Redis FIDO2 WebAuthn Multifactor Registration

Device registrations may be kept inside a Redis database instance by including the following module in the WAR overlay:

1
2
3
4
5
<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-webauthn-redis</artifactId>
    <version>${cas.version}</version>
</dependency>
1
implementation "org.apereo.cas:cas-server-support-webauthn-redis:${project.'cas.version'}"
1
2
3
4
5
6
7
8
9
dependencyManagement {
    imports {
        mavenBom "org.apereo.cas:cas-server-support-bom:${project.'cas.version'}"
    }
}

dependencies {
    implementation "org.apereo.cas:cas-server-support-webauthn-redis"
}
1
2
3
4
5
6
7
8
9
10
dependencies {
    /*
        The following platform references should be included automatically and are listed here for reference only.

        implementation enforcedPlatform("org.apereo.cas:cas-server-support-bom:${project.'cas.version'}")
        implementation platform(org.springframework.boot.gradle.plugin.SpringBootPlugin.BOM_COORDINATES)
        
    */
    implementation "org.apereo.cas:cas-server-support-webauthn-redis"
}

The following settings and properties are available from the CAS configuration catalog:

The configuration settings listed below are tagged as Required in the CAS configuration metadata. This flag indicates that the presence of the setting may be needed to activate or affect the behavior of the CAS feature and generally should be reviewed, possibly owned and adjusted. If the setting is assigned a default value, you do not need to strictly put the setting in your copy of the configuration, but should review it nonetheless to make sure it matches your deployment expectations.

  • cas.authn.mfa.web-authn.redis.cluster.nodes[0].host=
  • Server's host address.

    org.apereo.cas.configuration.model.support.redis.RedisClusterNodeProperties.

    How can I configure this property?

  • cas.authn.mfa.web-authn.redis.cluster.nodes[0].port=
  • Server's port number.

    org.apereo.cas.configuration.model.support.redis.RedisClusterNodeProperties.

    How can I configure this property?

  • cas.authn.mfa.web-authn.redis.cluster.nodes[0].replica-of=
  • Set the id of the master node.

    org.apereo.cas.configuration.model.support.redis.RedisClusterNodeProperties.

    How can I configure this property?

  • cas.authn.mfa.web-authn.redis.cluster.nodes[0].type=
  • Indicate the type/role of this node. Accepted values are: MASTER, REPLICA.

    org.apereo.cas.configuration.model.support.redis.RedisClusterNodeProperties.

    How can I configure this property?

  • cas.authn.mfa.web-authn.redis.cluster.password=
  • The cluster connection's password.

    org.apereo.cas.configuration.model.support.redis.RedisClusterProperties.

    How can I configure this property?

  • cas.authn.mfa.web-authn.redis.cluster.username=
  • The cluster connection's username.

    org.apereo.cas.configuration.model.support.redis.RedisClusterProperties.

    How can I configure this property?

  • cas.authn.mfa.web-authn.redis.pool.enabled=false
  • Enable the pooling configuration.

    org.apereo.cas.configuration.model.support.redis.RedisPoolProperties.

    How can I configure this property?

  • cas.authn.mfa.web-authn.redis.sentinel.master=
  • Name of Redis server.

    org.apereo.cas.configuration.model.support.redis.RedisSentinelProperties.

    How can I configure this property?

  • cas.authn.mfa.web-authn.redis.database=0
  • Database index used by the connection factory.

    org.apereo.cas.configuration.model.support.mfa.webauthn.WebAuthnRedisMultifactorProperties.

    How can I configure this property?

  • cas.authn.mfa.web-authn.redis.enabled=true
  • Whether the module is enabled or not, defaults to true.

    org.apereo.cas.configuration.model.support.mfa.webauthn.WebAuthnRedisMultifactorProperties.

    How can I configure this property?

  • cas.authn.mfa.web-authn.redis.host=localhost
  • Redis server host.

    org.apereo.cas.configuration.model.support.mfa.webauthn.WebAuthnRedisMultifactorProperties.

    How can I configure this property?

  • cas.authn.mfa.web-authn.redis.password=
  • Login password of the redis server.

    org.apereo.cas.configuration.model.support.mfa.webauthn.WebAuthnRedisMultifactorProperties.

