CAS Multifactor Authentication with U2F and Bypass


In some CAS deployments multifactor authentication can be done using U2F keys. Sometimes not all the users have the key, but they want to use the service. On the other hand there are machine to machine users that cannot push the button on USB key. For this two kinds of users U2F bypass is the only way to use CAS in such deployment.

Environment

  • CAS 6.2.2

Configuring Authentication

cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldap://10.30.10.10:389
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].searchFilter=cn={user}
cas.authn.ldap[0].baseDn=ou=users,dc=domain11
cas.authn.ldap[0].bindDn=cn=admin,dc=domain11
cas.authn.ldap[0].bindCredential=1221

cas.authn.ldap[0].principalAttributeList=memberOf,memberof,cn

Configuring U2F as second factor

cas.authn.mfa.globalProviderId=mfa-u2f

cas.authn.mfa.u2f.rank=0
cas.authn.mfa.u2f.name=AAA

cas.authn.mfa.u2f.expireRegistrations=300
cas.authn.mfa.u2f.expireRegistrationsTimeUnit=SECONDS
cas.authn.mfa.u2f.expireDevices=30
cas.authn.mfa.u2f.expireDevicesTimeUnit=DAYS

cas.authn.mfa.u2f.json.location=file:///etc/cas/config/u2.json

Default Bypass Configuration

We have CAS configured with LDAP and U2F support and we need to bypass second factor to certain users. To do so we can: 1) In LDAP add description field to exact users. 2) In cas.properties add “description” attribute to cas.authn.ldap[0].principalAttributeList option

cas.authn.ldap[0].principalAttributeList=memberOf,memberof,cn,description

3) Set bypass type and bypass criteria

cas.authn.mfa.u2f.bypass.type=DEFAULT 
cas.authn.mfa.u2f.bypass.principalAttributeName=description

All users with description attribute present should bypass second factor.

Egor Ivanov

Related Posts

CAS Vulnerability Disclosure

Disclosure of a security issue with the CAS software.

CAS Vulnerability Disclosure

Disclosure of a security issue with the CAS software.

CAS Release Notes Moved

CAS Release Notes are moved to the CAS site.

CAS 6.2.0 RC5 Feature Release

...in which I present an overview of CAS 6.2.0 RC5 release.

CAS 6.2.0 RC4 Feature Release

...in which I present an overview of CAS 6.2.0 RC4 release.

CAS 6.2.0 RC3 Feature Release

...in which I present an overview of CAS 6.2.0 RC3 release.

Apereo CAS - Bootiful CAS Client

Easy to use CAS Client

CAS Vulnerability Disclosure

Disclosure of a security issue with the CAS software.

Checking Out Pull Requests Locally

Check out GitHub pull requests as local branches using a simple bash function.

CAS 6.2.0 RC2 Feature Release

...in which I present an overview of CAS 6.2.0 RC2 release.