The first entry is what is used as the name for the auth context.  You most
likely authed against the second Duo, but it will just return the
first one.  I also think that the two are treated equally in an SSO
situation.  So one fills MFA requirement for the other and vice versa.

On Fri, Sep 7, 2018 at 12:41 PM Brian Gibson <
gibson_br...@wheatoncollege.edu> wrote:

> Thanks Travis,
>
> Moving to a newer version of CAS 5 is not an option for us now. Our Duo
> rep said that he has customers doing what I asked but before I bug him for
> help I was hoping someone on this list had this scenario working in a 5.1
> environment?
>
> On 9/7/2018 2:48 PM, Travis Schmidt wrote:
>
> This PR https://github.com/apereo/cas/pull/3498, against 5.3.x addresses
> this issue.
>
>
> On Fri, Sep 7, 2018 at 11:42 AM Brian Gibson <
> gibson_br...@wheatoncollege.edu> wrote:
>
>> Hi all,
>>
>> We have Duo working in our test CAS 5.1.2 environment. Now we'd like to
>> point different CAS-protected services at different Duo Protected
>> Applications so we can set different group policies for each. I created 2
>> CAS applications inside Duo's admin portal, I called them
>>
>> "CAS ID=mfa-duo"
>> "CAS ID=mfa-duo2"
>>
>> I then edited my cas.properties file and created a second set of Duo
>> settings, here is what it looks like with the important data scrubbed out
>>
>> cas.authn.mfa.duo[0].duoSecretKey=*<Key-for CAS ID=mfa-duo>*
>> cas.authn.mfa.duo[0].duoApplicationKey=*<40 character random string>*
>> cas.authn.mfa.duo[0].duoIntegrationKey=*<Integration-Key-for CAS ID=mfa-duo>*
>> cas.authn.mfa.duo[0].duoApiHost=*<api-server-name>*
>> cas.authn.mfa.duo[0].id=*mfa-duo*
>> cas.authn.mfa.duo[0].name=Duo_Profile1
>>
>> cas.authn.mfa.duo[1].duoSecretKey=*<Key-for CAS ID=mfa-duo2>*
>> cas.authn.mfa.duo[1].duoApplicationKey=*<different 40 character random string>*
>> cas.authn.mfa.duo[1].duoIntegrationKey=*<Integration-Key-for CAS ID=mfa-duo2>*
>> cas.authn.mfa.duo[1].duoApiHost=*<api-server-name>*
>> cas.authn.mfa.duo[1].id=*mfa-duo2*
>> cas.authn.mfa.duo[1].name=Duo_Profile2
>>
>>
>> I then edited the .json files for 2 services and added these sections for
>> multifactor authentication, note the duo ID I am referencing differently in
>> each...
>>
>> =========== Service 1============================
>>   multifactorPolicy:
>>   {
>>     @class: org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy
>>     multifactorAuthenticationProviders:
>>     [
>>       java.util.HashSet
>>       [
>>         *mfa-duo*
>>       ]
>>     ]
>>     failureMode: CLOSED
>>     principalAttributeNameTrigger: memberOf
>>     principalAttributeValueToMatch: *<our AD group>*
>>     bypassEnabled: false
>>   }
>> ===============================================
>> =========== Service 2============================
>>   multifactorPolicy:
>>   {
>>     @class: org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy
>>     multifactorAuthenticationProviders:
>>     [
>>       java.util.HashSet
>>       [
>>         *mfa-duo2*
>>       ]
>>     ]
>>     failureMode: CLOSED
>>     principalAttributeNameTrigger: memberOf
>>     principalAttributeValueToMatch: *<our AD group>*
>>     bypassEnabled: false
>>   }
>> ===============================================
>>
>> When I log into both services I do get prompted to do 2 factor auth but
>> when I authenticate on my phone app they both list the protected app named
>>
>> *"CAS ID=mfa-duo"*
>>
>> How do you get different CAS-protected services to point to different CAS
>> instances in Duo (and therefore different group policies)?
>>
>> Thanks!
>> --
>> - Website: https://apereo.github.io/cas
>> - Gitter Chatroom: https://gitter.im/apereo/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to cas-user+unsubscr...@apereo.org.
>> To view this discussion on the web visit
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/6a4c87cd-8bda-58b7-d38f-04ef16532366%40wheatoncollege.edu
>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/6a4c87cd-8bda-58b7-d38f-04ef16532366%40wheatoncollege.edu?utm_medium=email&utm_source=footer>
>> .
>>
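A static pre-check for the two-provider setup described in this thread, added here as an example and not part of the original messages or of CAS itself: it groups the `cas.authn.mfa.duo[N].*` properties by index and cross-checks them against the provider ids each service names, to rule out configuration mistakes before attributing the symptom to CAS. The function names, the placeholder values and the extra "Service 3" are constructed for illustration.

```python
import re
from collections import defaultdict
# Constructed sample modelled on the thread's cas.properties; every value is a placeholder.
SAMPLE_PROPERTIES = """\
cas.authn.mfa.duo[0].duoSecretKey=PLACEHOLDER_SECRET_A
cas.authn.mfa.duo[0].duoApplicationKey=PLACEHOLDER_APPKEY_A
cas.authn.mfa.duo[0].duoIntegrationKey=PLACEHOLDER_IKEY_A
cas.authn.mfa.duo[0].duoApiHost=api-placeholder.example.org
cas.authn.mfa.duo[0].id=mfa-duo
cas.authn.mfa.duo[1].duoSecretKey=PLACEHOLDER_SECRET_B
cas.authn.mfa.duo[1].duoIntegrationKey=PLACEHOLDER_IKEY_A
cas.authn.mfa.duo[1].duoApiHost=api-placeholder.example.org
cas.authn.mfa.duo[1].id=mfa-duo2
"""
# Constructed: provider ids as listed in each service's multifactorAuthenticationProviders.
SAMPLE_SERVICES = {"Service 1": ["mfa-duo"], "Service 2": ["mfa-duo2"], "Service 3": ["mfa-duo3"]}
REQUIRED = ("duoSecretKey", "duoApplicationKey", "duoIntegrationKey", "duoApiHost", "id")
LINE = re.compile(r"^cas\.authn\.mfa\.duo\[(\d+)\]\.(\w+)\s*=\s*(.*)$")

def parse_duo_entries(text):
    """Group cas.authn.mfa.duo[N].* properties by their index N."""
    entries = defaultdict(dict)
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            entries[int(m.group(1))][m.group(2)] = m.group(3).strip()
    return dict(entries)

def lint(properties_text, services):
    """Return a sorted list of findings for the Duo entries and the services using them."""
    entries, findings, seen = parse_duo_entries(properties_text), [], {}
    for idx in sorted(entries):
        entry = entries[idx]
        for key in REQUIRED:
            if not entry.get(key):
                findings.append(f"duo[{idx}] is missing {key}")
        # A shared id is ambiguous; a shared integration key is the same Duo application.
        for key in ("id", "duoIntegrationKey"):
            value = entry.get(key)
            if value and (key, value) in seen:
                findings.append(f"duo[{idx}] repeats {key} of duo[{seen[(key, value)]}]")
            elif value:
                seen[(key, value)] = idx
    known_ids = {e.get("id") for e in entries.values()}
    for service, providers in services.items():
        for provider in providers:
            if provider not in known_ids:
                findings.append(f"{service} references undefined provider {provider}")
    return sorted(findings)
```

An empty result means the properties and service definitions are consistent with each other; it says nothing about how a given CAS version selects the provider at run time.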