WORKERS AHEAD!
You are viewing the development documentation for the Apereo CAS server. The functionality presented here is not officially released yet. This is a work in progress and will be continually updated as development moves forward. You are most encouraged to test the changes presented.
Custom Multifactor Authentication
To create your own custom multifactor authentication provider, you will need to design components that primarily register a customized authentication flow into the CAS webflow engine under a unique identifier. Later on, you will also need to consider strategies by which your custom multifactor authentication provider can be triggered.
Designing a custom multifactor authentication provider can be a challenging task, specially if you're not familiar with the CAS programming model, APIs and the underlying frameworks and technologies that make this possible, such as Spring Webflow.
Provider ID
Each multifactor provider is assigned a unique identifier that is typically mapped or made equal to the underlying webflow. The unique identifier can be any arbitrary string of your choosing, provided it’s kept distinct and sensible as it, depending on use case, may be used in other systems and by other applications to act as a trigger.
For the purposes of this guide, let’s choose mfa-custom
as our provider id.
Register Webflow Configuration
The custom provider itself is its own standalone webflow that is then registered with the primary authentication flow.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
public class CustomAuthenticatorWebflowConfigurer extends AbstractCasMultifactorWebflowConfigurer {
public static final String MFA_EVENT_ID = "mfa-custom";
/*
Define the appropriate constructor based on the parent class
public CustomAuthenticatorWebflowConfigurer(...) {
}
*/
@Override
protected void doInitialize() throws Exception {
registerMultifactorProviderAuthenticationWebflow(getLoginFlow(),
MFA_EVENT_ID, yourCustomMfaFlowDefinitionRegistry);
}
}
The CustomAuthenticatorWebflowConfigurer
must be able to construct the webflow definition dynamically
using CAS-provided APIs. See the CAS codebase to review and learn from other implementations
Design Provider
Multifactor authentication providers in CAS are represented in forms of MultifactorAuthenticationProvider
instances.
The outline of the provider is briefly displayed below and much of its behavior is removed in favor of defaults.
1
2
3
public class CustomMultifactorAuthenticationProvider extends AbstractMultifactorAuthenticationProvider {
private static final long serialVersionUID = 4789727148634156909L;
}
Register Provider
The custom webflow configuration needs to be registered with CAS. The outline of the configuration registration is sampled and summarized below:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
package org.example.cas;
@AutoConfiguration
public class CustomAuthenticatorSubsystemConfiguration {
...
@Bean
public FlowDefinitionRegistry customFlowRegistry() {
var builder = new FlowDefinitionRegistryBuilder(applicationContext, flowBuilderServices);
builder.addFlowBuilder(new FlowModelFlowBuilder(
new DefaultFlowModelHolder(new DynamicFlowModelBuilder())),
"mfa-custom");
return builder.build();
}
@Bean
public MultifactorAuthenticationProvider customAuthenticationProvider() {
var p = new CustomMultifactorAuthenticationProvider();
p.setId("mfa-custom");
return p;
}
@Bean
public CasWebflowConfigurer customWebflowConfigurer() {
return new CustomAuthenticatorWebflowConfigurer(...);
}
@Bean
public CasWebflowExecutionPlanConfigurer customWebflowExecutionPlanConfigurer() {
return plan -> plan.registerWebflowConfigurer(customWebflowConfigurer());
}
...
}
Do not forget to register the configuration class with CAS. See this guide for better details.
Triggers
The custom authentication webflow can be triggered using any of the supported options.