Hi all,

We have Duo working in our test CAS 5.1.2 environment. Now we'd like to point different CAS-protected services at different Duo Protected Applications so we can set different group policies for each. I created 2 CAS applications inside Duo's admin portal and called them

"CAS ID=mfa-duo"
"CAS ID=mfa-duo2"

I then edited my cas.properties file and created a second set of Duo settings. Here is what it looks like with the important data scrubbed out:

cas.authn.mfa.duo[0].duoSecretKey=/<Key-for CAS ID=mfa-duo>/
cas.authn.mfa.duo[0].duoApplicationKey=/<40 character random string>/
cas.authn.mfa.duo[0].duoIntegrationKey=/<Integration-Key-for CAS ID=mfa-duo>/
cas.authn.mfa.duo[0].duoApiHost=/<api-server-name>/
cas.authn.mfa.duo[0].id=*mfa-duo*
cas.authn.mfa.duo[0].name=Duo_Profile1

cas.authn.mfa.duo[1].duoSecretKey=/<Key-for CAS ID=mfa-duo2>/
cas.authn.mfa.duo[1].duoApplicationKey=/<different 40 character random string>/
cas.authn.mfa.duo[1].duoIntegrationKey=/<Integration-Key-for CAS ID=mfa-duo2>/
cas.authn.mfa.duo[1].duoApiHost=/<api-server-name>/
cas.authn.mfa.duo[1].id=*mfa-duo2*
cas.authn.mfa.duo[1].name=Duo_Profile2


I then edited the .json files for 2 services and added these sections for multifactor authentication. Note the Duo ID I am referencing differently in each...

=========== Service 1============================
  multifactorPolicy:
  {
    @class: org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy
    multifactorAuthenticationProviders:
    [
      java.util.HashSet
      [
*mfa-duo*
      ]
    ]
    failureMode: CLOSED
    principalAttributeNameTrigger: memberOf
    principalAttributeValueToMatch: /<our AD group>/
    bypassEnabled: false
  }
===============================================
=========== Service 2============================
  multifactorPolicy:
  {
    @class: org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy
    multifactorAuthenticationProviders:
    [
      java.util.HashSet
      [
*mfa-duo2*
      ]
    ]
    failureMode: CLOSED
    principalAttributeNameTrigger: memberOf
    principalAttributeValueToMatch: /<our AD group>/
    bypassEnabled: false
  }
===============================================

When I log into both services, I do get prompted to do 2-factor auth, but when I authenticate on my phone app they both list the protected app named

/*"CAS ID=mfa-duo"*/

How do you get different CAS-protected services to point to different CAS instances in Duo (and therefore different group policies)?

Thanks!
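
A consistency check for the two-provider setup described in this message, as an added example (not part of the original post and not CAS project code): it groups the indexed `cas.authn.mfa.duo[N]` properties and reports provider blocks that share an `id`, integration key or secret key, plus services that reference an undefined provider id. The function names, the `SERVICES` mapping and all key values are constructed placeholders.

```python
import re
from collections import defaultdict

# Matches indexed Duo provider properties such as cas.authn.mfa.duo[0].id=...
PROP = re.compile(r"^cas\.authn\.mfa\.duo\[(\d+)\]\.(\w+)\s*=\s*(.*)$")

def parse_duo_providers(text):
    """Group cas.authn.mfa.duo[N].* properties by index N."""
    providers = defaultdict(dict)
    for raw in text.splitlines():
        m = PROP.match(raw.strip())
        if m:  # comments and unrelated properties do not match
            idx, key, value = m.groups()
            providers[int(idx)][key] = value.strip()
    return dict(providers)

def lint(providers, service_refs):
    """Return findings about the provider blocks and the ids services reference."""
    findings = []
    seen = defaultdict(list)  # (field, value) -> provider indexes using it
    for idx, p in sorted(providers.items()):
        for field in ("id", "duoIntegrationKey", "duoSecretKey"):
            if field not in p:
                findings.append(f"duo[{idx}] is missing {field}")
            else:
                seen[(field, p[field])].append(idx)
    for (field, _), idxs in sorted(seen.items()):
        if len(idxs) > 1:  # report the field name only, never the key value
            findings.append(f"{field} shared by duo{idxs}")
    defined = {p.get("id") for p in providers.values()}
    for service, ids in sorted(service_refs.items()):
        for ref in sorted(ids - defined):
            findings.append(f"{service} references undefined provider {ref}")
    return findings

# Constructed sample: placeholder keys; duo[1] reuses duo[0]'s integration key
SAMPLE = """\
cas.authn.mfa.duo[0].duoSecretKey=SECRET-PLACEHOLDER-A
cas.authn.mfa.duo[0].duoIntegrationKey=IKEY-PLACEHOLDER-A
cas.authn.mfa.duo[0].id=mfa-duo
cas.authn.mfa.duo[1].duoSecretKey=SECRET-PLACEHOLDER-B
cas.authn.mfa.duo[1].duoIntegrationKey=IKEY-PLACEHOLDER-A
cas.authn.mfa.duo[1].id=mfa-duo2
"""
SERVICES = {"service1": {"mfa-duo"}, "service2": {"mfa-duo3"}}  # constructed

if __name__ == "__main__":
    for finding in lint(parse_duo_providers(SAMPLE), SERVICES):
        print(finding)
```
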
