We're considering contingencies to MFA failures in light of recent service problems with Duo.
We're currently still using CAS 5.0.x. I'm assuming the property of interest for us here is cas.authn.mfa.globalFailureMode. The documentation doesn't really make this clear, but specifically what MFA is/isn't "communicated to the client if provider" is unavailable for PHANTOM/OPEN modes? How do these differ from NONE?

<https://apereo.github.io/cas/5.0.x/installation/Configuring-Multifactor-Authentication.html#fail-open-vs-fail-closed>

We also have MFA enabled for each registered service with the following:

  "multifactorPolicy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
    "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-duo" ] ],
    "failureMode" : "OPEN"
  }

It appears, however, that setting cas.authn.mfa.globalFailureMode=NONE in cas.properties is not sufficient to disable/bypass MFA. I am still prompted for it. Should globalFailureMode in cas.properties take precedence over failureMode in the service registration, or vice versa? Or is this not the right way to achieve this goal?

We are thinking that OPEN may not be desired in the rare cases where Duo may be technically available (how does CAS determine Duo's availability?), but the service has degraded unacceptably.

--
Baron Fujimoto <ba...@hawaii.edu> :: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum