Shibcas and mfa-gauth

[millecentdix]

Hi,

I am using Shibcas with my Shibboleth IDP v3 and a CAS v5.3. All works fine with login and password.
When I use multifactor "Google Authenticator" on my CAS, I have a strange return :

2019-02-15 16:17:54,149 - DEBUG [net.unicon.idp.externalauth.ShibcasAuthServlet:44] - principalName found and being passed on: XXXXXX
2019-02-15 16:17:54,150 - DEBUG [net.unicon.idp.externalauth.ShibcasAuthServlet:94] - Added attribute credentialType with values [UsernamePasswordCredential, GoogleAuthenticatorTokenCredential]
2019-02-15 16:17:54,150 - DEBUG [net.unicon.idp.externalauth.ShibcasAuthServlet:94] - Added attribute samlAuthenticationStatementAuthMethod with values [urn:oasis:names:tc:SAML:1.0:am:password, urn:oasis:names:tc:SAML:1.0:am:unspecified]
2019-02-15 16:17:54,150 - DEBUG [net.unicon.idp.externalauth.ShibcasAuthServlet:94] - Added attribute uid with values XXXXXXX
2019-02-15 16:17:54,151 - DEBUG [net.unicon.idp.externalauth.ShibcasAuthServlet:94] - Added attribute isFromNewLogin with values true
2019-02-15 16:17:54,151 - DEBUG [net.unicon.idp.externalauth.ShibcasAuthServlet:94] - Added attribute bypassMultifactorAuthentication with values false
2019-02-15 16:17:54,151 - DEBUG [net.unicon.idp.externalauth.ShibcasAuthServlet:94] - Added attribute authenticationDate with values 2019-02-15T16:17:53.562+01:00[Europe/Paris]
2019-02-15 16:17:54,152 - DEBUG [net.unicon.idp.externalauth.ShibcasAuthServlet:94] - Added attribute authenticationMethod with values [LdapAuthenticationHandler, GoogleAuthenticatorAuthenticationHandler]
2019-02-15 16:17:54,152 - DEBUG [net.unicon.idp.externalauth.ShibcasAuthServlet:94] - Added attribute authnContextClass with values mfa-gauth
2019-02-15 16:17:54,152 - DEBUG [net.unicon.idp.externalauth.ShibcasAuthServlet:94] - Added attribute successfulAuthenticationHandlers with values [LdapAuthenticationHandler, GoogleAuthenticatorAuthenticationHandler]
2019-02-15 16:17:54,159 - DEBUG [net.unicon.idp.externalauth.ShibcasAuthServlet:94] - Added attribute longTermAuthenticationRequestTokenUsed with values false
2019-02-15 16:17:54,160 - DEBUG [net.unicon.idp.externalauth.ShibcasAuthServlet:51] - Found attributes from CAS. Processing...

So my Shibboleth sent to the SP : urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

Is there a missing configuration or a translation to add ?

Thanks for reading.

[vwbusguy]

I think the initial MFA REFEDS for this plugin only supported Duo, but it looks like the latest version supports REFEDS MFA generally. I'm curious to know if it works with 3.3.0 as we're also using mfa-gauth via CAS for TOTP and would love to have a way to enforce that through the SAML layer if an SP requires it.

[vwbusguy]

The README only references Duo, but gauth is there in the code as a provider: https://github.com/Unicon/shib-cas-authn3/blob/master/src/main/java/net/unicon/idp/authn/provider/extra/CasMultifactorRefedsToGoogleAuthenticatorAuthnMethodParameterBuilder.java

[vwbusguy]

Try setting this in your idp.properties:

shibcas.casToShibTranslators = net.unicon.idp.externalauth.CasDuoSecurityRefedsAuthnMethodTranslator
shibcas.parameterBuilders = CasMultifactorRefedsToGoogleAuthenticatorAuthnMethodParameterBuilder

And make sure you have the refeds mfa profile in general-auth.xml: https://github.com/Unicon/shib-cas-authn3#configuration

[millecentdix]

I saw that in code me too and tried this configuration without success. Tested in the last 3.3.0 this afternoon.