Redis YubiKey Registration

Support is enabled by including the following dependencies in the WAR overlay:



1
2
3
4
5



<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-yubikey-redis</artifactId>
    <version>${cas.version}</version>
</dependency>





1



implementation "org.apereo.cas:cas-server-support-yubikey-redis:${project.'cas.version'}"





1
2
3
4
5
6
7
8
9



dependencyManagement {
    imports {
        mavenBom "org.apereo.cas:cas-server-support-bom:${project.'cas.version'}"
    }
}

dependencies {
    implementation "org.apereo.cas:cas-server-support-yubikey-redis"
}





1
2
3
4
5
6
7
8
9
10



dependencies {
    /*
        The following platform references should be included automatically and are listed here for reference only.

        implementation enforcedPlatform("org.apereo.cas:cas-server-support-bom:${project.'cas.version'}")
        implementation platform(org.springframework.boot.gradle.plugin.SpringBootPlugin.BOM_COORDINATES)
        
    */
    implementation "org.apereo.cas:cas-server-support-yubikey-redis"
}

The following settings and properties are available from the CAS configuration catalog:

The configuration settings listed below are tagged as Required in the CAS configuration metadata. This flag indicates that the presence of the setting may be needed to activate or affect the behavior of the CAS feature and generally should be reviewed, possibly owned and adjusted. If the setting is assigned a default value, you do not need to strictly put the setting in your copy of the configuration, but should review it nonetheless to make sure it matches your deployment expectations.

  • cas.authn.mfa.yubikey.redis.cluster.nodes[0].host=

    • Server's host address.

    org.apereo.cas.configuration.model.support.redis.RedisClusterNodeProperties.

    Copy Configuration Property How can I configure this property?

  • cas.authn.mfa.yubikey.redis.cluster.nodes[0].port=

    • Server's port number.

    org.apereo.cas.configuration.model.support.redis.RedisClusterNodeProperties.

    Copy Configuration Property How can I configure this property?

  • cas.authn.mfa.yubikey.redis.cluster.nodes[0].replica-of=

    • Set the id of the master node.

    org.apereo.cas.configuration.model.support.redis.RedisClusterNodeProperties.

    Copy Configuration Property How can I configure this property?

  • cas.authn.mfa.yubikey.redis.cluster.nodes[0].type=

    • Indicate the type/role of this node. Accepted values are: MASTER, REPLICA.

    org.apereo.cas.configuration.model.support.redis.RedisClusterNodeProperties.

    Copy Configuration Property How can I configure this property?

  • cas.authn.mfa.yubikey.redis.cluster.password=

    • The cluster connection's password.

    org.apereo.cas.configuration.model.support.redis.RedisClusterProperties.

    Copy Configuration Property How can I configure this property?

  • cas.authn.mfa.yubikey.redis.cluster.username=

    • The cluster connection's username.

    org.apereo.cas.configuration.model.support.redis.RedisClusterProperties.

    Copy Configuration Property How can I configure this property?

  • cas.authn.mfa.yubikey.redis.pool.enabled=false

    • Enable the pooling configuration.

    org.apereo.cas.configuration.model.support.redis.RedisPoolProperties.

    Copy Configuration Property How can I configure this property?

  • cas.authn.mfa.yubikey.redis.sentinel.master=

    • Name of Redis server.

    org.apereo.cas.configuration.model.support.redis.RedisSentinelProperties.

    Copy Configuration Property How can I configure this property?

  • cas.authn.mfa.yubikey.redis.database=0

    • Database index used by the connection factory.

    org.apereo.cas.configuration.model.support.mfa.yubikey.YubiKeyRedisMultifactorProperties.

    Copy Configuration Property How can I configure this property?

  • cas.authn.mfa.yubikey.redis.enabled=true

    • Whether the module is enabled or not, defaults to true.

    org.apereo.cas.configuration.model.support.mfa.yubikey.YubiKeyRedisMultifactorProperties.

    Copy Configuration Property How can I configure this property?

  • cas.authn.mfa.yubikey.redis.host=localhost

    • Redis server host.

    org.apereo.cas.configuration.model.support.mfa.yubikey.YubiKeyRedisMultifactorProperties.

    Copy Configuration Property How can I configure this property?

  • cas.authn.mfa.yubikey.redis.password=

    • Login password of the redis server.

    org.apereo.cas.configuration.model.support.mfa.yubikey.YubiKeyRedisMultifactorProperties.

    Copy Configuration Property How can I configure this property?

  • cas.authn.mfa.yubikey.redis.port=6379

    • Redis server port.

    org.apereo.cas.configuration.model.support.mfa.yubikey.YubiKeyRedisMultifactorProperties.

