Yes, I created a new Duo protected application for this using their admin panels. I assume this is what you mean by new service? I'm not sure how I would check if the problem is on the Duo side though?
On Mon, Jul 24, 2023 at 6:41 AM Ray Bon <[email protected]> wrote: > Baron, > > Try creating a new service in Duo to check if the problem is on their side. > > Ray > > On Fri, 2023-07-21 at 15:02 -1000, Baron Fujimoto wrote: > > Notice: This message was sent from outside the University of Victoria > email system. Please be cautious with links and sensitive information. > > We're trying to upgrade from CAS 6.6 using the old Duo iFrame MFA to CAS 7 > using the new Duo Universal Prompt. > > In our CAS 6.6/iFrame version, we configured this with the following > properties: > > cas.authn.mfa.duo[0].duo-application-key=<private WebSDK integration key> > cas.authn.mfa.duo[0].duo-api-host=<Duo API hostname> > cas.authn.mfa.duo[0].duo-integration-key=<Duo integration key> > cas.authn.mfa.duo[0].duo-application-key=<Duo secret key> > > For our CAS 7/Universal Prompt version, we're using: > > cas.authn.mfa.duo[0].duo-api-host=<Duo API hostname> > cas.authn.mfa.duo[0].duo-integration-key=<Duo client ID> > cas.authn.mfa.duo[0].duo-application-key=<Duo client secret> > > Our duo-api-host does not differ for these two, and our Duo admin panel is > configured to "Show Universal Prompt" for our Duo application we reference > in our CAS 7 properties. > > However, after entering a username and password, we get the following > error: > === > MFA Provider Unavailable > > CAS was unable to reach your configured MFA provider at this time. Due to > failure policies configured for the service you are attempting to access, > authentication can not be granted at this time. > === > > Our CAS log reports: > WARN > [org.apereo.cas.adaptors.duo.authn.UniversalPromptDuoSecurityAuthenticationService] > - <invalid_client> > > Any ideas what we may have amiss or how we may further troubleshoot this? > > I've been using the following resources for reference: > Duo documentation – > - <https://duo.com/docs/universal-prompt-update-guide > <https://urldefense.com/v3/__https://duo.com/docs/universal-prompt-update-guide__;!!PvDODwlR4mBZyAb0!QTG6JSa0-4wePpngNr2LVrvV5are9o_U-9DlMHDVlN_PbaZ-B9xNd3IyYldETbWGaizJW4k9LuGc$> > > > - <https://duo.com/docs/cas#update-cas > <https://urldefense.com/v3/__https://duo.com/docs/cas*update-cas__;Iw!!PvDODwlR4mBZyAb0!QTG6JSa0-4wePpngNr2LVrvV5are9o_U-9DlMHDVlN_PbaZ-B9xNd3IyYldETbWGaizJW6-WyS_i$> > > > CAS documentation – > - < > https://apereo.github.io/cas/development/mfa/DuoSecurity-Authentication.html#universal-prompt > <https://urldefense.com/v3/__https://apereo.github.io/cas/development/mfa/DuoSecurity-Authentication.html*universal-prompt__;Iw!!PvDODwlR4mBZyAb0!QTG6JSa0-4wePpngNr2LVrvV5are9o_U-9DlMHDVlN_PbaZ-B9xNd3IyYldETbWGaizJW0G7Wbl8$> > > > Fawnoos documentation – > - < > https://fawnoos.com/2023/01/29/cas70x-duo-security-mfa-universal-prompt/ > <https://urldefense.com/v3/__https://fawnoos.com/2023/01/29/cas70x-duo-security-mfa-universal-prompt/__;!!PvDODwlR4mBZyAb0!QTG6JSa0-4wePpngNr2LVrvV5are9o_U-9DlMHDVlN_PbaZ-B9xNd3IyYldETbWGaizJW1sm2ICa$> > > > > I note that the Duo documentation says to create the Duo application type > as "CAS (Central Authentication Service)" whereas Fawnoos says to use > WebSDK. Does this matter? > -- > Baron Fujimoto <[email protected]> ::: UH Information Technology Services > minutas cantorum, minutas balorum, minutas carboratum descendus pantorum > > > -- > - Website: https://apereo.github.io/cas > <https://urldefense.com/v3/__https://apereo.github.io/cas__;!!PvDODwlR4mBZyAb0!QTG6JSa0-4wePpngNr2LVrvV5are9o_U-9DlMHDVlN_PbaZ-B9xNd3IyYldETbWGaizJW5pjucQZ$> > - Gitter Chatroom: https://gitter.im/apereo/cas > <https://urldefense.com/v3/__https://gitter.im/apereo/cas__;!!PvDODwlR4mBZyAb0!QTG6JSa0-4wePpngNr2LVrvV5are9o_U-9DlMHDVlN_PbaZ-B9xNd3IyYldETbWGaizJW1mTPZ7I$> > - List Guidelines: https://goo.gl/1VRrw7 > <https://urldefense.com/v3/__https://goo.gl/1VRrw7__;!!PvDODwlR4mBZyAb0!QTG6JSa0-4wePpngNr2LVrvV5are9o_U-9DlMHDVlN_PbaZ-B9xNd3IyYldETbWGaizJW0Nuzh3a$> > - Contributions: https://goo.gl/mh7qDG > <https://urldefense.com/v3/__https://goo.gl/mh7qDG__;!!PvDODwlR4mBZyAb0!QTG6JSa0-4wePpngNr2LVrvV5are9o_U-9DlMHDVlN_PbaZ-B9xNd3IyYldETbWGaizJW8-Sx0_R$> > --- > You received this message because you are subscribed to the Google Groups > "CAS Community" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/a/apereo.org/d/msgid/cas-user/2e9eb8d5db6882c1553ad81aceb51465d10c6646.camel%40uvic.ca > <https://urldefense.com/v3/__https://groups.google.com/a/apereo.org/d/msgid/cas-user/2e9eb8d5db6882c1553ad81aceb51465d10c6646.camel*40uvic.ca?utm_medium=email&utm_source=footer__;JQ!!PvDODwlR4mBZyAb0!QTG6JSa0-4wePpngNr2LVrvV5are9o_U-9DlMHDVlN_PbaZ-B9xNd3IyYldETbWGaizJW83Bjqu4$> > . > -- Baron Fujimoto <[email protected]> ::: UH Information Technology Services minutas cantorum, minutas balorum, minutas carboratum descendus pantorum -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAAjLUL3LbTMitmiBnuEtBqheyrA7S7_0dombq0aEruOa%3Dh9qnQ%40mail.gmail.com.
