We utilize Duo with CAS too. We plan to upgrade to 7.3.0 in January. If you need more time you can reach out to Duo support for an extension. I believe the final cutoff date for extenders is March 31st, but for everyone else it is February 2nd.
On Friday, December 19, 2025 at 3:33:18 PM UTC-5 Ray Bon wrote: > Baron, > > The duo versions for java are here > https://help.duo.com/s/article/9451?language=en_US#api-clients > Cas 7.2.x does not have the minimums, and the last commit was late > September. > Anyone wanting to use duo will have to upgrade to 7.3.x > See line 56 in > https://github.com/apereo/cas/blob/7.3.x/gradle/libs.versions.toml > > Ray > ------------------------------ > *From:* [email protected] <[email protected]> on behalf of Baron > Fujimoto <[email protected]> > *Sent:* December 19, 2025 08:56 > *To:* CAS Community <[email protected]> > *Subject:* [cas-user] Re: Duo root certificate authority bundle > replacement? > > Following up with additional information. We now believe the Duo > Unsupported Client reports actually do implicate CAS. Initially we were > dissuaded because the Client IP in these reports were not known to be > associated with our CAS servers, but we've since learned that all the > servers' traffic was NAT'd behind the reported IP. > > I don't recall seeing this issue being discussed previously on the list, > but this seems like a significant issue for those using > "cas-server-support-duo". Are such users actually just rare, or is everyone > already running CAS 7.3? > > On Thu, Dec 18, 2025 at 5:40 PM Baron Fujimoto <[email protected]> wrote: > > We are currently running CAS 7.0.x with the "cas-server-support-duo" > dependency in our build.gradle overlay. > > In response to an advisory from Duo re "Duo root certificate authority > bundle replacement" (action required by 2025-02-02) > > <https://help.duo.com/s/article/9451> > > We tried to determine if we were affected by this. Duo reports in our > Unsupported Clients log many entries that are tied to our Identification > Key for the Duo app used by our CAS service. It's unclear to us though > whether these entries represented CAS itself, or clients using our CAS > service. > > Our initial analysis suggested to us that these entries represented CAS > clients using our CAS service. However, we received the following response > to our query to Duo support: > > *With CAS, since this is a third party application that has integrated > Duo, our team recently got a confirmation from CAS that they have made an > update available for the upcoming CA bundle replacement, and you must > perform some upgrade or configuration action to use it.* > > > And they provided links to the CAS 7.3.0 Duo Security MFA documentation: > <https://apereo.github.io/cas/7.3.x/mfa/DuoSecurity-Authentication.html> > > So is the CAS server actually affected by this issue if using > "cas-server-support-duo"? If so, what is the minimum CAS server version > required to address this? If there are release notes or something > comparable that covers this, a pointer to those would be appreciated as > well. > > -- > Baron Fujimoto <[email protected]> ::: UH Information Technology Services > minutas cantorum, minutas balorum, minutas carboratum descendus pantorum > > -- > - Website: https://apereo.github.io/cas > - List Guidelines: https://goo.gl/1VRrw7 > - Contributions: https://goo.gl/mh7qDG > --- > You received this message because you are subscribed to the Google Groups > "CAS Community" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion visit > https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAAjLUL0JdPHB41TGic9YN_kYWQp_dkrRq0awoATj-xe-RzAUAA%40mail.gmail.com > > <https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAAjLUL0JdPHB41TGic9YN_kYWQp_dkrRq0awoATj-xe-RzAUAA%40mail.gmail.com?utm_medium=email&utm_source=footer> > . > -- - Website: https://apereo.github.io/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/7e09b24a-5b03-4f1d-8060-0118bc6cd6aan%40apereo.org.