    How can I configure this property?

  • cas.authn.mfa.web-authn.redis.port=6379
  • Redis server port.

    org.apereo.cas.configuration.model.support.mfa.webauthn.WebAuthnRedisMultifactorProperties.

    How can I configure this property?

  • cas.authn.mfa.web-authn.redis.username=
  • Login username of the redis server.

    org.apereo.cas.configuration.model.support.mfa.webauthn.WebAuthnRedisMultifactorProperties.

    How can I configure this property?

    The configuration settings listed below are tagged as Optional in the CAS configuration metadata. This flag indicates that the presence of the setting is not immediately necessary in the end-user CAS configuration, because a default value is assigned or the activation of the feature is not conditionally controlled by the setting value. In other words, you should only include this field in your configuration if you need to modify the default value or if you need to turn on the feature controlled by the setting.

  • cas.authn.mfa.web-authn.redis.cluster.adaptive-topology-refresh=false
  • Whether adaptive topology refreshing using all available refresh triggers should be used.

    org.apereo.cas.configuration.model.support.redis.RedisClusterProperties.

    How can I configure this property?

  • cas.authn.mfa.web-authn.redis.cluster.dynamic-refresh-sources=true
  • Whether to discover and query all cluster nodes for obtaining the cluster topology. When set to false, only the initial seed nodes are used as sources for topology discovery.

    org.apereo.cas.configuration.model.support.redis.RedisClusterProperties.

    How can I configure this property?

  • cas.authn.mfa.web-authn.redis.cluster.max-redirects=0
  • The max number of redirects to follow.

    org.apereo.cas.configuration.model.support.redis.RedisClusterProperties.

    How can I configure this property?

  • cas.authn.mfa.web-authn.redis.cluster.nodes=
  • List of nodes available in the redis cluster.

    org.apereo.cas.configuration.model.support.redis.RedisClusterProperties.

    How can I configure this property?

  • cas.authn.mfa.web-authn.redis.cluster.nodes[0].id=
  • Identifier of this node.

    org.apereo.cas.configuration.model.support.redis.RedisClusterNodeProperties.

    How can I configure this property?

  • cas.authn.mfa.web-authn.redis.cluster.nodes[0].name=
  • Name of this node.

    org.apereo.cas.configuration.model.support.redis.RedisClusterNodeProperties.

    How can I configure this property?

  • cas.authn.mfa.web-authn.redis.cluster.topology-refresh-period=
  • Enables periodic refresh of cluster topology and sets the refresh period.

    This settings supports the java.time.Duration syntax [?].

    org.apereo.cas.configuration.model.support.redis.RedisClusterProperties.

    How can I configure this property?

  • cas.authn.mfa.web-authn.redis.pool.fairness=false
  • Returns whether or not the pool serves threads waiting to borrow objects fairly. True means that waiting threads are served as if waiting in a FIFO queue.

    org.apereo.cas.configuration.model.support.redis.RedisPoolProperties.

    How can I configure this property?

  • cas.authn.mfa.web-authn.redis.pool.lifo=true
  • Returns whether the pool has LIFO (last in, first out) behaviour with respect to idle objects - always returning the most recently used object from the pool, or as a FIFO (first in, first out) queue, where the pool always returns the oldest object in the idle object pool.

    org.apereo.cas.configuration.model.support.redis.RedisPoolProperties.

    How can I configure this property?

  • cas.authn.mfa.web-authn.redis.pool.max-active=8
  • Max number of connections that can be allocated by the pool at a given time. Use a negative value for no limit.

    org.apereo.cas.configuration.model.support.redis.RedisPoolProperties.

    How can I configure this property?

  • cas.authn.mfa.web-authn.redis.pool.max-idle=8
  • Max number of "idle" connections in the pool. Use a negative value to indicate an unlimited number of idle connections.

    org.apereo.cas.configuration.model.support.redis.RedisPoolProperties.

    How can I configure this property?

  • cas.authn.mfa.web-authn.redis.pool.max-wait=PT5S
  • Maximum amount of time (in milliseconds) a connection allocation should block before throwing an exception when the pool is exhausted. Use a negative value to block indefinitely.

    This settings supports the java.time.Duration syntax [?].

    org.apereo.cas.configuration.model.support.redis.RedisPoolProperties.

