Ok, error was apparently a typo in the copied client secret from Duo; I think I probably inadvertently introduced an extra char or something when pasting the string from my clipboard – it wasn't obvious since Duo only displays the last four characters in their UI. But when I copied and pasted the obscured string again into the CAS config, voila. Mea culpa... *sigh* ¯\_(ツ)_/¯

On Mon, Jul 24, 2023 at 8:54 AM Baron Fujimoto <[email protected]> wrote:

> Yes, I created a new Duo protected application for this using their admin
> panels. I assume this is what you mean by new service? I'm not sure how I
> would check if the problem is on the Duo side though?
>
> On Mon, Jul 24, 2023 at 6:41 AM Ray Bon <[email protected]> wrote:
>
>> Baron,
>>
>> Try creating a new service in Duo to check if the problem is on their
>> side.
>>
>> Ray
>>
>> On Fri, 2023-07-21 at 15:02 -1000, Baron Fujimoto wrote:
>>
>> We're trying to upgrade from CAS 6.6 using the old Duo iFrame MFA to CAS
>> 7 using the new Duo Universal Prompt.
>>
>> In our CAS 6.6/iFrame version, we configured this with the following
>> properties:
>>
>> cas.authn.mfa.duo[0].duo-application-key=<private WebSDK integration key>
>> cas.authn.mfa.duo[0].duo-api-host=<Duo API hostname>
>> cas.authn.mfa.duo[0].duo-integration-key=<Duo integration key>
>> cas.authn.mfa.duo[0].duo-application-key=<Duo secret key>
>>
>> For our CAS 7/Universal Prompt version, we're using:
>>
>> cas.authn.mfa.duo[0].duo-api-host=<Duo API hostname>
>> cas.authn.mfa.duo[0].duo-integration-key=<Duo client ID>
>> cas.authn.mfa.duo[0].duo-application-key=<Duo client secret>
>>
>> Our duo-api-host does not differ for these two, and our Duo admin panel
>> is configured to "Show Universal Prompt" for our Duo application we
>> reference in our CAS 7 properties.
>>
>> However, after entering a username and password, we get the following
>> error:
>> ===
>> MFA Provider Unavailable
>>
>> CAS was unable to reach your configured MFA provider at this time. Due to
>> failure policies configured for the service you are attempting to access,
>> authentication can not be granted at this time.
>> ===
>>
>> Our CAS log reports:
>> WARN
>> [org.apereo.cas.adaptors.duo.authn.UniversalPromptDuoSecurityAuthenticationService]
>> - <invalid_client>
>>
>> Any ideas what we may have amiss or how we may further troubleshoot this?
>>
>> I've been using the following resources for reference:
>> Duo documentation –
>> - <https://duo.com/docs/universal-prompt-update-guide>
>> - <https://duo.com/docs/cas#update-cas>
>> CAS documentation –
>> - <https://apereo.github.io/cas/development/mfa/DuoSecurity-Authentication.html#universal-prompt>
>> Fawnoos documentation –
>> - <https://fawnoos.com/2023/01/29/cas70x-duo-security-mfa-universal-prompt/>
>>
>> I note that the Duo documentation says to create the Duo application type
>> as "CAS (Central Authentication Service)" whereas Fawnoos says to use
>> WebSDK. Does this matter?
>>
>> --
>> Baron Fujimoto <[email protected]> ::: UH Information Technology Services
>> minutas cantorum, minutas balorum, minutas carboratum descendus pantorum
>>
>> --
>> - Website: https://apereo.github.io/cas
>> - Gitter Chatroom: https://gitter.im/apereo/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To view this discussion on the web visit
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/2e9eb8d5db6882c1553ad81aceb51465d10c6646.camel%40uvic.ca

--
Baron Fujimoto <[email protected]> ::: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum descendus pantorum
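
Added example, not part of the original thread and not CAS or Duo code: a small linter that catches the kind of paste error described above (an extra or invisible character in a Duo credential) and the duplicated property key visible in the quoted 6.6 configuration, without ever printing the secret. The property names are the ones shown in the thread; the expected lengths (20-character client ID, 40-character client secret) and the sample values are assumptions constructed for illustration.

```python
import re

# Property names as they appear in the thread's CAS 7 configuration.
# Expected lengths are an assumption (20-char client ID, 40-char client secret);
# adjust them if your Duo credentials use a different format.
EXPECTED_LEN = {"duo-integration-key": 20, "duo-application-key": 40}
PROP = re.compile(r"^(cas\.authn\.mfa\.duo\[\d+\]\.([\w-]+))\s*=(.*)$")

def lint_duo_properties(text):
    """Return (line_no, key, problem) tuples; property values are never echoed."""
    findings, seen = [], {}
    for no, raw in enumerate(text.split("\n"), 1):
        m = PROP.match(raw.lstrip())
        if not m:
            continue
        key, name, value = m.groups()
        if key in seen:  # a later duplicate silently overrides the earlier line
            findings.append((no, key, f"duplicate of line {seen[key]}"))
        seen[key] = no
        if value != value.strip():
            findings.append((no, key, "leading or trailing whitespace"))
        hidden = sum(1 for c in value.strip()
                     if not (c.isascii() and c.isprintable()))
        if hidden:  # e.g. a zero-width space picked up from the clipboard
            findings.append((no, key, f"{hidden} non-printable or non-ASCII character(s)"))
        want = EXPECTED_LEN.get(name)
        if want is not None and len(value) != want:
            findings.append((no, key, f"length {len(value)}, expected {want}"))
    return findings

# Constructed sample: the secret carries one invisible zero-width space.
SAMPLE = "\n".join([
    "cas.authn.mfa.duo[0].duo-api-host=api-XXXXXXXX.duosecurity.com",
    "cas.authn.mfa.duo[0].duo-integration-key=" + "DI" + "X" * 18,
    "cas.authn.mfa.duo[0].duo-application-key=" + "s" * 40 + "\u200b",
])

if __name__ == "__main__":
    for line_no, key, problem in lint_duo_properties(SAMPLE):
        print(f"line {line_no}: {key}: {problem}")
```

Running such a check against the properties file before restarting CAS separates a malformed credential from a genuine problem on the Duo side when the log shows `invalid_client`.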
