
Add U2F/FIDO as second factor for CAS
Closed, ResolvedPublic

Description

U2F support worked fine in initial tests, but we need some support to enable it selectively/gradually (based on an LDAP setting) as not everyone will have a token immediately. There's an upstream change pending for that. We'll also need some local tooling to keep track/revoke device IDs.

In addition this needs further infrastructure changes when using it in an HA setup (e.g. replication of device IDs)

Related Objects

Status      Subtype     Assigned    Task
Open                    None
Resolved                jbond

Event Timeline

Change 539336 had a related patch set uploaded (by Jbond; owner: John Bond):
[operations/puppet@production] apereo_cas: add ability to use groovy script to determine MFA

https://gerrit.wikimedia.org/r/539336

The upstream PR I have is to support multiple MFA providers; further, I have just created a script to use Groovy to select the MFA provider based on an LDAP attribute.

That said, if we only want to support one provider, we could do something like the following:

cas.authn.mfa.globalPrincipalAttributeNameTriggers=memberOf
cas.authn.mfa.globalPrincipalAttributeValueRegex=mfa

Then anyone who was a member of the mfa LDAP group would have MFA enabled. We would need to update build.gradle so we only had one supported MFA provider.

Although I think it would be useful to support multiple MFA providers. CAS configuration allows you to deny services based on a user not having MFA. Allowing something like TOTP creates a bridge until people have their HW token. Further, we could still ensure resources are only accessible with U2F as well, as in we could have services that allow access with:

  • no 2FA
  • 2FA, but I don't care which 2FA
  • 2FA, but it must be U2F

Also useful: https://github.com/apereo/cas/pull/4188

Also raised this on the mailing list.

herron triaged this task as Medium priority. Sep 26 2019, 5:18 PM

John and I have discussed next steps on IRC: Initially we'll make U2F opt-in via a memberOf/LDAP check. At a later step we'll add TOTP support (ideally in a way that allows importing the existing registrations from the wikitech endpoint), and by then we'll need MFA selection either by means of the Groovy script or via the selector support included in 6.1: https://apereo.github.io/2019/05/13/cas61x-mfa-selection-strategies/

Change 539515 had a related patch set uploaded (by Jbond; owner: John Bond):
[operations/puppet@production] apereo_cas: configure to used MFA based obn ldap group membership

https://gerrit.wikimedia.org/r/539515

Change 539515 merged by Jbond:
[operations/puppet@production] apereo_cas: configure to used MFA based on ldap group membership

https://gerrit.wikimedia.org/r/539515

Change 539336 merged by Jbond:
[operations/puppet@production] apereo_cas: add ability to use groovy script to determine MFA

https://gerrit.wikimedia.org/r/539336


Opt-in U2F support can now be selected via the LDAP user attribute "mfa-method=u2f". (Other 2FA options can be configured in the same manner, but are currently disabled in our build.)

The MFA method is enabled via a Groovy script via the cas.authn.mfa.globalPrincipalAttributesPredicate config option.

Other options which were evaluated are:

  • cas.authn.mfa.globalPrincipalAttributenameTriggers / cas.authn.mfa.globalPrincipalAttributenameTriggers/Regex: This didn't work as expected; the regex never matched, as the code in question always bailed out with the error that it matches against a single-valued attribute. John submitted a related PR, which they couldn't reproduce; this could be fixed in 6.1.0 and can be retested later.
  • The https://apereo.github.io/2019/05/13/cas61x-mfa-selection-strategies/#selection-menu feature didn't work; it never gets displayed. Maybe this also needs 6.1.0; we can re-test this later as well. But for most scenarios a centrally configured MFA method seems totally adequate; the selection feature is more of a corner case.
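As an added illustration (not code from this task, from the puppet change, or from the CAS project), the following shows the shape a Groovy predicate of the kind mentioned above could take: it reads the user's mfa-method LDAP attribute and activates only the provider that matches it, so a user without the attribute gets no MFA prompt and an unrecognised value enables nothing rather than everything. The class and constructor shape follow the CAS documentation for the principal-attribute predicate trigger; the attribute name, the provider ids mfa-u2f and mfa-gauth, and the attribute-to-provider mapping are assumptions to be checked against the CAS version in use.

```groovy
import org.apereo.cas.authentication.MultifactorAuthenticationProvider
import java.util.function.Predicate

// Added example, not from this task or the CAS project. CAS constructs the class
// with (service, principal, providers, logger) and calls test() once per provider;
// this shape is taken from the CAS documentation and is an assumption to verify.
class MfaMethodPredicate implements Predicate<MultifactorAuthenticationProvider> {
    // Assumed LDAP attribute carrying the opt-in value, e.g. "u2f" or "totp".
    static final String ATTRIBUTE = "mfa-method"
    // Assumed mapping from attribute value to CAS provider id.
    static final Map<String, String> PROVIDER_IDS = ["u2f": "mfa-u2f", "totp": "mfa-gauth"]

    def service
    def principal
    def providers
    def logger

    MfaMethodPredicate(service, principal, providers, logger) {
        this.service = service
        this.principal = principal
        this.providers = providers
        this.logger = logger
    }

    @Override
    boolean test(MultifactorAuthenticationProvider provider) {
        // Principal attributes may be single- or multi-valued; handle both.
        def values = principal.attributes.get(ATTRIBUTE)
        if (values == null) {
            // No attribute: the user has not opted in, so no provider is activated.
            logger.debug("{} has no {} attribute, no MFA provider activated", principal.id, ATTRIBUTE)
            return false
        }
        def wanted = (values instanceof Collection ? values : [values])
            .collect { PROVIDER_IDS.get(it.toString().toLowerCase()) }
            .findAll { it != null } as Set
        // Fail closed: only an id explicitly mapped from the attribute is enabled.
        boolean enabled = wanted.contains(provider.id)
        logger.info("MFA provider {} for {}: {}", provider.id, principal.id, enabled)
        return enabled
    }
}
```

The predicate option named in the comment above points at this script on disk (a path such as file:/etc/cas/config/mfa-method.groovy, which is a placeholder here); because the script returns false whenever the attribute is absent, the opt-in stays opt-in, and an LDAP value that does not map to a built provider is logged and ignored rather than silently enabling some other provider.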

@Volans just asked if there is a way to register multiple U2F devices to the same account. Off the top of my head I'm not sure how to achieve that, but placing a note here as something to investigate.


Just a bit of a note, since I asked for this exact thing on IRC. It'd be cool to be able to select from more than one U2F token. :)


As mentioned on IRC, it is possible to add this functionality to CAS, although it would require adding some hooks to the auth process so we could allow the user to pick which token they wish to use. Although I think that before we even start considering features like this we need to have a good user management portal so users can register, remove and choose their default U2F token.

jbond claimed this task.

Closing this; I think the idea to support multiple options is out of scope for this task.