By: Danilo Alves user 28 Oct 2020 at 4:50 p.m. CDT

4 Responses
Hi,

First, some feedback about Gluu: it is fantastic software. Congratulations!

I'm using Gluu Casa with 2FA, and I'm thinking about forcing 2FA enrollment if the user doesn't have it, because the default interception script skips 2FA if the user doesn't have an available 2FA method. I'm thinking of redirecting to Casa to enroll a 2FA method and, if the user does not, not allowing the login.

Example with 2FA:

```
(PythonService.java:243) - Casa. authenticate for step 1
(PythonService.java:243) - Casa. MFA Status: None
(PythonService.java:243) - Casa. getAvailMethodsUser [otp]
(PythonService.java:243) - Casa. getSuitableAcr. On mobile = False
(PythonService.java:243) - Casa. getSuitableAcr. otp was selected for user danilo.alves
(PythonService.java:243) - ACR User Founded: otp
(PythonService.java:243) - OTP. Authenticate for step 1
(PythonService.java:243) - OTP. Authenticate for step 1. otp_auth_method: 'authenticate'
(PythonService.java:243) - Casa. determineSkip2FA with general policy EVERY_LOGIN
(PythonService.java:243) - Casa. getNextStep called 1
(PythonService.java:243) - Casa. getExtraParametersForStep 2
(PythonService.java:243) - extras are [otp_auth_method, otp_count_login_steps, otp_secret_key, otp_enrollment_request, ACR, methods, trustedDevicesInfo, casa_contextPath, casa_prefix, casa_faviconUrl, casa_extraCss, casa_logoUrl]
(PythonService.java:243) - Casa. getCountAuthenticationSteps called
(PythonService.java:243) - Casa. getCountAuthenticationSteps Steps [Module]: 2
(PythonService.java:243) - Casa. getPageForStep called 2
(PythonService.java:243) - [CUSTOM] Casa. ACR: otp
(PythonService.java:243) - OTP. Get page for step 2. otp_auth_method: 'authenticate'
(PythonService.java:243) - Casa. getExtraParametersForStep 2
(PythonService.java:243) - extras are [otp_auth_method, otp_count_login_steps, otp_secret_key, otp_enrollment_request, ACR, methods, trustedDevicesInfo, casa_contextPath, casa_prefix, casa_faviconUrl, casa_extraCss, casa_logoUrl]
(PythonService.java:243) - Casa. isValidAuthenticationMethod called
(PythonService.java:243) - Casa. prepareForStep 2
(PythonService.java:243) - Casa. prepareForStep. ACR = otp
(PythonService.java:243) - Casa. getAvailMethodsUser []
(PythonService.java:243) - OTP. Prepare for step 2
(PythonService.java:243) - OTP. Prepare for step 2. otp_auth_method: 'authenticate'
(PythonService.java:243) - Casa. getExtraParametersForStep 2
(PythonService.java:243) - extras are [otp_auth_method, otp_count_login_steps, otp_secret_key, otp_enrollment_request, ACR, methods, trustedDevicesInfo, casa_contextPath, casa_prefix, casa_faviconUrl, casa_extraCss, casa_logoUrl]
```

Example without 2FA:

```
(PythonService.java:243) - Casa. getPageForStep called 1
(PythonService.java:243) - Casa. isValidAuthenticationMethod called
(PythonService.java:243) - Casa. prepareForStep 1
(PythonService.java:243) - Casa. prepareUIParams. Reading UI branding params
(PythonService.java:243) - Casa. getExtraParametersForStep 1
(PythonService.java:243) - extras are [casa_contextPath, casa_prefix, casa_faviconUrl, casa_extraCss, casa_logoUrl]
```

Can you help me?

Best regards.
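An added example, not part of the original thread and not Gluu's code: a small auditor for the Casa script log lines quoted in the post above, reporting for each login flow which enrolled methods were found at step 1 and flagging flows that had none. The second flow in the sample is constructed, and its shape (an empty `getAvailMethodsUser []` right after step 1) is an assumption; `audit_flows` and `password_only` are hypothetical names.

```python
import re

# Constructed sample: the first flow is a subset of the lines in the post above;
# the second flow is an ASSUMED shape for a user with no enrolled credential.
SAMPLE_LOG = """\
(PythonService.java:243) - Casa. authenticate for step 1
(PythonService.java:243) - Casa. MFA Status: None
(PythonService.java:243) - Casa. getAvailMethodsUser [otp]
(PythonService.java:243) - Casa. getSuitableAcr. otp was selected for user danilo.alves
(PythonService.java:243) - Casa. getCountAuthenticationSteps Steps [Module]: 2
(PythonService.java:243) - Casa. prepareForStep 2
(PythonService.java:243) - Casa. getAvailMethodsUser []
(PythonService.java:243) - Casa. authenticate for step 1
(PythonService.java:243) - Casa. getAvailMethodsUser []
"""

LINE = re.compile(r"^\(PythonService\.java:\d+\) - (?P<msg>.*)$")
METHODS = re.compile(r"^Casa\. getAvailMethodsUser \[(?P<list>[^\]]*)\]$")
SELECTED = re.compile(r"^Casa\. getSuitableAcr\. (?P<acr>\S+) was selected for user (?P<user>\S+)$")

def audit_flows(text):
    """Split the log into login flows and report the methods seen at step 1."""
    flows, current = [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg").strip()
        if msg == "Casa. authenticate for step 1":
            current = {"user": None, "acr": None, "methods": None}
            flows.append(current)
            continue
        if current is None:
            continue
        found = METHODS.match(msg)
        # Only the first lookup after step 1 counts: the lookup logged in
        # prepareForStep 2 is empty even for an enrolled user.
        if found and current["methods"] is None:
            current["methods"] = [x.strip() for x in found.group("list").split(",") if x.strip()]
        sel = SELECTED.match(msg)
        if sel:
            current["acr"], current["user"] = sel.group("acr"), sel.group("user")
    for f in flows:
        f["password_only"] = f["methods"] == [] and f["acr"] is None
    return flows

if __name__ == "__main__":
    for flow in audit_flows(SAMPLE_LOG):
        print(flow)
```

The quoted lines carry no session identifier, so this grouping assumes one login at a time; interleaved concurrent logins would be attributed to the wrong flow.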

By Michael Schwartz Account Admin 28 Oct 2020 at 10:23 p.m. CDT

@Madhumita.Subramaniam Can you take a look at this? I think what he's saying is that an organization admin should have the ability to force enrollment of 2FA from one of the available options. I agree that this would be a nice feature. I think we'd have to update the Casa script and maybe tie it to a property in Casa? Can you make a feature request for 4.2.3 for this?

By Madhumita Subramaniam staff 29 Oct 2020 at 12:41 a.m. CDT

Hi Danilo,

Please take a look at this: https://gluu.org/docs/casa/4.2/administration/2fa-basics/#forcing-users-to-enroll-a-specific-credential-before-2fa-is-available

Feel free to write back if you have more questions or concerns.

By Danilo Alves user 29 Oct 2020 at 8:08 a.m. CDT

Hi @Madhumita.Subramaniam,

Thanks for your attention. I did two tests:

1. I added the "2fa_requisite" property on OTP only, and I didn't have success.
2. I added the "2fa_requisite" property on OTP, Super Gluu and Casa, but also didn't have success.

Gluu Casa did not force enrolling a 2FA method. I attached screenshots of the new properties and a GIF of the login process.

Properties:

* https://ibb.co/Z8PjRrS
* https://ibb.co/x6wQ111
* https://ibb.co/DrC592T
* https://ibb.co/p14SGhD

Login:

* https://ibb.co/Z8ZDXMc

By Jose Gonzalez staff 30 Oct 2020 at 4:59 p.m. CDT

Danilo, As Michael commented earlier, this feature is not yet supported in Casa. If you read carefully the advice Madhumita pointed to, it applies when you have already landed into the application. Actually if you scroll down to "Enrolling credentials upon registration or first login" you'll find some suggestions about implementing the feature in question.