Re: [cas-user] Point CAS apps at different Duo protected applications (group policies)

2018-12-07 Thread Mukunthini Jeyakumar
Thanks Travis 

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/2a9c8d0b-9cc7-40f5-b103-0b9e3c93c937%40apereo.org.


Re: [cas-user] Point CAS apps at different Duo protected applications (group policies)

2018-12-06 Thread Travis Schmidt
Yes that would indeed be the case.  Also if you need to use multiple Duo
instances, I think you would have better luck with the latest 5.3.6 release
for both CAS and CAS Management which was moved to its own repository
starting with 5.3: https://github.com/apereo/cas-management

Travis

On Thu, Dec 6, 2018 at 10:56 AM Mukunthini Jeyakumar 
wrote:

> Hi Travis,
>
> Does management webapp work with discovery endpoint only in cas 5.3? I'm
> using CAS 5.2.8
>



Re: [cas-user] Point CAS apps at different Duo protected applications (group policies)

2018-12-06 Thread Mukunthini Jeyakumar
Hi Travis,

Does management webapp work with discovery endpoint only in cas 5.3? I'm 
using CAS 5.2.8



Re: [cas-user] Point CAS apps at different Duo protected applications (group policies)

2018-11-29 Thread Mukunthini Jeyakumar


There are 2 getopt jars, java-getopt looks good, the other one was corrupted.

Download getopt-1.0.13.jar from 
https://mvnrepository.com/artifact/gnu-getopt/getopt/1.0.13, it worked

Thanks Ray.



Hi Travis,


Now I've the Discovery endpoint configured, I can see 2 mfa service provider 
types but both mapped to "Duo security" in mgmt. webapp

"mfa-duo2|mfa-duo":"Duo Security|Duo Security"


https://cas-sever.com/cas/status/discovery


{
  "profile": {
    "registeredServiceTypes": {
      "SAML2 Service Provider": "org.apereo.cas.support.saml.services.SamlRegisteredService",
      "CAS Client": "org.apereo.cas.services.RegexRegisteredService"
    },
    "multifactorAuthenticationProviderTypes": {
      "mfa-duo2|mfa-duo": "Duo Security|Duo Security"
    },
    "registeredServiceTypesSupported": {
      "SAML2 Service Provider": "org.apereo.cas.support.saml.services.SamlRegisteredService",
      "WS Federation Relying Party": "org.apereo.cas.ws.idp.services.WSFederationRegisteredService",
      "OpenID Connect Relying Party": "org.apereo.cas.services.OidcRegisteredService",
      "OAuth2 Client": "org.apereo.cas.support.oauth.services.OAuthRegisteredService",
      "CAS Client": "org.apereo.cas.services.RegexRegisteredService"
    },
    "multifactorAuthenticationProviderTypesSupported": {
      "mfa-gauth": "Google Authenticator",
      "mfa-swivel": "Swivel Secure",
      "mfa-yubikey": "YubiKey",
      "mfa-authy": "Authy",
      "mfa-radius": "RADIUS (RSA,WiKID)",
      "mfa-u2f": "FIDO U2F",
      "mfa-duo": "Duo Security",
      "mfa-azure": "Microsoft Azure"
    }
  }
}



Here is the mfa provider config


cas.authn.mfa.duo[0].id=mfa-duo
cas.authn.mfa.duo[0].name=Duo_Allow
cas.authn.mfa.duo[0].duoApiHost=api-dcc11a82.duosecurity.com
cas.authn.mfa.duo[0].duoIntegrationKey=xxx
cas.authn.mfa.duo[0].duoSecretKey=x
cas.authn.mfa.duo[0].duoApplicationKey=xxx

cas.authn.mfa.duo[1].id=mfa-duo2
cas.authn.mfa.duo[1].name=Duo_Deny
cas.authn.mfa.duo[1].duoApiHost=api-dcc11a82.duosecurity.com
cas.authn.mfa.duo[1].duoIntegrationKey=xx
cas.authn.mfa.duo[1].duoSecretKey=xxxff
cas.authn.mfa.duo[1].duoApplicationKey=x


Any config required on management properties to map those profiles?


Thanks


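
A consistency check for the setup discussed in this thread, added here as an example and not code from any poster or from the CAS project: it reads the cas.authn.mfa.duo[N] entries, the discovery profile JSON and each service's provider ids, and reports mismatches. The function names, the placeholder keys and the splitting of discovery keys on '|' are assumptions of this example.

```python
import json
import re

# Matches lines such as: cas.authn.mfa.duo[1].id=mfa-duo2
DUO_LINE = re.compile(r"^cas\.authn\.mfa\.duo\[(\d+)\]\.(\w+)\s*[=:]\s*(.*)$")

# Constructed sample input: ids and names follow the thread, keys are placeholders.
SAMPLE_PROPERTIES = """\
cas.authn.mfa.duo[0].id=mfa-duo
cas.authn.mfa.duo[0].name=Duo_Allow
cas.authn.mfa.duo[0].duoIntegrationKey=IKEY-PLACEHOLDER-A
cas.authn.mfa.duo[1].id=mfa-duo2
cas.authn.mfa.duo[1].name=Duo_Deny
cas.authn.mfa.duo[1].duoIntegrationKey=IKEY-PLACEHOLDER-A
"""
SAMPLE_DISCOVERY = json.dumps({"profile": {"multifactorAuthenticationProviderTypes": {
    "mfa-duo2|mfa-duo": "Duo Security|Duo Security"}}})
# Provider ids taken from each service's multifactorPolicy (constructed).
SAMPLE_SERVICES = {"service-1": ["mfa-duo"], "service-2": ["mfa-duo3"]}


def parse_duo_providers(properties_text):
    """Return {index: {field: value}} for every cas.authn.mfa.duo[N].* line."""
    providers = {}
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        m = DUO_LINE.match(line)
        if m:
            index, field, value = int(m.group(1)), m.group(2), m.group(3).strip()
            providers.setdefault(index, {})[field] = value
    return providers


def advertised_ids(discovery_text):
    """Map each provider id in the discovery profile to the key it appeared under.

    The output quoted in the thread joins ids with '|' inside one key, so keys
    are split on '|' (an assumption drawn from that output only).
    """
    profile = json.loads(discovery_text)["profile"]
    seen = {}
    for key in profile.get("multifactorAuthenticationProviderTypes", {}):
        for provider_id in key.split("|"):
            seen[provider_id.strip()] = key
    return seen


def audit(properties_text, discovery_text, service_providers):
    """Return sorted findings; service_providers maps service name -> provider ids."""
    findings = []
    by_id, by_ikey = {}, {}
    for index, fields in sorted(parse_duo_providers(properties_text).items()):
        pid = fields.get("id")
        if not pid:
            findings.append(f"duo[{index}]: no id set")
            continue
        if pid in by_id:
            findings.append(f"duo[{index}]: id {pid} already used by duo[{by_id[pid]}]")
        by_id.setdefault(pid, index)
        ikey = fields.get("duoIntegrationKey")
        if ikey and ikey in by_ikey:
            # The integration key identifies the protected application in Duo.
            findings.append(f"duo[{index}]: same integration key as duo[{by_ikey[ikey]}], "
                            "so both resolve to one Duo protected application")
        if ikey:
            by_ikey.setdefault(ikey, index)
    advertised = advertised_ids(discovery_text)
    for pid in by_id:
        if pid not in advertised:
            findings.append(f"{pid}: configured but not advertised by discovery")
        elif "|" in advertised[pid]:
            findings.append(f"{pid}: advertised under merged key '{advertised[pid]}'")
    for service, wanted in sorted(service_providers.items()):
        for pid in wanted:
            if pid not in by_id:
                findings.append(f"{service}: references unknown provider {pid}")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_PROPERTIES, SAMPLE_DISCOVERY, SAMPLE_SERVICES):
        print(finding)
```
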


Re: [cas-user] Point CAS apps at different Duo protected applications (group policies)

2018-11-28 Thread Ray Bon
It could be a problem with the remote repo or a corrupt cache somewhere between 
you and the source.
You can install manually. Get files from 
http://central.maven.org/maven2/gnu/getopt/java-getopt/1.0.13/

Ray

On Wed, 2018-11-28 at 12:48 -0800, Mukunthini Jeyakumar wrote:
Hi,

I've tried deleting  getopt folder and even tried delete the whole repository : 
/root/.m2/repository, didn't help
This error only appear if I add the discovery profile dependency, If I remove I 
don't see it.

Thanks

--
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca



Re: [cas-user] Point CAS apps at different Duo protected applications (group policies)

2018-11-28 Thread Mukunthini Jeyakumar
 Hi,

I've tried deleting  getopt folder and even tried delete the whole 
repository : /root/.m2/repository, didn't help
This error only appear if I add the discovery profile dependency, If I 
remove I don't see it.

Thanks



Re: [cas-user] Point CAS apps at different Duo protected applications (group policies)

2018-11-28 Thread Mukunthini Jeyakumar
 I've tried deleting getopt folder and the whole repository download dir 
/root/.m2/repository, didn't help.
If I remove the dependency "cas-server-support-discovery-profile", the 
build works.

Thanks



Re: [cas-user] Point CAS apps at different Duo protected applications (group policies)

2018-11-28 Thread Ray Bon
Mukunthini,

That error means that your install of getopt is corrupt (there should be no 
body tag in pom). You can delete the getopt folder and next build it will be 
downloaded again.

Ray

On Wed, 2018-11-28 at 11:49 -0800, Mukunthini Jeyakumar wrote:
Hi Travis,

When I add the dependency in pom.xml for discovery profile 
(https://apereo.github.io/cas/5.2.x/installation/Configuration-Discovery.html), 
got issues on maven build.


<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-discovery-profile</artifactId>
    <version>${cas.version}</version>
</dependency>


here is the error/warning I'm getting

[WARNING] The POM for gnu-getopt:getopt:jar:1.0.13 is invalid, transitive 
dependencies (if any) will not be available: 1 problem was encountered while 
building the effective model
[FATAL] Non-parseable POM 
/root/.m2/repository/gnu-getopt/getopt/1.0.13/getopt-1.0.13.pom: end tag name 
 must match start tag name  from line 888 (position: START_TAG seen 
...  08-Nov-2014 19:04 207\r\n... 
@888:18)  @ line 888, column 18


Thanks

--
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca

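
One way to find cached POMs like the corrupt getopt one described above, as an added example (not from the thread or from Maven): it flags .pom files under a repository directory that are not well-formed XML with a project root element. The sample files, their paths and the function names are constructed for this example.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed samples: one valid POM and three non-POM files saved with a .pom name.
SAMPLE_FILES = {
    "example/good/1.0/good-1.0.pom":
        '<project xmlns="http://maven.apache.org/POM/4.0.0">'
        "<modelVersion>4.0.0</modelVersion></project>",
    "example/bad/1.0/bad-1.0.pom":
        "<html><body><hr>\n01-Jan-2000 00:00 1\n</body></html>",
    "example/html/1.0/html-1.0.pom":
        "<html><body><p>moved</p></body></html>",
    "example/doctype/1.0/doctype-1.0.pom":
        "<!DOCTYPE html><html></html>",
}


def check_pom(path):
    """Return None if the file looks like a Maven POM, else a reason string."""
    with open(path, "rb") as handle:
        data = handle.read()
    # POMs carry no DOCTYPE; HTML pages usually do. Rejecting it up front also
    # keeps entity declarations away from the XML parser.
    if b"<!DOCTYPE" in data.upper():
        return "contains a DOCTYPE declaration"
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return f"not well-formed XML ({exc})"
    local_name = root.tag.rsplit("}", 1)[-1]  # drop the {namespace} prefix
    if local_name != "project":
        return f"root element is <{local_name}>, expected <project>"
    return None


def scan_repository(repo_root):
    """Walk a local repository and return {relative pom path: reason}."""
    bad = {}
    for folder, _dirs, files in os.walk(repo_root):
        for name in files:
            if name.endswith(".pom"):
                full = os.path.join(folder, name)
                reason = check_pom(full)
                if reason:
                    rel = os.path.relpath(full, repo_root).replace(os.sep, "/")
                    bad[rel] = reason
    return bad


def demo():
    """Write the constructed samples to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as repo_root:
        for rel, text in SAMPLE_FILES.items():
            full = os.path.join(repo_root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as handle:
                handle.write(text)
        return scan_repository(repo_root)


if __name__ == "__main__":
    for pom, reason in sorted(demo().items()):
        print(f"{pom}: {reason}")
```

To check a real cache, call scan_repository() on the local repository directory; a flagged artifact folder can then be deleted so the next build downloads it again, as suggested above.
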


Re: [cas-user] Point CAS apps at different Duo protected applications (group policies)

2018-11-28 Thread Mukunthini Jeyakumar
Hi Travis,

When I add the dependency in pom.xml for discovery profile 
(https://apereo.github.io/cas/5.2.x/installation/Configuration-Discovery.html), 
got issues on maven build.


<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-discovery-profile</artifactId>
    <version>${cas.version}</version>
</dependency>
 

here is the error/warning I'm getting

[WARNING] The POM for gnu-getopt:getopt:jar:1.0.13 is invalid, transitive 
dependencies (if any) will not be available: 1 problem was encountered 
while building the effective model
[FATAL] Non-parseable POM 
/root/.m2/repository/gnu-getopt/getopt/1.0.13/getopt-1.0.13.pom: end tag 
name  must match start tag name  from line 888 (position: 
START_TAG seen ...  08-Nov-2014 19:04 
207\r\n... @888:18)  @ line 888, column 18


Thanks



Re: [cas-user] Point CAS apps at different Duo protected applications (group policies)

2018-11-28 Thread Mukunthini Jeyakumar
Hi Travis,

I've all the monitoring endpoints enabled already in cas properties.

cas.monitor.endpoints.enabled:  true
endpoints.enabled:  true
# Mark the endpoints not sensitive
cas.monitor.endpoints.sensitive:false
endpoints.sensitive:false
 
I've tried to enable discovery endpoints specifically, didn't work either.
cas.monitor.endpoints.discovery.enabled:true
cas.monitor.endpoints.discovery.sensitive:  false

here are the 2 duo profiles I have,

cas.authn.mfa.duo[0].id=mfa-duo
cas.authn.mfa.duo[0].name=Duo_Allow
cas.authn.mfa.duo[0].duoApiHost=api-dcc11a82.duosecurity.com
cas.authn.mfa.duo[0].duoIntegrationKey=xxx
cas.authn.mfa.duo[0].duoSecretKey=xxx
cas.authn.mfa.duo[0].duoApplicationKey=xxx

cas.authn.mfa.duo[1].id=mfa-duo2
cas.authn.mfa.duo[1].name=Duo_Deny
cas.authn.mfa.duo[1].duoApiHost=api-dcc11a82.duosecurity.com
cas.authn.mfa.duo[1].duoIntegrationKey=
cas.authn.mfa.duo[1].duoSecretKey=
cas.authn.mfa.duo[1].duoApplicationKey=x

Anything need to be added in management properties? 

Thanks



Re: [cas-user] Point CAS apps at different Duo protected applications (group policies)

2018-11-14 Thread Travis Schmidt
They would only show in the mgmt webapp if you have configured the
cas/status/discovery endpoint on your cas-server and the mgmt webapp server
is able to reach it on startup.  Otherwise only default values are shown.



On Wed, Nov 14, 2018 at 11:37 AM Mukunthini Jeyakumar 
wrote:

> Hi Travis,
>
> I'm in the same situation trying to configure multiple duo instances to
> apply different duo group policies.  I've configured cas.properties with 2
> duo instances and those are not showing up on management webapp to select
> as Multifactor Provider. I'm using cas 5.2.8 and JPA service registry.
>
> Thanks
> Thini
>



Re: [cas-user] Point CAS apps at different Duo protected applications (group policies)

2018-11-14 Thread Mukunthini Jeyakumar

Hi Travis,

I'm in the same situation trying to configure multiple duo instances to 
apply different duo group policies.  I've configured cas.properties with 2 
duo instances and those are not showing up on management webapp to select 
as Multifactor Provider. I'm using cas 5.2.8 and JPA service registry.

Thanks
Thini



Re: [cas-user] Point CAS apps at different Duo protected applications (group policies)

2018-11-14 Thread Mukunthini Jeyakumar
Hi Travis,

I'm in the same situation trying to configure multiple duo instances to 
apply different duo group policies.  I've configured cas.properties with 2 
duo instances and those are not showing up on management webapp to select 
as Multifactor Provider. I'm using cas 5.2.8 and JPA service registry.

Thanks
Thini

On Friday, September 7, 2018 at 4:00:44 PM UTC-4, Travis Schmidt wrote:

> The first entry is what is used as the name for the auth context.  You 
> most likely authed against the second Duo, but it will just return 
> the first one.  I also think that the two are treated equally in an sso 
> situation.  So one fills MFA requirement for the other and vice versa.
>
> On Fri, Sep 7, 2018 at 12:41 PM Brian Gibson  > wrote:
>
>> Thanks Travis,
>>
>> Moving to a newer version of CAS 5 is not an option for us now. Our Duo 
>> rep said that he has customers doing what I asked but before I bug him for 
>> help I was hoping someone on this list had this scenario working in a 5.1 
>> environment?
>>
>>
>>
>>
>>
>> On 9/7/2018 2:48 PM, Travis Schmidt wrote:
>>
>> This PR https://github.com/apereo/cas/pull/3498, against 5.3.x addresses 
>> this issue.   
>>
>>
>> On Fri, Sep 7, 2018 at 11:42 AM Brian Gibson <
>> gibson...@wheatoncollege.edu > wrote:
>>
>>> Hi all,
>>>
>>> We have Duo working in our test CAS 5.1.2 environment. Now we'd like to 
>>> point different CAS-protected services at different Duo Protected 
>>> Applications so we can set different group policies for each. I created 2 
>>> CAS applications inside Duo's admin portal, I called them 
>>>
>>> "CAS ID=mfa-duo"
>>> "CAS ID=mfa-duo2"
>>>
>>> I then edited my cas.properties file and created a second set of Duo 
>>> settings, here is what it looks like with the important data scrubbed out
>>>
>>> cas.authn.mfa.duo[0].duoSecretKey=**
>>> cas.authn.mfa.duo[0].duoApplicationKey=*<40 character random string>*
>>> cas.authn.mfa.duo[0].duoIntegrationKey=*>> ID=mfa-duo>*
>>> cas.authn.mfa.duo[0].duoApiHost=**
>>> cas.authn.mfa.duo[0].id=*mfa-duo*
>>> cas.authn.mfa.duo[0].name=Duo_Profile1
>>>
>>> cas.authn.mfa.duo[1].duoSecretKey=**
>>> cas.authn.mfa.duo[1].duoApplicationKey=*>> string>*
>>> cas.authn.mfa.duo[1].duoIntegrationKey=*>> ID=mfa-duo2>*
>>> cas.authn.mfa.duo[1].duoApiHost=**
>>> cas.authn.mfa.duo[1].id=*mfa-duo2*
>>> cas.authn.mfa.duo[1].name=Duo_Profile2
>>>
>>>
>>> I then edited the .json files for 2 services and added these sections 
>>> for multifactor authentication, note the duo ID I am referencing 
>>> differently in each...
>>>
>>> === Service 1
>>>   multifactorPolicy:
>>>   {
>>> @class: 
>>> org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy
>>> multifactorAuthenticationProviders:
>>> [
>>>   java.util.HashSet
>>>   [
>>> *mfa-duo*
>>>   ]
>>> ]
>>> failureMode: CLOSED
>>> principalAttributeNameTrigger: memberOf
>>> principalAttributeValueToMatch: **
>>> bypassEnabled: false
>>>   }
>>> ===
>>> === Service 2
>>>   multifactorPolicy:
>>>   {
>>> @class: 
>>> org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy
>>> multifactorAuthenticationProviders:
>>> [
>>>   java.util.HashSet
>>>   [
>>> *mfa-duo2*
>>>   ]
>>> ]
>>> failureMode: CLOSED
>>> principalAttributeNameTrigger: memberOf
>>> principalAttributeValueToMatch: **
>>> bypassEnabled: false
>>>   }
>>> ===
>>>
>>> When I log into both services I do get prompted to do 2 factor auth but 
>>> when I authenticate on my phone app they both list the protected app named 
>>>
>>> *"CAS ID=mfa-duo"*
>>>
>>> How do you get different CAS-protected services to point to different 
>>> CAS instances in Duo (and therefore different group policies)?
>>>
>>> Thanks!

Re: [cas-user] Point CAS apps at different Duo protected applications (group policies)

2018-09-07 Thread Travis Schmidt
The first entry is what is used as the name for the auth context.  You most
likely authed against the second Duo, but it will just return the
first one.  I also think that the two are treated equally in an sso
situation.  So one fills MFA requirement for the other and vice versa.

On Fri, Sep 7, 2018 at 12:41 PM Brian Gibson <
gibson_br...@wheatoncollege.edu> wrote:

> Thanks Travis,
>
> Moving to a newer version of CAS 5 is not an option for us now. Our Duo
> rep said that he has customers doing what I asked but before I bug him for
> help I was hoping someone on this list had this scenario working in a 5.1
> environment?
>
>
>
>
>
> On 9/7/2018 2:48 PM, Travis Schmidt wrote:
>
> This PR https://github.com/apereo/cas/pull/3498, against 5.3.x addresses
> this issue.
>
>
> On Fri, Sep 7, 2018 at 11:42 AM Brian Gibson <
> gibson_br...@wheatoncollege.edu> wrote:
>
>> Hi all,
>>
>> We have Duo working in our test CAS 5.1.2 environment. Now we'd like to
>> point different CAS-protected services at different Duo Protected
>> Applications so we can set different group policies for each. I created 2
>> CAS applications inside Duo's admin portal, I called them
>>
>> "CAS ID=mfa-duo"
>> "CAS ID=mfa-duo2"
>>
>> I then edited my cas.properties file and created a second set of Duo
>> settings, here is what it looks like with the important data scrubbed out
>>
>> cas.authn.mfa.duo[0].duoSecretKey=**
>> cas.authn.mfa.duo[0].duoApplicationKey=*<40 character random string>*
>> cas.authn.mfa.duo[0].duoIntegrationKey=*> ID=mfa-duo>*
>> cas.authn.mfa.duo[0].duoApiHost=**
>> cas.authn.mfa.duo[0].id=*mfa-duo*
>> cas.authn.mfa.duo[0].name=Duo_Profile1
>>
>> cas.authn.mfa.duo[1].duoSecretKey=**
>> cas.authn.mfa.duo[1].duoApplicationKey=*> string>*
>> cas.authn.mfa.duo[1].duoIntegrationKey=*> ID=mfa-duo2>*
>> cas.authn.mfa.duo[1].duoApiHost=**
>> cas.authn.mfa.duo[1].id=*mfa-duo2*
>> cas.authn.mfa.duo[1].name=Duo_Profile2
>>
>>
>> I then edited the .json files for 2 services and added these sections for
>> multifactor authentication, note the duo ID I am referencing differently in
>> each...
>>
>> === Service 1
>>   multifactorPolicy:
>>   {
>> @class:
>> org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy
>> multifactorAuthenticationProviders:
>> [
>>   java.util.HashSet
>>   [
>> *mfa-duo*
>>   ]
>> ]
>> failureMode: CLOSED
>> principalAttributeNameTrigger: memberOf
>> principalAttributeValueToMatch: **
>> bypassEnabled: false
>>   }
>> ===
>> === Service 2
>>   multifactorPolicy:
>>   {
>> @class:
>> org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy
>> multifactorAuthenticationProviders:
>> [
>>   java.util.HashSet
>>   [
>> *mfa-duo2*
>>   ]
>> ]
>> failureMode: CLOSED
>> principalAttributeNameTrigger: memberOf
>> principalAttributeValueToMatch: **
>> bypassEnabled: false
>>   }
>> ===
>>
>> When I log into both services I do get prompted to do 2 factor auth but
>> when I authenticate on my phone app they both list the protected app named
>>
>> *"CAS ID=mfa-duo"*
>>
>> How do you get different CAS-protected services to point to different CAS
>> instances in Duo (and therefore different group policies)?
>>
>> Thanks!

Re: [cas-user] Point CAS apps at different Duo protected applications (group policies)

2018-09-07 Thread Brian Gibson

Thanks Travis,

Moving to a newer version of CAS 5 is not an option for us now. Our Duo 
rep said that he has customers doing what I asked but before I bug him 
for help I was hoping someone on this list had this scenario working in 
a 5.1 environment?





On 9/7/2018 2:48 PM, Travis Schmidt wrote:
This PR https://github.com/apereo/cas/pull/3498, against 5.3.x 
addresses this issue.



On Fri, Sep 7, 2018 at 11:42 AM Brian Gibson 
> wrote:


Hi all,

We have Duo working in our test CAS 5.1.2 environment. Now we'd
like to point different CAS-protected services at different Duo
Protected Applications so we can set different group policies for
each. I created 2 CAS applications inside Duo's admin portal, I
called them

"CAS ID=mfa-duo"
"CAS ID=mfa-duo2"

I then edited my cas.properties file and created a second set of
Duo settings, here is what it looks like with the important data
scrubbed out

cas.authn.mfa.duo[0].duoSecretKey=//
cas.authn.mfa.duo[0].duoApplicationKey=/<40 character random string>/
cas.authn.mfa.duo[0].duoIntegrationKey=//
cas.authn.mfa.duo[0].duoApiHost=//
cas.authn.mfa.duo[0].id=*mfa-duo*
cas.authn.mfa.duo[0].name=Duo_Profile1

cas.authn.mfa.duo[1].duoSecretKey=//
cas.authn.mfa.duo[1].duoApplicationKey=//
cas.authn.mfa.duo[1].duoIntegrationKey=//
cas.authn.mfa.duo[1].duoApiHost=//
cas.authn.mfa.duo[1].id=*mfa-duo2*
cas.authn.mfa.duo[1].name=Duo_Profile2


I then edited the .json files for 2 services and added these
sections for multifactor authentication, note the duo ID I am
referencing differently in each...

=== Service 1
  multifactorPolicy:
  {
    @class:
org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy
    multifactorAuthenticationProviders:
    [
  java.util.HashSet
  [
*mfa-duo*
  ]
    ]
    failureMode: CLOSED
    principalAttributeNameTrigger: memberOf
    principalAttributeValueToMatch: //
    bypassEnabled: false
  }
===
=== Service 2
  multifactorPolicy:
  {
    @class:
org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy
    multifactorAuthenticationProviders:
    [
  java.util.HashSet
  [
*mfa-duo2*
  ]
    ]
    failureMode: CLOSED
    principalAttributeNameTrigger: memberOf
    principalAttributeValueToMatch: //
    bypassEnabled: false
  }
===

When I log into both services I do get prompted to do 2 factor
auth but when I authenticate on my phone app they both list the
protected app named

/*"CAS ID=mfa-duo"*/

How do you get different CAS-protected services to point to
different CAS instances in Duo (and therefore different group
policies)?

Thanks!

Re: [cas-user] Point CAS apps at different Duo protected applications (group policies)

2018-09-07 Thread Travis Schmidt
This PR https://github.com/apereo/cas/pull/3498, against 5.3.x addresses
this issue.


On Fri, Sep 7, 2018 at 11:42 AM Brian Gibson <
gibson_br...@wheatoncollege.edu> wrote:

> Hi all,
>
> We have Duo working in our test CAS 5.1.2 environment. Now we'd like to
> point different CAS-protected services at different Duo Protected
> Applications so we can set different group policies for each. I created 2
> CAS applications inside Duo's admin portal, I called them
>
> "CAS ID=mfa-duo"
> "CAS ID=mfa-duo2"
>
> I then edited my cas.properties file and created a second set of Duo
> settings, here is what it looks like with the important data scrubbed out
>
> cas.authn.mfa.duo[0].duoSecretKey=**
> cas.authn.mfa.duo[0].duoApplicationKey=*<40 character random string>*
> cas.authn.mfa.duo[0].duoIntegrationKey=* ID=mfa-duo>*
> cas.authn.mfa.duo[0].duoApiHost=**
> cas.authn.mfa.duo[0].id=*mfa-duo*
> cas.authn.mfa.duo[0].name=Duo_Profile1
>
> cas.authn.mfa.duo[1].duoSecretKey=**
> cas.authn.mfa.duo[1].duoApplicationKey=* string>*
> cas.authn.mfa.duo[1].duoIntegrationKey=* ID=mfa-duo2>*
> cas.authn.mfa.duo[1].duoApiHost=**
> cas.authn.mfa.duo[1].id=*mfa-duo2*
> cas.authn.mfa.duo[1].name=Duo_Profile2
>
>
> I then edited the .json files for 2 services and added these sections for
> multifactor authentication, note the duo ID I am referencing differently in
> each...
>
> === Service 1
>   multifactorPolicy:
>   {
>     @class: org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy
>     multifactorAuthenticationProviders:
>     [
>       java.util.HashSet
>       [
>         *mfa-duo*
>       ]
>     ]
>     failureMode: CLOSED
>     principalAttributeNameTrigger: memberOf
>     principalAttributeValueToMatch: **
>     bypassEnabled: false
>   }
> ===
> === Service 2
>   multifactorPolicy:
>   {
>     @class: org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy
>     multifactorAuthenticationProviders:
>     [
>       java.util.HashSet
>       [
>         *mfa-duo2*
>       ]
>     ]
>     failureMode: CLOSED
>     principalAttributeNameTrigger: memberOf
>     principalAttributeValueToMatch: **
>     bypassEnabled: false
>   }
> ===
>
> When I log into both services I do get prompted to do 2 factor auth but
> when I authenticate on my phone app they both list the protected app named
>
> *"CAS ID=mfa-duo"*
>
> How do you get different CAS-protected services to point to different CAS
> instances in Duo (and therefore different group policies)?
>
> Thanks!
>



[cas-user] Point CAS apps at different Duo protected applications (group policies)

2018-09-07 Thread Brian Gibson

Hi all,

We have Duo working in our test CAS 5.1.2 environment. Now we'd like to 
point different CAS-protected services at different Duo Protected 
Applications so we can set different group policies for each. I created 
2 CAS applications inside Duo's admin portal, I called them


"CAS ID=mfa-duo"
"CAS ID=mfa-duo2"

I then edited my cas.properties file and created a second set of Duo 
settings, here is what it looks like with the important data scrubbed out


cas.authn.mfa.duo[0].duoSecretKey=//
cas.authn.mfa.duo[0].duoApplicationKey=/<40 character random string>/
cas.authn.mfa.duo[0].duoIntegrationKey=/ID=mfa-duo>/

cas.authn.mfa.duo[0].duoApiHost=//
cas.authn.mfa.duo[0].id=*mfa-duo*
cas.authn.mfa.duo[0].name=Duo_Profile1

cas.authn.mfa.duo[1].duoSecretKey=//
cas.authn.mfa.duo[1].duoApplicationKey=/string>/
cas.authn.mfa.duo[1].duoIntegrationKey=/ID=mfa-duo2>/

cas.authn.mfa.duo[1].duoApiHost=//
cas.authn.mfa.duo[1].id=*mfa-duo2*
cas.authn.mfa.duo[1].name=Duo_Profile2


I then edited the .json files for 2 services and added these sections 
for multifactor authentication, note the duo ID I am referencing 
differently in each...


=== Service 1
  multifactorPolicy:
  {
    @class: org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy
    multifactorAuthenticationProviders:
    [
      java.util.HashSet
      [
        *mfa-duo*
      ]
    ]
    failureMode: CLOSED
    principalAttributeNameTrigger: memberOf
    principalAttributeValueToMatch: //
    bypassEnabled: false
  }
===
=== Service 2
  multifactorPolicy:
  {
    @class: org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy
    multifactorAuthenticationProviders:
    [
      java.util.HashSet
      [
        *mfa-duo2*
      ]
    ]
    failureMode: CLOSED
    principalAttributeNameTrigger: memberOf
    principalAttributeValueToMatch: //
    bypassEnabled: false
  }
===

When I log into both services I do get prompted to do 2 factor auth but 
when I authenticate on my phone app they both list the protected app named


/*"CAS ID=mfa-duo"*/

How do you get different CAS-protected services to point to different 
CAS instances in Duo (and therefore different group policies)?


Thanks!

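
An added example, not part of the original post and not CAS project code: a configuration lint for the setup described above, which cross-checks the `cas.authn.mfa.duo[n]` profiles against the provider ids referenced by each service's `multifactorPolicy`. It flags profiles that reuse an id or an integration key (both would resolve to the same Duo protected application) and services that name a provider no profile defines. The service entries are assumed to be strict JSON, and all keys, ids and file names in the sample input are constructed placeholders.

```python
import json
import re

# Constructed sample input: placeholder values, not real Duo credentials.
CAS_PROPERTIES = """\
cas.authn.mfa.duo[0].duoIntegrationKey=DI_PLACEHOLDER_ONE
cas.authn.mfa.duo[0].id=mfa-duo
cas.authn.mfa.duo[1].duoIntegrationKey=DI_PLACEHOLDER_ONE
cas.authn.mfa.duo[1].id=mfa-duo2
"""
# Constructed service entries (assumption: strict JSON, hypothetical file names).
SERVICES = {
    "service1.json": '{"multifactorPolicy": {"multifactorAuthenticationProviders": ["java.util.HashSet", ["mfa-duo"]]}}',
    "service2.json": '{"multifactorPolicy": {"multifactorAuthenticationProviders": ["java.util.HashSet", ["mfa-duo3"]]}}',
}

DUO_LINE = re.compile(r"^cas\.authn\.mfa\.duo\[(\d+)\]\.(\w+)=(.*)$")

def parse_duo_profiles(text):
    """Return {index: {setting: value}} for every cas.authn.mfa.duo[n].* line."""
    profiles = {}
    for line in text.splitlines():
        m = DUO_LINE.match(line.strip())
        if m:
            profiles.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3).strip()
    return profiles

def service_providers(raw_json):
    """Provider ids from the typed-collection form [className, [ids...]]."""
    policy = json.loads(raw_json).get("multifactorPolicy", {})
    typed = policy.get("multifactorAuthenticationProviders", [])
    return list(typed[1]) if len(typed) == 2 and isinstance(typed[1], list) else []

def audit(properties_text, services):
    """List findings: colliding Duo profiles and dangling service references."""
    findings, by_id, by_ikey = [], {}, {}
    for idx, p in sorted(parse_duo_profiles(properties_text).items()):
        pid, ikey = p.get("id"), p.get("duoIntegrationKey")
        if pid in by_id:
            findings.append(f"duo[{idx}] reuses id {pid!r} of duo[{by_id[pid]}]")
        by_id.setdefault(pid, idx)
        if ikey in by_ikey:
            findings.append(f"duo[{idx}] shares its integration key with duo[{by_ikey[ikey]}]")
        by_ikey.setdefault(ikey, idx)
    for name, raw in sorted(services.items()):
        for pid in service_providers(raw):
            if pid not in by_id:
                findings.append(f"{name} references undefined provider {pid!r}")
    return findings
```

A clean result only shows the configuration is internally consistent; the reply in this thread attributes the behaviour reported here to CAS itself, addressed by the PR against 5.3.x.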