentication Method
service.mfa.unrecognized.authn.method.message=You are trying to log in to <strong>''{0}''</strong> with a required authentication method of <strong>''{1}''</strong>. \
Unfortunately, CAS doesn't recognize that authentication method and so does not know how to require you to authenticate in that way.
service.mfa.service.requires.mfa.header=This service requires a specific authentication method in addition to username and password.
service.mfa.service.requires.mfa.message=The additional required authentication method is [''{0}'']. After successfully providing username and password, you will be prompted for this additional authentication factor.
service.mfa.service.mfa.inprogress.header=Multifactor Authentication is in progress...
service.mfa.service.mfa.inprogress.message=The additional required authentication method is [''{0}'']. The authentication is requested by [''{1}''].
screen.mfa.welcome.instructions=Enter your one-time password
screen.mfa.button.cancel=Not you?
screen.mfa.welcome.back=Welcome back, {0}!
service.mfa.unknown.principal.header=User not recognized
service.mfa.unknown.principal.message=CAS cannot establish an authentication context because it doesn't recognize one or more of the \
provided credentials. It is likely that the newly provided credentials are resolved in such a way that do not match at least one of the \
authenticated user ids (otherwise known as the 'Principal').

service.mfa.generic.error.heading=An authentication error has occurred!
service.mfa.generic.error.message=Additional information: {0}

Properties

The following settings are required for MFA in cas.properties:

# mfa.method.userAttribute=
# mfa.destroy.prev.sso=
# mfa.default.authn.method=
# mfa.authn.methods.config.location=
# mfa.method.response.attribute=

duo.api.host=
duo.integration.key=
duo.secret.key=
duo.application.key=

Per Application

Services that wish to declare their authentication method, must do so inside the service registry configuration.

{
  "@class" : "org.jasig.cas.services.RegexRegisteredService",
  "serviceId" : "^https://.*",
  "properties" : {
    "@class" : "java.util.HashMap",
    "authn_method" : {
      "@class" : "org.jasig.cas.services.DefaultRegisteredServiceProperty",
      "values" : [ "java.util.HashSet", [ "duo-two-factor" ] ]
    }
  }
}

Per Attribute

CAS may aso initiate the sequence for a desired authentication method based on a configured principal attribute. Upon successful authentication, the principal attributes that are constructed by CAS will be queried for the given attribute. Its value will route the login flow to execute the appropriate authentication level.

mfa.method.userAttribute=memberOf

The attribute value should be duo-two-factor.

Per Application & Attribute

Activates MFA for a given application, only if the authenticated user carries an attribute that matches the given pattern.

{
  "@class" : "org.jasig.cas.services.RegexRegisteredService",
  "serviceId" : "^https://.*",
  "properties" : {
    "@class" : "java.util.HashMap",
    "authn_method" : {
      "@class" : "org.jasig.cas.services.DefaultRegisteredServiceProperty",
      "values" : [ "java.util.HashSet", [ "duo-two-factor" ] ]
    },
    "mfa_attribute_name" : {
      "@class" : "org.jasig.cas.services.DefaultRegisteredServiceProperty",
      "values" : [ "java.util.HashSet", [ "isMemberOf" ] ]
    },
    "mfa_attribute_pattern" : {
      "@class" : "org.jasig.cas.services.DefaultRegisteredServiceProperty",
      "values" : [ "java.util.HashSet", [ "faculty|staff" ] ]
    }
  }
}

Opt-In

Opt-in mode requested by applications on demand when MFA is required:

https://<cas-server-url>/cas/login?service=xyz&authn_method=duo-two-factor
net.unicon

Unicon, Inc.

Versions

Version
1.0.0-RC10
1.0.0-RC9
1.0.0-RC8
1.0.0-RC7
1.0.0-RC6
1.0.0-RC5
1.0.0-RC4
1.0.0-RC3
1.0.0-RC2
1.0.0-RC1
1.0.0-M6
1.0.0-M5