    How can I configure this property?

  • cas.authn.mfa.web-authn.redis.pool.min-evictable-idle-time-millis=0
  • Sets the minimum amount of time an object may sit idle in the pool before it is eligible for eviction by the idle object evictor (if any - see setTimeBetweenEvictionRunsMillis(long)). When non-positive, no objects will be evicted from the pool due to idle time alone.

    org.apereo.cas.configuration.model.support.redis.RedisPoolProperties.

    How can I configure this property?

  • cas.authn.mfa.web-authn.redis.pool.min-idle=0
  • Target for the minimum number of idle connections to maintain in the pool. This setting only has an effect if it is positive.

    org.apereo.cas.configuration.model.support.redis.RedisPoolProperties.

    How can I configure this property?

  • cas.authn.mfa.web-authn.redis.pool.num-tests-per-eviction-run=0
  • Sets the maximum number of objects to examine during each run (if any) of the idle object evictor thread. When positive, the number of tests performed for a run will be the minimum of the configured value and the number of idle instances in the pool. When negative, the number of tests performed will be ceil(getNumIdle()/ abs(getNumTestsPerEvictionRun())) which means that when the value is -n roughly one nth of the idle objects will be tested per run.

    org.apereo.cas.configuration.model.support.redis.RedisPoolProperties.

    How can I configure this property?

  • cas.authn.mfa.web-authn.redis.pool.soft-min-evictable-idle-time-millis=0
  • Sets the minimum amount of time an object may sit idle in the pool before it is eligible for eviction by the idle object evictor (if any - see setTimeBetweenEvictionRunsMillis(long)), with the extra condition that at least minIdle object instances remain in the pool. This setting is overridden by getMinEvictableIdleTimeMillis() (that is, if getMinEvictableIdleTimeMillis() is positive, then getSoftMinEvictableIdleTimeMillis() is ignored).

    org.apereo.cas.configuration.model.support.redis.RedisPoolProperties.

    How can I configure this property?

  • cas.authn.mfa.web-authn.redis.pool.test-on-borrow=false
  • Returns whether objects borrowed from the pool will be validated before being returned from the borrowObject() method. Validation is performed by the validateObject() method of the factory associated with the pool. If the object fails to validate, it will be removed from the pool and destroyed, and a new attempt will be made to borrow an object from the pool.

    org.apereo.cas.configuration.model.support.redis.RedisPoolProperties.

    How can I configure this property?

  • cas.authn.mfa.web-authn.redis.pool.test-on-create=false
  • Returns whether objects created for the pool will be validated before being returned from the borrowObject() method. Validation is performed by the validateObject() method of the factory associated with the pool. If the object fails to validate, then borrowObject() will fail.

    org.apereo.cas.configuration.model.support.redis.RedisPoolProperties.

    How can I configure this property?

  • cas.authn.mfa.web-authn.redis.pool.test-on-return=false
  • Returns whether objects borrowed from the pool will be validated when they are returned to the pool via the returnObject() method. Validation is performed by the validateObject() method of the factory associated with the pool. Returning objects that fail validation are destroyed rather then being returned the pool.

    org.apereo.cas.configuration.model.support.redis.RedisPoolProperties.

    How can I configure this property?

  • cas.authn.mfa.web-authn.redis.pool.test-while-idle=false
  • Returns whether objects sitting idle in the pool will be validated by the idle object evictor ( if any - see setTimeBetweenEvictionRunsMillis(long)). Validation is performed by the validateObject() method of the factory associated with the pool. If the object fails to validate, it will be removed from the pool and destroyed.

    org.apereo.cas.configuration.model.support.redis.RedisPoolProperties.

    How can I configure this property?

  • cas.authn.mfa.web-authn.redis.sentinel.node=
  • list of host:port pairs.

    org.apereo.cas.configuration.model.support.redis.RedisSentinelProperties.

    How can I configure this property?

  • cas.authn.mfa.web-authn.redis.sentinel.password=
  • Login password of the sentinel server.

    org.apereo.cas.configuration.model.support.redis.RedisSentinelProperties.

    How can I configure this property?

