Thanks Travis,

Moving to a newer version of CAS 5 is not an option for us now. Our Duo rep said that he has customers doing what I asked, but before I bug him for help I was hoping someone on this list had this scenario working in a 5.1 environment?




On 9/7/2018 2:48 PM, Travis Schmidt wrote:
This PR, https://github.com/apereo/cas/pull/3498, against 5.3.x addresses this issue.


On Fri, Sep 7, 2018 at 11:42 AM Brian Gibson <gibson_br...@wheatoncollege.edu> wrote:

    Hi all,

    We have Duo working in our test CAS 5.1.2 environment. Now we'd
    like to point different CAS-protected services at different Duo
    Protected Applications so we can set different group policies for
    each. I created 2 CAS applications inside Duo's admin portal, I
    called them

    "CAS ID=mfa-duo"
    "CAS ID=mfa-duo2"

    I then edited my cas.properties file and created a second set of
    Duo settings; here is what it looks like with the important data
    scrubbed out:

    cas.authn.mfa.duo[0].duoSecretKey=<Key-for CAS ID=mfa-duo>
    cas.authn.mfa.duo[0].duoApplicationKey=<40 character random string>
    cas.authn.mfa.duo[0].duoIntegrationKey=<Integration-Key-for CAS ID=mfa-duo>
    cas.authn.mfa.duo[0].duoApiHost=<api-server-name>
    cas.authn.mfa.duo[0].id=mfa-duo
    cas.authn.mfa.duo[0].name=Duo_Profile1

    cas.authn.mfa.duo[1].duoSecretKey=<Key-for CAS ID=mfa-duo2>
    cas.authn.mfa.duo[1].duoApplicationKey=<different 40 character random string>
    cas.authn.mfa.duo[1].duoIntegrationKey=<Integration-Key-for CAS ID=mfa-duo2>
    cas.authn.mfa.duo[1].duoApiHost=<api-server-name>
    cas.authn.mfa.duo[1].id=mfa-duo2
    cas.authn.mfa.duo[1].name=Duo_Profile2


    I then edited the .json files for 2 services and added these
    sections for multifactor authentication, note the duo ID I am
    referencing differently in each...

    =========== Service 1============================
      "multifactorPolicy" : {
        "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
        "multifactorAuthenticationProviders" : [ "java.util.HashSet", [ "mfa-duo" ] ],
        "failureMode" : "CLOSED",
        "principalAttributeNameTrigger" : "memberOf",
        "principalAttributeValueToMatch" : "<our AD group>",
        "bypassEnabled" : false
      }
    ===============================================
    =========== Service 2============================
      "multifactorPolicy" : {
        "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
        "multifactorAuthenticationProviders" : [ "java.util.HashSet", [ "mfa-duo2" ] ],
        "failureMode" : "CLOSED",
        "principalAttributeNameTrigger" : "memberOf",
        "principalAttributeValueToMatch" : "<our AD group>",
        "bypassEnabled" : false
      }
    ===============================================

    When I log into both services I do get prompted to do 2 factor
    auth but when I authenticate on my phone app they both list the
    protected app named

    "CAS ID=mfa-duo"

    How do you get different CAS-protected services to point to
    different CAS instances in Duo (and therefore different group
    policies)?

    Thanks!
    --
    - Website: https://apereo.github.io/cas
    - Gitter Chatroom: https://gitter.im/apereo/cas
    - List Guidelines: https://goo.gl/1VRrw7
    - Contributions: https://goo.gl/mh7qDG
    ---
    You received this message because you are subscribed to the Google
    Groups "CAS Community" group.
    To unsubscribe from this group and stop receiving emails from it,
    send an email to cas-user+unsubscr...@apereo.org.
    To view this discussion on the web visit
    https://groups.google.com/a/apereo.org/d/msgid/cas-user/6a4c87cd-8bda-58b7-d38f-04ef16532366%40wheatoncollege.edu
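A configuration lint for the layout Brian describes, added here as an example and not code from the thread or from the CAS project: it parses the cas.authn.mfa.duo[N].* entries, flags profiles that share an id, integration key or secret key (two profiles backed by one Duo application would show the same protected-app name in the Duo prompt), checks the 40-character application key, and confirms each service's multifactorAuthenticationProviders entry names a configured id. The property values, hostnames and the service-to-provider map are constructed placeholders.

```python
import re
from collections import defaultdict
# Constructed cas.properties excerpt in the thread's layout (placeholder credentials, not real ones); duo[1] deliberately reuses duo[0]'s integration key.
CAS_PROPERTIES = """
cas.authn.mfa.duo[0].duoSecretKey=SECRET-PLACEHOLDER-0
cas.authn.mfa.duo[0].duoApplicationKey=0123456789012345678901234567890123456789
cas.authn.mfa.duo[0].duoIntegrationKey=DIAAAAAAAAAAAAAAAAAA
cas.authn.mfa.duo[0].duoApiHost=api-placeholder.duosecurity.com
cas.authn.mfa.duo[0].id=mfa-duo
cas.authn.mfa.duo[1].duoSecretKey=SECRET-PLACEHOLDER-1
cas.authn.mfa.duo[1].duoApplicationKey=abcdefghijabcdefghijabcdefghijabcdefghij
cas.authn.mfa.duo[1].duoIntegrationKey=DIAAAAAAAAAAAAAAAAAA
cas.authn.mfa.duo[1].duoApiHost=api-placeholder.duosecurity.com
cas.authn.mfa.duo[1].id=mfa-duo2
"""
# Provider ids each service's multifactorPolicy references (constructed, mirrors the two JSON files above).
SERVICE_PROVIDERS = {"service1": ["mfa-duo"], "service2": ["mfa-duo2"]}

DUO_PROP = re.compile(r"^cas\.authn\.mfa\.duo\[(\d+)\]\.(\w+)=(.*)$")
REQUIRED = ("id", "duoIntegrationKey", "duoSecretKey", "duoApplicationKey", "duoApiHost")

def parse_duo_profiles(text):
    """Group cas.authn.mfa.duo[N].* properties by their index N."""
    profiles = defaultdict(dict)
    for line in text.splitlines():
        m = DUO_PROP.match(line.strip())
        if m:
            profiles[int(m.group(1))][m.group(2)] = m.group(3).strip()
    return dict(profiles)

def lint_duo_config(properties_text, service_providers):
    """Return human-readable findings; an empty list means the profiles are distinct and all referenced ids exist."""
    profiles = parse_duo_profiles(properties_text)
    findings, seen = [], defaultdict(dict)  # seen[field][value] -> first index using that value
    for idx, props in sorted(profiles.items()):
        findings += [f"duo[{idx}] is missing {k}" for k in REQUIRED if k not in props]
        if len(props.get("duoApplicationKey", "")) < 40:  # Duo Web SDK minimum akey length
            findings.append(f"duo[{idx}].duoApplicationKey is shorter than 40 characters")
        # Profiles sharing an id or a credential resolve to one Duo application, so both services would prompt under the same name.
        for k in ("id", "duoIntegrationKey", "duoSecretKey"):
            if k in props and props[k] in seen[k]:
                findings.append(f"duo[{idx}].{k} duplicates duo[{seen[k][props[k]]}]")
            elif k in props:
                seen[k][props[k]] = idx
    known_ids = {p["id"] for p in profiles.values() if "id" in p}
    for service, providers in service_providers.items():
        findings += [f"service {service!r} references unknown provider {p!r}"
                     for p in providers if p not in known_ids]
    return findings
```

Point properties_text at the real cas.properties and fill the service map from the JSON files; if the lint comes back clean and both services still show the same app name, the configuration is not at fault and the CAS version itself is the next thing to check, which is where the PR cited above comes in.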
