Class PrincipalAttributeMultifactorAuthenticationProperties
java.lang.Object
org.apereo.cas.configuration.model.support.mfa.PrincipalAttributeMultifactorAuthenticationProperties
- All Implemented Interfaces:
Serializable
@RequiresModule(name="cas-server-core-authentication", automated=true)
public class PrincipalAttributeMultifactorAuthenticationProperties
extends Object
implements Serializable
- Since:
- 6.4.0
Method Summary
- getGlobalPrincipalAttributeNameTriggers(): MFA can be triggered for all users/subjects carrying a specific attribute that matches one of the conditions below.
- getGlobalPrincipalAttributePredicate(): This is a more generic variant of the globalPrincipalAttributeNameTriggers.
- getGlobalPrincipalAttributeValueRegex(): The regular expression that is matched against the principal attribute to determine if the account is qualified for multifactor authentication.
- boolean isDenyIfUnmatched(): Force CAS to deny and block the authentication attempt altogether if attribute name/value configuration cannot produce a successful match to trigger multifactor authentication.
- boolean isReverseMatch(): Principal attribute triggers by default look for a positive match and the presence of a pattern in attribute values.
- setDenyIfUnmatched(boolean denyIfUnmatched): Force CAS to deny and block the authentication attempt altogether if attribute name/value configuration cannot produce a successful match to trigger multifactor authentication.
- setGlobalPrincipalAttributeNameTriggers(String globalPrincipalAttributeNameTriggers): MFA can be triggered for all users/subjects carrying a specific attribute that matches one of the conditions below.
- setGlobalPrincipalAttributePredicate(SpringResourceProperties globalPrincipalAttributePredicate): This is a more generic variant of the globalPrincipalAttributeNameTriggers.
- setGlobalPrincipalAttributeValueRegex(String globalPrincipalAttributeValueRegex): The regular expression that is matched against the principal attribute to determine if the account is qualified for multifactor authentication.
- setReverseMatch(boolean reverseMatch): Principal attribute triggers by default look for a positive match and the presence of a pattern in attribute values.
Constructor Details
PrincipalAttributeMultifactorAuthenticationProperties
public PrincipalAttributeMultifactorAuthenticationProperties()
Method Details
getGlobalPrincipalAttributePredicate
This is a more generic variant of the globalPrincipalAttributeNameTriggers. It may be useful in cases where there is more than one provider configured and available in the application runtime and you need to design a strategy to dynamically decide on the provider that should be activated for the request. The decision is handed off to a Predicate implementation that is defined in a Groovy script whose location is given to CAS.
getGlobalPrincipalAttributeNameTriggers
MFA can be triggered for all users/subjects carrying a specific attribute that matches one of the conditions below.
- Trigger MFA based on a principal attribute(s) whose value(s) match a regex pattern. Note that this behavior is only applicable if there is only a single MFA provider configured, since that would allow CAS to know which provider to activate next.
- Trigger MFA based on a principal attribute(s) whose value(s) EXACTLY match an MFA provider. This option is more relevant if you have more than one provider configured or if you have the flexibility of assigning provider ids to attributes as values.
getGlobalPrincipalAttributeValueRegex
The regular expression that is matched against the principal attribute to determine if the account is qualified for multifactor authentication. Matching and comparison operations are case insensitive.
isDenyIfUnmatched
public boolean isDenyIfUnmatched()
Force CAS to deny and block the authentication attempt altogether if attribute name/value configuration cannot produce a successful match to trigger multifactor authentication.
isReverseMatch
public boolean isReverseMatch()
Principal attribute triggers by default look for a positive match and the presence of a pattern in attribute values. If you are looking to reverse that behavior and trigger MFA when the attribute value does NOT match the given pattern, then set this flag to true. This option does not apply when a predicate trigger is used to decide on the provider, and is only relevant when globalPrincipalAttributeNameTriggers and globalPrincipalAttributeValueRegex are used.
setGlobalPrincipalAttributePredicate
public PrincipalAttributeMultifactorAuthenticationProperties setGlobalPrincipalAttributePredicate(SpringResourceProperties globalPrincipalAttributePredicate)
This is a more generic variant of the globalPrincipalAttributeNameTriggers. It may be useful in cases where there is more than one provider configured and available in the application runtime and you need to design a strategy to dynamically decide on the provider that should be activated for the request. The decision is handed off to a Predicate implementation that is defined in a Groovy script whose location is given to CAS.
- Returns:
this.
setGlobalPrincipalAttributeNameTriggers
public PrincipalAttributeMultifactorAuthenticationProperties setGlobalPrincipalAttributeNameTriggers(String globalPrincipalAttributeNameTriggers)
MFA can be triggered for all users/subjects carrying a specific attribute that matches one of the conditions below.
- Trigger MFA based on a principal attribute(s) whose value(s) match a regex pattern. Note that this behavior is only applicable if there is only a single MFA provider configured, since that would allow CAS to know which provider to activate next.
- Trigger MFA based on a principal attribute(s) whose value(s) EXACTLY match an MFA provider. This option is more relevant if you have more than one provider configured or if you have the flexibility of assigning provider ids to attributes as values.
- Returns:
this.
setGlobalPrincipalAttributeValueRegex
public PrincipalAttributeMultifactorAuthenticationProperties setGlobalPrincipalAttributeValueRegex(String globalPrincipalAttributeValueRegex)
The regular expression that is matched against the principal attribute to determine if the account is qualified for multifactor authentication. Matching and comparison operations are case insensitive.
- Returns:
this.
setDenyIfUnmatched
public PrincipalAttributeMultifactorAuthenticationProperties setDenyIfUnmatched(boolean denyIfUnmatched)
Force CAS to deny and block the authentication attempt altogether if attribute name/value configuration cannot produce a successful match to trigger multifactor authentication.
- Returns:
this.
setReverseMatch
Principal attribute triggers by default look for a positive match and the presence of a pattern in attribute values. If you are looking to reverse that behavior and trigger MFA when the attribute value does NOT match the given pattern, then set this flag to true. This option does not apply when a predicate trigger is used to decide on the provider, and is only relevant when globalPrincipalAttributeNameTriggers and globalPrincipalAttributeValueRegex are used.
- Returns:
this.
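The interaction of globalPrincipalAttributeValueRegex, reverseMatch and denyIfUnmatched is easiest to review as a decision function. The following is an added example, not CAS source code: a simplified stand-alone model (Java 16+) of the semantics documented above, useful for checking whether a given configuration fails open or closed. The class, record, enum and sample attribute values are hypothetical; the comma-separated name list, the use of find(), and the treatment of an absent attribute are assumptions to verify against your CAS version.

```java
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

public class PrincipalAttributeTriggerModel {
    enum Outcome { TRIGGER_MFA, NO_MFA, DENY }

    // Mirrors the four simple settings on this page; the Groovy predicate is not modelled.
    record Settings(String nameTriggers, String valueRegex,
                    boolean reverseMatch, boolean denyIfUnmatched) {}

    static Outcome decide(Settings s, Map<String, List<String>> attributes) {
        // "Case insensitive" and "presence of a pattern" come from the page;
        // implementing them with find() is this model's assumption.
        Pattern pattern = Pattern.compile(s.valueRegex(), Pattern.CASE_INSENSITIVE);
        boolean found = false;
        // Assumption: several attribute names are given as a comma-separated list.
        for (String name : s.nameTriggers().split(",")) {
            for (String value : attributes.getOrDefault(name.trim(), List.of())) {
                found |= pattern.matcher(value).find();
            }
        }
        // Assumption: an absent attribute counts as "pattern not present".
        boolean triggered = s.reverseMatch() != found;
        if (triggered) {
            return Outcome.TRIGGER_MFA;
        }
        // No trigger was produced: fail closed only when denyIfUnmatched is set.
        return s.denyIfUnmatched() ? Outcome.DENY : Outcome.NO_MFA;
    }

    public static void main(String[] args) {
        // Constructed sample principals.
        Map<String, List<String>> staff = Map.of("memberOf", List.of("CN=Staff,OU=Groups"));
        Map<String, List<String>> guest = Map.of("memberOf", List.of("CN=Guests,OU=Groups"));

        Settings failOpen = new Settings("memberOf", "cn=staff", false, false);
        Settings failClosed = new Settings("memberOf", "cn=staff", false, true);
        Settings reversed = new Settings("memberOf", "cn=guests", true, false);

        System.out.println("failOpen/staff:   " + decide(failOpen, staff));
        System.out.println("failOpen/guest:   " + decide(failOpen, guest));
        System.out.println("failClosed/guest: " + decide(failClosed, guest));
        System.out.println("reversed/staff:   " + decide(reversed, staff));
        System.out.println("reversed/guest:   " + decide(reversed, guest));
    }
}
```

In this model, the same unmatched principal signs in without a second factor under failOpen and is blocked under failClosed, which is the difference denyIfUnmatched makes.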