I like the idea of a configurable timeout for MFA globally or at the MFA provider-service level. The other ideas related to being able to disable it quickly or set discrete failure modes for populations and at the service level (which I think we can do already?) are really nice features/value adds.
*Having the request marked as a failure if it takes too long will allow the existing process/contingency to kick in. This, in my opinion, is critical.* We never hit fail-open in the last Duo event we had because the Duo service never hung up. The contingency that is in place never materialized. CAS 5.2.6 and CAS 5.2.7 were the versions in use when our two Duo failures occurred, btw.

On Friday, August 31, 2018 at 11:01:37 PM UTC-5, baron wrote:

> We're considering contingencies to MFA failures in light of recent service problems with Duo.
>
> We're currently still using CAS 5.0.x. I'm assuming the property of interest for us here is cas.authn.mfa.globalFailureMode. The documentation doesn't really make this clear, but specifically what MFA is/isn't "communicated to the client if provider" is unavailable for PHANTOM/OPEN modes? How do these differ from NONE?
>
> <https://apereo.github.io/cas/5.0.x/installation/Configuring-Multifactor-Authentication.html#fail-open-vs-fail-closed>
>
> We also have MFA enabled for each registered service with the following:
>
>     "multifactorPolicy" : {
>       "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
>       "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-duo" ] ],
>       "failureMode" : "OPEN"
>     }
>
> It appears, however, that setting cas.authn.mfa.globalFailureMode=NONE in cas.properties is not sufficient to disable/bypass MFA. I am still prompted for it. Should globalFailureMode in cas.properties take precedence over failureMode in the service registration, or vice versa? Or is this not the right way to achieve this goal?
>
> We are thinking that OPEN may not be desired in the rare cases where Duo may be technically available (how does CAS determine Duo's availability?), but the service has degraded unacceptably.
>
> --
> Baron Fujimoto <ba...@hawaii.edu> :: UH Information Technology Services
> minutas cantorum, minutas balorum, minutas carboratum desendus pantorum