Here’s the error that’s returned if the “CAS” integration is used when 
configuring on duo.com <http://duo.com/> website.  I have opened an issue with 
Duo.

2018-02-13 10:53:37,995 DEBUG 
[org.apereo.cas.adaptors.duo.authn.BaseDuoSecurityAuthenticationService] - 
<Received Duo admin response [{"code": 40301, "message": "Access forbidden", 
"message_detail": "Wrong integration type for this API.", "stat": "FAIL"}]>


> On Feb 13, 2018, at 7:34 AM, Brian Davidson <awk.br...@gmail.com> wrote:
> 
> Man,
> 
> Just providing clarification on this other issue that I hadn’t gotten back to 
> you on.  I think the issue in this specific email is an issue with duo.com 
> <http://duo.com/>, while the other issue in this thread is an issue with CAS.
> 
> In order for CAS to be able to use Duo you must obtain an integration key, 
> shared secret and api host from Duo.  You do this by logging in to duo.com 
> <http://duo.com/> as an administrator and selecting “Add new application”.  
> You are then presented with a list of 137 types of applications you can 
> integrate with:
> 
> 1Password
> Duo Admin API
> Duo Auth API
> CAS
> Cisco RADIUS VPN
> etc.
> 
> 
> If you select the CAS integration, you’ll receive en error (not authorized, I 
> believe) when trying to use the Duo preauth endpoint, which is what the CAS 
> Duo adapter uses:
> 
> https://github.com/apereo/cas/blob/468d834242d8c027d4f2333bb7b4d1c99b645630/support/cas-server-support-duo-core/src/main/java/org/apereo/cas/adaptors/duo/authn/BaseDuoSecurityAuthenticationService.java#L170
>  
> <https://github.com/apereo/cas/blob/468d834242d8c027d4f2333bb7b4d1c99b645630/support/cas-server-support-duo-core/src/main/java/org/apereo/cas/adaptors/duo/authn/BaseDuoSecurityAuthenticationService.java#L170>
> 
> 
> When setting up the application at duo.com <http://duo.com/> if you instead 
> choose Duo Auth API, the preauth endpoint works correctly.  There are no user 
> configurable permissions that I’ve been able to find on Duo’s site, so this 
> is a backend thing that they will need to change.  I will be opening a ticket 
> with them to address this.
> 
> Here’s the Duo documentation for the preauth endpoint:
> 
> https://duo.com/docs/authapi#/preauth <https://duo.com/docs/authapi#/preauth>
> 
> Thanks again for all of the help!
> 
> Brian
> 
>> On Feb 10, 2018, at 8:15 AM, Man H <info.ings...@gmail.com> wrote:
>> 
>> Could you be more specific
>> 
>> We did find that CAS was unable to check to see if the user exists in Duo if 
>> we used the “CAS” integration in Duo.  But it works if we set up the 
>> integration as “Auth API”.
>> 
> 

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/30619062-0F41-483C-977D-B64032D9F726%40gmail.com.

Reply via email to