Class PrincipalAttributeMultifactorAuthenticationProperties

java.lang.Object
org.apereo.cas.configuration.model.support.mfa.PrincipalAttributeMultifactorAuthenticationProperties
All Implemented Interfaces:
Serializable

@RequiresModule(name="cas-server-core-authentication", automated=true) public class PrincipalAttributeMultifactorAuthenticationProperties extends Object implements Serializable
Since:
6.4.0
  • Constructor Details

    • PrincipalAttributeMultifactorAuthenticationProperties

      public PrincipalAttributeMultifactorAuthenticationProperties()
  • Method Details

    • getGlobalPrincipalAttributePredicate

      public SpringResourceProperties getGlobalPrincipalAttributePredicate()
      This is a more generic variant of the globalPrincipalAttributeNameTriggers. It may be useful in cases where there is more than one provider configured and available in the application runtime and you need to design a strategy to dynamically decide on the provider that should be activated for the request. The decision is handed off to a Predicate implementation that is defined in a Groovy script whose location is taught to CAS.
    • getGlobalPrincipalAttributeNameTriggers

      public String getGlobalPrincipalAttributeNameTriggers()
      MFA can be triggered for all users/subjects carrying a specific attribute that matches one of the conditions below.
      • Trigger MFA based on a principal attribute(s) whose value(s) matches a regex pattern. Note that this behavior is only applicable if there is only a single MFA provider configured, since that would allow CAS to know which provider to activate next.
      • Trigger MFA based on a principal attribute(s) whose value(s) EXACTLY matches an MFA provider. This option is more relevant if you have more than one provider configured or if you have the flexibility of assigning provider ids to attributes as values.
      Needless to say, the attributes need to have been resolved for the principal prior to this step. Matching and comparison operations are case insensitive.
    • getGlobalPrincipalAttributeValueRegex

      public String getGlobalPrincipalAttributeValueRegex()
      The regular expression that is cross-matched against the principal attribute to determine if the account is qualified for multifactor authentication. Matching and comparison operations are case insensitive.
    • isDenyIfUnmatched

      public boolean isDenyIfUnmatched()
      Force CAS to deny and block the authentication attempt altogether if attribute name/value configuration cannot produce a successful match to trigger multifactor authentication.
    • isReverseMatch

      public boolean isReverseMatch()
      Principal attribute triggers by default look for a positive match and the presence of a pattern in attribute values. If you are looking to reverse that behavior and trigger MFA when the attribute value does NOT match the given pattern, then set this flag to true. This option does not apply when a predicate trigger is used to decide on the provider, and is only relevant when globalPrincipalAttributeNameTriggers and globalPrincipalAttributeValueRegex are used.
    • setGlobalPrincipalAttributePredicate

      public PrincipalAttributeMultifactorAuthenticationProperties setGlobalPrincipalAttributePredicate(SpringResourceProperties globalPrincipalAttributePredicate)
      This is a more generic variant of the globalPrincipalAttributeNameTriggers. It may be useful in cases where there is more than one provider configured and available in the application runtime and you need to design a strategy to dynamically decide on the provider that should be activated for the request. The decision is handed off to a Predicate implementation that is defined in a Groovy script whose location is taught to CAS.
      Returns:
      this.
    • setGlobalPrincipalAttributeNameTriggers

      public PrincipalAttributeMultifactorAuthenticationProperties setGlobalPrincipalAttributeNameTriggers(String globalPrincipalAttributeNameTriggers)
      MFA can be triggered for all users/subjects carrying a specific attribute that matches one of the conditions below.
      • Trigger MFA based on a principal attribute(s) whose value(s) matches a regex pattern. Note that this behavior is only applicable if there is only a single MFA provider configured, since that would allow CAS to know which provider to activate next.
      • Trigger MFA based on a principal attribute(s) whose value(s) EXACTLY matches an MFA provider. This option is more relevant if you have more than one provider configured or if you have the flexibility of assigning provider ids to attributes as values.
      Needless to say, the attributes need to have been resolved for the principal prior to this step. Matching and comparison operations are case insensitive.
      Returns:
      this.
    • setGlobalPrincipalAttributeValueRegex

      public PrincipalAttributeMultifactorAuthenticationProperties setGlobalPrincipalAttributeValueRegex(String globalPrincipalAttributeValueRegex)
      The regular expression that is cross-matched against the principal attribute to determine if the account is qualified for multifactor authentication. Matching and comparison operations are case insensitive.
      Returns:
      this.
    • setDenyIfUnmatched

      public PrincipalAttributeMultifactorAuthenticationProperties setDenyIfUnmatched(boolean denyIfUnmatched)
      Force CAS to deny and block the authentication attempt altogether if attribute name/value configuration cannot produce a successful match to trigger multifactor authentication.
      Returns:
      this.
    • setReverseMatch

      public PrincipalAttributeMultifactorAuthenticationProperties setReverseMatch(boolean reverseMatch)
      Principal attribute triggers by default look for a positive match and the presence of a pattern in attribute values. If you are looking to reverse that behavior and trigger MFA when the attribute value does NOT match the given pattern, then set this flag to true. This option does not apply when a predicate trigger is used to decide on the provider, and is only relevant when globalPrincipalAttributeNameTriggers and globalPrincipalAttributeValueRegex are used.
      Returns:
      this.
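
The following is an added example, not CAS source code: a simplified model of how globalPrincipalAttributeNameTriggers, globalPrincipalAttributeValueRegex, reverseMatch and denyIfUnmatched combine when a single MFA provider is configured. The class, record and enum names are hypothetical; the comma-separated trigger list, the use of find() for matching, and the treatment of an unresolved attribute as "no match" are assumptions of this model.

```java
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

// Simplified model of the trigger semantics described on this page; not CAS source code.
public class PrincipalAttributeTriggerModel {
    enum Outcome { TRIGGER_MFA, PROCEED_WITHOUT_MFA, DENY }

    // Hypothetical holder mirroring the name-trigger, regex and boolean properties.
    record Settings(String nameTriggers, String valueRegex,
                    boolean denyIfUnmatched, boolean reverseMatch) {}

    static Outcome evaluate(Settings s, Map<String, List<String>> attributes) {
        // Matching is case insensitive, as the property descriptions state.
        Pattern pattern = Pattern.compile(s.valueRegex(), Pattern.CASE_INSENSITIVE);
        boolean matched = false;
        // Assumption: several attribute names are given as a comma-separated list.
        for (String trigger : s.nameTriggers().split(",")) {
            for (Map.Entry<String, List<String>> e : attributes.entrySet()) {
                if (!e.getKey().equalsIgnoreCase(trigger.trim())) {
                    continue;
                }
                // Assumption: find() models "presence of a pattern" in any value.
                boolean found = e.getValue().stream().anyMatch(v -> pattern.matcher(v).find());
                // reverseMatch triggers MFA when the value does NOT match.
                matched |= (found != s.reverseMatch());
            }
        }
        if (matched) {
            return Outcome.TRIGGER_MFA;
        }
        // Nothing qualified (or the attribute was never resolved): only
        // denyIfUnmatched stops the login from continuing without MFA.
        return s.denyIfUnmatched() ? Outcome.DENY : Outcome.PROCEED_WITHOUT_MFA;
    }

    public static void main(String[] args) {
        // Constructed sample principals (attribute name -> values).
        var staff = Map.of("memberOf", List.of("CN=Staff,OU=Groups"));
        var unresolved = Map.of("mail", List.of("user@example.org"));
        var failOpen = new Settings("memberOf, affiliation", "cn=staff", false, false);
        var failClosed = new Settings("memberOf, affiliation", "cn=staff", true, false);
        var reversed = new Settings("memberOf", "cn=contractors", false, true);

        System.out.println("staff / failOpen: " + evaluate(failOpen, staff));
        System.out.println("unresolved / failOpen: " + evaluate(failOpen, unresolved));
        System.out.println("unresolved / failClosed: " + evaluate(failClosed, unresolved));
        System.out.println("staff / reversed: " + evaluate(reversed, staff));
    }
}
```

In this model, a principal whose trigger attribute was never resolved continues without MFA unless denyIfUnmatched is set, which is the case to check when attribute resolution can fail or return partial results.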