{"host": "idp-test1005.wikimedia.org", "state": "core_diff", "description": "Differences to core resources", "diff": {"full": {"total": 2865, "only_in_self": [], "only_in_other": [], "resource_diffs": [{"resource": "File[/etc/cas/config/cas.properties]", "content": "--- /etc/cas/config/cas.properties.orig\n+++ /etc/cas/config/cas.properties\n@@ -160,3 +160,27 @@\n # of any offered scope, clients will need to use groups.\n cas.authn.oidc.discovery.claims=sub,name,groups,email,family_name,preferred_username,profile,memberOf\n \n+cas.authn.mfa.web-authn.core.enabled=true\n+cas.authn.mfa.web-authn.core.display-name-attribute=Wikimedia Foundation\n+\n+cas.authn.mfa.web-authn.core.relying-party-id=idp-test.wikimedia.org\n+cas.authn.mfa.web-authn.core.allowed-origins=https://idp-test.wikimedia.org\n+\n+# Database configuration.\n+cas.authn.mfa.web-authn.jpa.driver-class=org.mariadb.jdbc.Driver\n+cas.authn.mfa.web-authn.jpa.dialect=org.hibernate.dialect.MariaDBDialect\n+cas.authn.mfa.web-authn.jpa.url=jdbc:mariadb://m1-master.eqiad.wmnet/cas_staging?useSSL=true&disableSslHostnameVerification=true\n+cas.authn.mfa.web-authn.jpa.password=cas\n+cas.authn.mfa.web-authn.jpa.user=changeme\n+\n+# We encourage users to have backup devices, but this requires them to be able to register multiple\n+# hardware tokens.\n+cas.authn.mfa.web-authn.core.multiple-device-registration-enabled=true\n+\n+# You're not allowed to sign in using only your FIDO2 key.\n+cas.authn.mfa.web-authn.core.allow-primary-authentication=false\n+\n+# Allows us to support more device types. 
YubiKeys provide trusted attestation, but cheaper devices\n+# such as IDTrust keys do not.\n+cas.authn.mfa.web-authn.core.allow-untrusted-attestation=True\n+"}, {"resource": "Class[Profile::Idp]", "parameters": "--- Class[Profile::Idp].orig\n+++ Class[Profile::Idp]\n\n@@\n-    enable_webauthn         => False\n+    enable_webauthn         => True\n@@\n-    webauthn_relaying_party => wikimedia.org\n+    webauthn_relaying_party => idp-test.wikimedia.org\n"}, {"resource": "Class[Apereo_cas]", "parameters": "--- Class[Apereo_cas].orig\n+++ Class[Apereo_cas]\n\n@@\n-    webauthn_relaying_party => wikimedia.org\n+    webauthn_relaying_party => idp-test.wikimedia.org\n@@\n-    enable_webauthn         => False\n+    enable_webauthn         => True\n"}], "perc_changed": "0.10%"}, "core": {"total": 2865, "only_in_self": [], "only_in_other": [], "resource_diffs": [{"resource": "File[/etc/cas/config/cas.properties]", "content": "--- /etc/cas/config/cas.properties.orig\n+++ /etc/cas/config/cas.properties\n@@ -160,3 +160,27 @@\n # of any offered scope, clients will need to use groups.\n cas.authn.oidc.discovery.claims=sub,name,groups,email,family_name,preferred_username,profile,memberOf\n \n+cas.authn.mfa.web-authn.core.enabled=true\n+cas.authn.mfa.web-authn.core.display-name-attribute=Wikimedia Foundation\n+\n+cas.authn.mfa.web-authn.core.relying-party-id=idp-test.wikimedia.org\n+cas.authn.mfa.web-authn.core.allowed-origins=https://idp-test.wikimedia.org\n+\n+# Database configuration.\n+cas.authn.mfa.web-authn.jpa.driver-class=org.mariadb.jdbc.Driver\n+cas.authn.mfa.web-authn.jpa.dialect=org.hibernate.dialect.MariaDBDialect\n+cas.authn.mfa.web-authn.jpa.url=jdbc:mariadb://m1-master.eqiad.wmnet/cas_staging?useSSL=true&disableSslHostnameVerification=true\n+cas.authn.mfa.web-authn.jpa.password=cas\n+cas.authn.mfa.web-authn.jpa.user=changeme\n+\n+# We encourage users to have backup devices, but this requires them to be able to register multiple\n+# hardware 
tokens.\n+cas.authn.mfa.web-authn.core.multiple-device-registration-enabled=true\n+\n+# You're not allowed to sign in using only your FIDO2 key.\n+cas.authn.mfa.web-authn.core.allow-primary-authentication=false\n+\n+# Allows us to support more device types. YubiKeys provide trusted attestation, but cheaper devices\n+# such as IDTrust keys do not.\n+cas.authn.mfa.web-authn.core.allow-untrusted-attestation=True\n+"}], "perc_changed": "0.03%"}, "main": {"total": 2865, "only_in_self": [], "only_in_other": [], "resource_diffs": [{"resource": "File[/etc/cas/config/cas.properties]", "content": "--- /etc/cas/config/cas.properties.orig\n+++ /etc/cas/config/cas.properties\n@@ -160,3 +160,27 @@\n # of any offered scope, clients will need to use groups.\n cas.authn.oidc.discovery.claims=sub,name,groups,email,family_name,preferred_username,profile,memberOf\n \n+cas.authn.mfa.web-authn.core.enabled=true\n+cas.authn.mfa.web-authn.core.display-name-attribute=Wikimedia Foundation\n+\n+cas.authn.mfa.web-authn.core.relying-party-id=idp-test.wikimedia.org\n+cas.authn.mfa.web-authn.core.allowed-origins=https://idp-test.wikimedia.org\n+\n+# Database configuration.\n+cas.authn.mfa.web-authn.jpa.driver-class=org.mariadb.jdbc.Driver\n+cas.authn.mfa.web-authn.jpa.dialect=org.hibernate.dialect.MariaDBDialect\n+cas.authn.mfa.web-authn.jpa.url=jdbc:mariadb://m1-master.eqiad.wmnet/cas_staging?useSSL=true&disableSslHostnameVerification=true\n+cas.authn.mfa.web-authn.jpa.password=cas\n+cas.authn.mfa.web-authn.jpa.user=changeme\n+\n+# We encourage users to have backup devices, but this requires them to be able to register multiple\n+# hardware tokens.\n+cas.authn.mfa.web-authn.core.multiple-device-registration-enabled=true\n+\n+# You're not allowed to sign in using only your FIDO2 key.\n+cas.authn.mfa.web-authn.core.allow-primary-authentication=false\n+\n+# Allows us to support more device types. 
YubiKeys provide trusted attestation, but cheaper devices\n+# such as IDTrust keys do not.\n+cas.authn.mfa.web-authn.core.allow-untrusted-attestation=True\n+"}, {"resource": "Class[Profile::Idp]", "parameters": "--- Class[Profile::Idp].orig\n+++ Class[Profile::Idp]\n\n@@\n-    enable_webauthn         => False\n+    enable_webauthn         => True\n@@\n-    webauthn_relaying_party => wikimedia.org\n+    webauthn_relaying_party => idp-test.wikimedia.org\n"}, {"resource": "Class[Apereo_cas]", "parameters": "--- Class[Apereo_cas].orig\n+++ Class[Apereo_cas]\n\n@@\n-    webauthn_relaying_party => wikimedia.org\n+    webauthn_relaying_party => idp-test.wikimedia.org\n@@\n-    enable_webauthn         => False\n+    enable_webauthn         => True\n"}], "perc_changed": "0.10%"}}}
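Review bot: The added `cas.authn.mfa.web-authn.jpa.url` line in the cas.properties hunk carries `disableSslHostnameVerification=true`, so the connection to the database holding WebAuthn registrations is encrypted but the server certificate is not matched against `m1-master.eqiad.wmnet`. Unless the database certificate cannot carry that name, the line should read `cas.authn.mfa.web-authn.jpa.url=jdbc:mariadb://m1-master.eqiad.wmnet/cas_staging?useSSL=true`. The two lines after it put `jpa.password=cas` and `jpa.user=changeme` into this compiler output in clear text, and the values look swapped or left at placeholders. The password would be better taken from the private secret store and passed as a Puppet `Sensitive` value, which should keep it out of reports like this one. The same hunk appears unchanged under the `full`, `core` and `main` keys, so this applies to all three copies.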