  • cas.authn.mfa.web-authn.redis.certificate-file=
  • May be used when making SSL connections to build the trust manager. Sets the certificate file to use for client authentication. This is typically an X.509 certificate file (or chain file) in PEM format.

    org.apereo.cas.configuration.model.support.mfa.webauthn.WebAuthnRedisMultifactorProperties.

    How can I configure this property?

  • cas.authn.mfa.web-authn.redis.connect-timeout=PT10S
  • Connection timeout.

    This settings supports the java.time.Duration syntax [?].

    org.apereo.cas.configuration.model.support.mfa.webauthn.WebAuthnRedisMultifactorProperties.

    How can I configure this property?

  • cas.authn.mfa.web-authn.redis.key-certificate-chain-file=
  • May be used when making SSL connections to build the key manager. Sets the key certificate file to use for client authentication. This is typically an X.509 certificate file (or chain file) in PEM format.

    org.apereo.cas.configuration.model.support.mfa.webauthn.WebAuthnRedisMultifactorProperties.

    How can I configure this property?

  • cas.authn.mfa.web-authn.redis.key-file=
  • May be used when making SSL connections. Sets the key file for client authentication. The key is reloaded on each connection attempt that allows to replace certificates during runtime. This is typically a PKCS#8 private key file in PEM format.

    org.apereo.cas.configuration.model.support.mfa.webauthn.WebAuthnRedisMultifactorProperties.

    How can I configure this property?

  • cas.authn.mfa.web-authn.redis.key-password=
  • The password of the #keyFile, or null if it's not password-protected.

    org.apereo.cas.configuration.model.support.mfa.webauthn.WebAuthnRedisMultifactorProperties.

    How can I configure this property?

  • cas.authn.mfa.web-authn.redis.protocol-version=RESP3
  • Redis protocol version.

    org.apereo.cas.configuration.model.support.mfa.webauthn.WebAuthnRedisMultifactorProperties.

    How can I configure this property?

  • cas.authn.mfa.web-authn.redis.read-from=
  • Setting that describes how Lettuce routes read operations to replica nodes. Note that modes referencing MASTER/SLAVE are deprecated (but still supported) in the Lettuce redis client dependency so migrate config to UPSTREAM/REPLICA. Available values are as follows:

    • UPSTREAM: Read from the current upstream node.
    • UPSTREAMPREFERRED: Read from the upstream node, but if it is unavailable, read from replica nodes.
    • MASTER: Read from the current upstream node.
    • MASTERPREFERRED: Read from the upstream node, but if it is unavailable, read from replica nodes.
    • SLAVE: Read from replica nodes.
    • SLAVEPREFERRED: Read from the replica nodes, but if none is unavailable, read from the upstream node.
    • REPLICA: Read from replica nodes.
    • REPLICAPREFERRED: Read from the replica nodes, but if none is unavailable, read from the upstream node.
    • ANY: Read from any node of the cluster.
    • ANYREPLICA: Read from any replica node of the cluster.
    • NEAREST: Read from the nearest node.

    org.apereo.cas.configuration.model.support.mfa.webauthn.WebAuthnRedisMultifactorProperties.

    How can I configure this property?

  • cas.authn.mfa.web-authn.redis.scan-count=0
  • Redis scan count option. When and if specified, SCAN operations would be "counted" or limited by this setting. While SCAN does not provide guarantees about the number of elements returned at every iteration, it is possible to empirically adjust the behavior of SCAN using the COUNT option. Basically with COUNT the user specified the amount of work that should be done at every call in order to retrieve elements from the collection. This is just a hint for the implementation, however generally speaking this is what you could expect most of the times from the implementation.

    org.apereo.cas.configuration.model.support.mfa.webauthn.WebAuthnRedisMultifactorProperties.

    How can I configure this property?

  • cas.authn.mfa.web-authn.redis.share-native-connections=
  • The shared native connection is never closed by Lettuce connection, therefore it is not validated by default when connections are retrieved. If this setting is true, a shared connection will be used for regular operations and a connection provider will be used to select a connection for blocking and tx operations only, which should not share a connection. If native connection sharing is disabled, new (or pooled) connections will be used for all operations. By default, multiple connections share a single thread-safe native connection. If you enable connection pooling, then native connection sharing will be disabled and the connection pool will be used for all operations. You may however explicitly control connection sharing via this setting as an override.

    org.apereo.cas.configuration.model.support.mfa.webauthn.WebAuthnRedisMultifactorProperties.

