Duo Universal Prompt configuration?


Baron Fujimoto

Jul 22, 2023, 12:34:26 AM
to CAS Community
We're trying to upgrade from CAS 6.6 using the old Duo iFrame MFA to CAS 7 using the new Duo Universal Prompt.

In our CAS 6.6/iFrame version, we configured this with the following properties:

cas.authn.mfa.duo[0].duo-application-key=<private WebSDK integration key>
cas.authn.mfa.duo[0].duo-api-host=<Duo API hostname>
cas.authn.mfa.duo[0].duo-integration-key=<Duo integration key>
cas.authn.mfa.duo[0].duo-application-key=<Duo secret key>

For our CAS 7/Universal Prompt version, we're using:

cas.authn.mfa.duo[0].duo-api-host=<Duo API hostname>
cas.authn.mfa.duo[0].duo-integration-key=<Duo client ID>
cas.authn.mfa.duo[0].duo-application-key=<Duo client secret>

Our duo-api-host does not differ for these two, and our Duo admin panel is configured to "Show Universal Prompt" for our Duo application we reference in our CAS 7 properties.

However, after entering a username and password, we get the following error: 
===
MFA Provider Unavailable

CAS was unable to reach your configured MFA provider at this time. Due to failure policies configured for the service you are attempting to access, authentication can not be granted at this time.
===

Our CAS log reports:
WARN [org.apereo.cas.adaptors.duo.authn.UniversalPromptDuoSecurityAuthenticationService] - <invalid_client>

Any ideas what we may have amiss or how we may further troubleshoot this?

I've been using the following resources for reference:
Duo documentation –
CAS documentation –
Fawnoos documentation –

I note that the Duo documentation says to create the Duo application type as "CAS (Central Authentication Service)" whereas Fawnoos says to use WebSDK. Does this matter?
--
Baron Fujimoto <ba...@hawaii.edu> ::: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum descendus pantorum

Ray Bon

Jul 24, 2023, 12:41:39 PM
to cas-...@apereo.org
Baron,

Try creating a new service in Duo to check if the problem is on their side.

Ray


Baron Fujimoto

Jul 25, 2023, 12:00:07 AM
to cas-...@apereo.org
Ok, error was apparently a typo in the copied client secret from Duo; I think I probably inadvertently introduced an extra char or something when pasting the string from my clipboard – it wasn't obvious since Duo only displays the last four characters in their UI. But when I copied and pasted the obscured string again into the CAS config, voila. Mea culpa... *sigh*   ¯\_(ツ)_/¯

On Mon, Jul 24, 2023 at 8:54 AM Baron Fujimoto <ba...@hawaii.edu> wrote:
Yes, I created a new Duo protected application for this using their admin panels. I assume this is what you mean by new service? I'm not sure how I would check if the problem is on the Duo side though?



--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/2e9eb8d5db6882c1553ad81aceb51465d10c6646.camel%40uvic.ca.


--
Baron Fujimoto <ba...@hawaii.edu> ::: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum descendus pantorum
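
A check for the failure described in this thread (a stray character in the pasted client secret, hidden because Duo shows only the last four characters), as an added example that is not part of the original posts or of CAS. The 20- and 40-character lengths are those Duo's Universal Prompt SDK clients require; the property suffixes are passed in as arguments, and the sample values are constructed placeholders.

```python
import re

# Lengths that Duo's Universal Prompt SDK clients require for each credential.
EXPECTED_LEN = {"client ID": 20, "client secret": 40}

def lint_duo_properties(text, id_suffix, secret_suffix, ui_last4=None):
    """Lint cas.authn.mfa.duo[N].* lines; never echoes a full credential."""
    roles = {id_suffix: "client ID", secret_suffix: "client secret"}
    findings, seen = [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = re.match(r"\s*(cas\.authn\.mfa\.duo\[\d+\]\.([\w-]+))\s*=(.*)$", raw)
        if not m:
            continue
        key, suffix, value = m.group(1), m.group(2), m.group(3)
        if key in seen:  # the same property set twice in one file
            findings.append(f"line {lineno}: {key} repeats line {seen[key]}")
        seen[key] = lineno
        role = roles.get(suffix)
        if role is None:
            continue
        if value != value.strip():
            findings.append(f"line {lineno}: {role} has surrounding whitespace")
        value = value.strip()
        if not value.isascii() or any(c.isspace() for c in value):
            findings.append(f"line {lineno}: {role} contains whitespace or a non-ASCII character")
        if len(value) != EXPECTED_LEN[role]:
            findings.append(f"line {lineno}: {role} is {len(value)} characters, expected {EXPECTED_LEN[role]}")
        # Compare only the tail, which is all the Duo admin panel displays.
        if role == "client secret" and ui_last4 and value[-4:] != ui_last4:
            findings.append(f"line {lineno}: client secret does not end in the four characters Duo displays")
    return findings

# Constructed sample: placeholder credentials, not real Duo values.
SAMPLE = "\n".join([
    "cas.authn.mfa.duo[0].duo-api-host=api-XXXXXXXX.duosecurity.com",
    "cas.authn.mfa.duo[0].duo-integration-key=" + "A" * 20,
    "cas.authn.mfa.duo[0].duo-application-key=" + "b" * 36 + "x9Kq" + "Z",  # stray pasted char
])

if __name__ == "__main__":
    for finding in lint_duo_properties(SAMPLE, "duo-integration-key",
                                       "duo-application-key", ui_last4="x9Kq"):
        print(finding)
```
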

Baron Fujimoto

Jul 25, 2023, 12:00:07 AM
to cas-...@apereo.org
Yes, I created a new Duo protected application for this using their admin panels. I assume this is what you mean by new service? I'm not sure how I would check if the problem is on the Duo side though?


