Groovy Per Application - Multifactor Authentication Triggers
You may determine the multifactor authentication policy for a registered service using a Groovy script. The parameters passed to the script are as follows:

| Parameter | Description |
|---|---|
| `registeredService` | The object representing the corresponding service definition in the registry. |
| `authentication` | The object representing the Authentication object. |
| `httpRequest` | The object representing the HTTP servlet request. |
| `service` | The object representing the service request, associated with this HTTP request. |
| `applicationContext` | The object representing the Spring application context. |
| `logger` | The object responsible for issuing log messages such as `logger.info(...)`. |
The expected outcome of the script is either `null`, in case multifactor authentication should be skipped by this trigger, or the identifier of the multifactor provider that should be considered for activation.
The script may be defined in the service definition using its full path:
```json
{
  "@class" : "org.apereo.cas.services.CasRegisteredService",
  "serviceId" : "^(https|imaps)://.*",
  "id" : 100,
  "name": "test",
  "multifactorPolicy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
    "script" : "file:///etc/cas/config/mfa-policy.groovy"
  }
}
```
The script itself may be designed as follows:
```groovy
def run(final Object... args) {
    def (authentication, registeredService, httpRequest, service, applicationContext, logger) = args
    logger.debug("Determine mfa provider for ${registeredService.name} and ${authentication.principal.id}")
    // The principal may carry no memberOf attribute at all; the null-safe call below then
    // yields null, which is falsy in Groovy, so the trigger is skipped instead of failing.
    def memberOf = authentication.principal.attributes['memberOf'] as List
    return memberOf?.contains('CN=NEED-MFA') ? 'mfa-duo' : null
}
```
The `script` attribute supports the Spring Expression Language syntax.
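A more defensive variant of the policy script, added here as an illustration and not taken from the CAS documentation or code base: it normalises the `memberOf` attribute (which may be absent, single-valued, or multi-valued), matches group DNs case-insensitively, and maps groups to providers in priority order. The provider identifier `mfa-gauth` and the group names other than `CN=NEED-MFA` are assumed values for illustration only; substitute the providers and groups configured in your deployment.

```groovy
// Added example; not part of the CAS documentation or code base.
// Provider id 'mfa-gauth' and the group names below (other than CN=NEED-MFA) are assumptions.
def run(final Object... args) {
    def (authentication, registeredService, httpRequest, service, applicationContext, logger) = args
    def principal = authentication.principal
    logger.debug("Determining MFA provider for ${registeredService.name} and ${principal.id}")

    // Group DN -> provider id. A LinkedHashMap keeps insertion order, so the first
    // matching entry wins: list the strongest requirement first.
    def groupPolicy = [
        'CN=NEED-MFA'        : 'mfa-duo',    // value from the page
        'CN=PRIVILEGED-USERS': 'mfa-duo',    // assumed group
        'CN=STAFF'           : 'mfa-gauth'   // assumed group and provider
    ]

    // Attribute values may be a single object or a collection; normalise to a list of strings.
    def raw = principal.attributes['memberOf']
    List<String> memberOf
    if (raw == null) {
        memberOf = []
    } else if (raw instanceof Collection) {
        memberOf = raw.collect { it.toString().trim() }
    } else {
        memberOf = [raw.toString().trim()]
    }

    if (memberOf.isEmpty()) {
        // Log at WARN so a missing attribute (often a directory or attribute-release
        // misconfiguration) is visible, since it silently disables this trigger.
        logger.warn("Principal ${principal.id} has no memberOf attribute; MFA not triggered by this script")
        return null
    }

    // Directory DNs vary in case between sources, so compare case-insensitively on the whole value.
    def matched = groupPolicy.find { dn, provider ->
        memberOf.any { it.equalsIgnoreCase(dn) }
    }

    if (matched) {
        logger.info("Principal ${principal.id} matched group ${matched.key}; activating provider ${matched.value}")
        return matched.value
    }

    logger.debug("Principal ${principal.id} matched no MFA group for ${registeredService.name}")
    return null
}
```

Because a `null` result means "skip this trigger", a missing attribute or a group that is not in the map leaves MFA off for this service; if that is not acceptable, return a default provider in the final branch rather than `null`, and watch the WARN line in the CAS logs for principals arriving without `memberOf`.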
The script may be embedded directly in the service definition, as such:
```json
{
  "@class" : "org.apereo.cas.services.CasRegisteredService",
  "serviceId" : "^(https|imaps)://.*",
  "id" : 100,
  "name": "test",
  "multifactorPolicy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
    "script" : "groovy { ... }"
  }
}
```