    Copy Configuration Property How can I configure this property?

  • cas.authn.mfa.yubikey.redis.username=

    • Login username of the redis server.

    org.apereo.cas.configuration.model.support.mfa.yubikey.YubiKeyRedisMultifactorProperties.

    Copy Configuration Property How can I configure this property?

    The configuration settings listed below are tagged as Optional in the CAS configuration metadata. This flag indicates that the presence of the setting is not immediately necessary in the end-user CAS configuration, because a default value is assigned or the activation of the feature is not conditionally controlled by the setting value. In other words, you should only include this field in your configuration if you need to modify the default value or if you need to turn on the feature controlled by the setting.

  • cas.authn.mfa.yubikey.redis.cluster.dynamic-refresh-sources=true

    • Whether to discover and query all cluster nodes for obtaining the cluster topology. When set to false, only the initial seed nodes are used as sources for topology discovery.

    org.apereo.cas.configuration.model.support.redis.RedisClusterProperties.

    Copy Configuration Property How can I configure this property?

  • cas.authn.mfa.yubikey.redis.cluster.max-redirects=0

    • The max number of redirects to follow.

    org.apereo.cas.configuration.model.support.redis.RedisClusterProperties.

    Copy Configuration Property How can I configure this property?

  • cas.authn.mfa.yubikey.redis.cluster.nodes=

    • List of nodes available in the redis cluster.

    org.apereo.cas.configuration.model.support.redis.RedisClusterProperties.

    Copy Configuration Property How can I configure this property?

  • cas.authn.mfa.yubikey.redis.cluster.nodes[0].id=

    • Identifier of this node.

    org.apereo.cas.configuration.model.support.redis.RedisClusterNodeProperties.

    Copy Configuration Property How can I configure this property?

  • cas.authn.mfa.yubikey.redis.cluster.nodes[0].name=

    • Name of this node.

    org.apereo.cas.configuration.model.support.redis.RedisClusterNodeProperties.

    Copy Configuration Property How can I configure this property?

  • cas.authn.mfa.yubikey.redis.cluster.topology-refresh-period=

    • Enables periodic refresh of cluster topology and sets the refresh period.

    This settings supports the java.time.Duration syntax [?].

    org.apereo.cas.configuration.model.support.redis.RedisClusterProperties.

    Copy Configuration Property How can I configure this property?

  • cas.authn.mfa.yubikey.redis.pool.fairness=false

    • Returns whether or not the pool serves threads waiting to borrow objects fairly. True means that waiting threads are served as if waiting in a FIFO queue.

    org.apereo.cas.configuration.model.support.redis.RedisPoolProperties.

    Copy Configuration Property How can I configure this property?

  • cas.authn.mfa.yubikey.redis.pool.lifo=true

    • Returns whether the pool has LIFO (last in, first out) behaviour with respect to idle objects - always returning the most recently used object from the pool, or as a FIFO (first in, first out) queue, where the pool always returns the oldest object in the idle object pool.

    org.apereo.cas.configuration.model.support.redis.RedisPoolProperties.

    Copy Configuration Property How can I configure this property?

  • cas.authn.mfa.yubikey.redis.pool.max-active=8

    • Max number of connections that can be allocated by the pool at a given time. Use a negative value for no limit.

    org.apereo.cas.configuration.model.support.redis.RedisPoolProperties.

    Copy Configuration Property How can I configure this property?

  • cas.authn.mfa.yubikey.redis.pool.max-idle=8

    • Max number of "idle" connections in the pool. Use a negative value to indicate an unlimited number of idle connections.

    org.apereo.cas.configuration.model.support.redis.RedisPoolProperties.

    Copy Configuration Property How can I configure this property?

  • cas.authn.mfa.yubikey.redis.pool.max-wait=PT5S

    • Maximum amount of time (in milliseconds) a connection allocation should block before throwing an exception when the pool is exhausted. Use a negative value to block indefinitely.

    This settings supports the java.time.Duration syntax [?].

    org.apereo.cas.configuration.model.support.redis.RedisPoolProperties.

    Copy Configuration Property How can I configure this property?

  • cas.authn.mfa.yubikey.redis.pool.min-evictable-idle-time-millis=0

    • Sets the minimum amount of time an object may sit idle in the pool before it is eligible for eviction by the idle object evictor (if any - see setTimeBetweenEvictionRunsMillis(long)). When non-positive, no objects will be evicted from the pool due to idle time alone.

    org.apereo.cas.configuration.model.support.redis.RedisPoolProperties.

    Copy Configuration Property How can I configure this property?

