CAS Multifactor Authentication with U2F and Bypass


In some CAS deployments multifactor authentication can be done using U2F keys. Sometimes not all the users have the key, but they want to use the service. On the other hand there are machine to machine users that cannot push the button on USB key. For this two kinds of users U2F bypass is the only way to use CAS in such deployment.

Environment

  • CAS 6.2.2

Configuring Authentication

cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldap://10.30.10.10:389
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].searchFilter=cn={user}
cas.authn.ldap[0].baseDn=ou=users,dc=domain11
cas.authn.ldap[0].bindDn=cn=admin,dc=domain11
cas.authn.ldap[0].bindCredential=1221

cas.authn.ldap[0].principalAttributeList=memberOf,memberof,cn

Configuring U2F as second factor

cas.authn.mfa.globalProviderId=mfa-u2f

cas.authn.mfa.u2f.rank=0
cas.authn.mfa.u2f.name=AAA

cas.authn.mfa.u2f.expireRegistrations=300
cas.authn.mfa.u2f.expireRegistrationsTimeUnit=SECONDS
cas.authn.mfa.u2f.expireDevices=30
cas.authn.mfa.u2f.expireDevicesTimeUnit=DAYS

cas.authn.mfa.u2f.json.location=file:///etc/cas/config/u2.json

Default Bypass Configuration

We have CAS configured with LDAP and U2F support and we need to bypass second factor to certain users. To do so we can: 1) In LDAP add description field to exact users. 2) In cas.properties add “description” attribute to cas.authn.ldap[0].principalAttributeList option

cas.authn.ldap[0].principalAttributeList=memberOf,memberof,cn,description

3) Set bypass type and bypass criteria

cas.authn.mfa.u2f.bypass.type=DEFAULT 
cas.authn.mfa.u2f.bypass.principalAttributeName=description

All users with description attribute present should bypass second factor.

Egor Ivanov

Related Posts

Apereo CAS is now on Develocity

An overview of how Apereo CAS is using Gradle and Develocity to improve its build and test execution cycle.

CAS OAuth/OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the Apereo CAS software acting as an OAuth/OpenID Connect provider.

CAS Groovy Vulnerability Disclosure

Disclosure of a security issue with the Apereo CAS software when using Groovy.

CAS OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the Apereo CAS software acting as an OpenID Connect Provider.

CAS X.509 Vulnerability Disclosure

Disclosure of a security issue with the CAS software and its X.509 features.

CAS OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the CAS software acting as an OpenID Connect Provider.

CAS OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the CAS software acting as an OpenID Connect Provider.

CAS OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the CAS software acting as an OpenID Connect Provider.

CAS Spring Framework RCE Vulnerability Disclosure

Disclosure of the Spring framework RCE security issue with the Apereo CAS software.

CAS OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the CAS software acting as an OpenID Connect Provider.