Hi all, I did get this resolved after coming across a blog post here: https://apereo.github.io/2018/01/08/cas-mfa-duosecurity/
I stripped my Duo configuration to only what was included in the blog post, and all is working as expected now.

-Matt

On Tuesday, July 9, 2019 at 8:17:29 AM UTC-6, Matthew Uribe wrote:
> Hello Community,
>
> We use Duo for 2FA and have successfully used it with CAS for a single application. Recently we decided to enable 2FA for all applications using cas.authn.mfa.globalProviderId=mfa-duo and are now finding that each application requires that the user authenticate to the CAS login page. Setting the Duo page to "Remember me for 7 days" doesn't seem to make a difference. Whether the service is using CAS or SAML doesn't seem to make a difference. Enabling 2FA at the service level, rather than globally, yields the same results. Any service which is 2FA enabled is requiring that users auth for each application, which is obviously counter to the idea of a single sign on. Has anyone else who uses 2FA run into this? I can't imagine this is the best outcome, but as I look through the available settings here <https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html#duosecurity> I don't see what else I might need to configure.
>
> To put it another way, Duo only prompts once, at the first authentication, but thereafter, each application is redirected to the login page for username password auth.
>
> The relevant portion of my cas.properties is:
>
> #Configure Duo authentication properties
> cas.authn.mfa.globalFailureMode: OPEN
> cas.authn.mfa.globalProviderId: mfa-duo
> #cas.sso.renewedAuthn=false #(This was only for experimentation purpose - made no difference)
> cas.authn.mfa.duo[0].duoApiHost: redacted
> cas.authn.mfa.duo[0].duoIntegrationKey: redacted
> cas.authn.mfa.duo[0].duoSecretKey: redacted
> cas.authn.mfa.duo[0].trustedDeviceEnabled: false #(Also tried setting this to true - made no difference)
> cas.authn.mfa.duo[0].duoApplicationKey: redacted
> cas.authn.mfa.duo[0].id: mfa-duo
>
> Any help would be greatly appreciated.
>
> Thanks,
> Matt Uribe
