Thank you for the reply! I'll try it with those default service parameters.
We offer optional MFA for the users so they can use a more secure way to authenticate. If a malicious third-party can bypass MFA simply by not providing the service param, it offers no extra protection for the user. Even if MFA is optional for users, if you opt-in for it, it should be required after that. After reading some more CAS source code, it seems that the trigger mechanism does not support this and instead decides that no MFA is chosen if the REST request fails and MFA is not mandatory for all users. I'll have to see what we can do to prevent this. Tomi On Thursday, 12 January 2023 at 19:36:22 UTC+2 Ray Bon wrote: > Tomi, > > If MFA is optional, then it can not be enforced, so the bypass makes sense. > > MFA would/should be triggered when the user visits a service (you can add > MFA required to the service definition or set it globally, etc.). > > You can set a default service that is redirected to after login, > https://apereo.github.io/cas/6.6.x/authentication/Configuring-SSO.html > cas.view.default-redirect-url > > There is also this property on the same page, > cas.sso.allow-missing-service-parameter > > Ray > > On Thu, 2023-01-12 at 00:38 -0800, 'Tomi Karlstedt' via CAS Community > wrote: > > Notice: This message was sent from outside the University of Victoria > email system. Please be cautious with links and sensitive information. > > > Hi, > > Our implementation uses the CAS login form to log users in and checks > username/password from a separate service. We're adding an optional MFA for > users and we want to save the chosen MFA provider per user into the same > service that handles usernames and passwords. > > There's a way to trigger MFA from a REST endpoint (implemented by > RestEndpointMultifactorAuthenticationTrigger) which seems to suite us well. > However, the current implementation of the REST MFA trigger seems to let > users bypass MFA by simply not including the service parameter when logging > in. To me this seems like a glaring bug in the implementation. > > My question is, can we force the service parameter (server side) or set a > default service somehow in the logging flow to mitigate this immediately? > > Tomi > > -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/0bdc810d-4914-44ee-af7b-7660c4a409b1n%40apereo.org.