  • cas.authn.mfa.yubikey.redis.pool.min-idle=0

    • Target for the minimum number of idle connections to maintain in the pool. This setting only has an effect if it is positive.

    org.apereo.cas.configuration.model.support.redis.RedisPoolProperties.

    Copy Configuration Property How can I configure this property?

  • cas.authn.mfa.yubikey.redis.pool.num-tests-per-eviction-run=0

    • Sets the maximum number of objects to examine during each run (if any) of the idle object evictor thread. When positive, the number of tests performed for a run will be the minimum of the configured value and the number of idle instances in the pool. When negative, the number of tests performed will be ceil(getNumIdle()/ abs(getNumTestsPerEvictionRun())) which means that when the value is -n roughly one nth of the idle objects will be tested per run.

    org.apereo.cas.configuration.model.support.redis.RedisPoolProperties.

    Copy Configuration Property How can I configure this property?

  • cas.authn.mfa.yubikey.redis.pool.soft-min-evictable-idle-time-millis=0

    • Sets the minimum amount of time an object may sit idle in the pool before it is eligible for eviction by the idle object evictor (if any - see setTimeBetweenEvictionRunsMillis(long)), with the extra condition that at least minIdle object instances remain in the pool. This setting is overridden by getMinEvictableIdleTimeMillis() (that is, if getMinEvictableIdleTimeMillis() is positive, then getSoftMinEvictableIdleTimeMillis() is ignored).

    org.apereo.cas.configuration.model.support.redis.RedisPoolProperties.

    Copy Configuration Property How can I configure this property?

  • cas.authn.mfa.yubikey.redis.pool.test-on-borrow=false

    • Returns whether objects borrowed from the pool will be validated before being returned from the borrowObject() method. Validation is performed by the validateObject() method of the factory associated with the pool. If the object fails to validate, it will be removed from the pool and destroyed, and a new attempt will be made to borrow an object from the pool.

    org.apereo.cas.configuration.model.support.redis.RedisPoolProperties.

    Copy Configuration Property How can I configure this property?

  • cas.authn.mfa.yubikey.redis.pool.test-on-create=false

    • Returns whether objects created for the pool will be validated before being returned from the borrowObject() method. Validation is performed by the validateObject() method of the factory associated with the pool. If the object fails to validate, then borrowObject() will fail.

    org.apereo.cas.configuration.model.support.redis.RedisPoolProperties.

    Copy Configuration Property How can I configure this property?

  • cas.authn.mfa.yubikey.redis.pool.test-on-return=false

    • Returns whether objects borrowed from the pool will be validated when they are returned to the pool via the returnObject() method. Validation is performed by the validateObject() method of the factory associated with the pool. Returning objects that fail validation are destroyed rather then being returned the pool.

    org.apereo.cas.configuration.model.support.redis.RedisPoolProperties.

    Copy Configuration Property How can I configure this property?

  • cas.authn.mfa.yubikey.redis.pool.test-while-idle=false

    • Returns whether objects sitting idle in the pool will be validated by the idle object evictor ( if any - see setTimeBetweenEvictionRunsMillis(long)). Validation is performed by the validateObject() method of the factory associated with the pool. If the object fails to validate, it will be removed from the pool and destroyed.

    org.apereo.cas.configuration.model.support.redis.RedisPoolProperties.

    Copy Configuration Property How can I configure this property?

  • cas.authn.mfa.yubikey.redis.pool.time-between-eviction-runs-millis=-1

    • Sets the amount of time (in milliseconds) between runs of the idle object evictor thread. When non-positive, no idle object evictor thread will be run. If positive, the idle object evictor thread will run at least once every timeBetweenEvictionRunsMillis milliseconds, and will attempt to evict objects from the pool that are idle longer than getMinEvictableIdleTimeMillis() (if positive) or getSoftMinEvictableIdleTimeMillis() (if positive).

    org.apereo.cas.configuration.model.support.redis.RedisPoolProperties.

    Copy Configuration Property How can I configure this property?

  • cas.authn.mfa.yubikey.redis.sentinel.node=

    • list of host:port pairs.

    org.apereo.cas.configuration.model.support.redis.RedisSentinelProperties.

    Copy Configuration Property How can I configure this property?

  • cas.authn.mfa.yubikey.redis.sentinel.password=

    • Login password of the sentinel server.

    org.apereo.cas.configuration.model.support.redis.RedisSentinelProperties.

    Copy Configuration Property How can I configure this property?

  • cas.authn.mfa.yubikey.redis.certificate-file=

    • May be used when making SSL connections to build the trust manager. Sets the certificate file to use for client authentication. This is typically an X.509 certificate file (or chain file) in PEM format.

    org.apereo.cas.configuration.model.support.mfa.yubikey.YubiKeyRedisMultifactorProperties.

