I'm trying to enable MFA-Duo using according to the docs at <https://apereo.github.io/cas/development/installation/DuoSecurity-Authentication.html> <https://apereo.github.io/cas/development/installation/Configuration-Properties.html#duosecurity>
I've had partial success with an application trigger using a service definition that includes "multifactorPolicy" : { "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy", "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-duo" ] ], "failureMode" : "OPEN" } After providing my username and password to the app that uses the Java CAS client (v3.4.2), Duo is invoked. However, after providing the Duo factor it successfully validates the ticket but throws an exception generating the SAML response: DEBUG [org.apereo.cas.support.saml.web.SamlValidateController] - <Successfully validated service ticket AAE***Cq2 for service [https://example.edu/app]> ERROR [org.apereo.cas.support.saml.web.view.Saml10SuccessResponseView] - <Error generating SAML response for service example.edu.> java.lang.ClassCastException: java.util.HashSet cannot be cast to java.lang.String at org.apereo.cas.support.saml.web.view.Saml10SuccessResponseView.prepareResponse(Saml10SuccessResponseView.java:60) ~[cas-server-support-saml-5.0.0.RC4-SNAPSHOT.jar:5.0.0.RC4-SNAPSHOT] at org.apereo.cas.support.saml.web.view.AbstractSaml10ResponseView.renderMergedOutputModel(AbstractSaml10ResponseView.java:104) ~[cas-server-support-saml-5.0.0.RC4-SNAPSHOT.jar:5.0.0.RC4-SNAPSHOT] ... Ultimately what we'd like to do though is invoke MFA-Duo globally, and not via an application triggered policy. It looks like the CAS properties listed here may be relevant, but it's not clear to me how they should be used. <https://apereo.github.io/cas/development/installation/Configuration-Properties.html#multifactor-authentication> For example, there is a cas.authn.mfa.globalPrincipalAttributeNameTriggers property, that seems to correspond to principalAttributeNameTrigger in the "Principal Attribute Per Application" example, but no corresponding principalAttributeValueToMatch documented. Merely specifying something an attribute for .globalPrincipalAttributeNameTriggers (e.g. cas.authn.mfa..globalPrincipalAttributeNameTriggers=uid) doesn't appear to be sufficent to invoke MFA-Duo. I'm not sure what the following parameters are for: cas.authn.mfa.requestParameter - related to the "Opt-In Request Parameter"? cas.authn.mfa.authenticationContextAttribute=authnContextClass cas.authn.mfa.contentType=application/cas - are any of these related to or able to use the Authentication attributes that are returned? (successfulAuthenticationHandlers, authenticationMethod, samlAuthenticationStatementAuthMethod) Aloha, -baron -- Baron Fujimoto <ba...@hawaii.edu> :: UH Information Technology Services minutas cantorum, minutas balorum, minutas carboratum desendus pantorum -- CAS gitter chatroom: https://gitter.im/apereo/cas CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html CAS documentation website: https://apereo.github.io/cas CAS project website: https://github.com/apereo/cas --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org. To post to this group, send email to cas-user@apereo.org. Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/20161012025817.GV23083%40praenomen.mgt.hawaii.edu. For more options, visit https://groups.google.com/a/apereo.org/d/optout.