Thanks Travis,
Moving to a newer version of CAS 5 is not an option for us now. Our Duo
rep said that he has customers doing what I asked but before I bug him
for help I was hoping someone on this list had this scenario working in
a 5.1 environment?
On 9/7/2018 2:48 PM, Travis Schmidt wrote:
This PR https://github.com/apereo/cas/pull/3498, against 5.3.x
addresses this issue.
On Fri, Sep 7, 2018 at 11:42 AM Brian Gibson
<gibson_br...@wheatoncollege.edu> wrote:
Hi all,
We have Duo working in our test CAS 5.1.2 environment. Now we'd
like to point different CAS-protected services at different Duo
Protected Applications so we can set different group policies for
each. I created 2 CAS applications inside Duo's admin portal, I
called them
"CAS ID=mfa-duo"
"CAS ID=mfa-duo2"
I then edited my cas.properties file and created a second set of
Duo settings, here is what it looks like with the important data
scrubbed out
cas.authn.mfa.duo[0].duoSecretKey=<Key-for CAS ID=mfa-duo>
cas.authn.mfa.duo[0].duoApplicationKey=<40 character random string>
cas.authn.mfa.duo[0].duoIntegrationKey=<Integration-Key-for CAS ID=mfa-duo>
cas.authn.mfa.duo[0].duoApiHost=<api-server-name>
cas.authn.mfa.duo[0].id=mfa-duo
cas.authn.mfa.duo[0].name=Duo_Profile1
cas.authn.mfa.duo[1].duoSecretKey=<Key-for CAS ID=mfa-duo2>
cas.authn.mfa.duo[1].duoApplicationKey=<different 40 character random string>
cas.authn.mfa.duo[1].duoIntegrationKey=<Integration-Key-for CAS ID=mfa-duo2>
cas.authn.mfa.duo[1].duoApiHost=<api-server-name>
cas.authn.mfa.duo[1].id=mfa-duo2
cas.authn.mfa.duo[1].name=Duo_Profile2
I then edited the .json files for 2 services and added these
sections for multifactor authentication, note the duo ID I am
referencing differently in each...
=========== Service 1============================
multifactorPolicy:
{
  @class: org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy
  multifactorAuthenticationProviders:
  [
    java.util.HashSet
    [
      mfa-duo
    ]
  ]
  failureMode: CLOSED
  principalAttributeNameTrigger: memberOf
  principalAttributeValueToMatch: <our AD group>
  bypassEnabled: false
}
===============================================
=========== Service 2============================
multifactorPolicy:
{
  @class: org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy
  multifactorAuthenticationProviders:
  [
    java.util.HashSet
    [
      mfa-duo2
    ]
  ]
  failureMode: CLOSED
  principalAttributeNameTrigger: memberOf
  principalAttributeValueToMatch: <our AD group>
  bypassEnabled: false
}
===============================================
When I log into both services I do get prompted to do 2 factor
auth but when I authenticate on my phone app they both list the
protected app named
"CAS ID=mfa-duo"
How do you get different CAS-protected services to point to
different CAS instances in Duo (and therefore different group
policies)?
Thanks!
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google
Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it,
send an email to cas-user+unsubscr...@apereo.org
<mailto:cas-user+unsubscr...@apereo.org>.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/6a4c87cd-8bda-58b7-d38f-04ef16532366%40wheatoncollege.edu
<https://groups.google.com/a/apereo.org/d/msgid/cas-user/6a4c87cd-8bda-58b7-d38f-04ef16532366%40wheatoncollege.edu?utm_medium=email&utm_source=footer>.
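Added example, not part of the thread and not CAS project code: a small cross-check of the configuration described above, confirming that every provider id a service's multifactorPolicy references is defined under cas.authn.mfa.duo[n] and that no two Duo entries share an id or integration key. The sample values are constructed placeholders, and the fallback id "mfa-duo" for an entry without an explicit id is an assumption. It only rules out configuration mistakes; it does not change how CAS 5.1 selects a provider.

```python
import re

# Constructed sample input in the thread's layout; every value is a placeholder.
CAS_PROPERTIES = """\
cas.authn.mfa.duo[0].duoIntegrationKey=IKEY-PLACEHOLDER-A
cas.authn.mfa.duo[0].id=mfa-duo
cas.authn.mfa.duo[1].duoIntegrationKey=IKEY-PLACEHOLDER-A
cas.authn.mfa.duo[1].id=mfa-duo2
"""
# Provider ids each service's multifactorPolicy references (constructed).
SERVICE_PROVIDERS = {"service1": ["mfa-duo"], "service2": ["mfa-duo3"]}

PROP = re.compile(r"^cas\.authn\.mfa\.duo\[(\d+)\]\.(\w+)\s*=\s*(.*)$")


def parse_duo_providers(text):
    """Return {index: {setting: value}} for each cas.authn.mfa.duo[n].* line."""
    providers = {}
    for line in text.splitlines():
        m = PROP.match(line.strip())
        if m:
            providers.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3).strip()
    return providers


def audit(properties_text, service_providers):
    """Report settings that would map a service to the wrong Duo application."""
    findings, seen_ids, seen_ikeys = [], {}, {}
    for idx, cfg in sorted(parse_duo_providers(properties_text).items()):
        # Assumption: a provider with no explicit id is treated as "mfa-duo".
        pid = cfg.get("id", "mfa-duo")
        ikey = cfg.get("duoIntegrationKey")
        if pid in seen_ids:
            findings.append(f"duo[{idx}] reuses id '{pid}' from duo[{seen_ids[pid]}]")
        seen_ids.setdefault(pid, idx)
        if ikey and ikey in seen_ikeys:
            findings.append(f"duo[{idx}] shares its integration key with duo[{seen_ikeys[ikey]}]")
        if ikey:
            seen_ikeys.setdefault(ikey, idx)
    for service, wanted in sorted(service_providers.items()):
        for pid in wanted:
            if pid not in seen_ids:
                findings.append(f"{service} references undefined provider '{pid}'")
    return findings


if __name__ == "__main__":
    for finding in audit(CAS_PROPERTIES, SERVICE_PROVIDERS):
        print(finding)
```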