I think the problem is this line: cas.authn.mfa.globalProviderId=mfa-gauth

According to the documentation, that enables MFA for all services, regardless of any other settings. Since you don't want that, you should probably turn it off. We have basically the same settings that Matt just posted here, and like his setup, it only does MFA on the few services where we've explicitly told it to.

--Dave

--
DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY
71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • [email protected]

On Fri, Sep 21, 2018 at 3:37 PM Matthew Uribe <[email protected]> wrote:
> Hi Dave,
>
> I'm still on CAS 5.2, so perhaps things have changed, but I'm doing exactly what you describe with Duo.
>
> In my cas.properties:
>
> #Configure Duo authentication properties
> cas.authn.mfa.globalFailureMode: OPEN
> # Aims Two-Factor
> cas.authn.mfa.duo[0].duoApiHost: such.and.such
> cas.authn.mfa.duo[0].duoIntegrationKey: D...........A5
> cas.authn.mfa.duo[0].duoSecretKey: N.....................E5
> cas.authn.mfa.duo[0].trustedDeviceEnabled: false
> cas.authn.mfa.duo[0].duoApplicationKey: 01234567890
> cas.authn.mfa.duo[0].id: mfa-duo
>
> Then in service registry:
>
> "multifactorPolicy" : {
>   "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
>   "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-duo" ] ]
> }
>
> Services which don't include a multifactorPolicy don't require MFA.
>
> Matt
>
> On Friday, September 21, 2018 at 12:56:53 PM UTC-6, Dave B wrote:
>> Running latest CAS 5.3 and just implemented MFA. My goal is to have MFA disabled globally but able to be turned on based only on inclusion in the service registry.
>>
>> However, I can not get MFA to work on any service unless cas.authn.mfa.globalProviderId is set to a value, in my case mfa-gauth.
>>
>> With the settings below, ALL services, regardless of inclusion of "multifactorPolicy", require MFA. My only option is to explicitly exclude (bypass) all other services for which I don't want to require MFA.
>>
>> Is this intended behavior?
>>
>> Relevant config:
>> cas.properties:
>> cas.authn.mfa.globalProviderId=mfa-gauth
>> cas.authn.mfa.globalFailureMode=CLOSED
>>
>> "multifactorPolicy" : {
>>   "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
>>   "multifactorAuthenicationProviders" : [ "java.util.LinkedHashSet", [ "mfa-gauth" ] ],
>>   "failureMode" : "CLOSED"
>> },
>>
>> Thanks for any help!
>> -Dave
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/c9ca7d75-0826-4fb5-86aa-9a67d2d3e3a3%40apereo.org
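The thread turns on two configuration details: a non-empty cas.authn.mfa.globalProviderId applies MFA to every service, and a per-service multifactorPolicy only takes effect when its key names match what CAS expects (Matt's definition spells the key "multifactorAuthenticationProviders"; Dave B's quoted definition spells it "multifactorAuthenicationProviders", which the JSON mapper would simply ignore). The following lint script is an added example, not code from the thread or from the CAS project; the sample service definitions and property lines are constructed to mirror the two quoted above.

```python
import re

# Key names as used in the CAS service-registry JSON and cas.properties quoted above.
POLICY_KEY = "multifactorPolicy"
PROVIDERS_KEY = "multifactorAuthenticationProviders"
GLOBAL_PROVIDER_PROP = "cas.authn.mfa.globalProviderId"

def lint_properties(text):
    """Flag a non-empty globalProviderId, which applies MFA to every service."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([\w.\[\]]+)\s*[=:]\s*(.*)", line)
        if m and m.group(1) == GLOBAL_PROVIDER_PROP and m.group(2).strip():
            findings.append(f"{GLOBAL_PROVIDER_PROP}={m.group(2).strip()} forces MFA on "
                            "all services; remove it to rely on per-service policies")
    return findings

def lint_service(service):
    """Check one parsed registered-service definition; return a list of findings."""
    name = service.get("name", "?")
    policy = service.get(POLICY_KEY)
    if policy is None:
        return []  # no policy means no MFA for this service, the desired default
    if PROVIDERS_KEY not in policy:
        # A misspelt key is simply ignored by the JSON mapper, so MFA never triggers.
        near = sorted(k for k in policy if k.lower().startswith("multifactorauth"))
        return [f"{name}: {POLICY_KEY} lacks '{PROVIDERS_KEY}' (found {near})"]
    providers = policy[PROVIDERS_KEY]
    # CAS serialises the provider set as ["java.util.LinkedHashSet", [ids...]].
    ids = providers[1] if isinstance(providers, list) and len(providers) == 2 else providers
    return [] if ids else [f"{name}: {PROVIDERS_KEY} is empty"]

# Constructed samples modelled on the two service definitions quoted in the thread.
GOOD_SERVICE = {"name": "aims", POLICY_KEY: {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
    "multifactorAuthenticationProviders": ["java.util.LinkedHashSet", ["mfa-duo"]]}}
TYPO_SERVICE = {"name": "dave-b", POLICY_KEY: {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
    "multifactorAuthenicationProviders": ["java.util.LinkedHashSet", ["mfa-gauth"]],
    "failureMode": "CLOSED"}}
GLOBAL_PROPS = "cas.authn.mfa.globalProviderId=mfa-gauth\ncas.authn.mfa.globalFailureMode=CLOSED\n"

if __name__ == "__main__":
    for f in lint_properties(GLOBAL_PROPS) + lint_service(GOOD_SERVICE) + lint_service(TYPO_SERVICE):
        print(f)
```

Run against a real deployment by loading each service JSON file from the registry directory and the cas.properties file; a clean run reports nothing for services without a policy and for correctly spelled policies.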