    Copy Configuration Property How can I configure this property?

  • cas.authn.mfa.yubikey.redis.connect-timeout=PT10S

    • Connection timeout.

    This settings supports the java.time.Duration syntax [?].

    org.apereo.cas.configuration.model.support.mfa.yubikey.YubiKeyRedisMultifactorProperties.

    Copy Configuration Property How can I configure this property?

  • cas.authn.mfa.yubikey.redis.keep-alive-count=0

    • The maximum number of keepalive probes TCP should send before dropping the connection. By default, leaving this number at zero disables keepalive.

    org.apereo.cas.configuration.model.support.mfa.yubikey.YubiKeyRedisMultifactorProperties.

    Copy Configuration Property How can I configure this property?

  • cas.authn.mfa.yubikey.redis.keep-alive-idle-timeout=PT2H

    • The time the connection needs to remain idle before TCP starts sending keepalive probes if keepalive is enabled.

    This settings supports the java.time.Duration syntax [?].

    org.apereo.cas.configuration.model.support.mfa.yubikey.YubiKeyRedisMultifactorProperties.

    Copy Configuration Property How can I configure this property?

  • cas.authn.mfa.yubikey.redis.keep-alive-interval=PT60S

    • The time the connection needs to remain idle before TCP starts sending keepalive probes.

    This settings supports the java.time.Duration syntax [?].

    org.apereo.cas.configuration.model.support.mfa.yubikey.YubiKeyRedisMultifactorProperties.

    Copy Configuration Property How can I configure this property?

  • cas.authn.mfa.yubikey.redis.key-certificate-chain-file=

    • May be used when making SSL connections to build the key manager. Sets the key certificate file to use for client authentication. This is typically an X.509 certificate file (or chain file) in PEM format.

    org.apereo.cas.configuration.model.support.mfa.yubikey.YubiKeyRedisMultifactorProperties.

    Copy Configuration Property How can I configure this property?

  • cas.authn.mfa.yubikey.redis.key-file=

    • May be used when making SSL connections. Sets the key file for client authentication. The key is reloaded on each connection attempt that allows CAS to replace certificates during runtime. This is typically a PKCS#8 private key file in PEM format.

    org.apereo.cas.configuration.model.support.mfa.yubikey.YubiKeyRedisMultifactorProperties.

    Copy Configuration Property How can I configure this property?

  • cas.authn.mfa.yubikey.redis.key-password=

    • The password of the #keyFile, or null if it's not password-protected.

    org.apereo.cas.configuration.model.support.mfa.yubikey.YubiKeyRedisMultifactorProperties.

    Copy Configuration Property How can I configure this property?

  • cas.authn.mfa.yubikey.redis.protocol-version=RESP3

    • Redis protocol version.

    org.apereo.cas.configuration.model.support.mfa.yubikey.YubiKeyRedisMultifactorProperties.

    Copy Configuration Property How can I configure this property?

  • cas.authn.mfa.yubikey.redis.read-from=

    • Setting that describes how Lettuce routes read operations to replica nodes. Note that modes referencing MASTER/SLAVE are deprecated (but still supported) in the Lettuce redis client dependency so migrate config to UPSTREAM/REPLICA. Available values are as follows:

    • UPSTREAM: Read from the current upstream node.
    • UPSTREAMPREFERRED: Read from the upstream node, but if it is unavailable, read from replica nodes.
    • MASTER: Read from the current upstream node.
    • MASTERPREFERRED: Read from the upstream node, but if it is unavailable, read from replica nodes.
    • SLAVE: Read from replica nodes.
    • SLAVEPREFERRED: Read from the replica nodes, but if none is unavailable, read from the upstream node.
    • REPLICA: Read from replica nodes.
    • REPLICAPREFERRED: Read from the replica nodes, but if none is unavailable, read from the upstream node.
    • ANY: Read from any node of the cluster.
    • ANYREPLICA: Read from any replica node of the cluster.
    • NEAREST: Read from the nearest node.

    org.apereo.cas.configuration.model.support.mfa.yubikey.YubiKeyRedisMultifactorProperties.

    Copy Configuration Property How can I configure this property?