    How can I configure this property?

  • cas.authn.mfa.web-authn.redis.start-tls=false
  • Start mutual TLS. In order to support TLS, Redis should be configured with a X.509 certificate and a private key. In addition, it is necessary to specify a CA certificate bundle file or path to be used as a trusted root when validating certificates.

    org.apereo.cas.configuration.model.support.mfa.webauthn.WebAuthnRedisMultifactorProperties.

    How can I configure this property?

  • cas.authn.mfa.web-authn.redis.timeout=PT60S
  • Command timeout.

    This settings supports the java.time.Duration syntax [?].

    org.apereo.cas.configuration.model.support.mfa.webauthn.WebAuthnRedisMultifactorProperties.

    How can I configure this property?

  • cas.authn.mfa.web-authn.redis.uri=
  • Database URI.

    org.apereo.cas.configuration.model.support.mfa.webauthn.WebAuthnRedisMultifactorProperties.

    How can I configure this property?

  • cas.authn.mfa.web-authn.redis.use-ssl=false
  • Whether or not to use SSL for connection factory.

    org.apereo.cas.configuration.model.support.mfa.webauthn.WebAuthnRedisMultifactorProperties.

    How can I configure this property?

  • cas.authn.mfa.web-authn.redis.verify-peer=true
  • Control how peer verification is handled with redis connections. Peer verification is a security feature that checks if the host you're connecting to is who it says it is. This is often done by checking a digital certificate.

    org.apereo.cas.configuration.model.support.mfa.webauthn.WebAuthnRedisMultifactorProperties.

    How can I configure this property?

    Configuration Metadata

    The collection of configuration properties listed in this section are automatically generated from the CAS source and components that contain the actual field definitions, types, descriptions, modules, etc. This metadata may not always be 100% accurate, or could be lacking details and sufficient explanations.

    Be Selective

    This section is meant as a guide only. Do NOT copy/paste the entire collection of settings into your CAS configuration; rather pick only the properties that you need. Do NOT enable settings unless you are certain of their purpose and do NOT copy settings into your configuration only to keep them as reference. All these ideas lead to upgrade headaches, maintenance nightmares and premature aging.

    YAGNI

    Note that for nearly ALL use cases, declaring and configuring properties listed here is sufficient. You should NOT have to explicitly massage a CAS XML/Java/etc configuration file to design an authentication handler, create attribute release policies, etc. CAS at runtime will auto-configure all required changes for you. If you are unsure about the meaning of a given CAS setting, do NOT turn it on without hesitation. Review the codebase or better yet, ask questions to clarify the intended behavior.

    Naming Convention

    Property names can be specified in very relaxed terms. For instance cas.someProperty, cas.some-property, cas.some_property are all valid names. While all forms are accepted by CAS, there are certain components (in CAS and other frameworks used) whose activation at runtime is conditional on a property value, where this property is required to have been specified in CAS configuration using kebab case. This is both true for properties that are owned by CAS as well as those that might be presented to the system via an external library or framework such as Spring Boot, etc.

    :information_source: Note

    When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value. The only possible exception to this rule is when naming actuator endpoints; The name of the actuator endpoints (i.e. ssoSessions) MUST remain in camelCase mode.

    Settings and properties that are controlled by the CAS platform directly always begin with the prefix cas. All other settings are controlled and provided to CAS via other underlying frameworks and may have their own schemas and syntax. BE CAREFUL with the distinction. Unrecognized properties are rejected by CAS and/or frameworks upon which CAS depends. This means if you somehow misspell a property definition or fail to adhere to the dot-notation syntax and such, your setting is entirely refused by CAS and likely the feature it controls will never be activated in the way you intend.

    Validation

    Configuration properties are automatically validated on CAS startup to report issues with configuration binding, specially if defined CAS settings cannot be recognized or validated by the configuration schema. Additional validation processes are also handled via Configuration Metadata and property migrations applied automatically on startup by Spring Boot and family.

    Indexed Settings

    CAS settings able to accept multiple values are typically documented with an index, such as cas.some.setting[0]=value. The index [0] is meant to be incremented by the adopter to allow for distinct multiple configuration blocks.