  • cas.authn.mfa.yubikey.redis.share-native-connections=

    • The shared native connection is never closed by Lettuce connection, therefore it is not validated by default when connections are retrieved. If this setting is true, a shared connection will be used for regular operations and a connection provider will be used to select a connection for blocking and tx operations only, which should not share a connection. If native connection sharing is disabled, new (or pooled) connections will be used for all operations. By default, multiple connections share a single thread-safe native connection. If you enable connection pooling, then native connection sharing will be disabled and the connection pool will be used for all operations. You may however explicitly control connection sharing via this setting as an override.

    org.apereo.cas.configuration.model.support.mfa.yubikey.YubiKeyRedisMultifactorProperties.

    Copy Configuration Property How can I configure this property?

  • cas.authn.mfa.yubikey.redis.start-tls=false

    • Start mutual TLS. In order to support TLS, Redis should be configured with a X.509 certificate and a private key. In addition, it is necessary to specify a CA certificate bundle file or path to be used as a trusted root when validating certificates.

    org.apereo.cas.configuration.model.support.mfa.yubikey.YubiKeyRedisMultifactorProperties.

    Copy Configuration Property How can I configure this property?

  • cas.authn.mfa.yubikey.redis.timeout=PT60S

    • Command timeout.

    This settings supports the java.time.Duration syntax [?].

    org.apereo.cas.configuration.model.support.mfa.yubikey.YubiKeyRedisMultifactorProperties.

    Copy Configuration Property How can I configure this property?

  • cas.authn.mfa.yubikey.redis.uri=

    • Database URI.

    org.apereo.cas.configuration.model.support.mfa.yubikey.YubiKeyRedisMultifactorProperties.

    Copy Configuration Property How can I configure this property?

  • cas.authn.mfa.yubikey.redis.use-ssl=false

    • Whether or not to use SSL for connection factory.

    org.apereo.cas.configuration.model.support.mfa.yubikey.YubiKeyRedisMultifactorProperties.

    Copy Configuration Property How can I configure this property?

  • cas.authn.mfa.yubikey.redis.verify-peer=true

    • Control how peer verification is handled with redis connections. Peer verification is a security feature that checks if the host you're connecting to is who it says it is. This is often done by checking a digital certificate.

    org.apereo.cas.configuration.model.support.mfa.yubikey.YubiKeyRedisMultifactorProperties.

    Copy Configuration Property How can I configure this property?

    Configuration Metadata

    The collection of configuration properties listed in this section are automatically generated from the CAS source and components that contain the actual field definitions, types, descriptions, modules, etc. This metadata may not always be 100% accurate, or could be lacking details and sufficient explanations.

    Be Selective

    This section is meant as a guide only. Do NOT copy/paste the entire collection of settings into your CAS configuration; rather pick only the properties that you need. Do NOT enable settings unless you are certain of their purpose and do NOT copy settings into your configuration only to keep them as reference. All these ideas lead to upgrade headaches, maintenance nightmares and premature aging.

    YAGNI

    Note that for nearly ALL use cases, declaring and configuring properties listed here is sufficient. You should NOT have to explicitly massage a CAS XML/Java/etc configuration file to design an authentication handler, create attribute release policies, etc. CAS at runtime will auto-configure all required changes for you. If you are unsure about the meaning of a given CAS setting, do NOT turn it on without hesitation. Review the codebase or better yet, ask questions to clarify the intended behavior.

    Naming Convention

    Property names can be specified in very relaxed terms. For instance cas.someProperty, cas.some-property, cas.some_property are all valid names. While all forms are accepted by CAS, there are certain components (in CAS and other frameworks used) whose activation at runtime is conditional on a property value, where this property is required to have been specified in CAS configuration using kebab case. This is both true for properties that are owned by CAS as well as those that might be presented to the system via an external library or framework such as Spring Boot, etc.

    :information_source: Note

    When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value. The only possible exception to this rule is when naming actuator endpoints; The name of the actuator endpoints (i.e. ssoSessions) MUST remain in camelCase mode.

    Settings and properties that are controlled by the CAS platform directly always begin with the prefix cas. All other settings are controlled and provided to CAS via other underlying frameworks and may have their own schemas and syntax. BE CAREFUL with the distinction. Unrecognized properties are rejected by CAS and/or frameworks upon which CAS depends. This means if you somehow misspell a property definition or fail to adhere to the dot-notation syntax and such, your setting is entirely refused by CAS and likely the feature it controls will never be activated in the way you intend.

    Validation

    Configuration properties are automatically validated on CAS startup to report issues with configuration binding, especially if defined CAS settings cannot be recognized or validated by the configuration schema. Additional validation processes are also handled via Configuration Metadata and property migrations applied automatically on startup by Spring Boot and family.

    Indexed Settings

    CAS settings able to accept multiple values are typically documented with an index, such as cas.some.setting[0]=value. The index [0] is meant to be incremented by the adopter to allow for distinct multiple configuration blocks.