Point CAS apps at different Duo protected applications (group policies)


Brian Gibson

Sep 7, 2018, 2:42:50 PM
to cas-...@apereo.org
Hi all,

We have Duo working in our test CAS 5.1.2 environment. Now we'd like to point different CAS-protected services at different Duo Protected Applications so we can set different group policies for each. I created 2 CAS applications inside Duo's admin portal and called them

"CAS ID=mfa-duo"
"CAS ID=mfa-duo2"

I then edited my cas.properties file and created a second set of Duo settings; here is what it looks like with the important data scrubbed out:

cas.authn.mfa.duo[0].duoSecretKey=<Key-for CAS ID=mfa-duo>
cas.authn.mfa.duo[0].duoApplicationKey=<40 character random string>
cas.authn.mfa.duo[0].duoIntegrationKey=<Integration-Key-for CAS ID=mfa-duo>
cas.authn.mfa.duo[0].duoApiHost=<api-server-name>
cas.authn.mfa.duo[0].id=mfa-duo
cas.authn.mfa.duo[0].name=Duo_Profile1

cas.authn.mfa.duo[1].duoSecretKey=<Key-for CAS ID=mfa-duo2>
cas.authn.mfa.duo[1].duoApplicationKey=<different 40 character random string>
cas.authn.mfa.duo[1].duoIntegrationKey=<Integration-Key-for CAS ID=mfa-duo2>
cas.authn.mfa.duo[1].duoApiHost=<api-server-name>
cas.authn.mfa.duo[1].id=mfa-duo2
cas.authn.mfa.duo[1].name=Duo_Profile2


I then edited the .json files for 2 services and added these sections for multifactor authentication; note that the Duo ID I reference is different in each...

=========== Service 1============================
  multifactorPolicy:
  {
    @class: org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy
    multifactorAuthenticationProviders:
    [
      java.util.HashSet
      [
        mfa-duo
      ]
    ]
    failureMode: CLOSED
    principalAttributeNameTrigger: memberOf
    principalAttributeValueToMatch: <our AD group>
    bypassEnabled: false
  }
===============================================
=========== Service 2============================
  multifactorPolicy:
  {
    @class: org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy
    multifactorAuthenticationProviders:
    [
      java.util.HashSet
      [
        mfa-duo2
      ]
    ]
    failureMode: CLOSED
    principalAttributeNameTrigger: memberOf
    principalAttributeValueToMatch: <our AD group>
    bypassEnabled: false
  }
===============================================

When I log into both services I do get prompted to do 2-factor auth, but when I authenticate in my phone app they both list the protected app named

"CAS ID=mfa-duo"

How do you get different CAS-protected services to point to different CAS instances in Duo (and therefore different group policies)?

Thanks!
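The setup above is easy to get subtly wrong, and the symptom is exactly the one described: both services prompt against the same Duo protected application, so both get that application's group policy. Two mistakes produce it silently: a service whose multifactorPolicy names a provider id that no duo[N].id defines, and two duo[N] entries that carry the same duoIntegrationKey (the integration key is what identifies the Duo application). The Python below is an added example, not code from this thread or from the Apereo CAS project; it parses a cas.properties fragment and the multifactorPolicy of each registered service (in the JSON shape CAS writes, with the java.util.HashSet wrapper) and reports those mistakes. The property names and policy structure are CAS's own; the sample values are constructed and scrubbed, and the Duo key-format checks (a 20-character integration key starting with DI, an application key of at least 40 characters) follow Duo's published Web SDK requirements.

```python
"""Cross-check a CAS deployment that defines several Duo MFA providers."""
import re
from collections import defaultdict

# cas.authn.mfa.duo[N].<setting>=<value>, as in the thread's cas.properties
DUO_PROP = re.compile(r"^cas\.authn\.mfa\.duo\[(\d+)\]\.(\w+)\s*=\s*(.*)$")
IKEY_FORMAT = re.compile(r"^DI[A-Z0-9]{18}$")  # Duo integration key: 20 chars, prefix DI
MIN_AKEY_LEN = 40                               # Duo Web SDK: akey must be >= 40 characters

# Constructed, scrubbed cas.properties fragment. duo[1] reuses duo[0]'s integration
# key (a copy-paste slip that silently makes both the same Duo application) and has
# an application key that is too short.
SAMPLE_PROPERTIES = """
cas.authn.mfa.duo[0].id=mfa-duo
cas.authn.mfa.duo[0].name=Duo_Profile1
cas.authn.mfa.duo[0].duoApiHost=api-example.duosecurity.com
cas.authn.mfa.duo[0].duoIntegrationKey=DI0123456789ABCDEFGH
cas.authn.mfa.duo[0].duoSecretKey=<scrubbed-secret-key-0>
cas.authn.mfa.duo[0].duoApplicationKey=0123456789abcdef0123456789abcdef01234567

cas.authn.mfa.duo[1].id=mfa-duo2
cas.authn.mfa.duo[1].name=Duo_Profile2
cas.authn.mfa.duo[1].duoApiHost=api-example.duosecurity.com
cas.authn.mfa.duo[1].duoIntegrationKey=DI0123456789ABCDEFGH
cas.authn.mfa.duo[1].duoSecretKey=<scrubbed-secret-key-1>
cas.authn.mfa.duo[1].duoApplicationKey=tooshort
"""


def _policy(*provider_ids):
    """Constructed service definition reduced to its multifactorPolicy, in the JSON
    shape CAS writes (the java.util.HashSet wrapper is Jackson's type hint)."""
    return {"multifactorPolicy": {
        "@class": "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
        "multifactorAuthenticationProviders": ["java.util.HashSet", list(provider_ids)],
        "failureMode": "CLOSED"}}


# service3 names a provider id that no duo[N].id defines.
SAMPLE_SERVICES = {"service1": _policy("mfa-duo"),
                   "service2": _policy("mfa-duo2"),
                   "service3": _policy("mfa-duo3")}


def parse_duo_providers(text):
    """Group cas.authn.mfa.duo[N].<key>=<value> lines by index N."""
    providers = defaultdict(dict)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DUO_PROP.match(line)
        if m:
            idx, key, value = m.groups()
            providers[int(idx)][key] = value.strip()
    return dict(providers)


def provider_ids_in_policy(service):
    """Provider ids a service's multifactorPolicy references, wrapper stripped."""
    policy = service.get("multifactorPolicy", {})
    refs = policy.get("multifactorAuthenticationProviders", [])
    if len(refs) == 2 and refs[0] == "java.util.HashSet":
        refs = refs[1]
    return set(refs)


def check_config(properties_text, services):
    """Return (scope, code, detail) findings; an empty list means no problems found."""
    providers = parse_duo_providers(properties_text)
    findings = []
    id_owner, ikey_owner, akey_owner = {}, {}, {}
    for idx in sorted(providers):
        p, scope = providers[idx], f"duo[{idx}]"
        pid = p.get("id")
        if not pid:
            findings.append((scope, "missing-id", "no id; services cannot select this provider"))
        elif pid in id_owner:
            findings.append((scope, "duplicate-id", f"id {pid!r} already used by duo[{id_owner[pid]}]"))
        else:
            id_owner[pid] = idx
        ikey = p.get("duoIntegrationKey", "")
        if not IKEY_FORMAT.match(ikey):
            findings.append((scope, "bad-ikey-format", "duoIntegrationKey is not a 20-char DI... key"))
        if ikey in ikey_owner:
            findings.append((scope, "duplicate-ikey",
                             f"same Duo application as duo[{ikey_owner[ikey]}]; both get that app's policy"))
        elif ikey:
            ikey_owner[ikey] = idx
        akey = p.get("duoApplicationKey", "")
        if len(akey) < MIN_AKEY_LEN:
            findings.append((scope, "short-akey", f"duoApplicationKey is {len(akey)} chars; need >= {MIN_AKEY_LEN}"))
        if akey in akey_owner:
            findings.append((scope, "duplicate-akey", f"duoApplicationKey reused from duo[{akey_owner[akey]}]"))
        elif akey:
            akey_owner[akey] = idx
    for name, svc in sorted(services.items()):
        for ref in sorted(provider_ids_in_policy(svc)):
            if ref not in id_owner:
                findings.append((name, "unknown-provider", f"references {ref!r}, which no duo[N].id defines"))
    return findings


if __name__ == "__main__":
    for scope, code, detail in check_config(SAMPLE_PROPERTIES, SAMPLE_SERVICES):
        print(f"{scope}: {code}: {detail}")
```

On the constructed sample this reports duo[1] twice (duplicate-ikey, short-akey) and service3 once (unknown-provider). It only checks what is visible in the files; whether a Duo prompt that already satisfied one provider also satisfies the other inside an existing SSO session is server behaviour and has to be verified against a running CAS.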

Travis Schmidt

Sep 7, 2018, 2:48:42 PM
to cas-...@apereo.org
This PR, https://github.com/apereo/cas/pull/3498, against 5.3.x, addresses this issue.


--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/6a4c87cd-8bda-58b7-d38f-04ef16532366%40wheatoncollege.edu.

Brian Gibson

Sep 7, 2018, 3:41:42 PM
to cas-...@apereo.org
Thanks Travis,

Moving to a newer version of CAS 5 is not an option for us now. Our Duo rep said that he has customers doing what I asked, but before I bug him for help I was hoping someone on this list had this scenario working in a 5.1 environment?

Travis Schmidt

unread,
Sep 7, 2018, 4:00:44 PM9/7/18
to cas-...@apereo.org
The first entry is what is used as the name for the auth context. You most likely authed against the second Duo, but it will just return the first one. I also think that the two are treated equally in an SSO situation, so one fills the MFA requirement for the other and vice versa.


Mukunthini Jeyakumar

Nov 14, 2018, 2:37:12 PM
to CAS Community
Hi Travis,

I'm in the same situation, trying to configure multiple Duo instances to apply different Duo group policies. I've configured cas.properties with 2 Duo instances and those are not showing up in the management webapp to select as Multifactor Provider. I'm using CAS 5.2.8 and the JPA service registry.

Thanks
Thini

Travis Schmidt

Nov 14, 2018, 2:55:35 PM
to cas-...@apereo.org
They would only show in the mgmt webapp if you have configured the cas/status/discovery endpoint on your CAS server and the mgmt webapp server is able to reach it on startup. Otherwise only default values are shown.




Mukunthini Jeyakumar

Nov 28, 2018, 2:49:23 PM
to CAS Community
Hi Travis,

When I add the dependency in pom.xml for the discovery profile (https://apereo.github.io/cas/5.2.x/installation/Configuration-Discovery.html), I get issues on the Maven build.

<dependency>
     <groupId>org.apereo.cas</groupId>
     <artifactId>cas-server-support-discovery-profile</artifactId>
     <version>${cas.version}</version>
</dependency> 

Here is the error/warning I'm getting:

[WARNING] The POM for gnu-getopt:getopt:jar:1.0.13 is invalid, transitive dependencies (if any) will not be available: 1 problem was encountered while building the effective model
[FATAL] Non-parseable POM /root/.m2/repository/gnu-getopt/getopt/1.0.13/getopt-1.0.13.pom: end tag name </body> must match start tag name <hr> from line 888 (position: START_TAG seen ...          08-Nov-2014 19:04                 207\r\n</pre><hr></body>... @888:18)  @ line 888, column 18


Thanks

Ray Bon

Nov 28, 2018, 3:00:52 PM
to cas-...@apereo.org
Mukunthini,

That error means that your install of getopt is corrupt (there should be no body tag in a POM). You can delete the getopt folder and on the next build it will be downloaded again.

Ray
-- 
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca

Mukunthini Jeyakumar

Nov 28, 2018, 3:48:31 PM
to CAS Community
Hi,

I've tried deleting the getopt folder and even tried deleting the whole repository, /root/.m2/repository; it didn't help.
This error only appears if I add the discovery profile dependency; if I remove it, I don't see it.

Thanks

Ray Bon

Nov 28, 2018, 4:04:56 PM
to cas-...@apereo.org
It could be a problem with the remote repo or a corrupt cache somewhere between you and the source.
You can install it manually. Get the files from http://central.maven.org/maven2/gnu/getopt/java-getopt/1.0.13/

Ray

Mukunthini Jeyakumar

Nov 29, 2018, 11:10:28 AM
to CAS Community
There are 2 getopt jars; java-getopt looks good, the other one was corrupted.
Downloading getopt-1.0.13.jar from https://mvnrepository.com/artifact/gnu-getopt/getopt/1.0.13 worked.
Thanks Ray.


Hi Travis,

Now that I have the discovery endpoint configured, I can see 2 MFA provider types, but both are mapped to "Duo Security" in the mgmt webapp:
mfa-duo2|mfa-duo":"Duo Security|Duo Security

https://cas-sever.com/cas/status/discovery

{
  "profile": {
    "registeredServiceTypes": {
      "SAML2 Service Provider": "org.apereo.cas.support.saml.services.SamlRegisteredService",
      "CAS Client": "org.apereo.cas.services.RegexRegisteredService"
    },
    "multifactorAuthenticationProviderTypes": {
      "mfa-duo2|mfa-duo": "Duo Security|Duo Security"
    },
    "registeredServiceTypesSupported": {
      "SAML2 Service Provider": "org.apereo.cas.support.saml.services.SamlRegisteredService",
      "WS Federation Relying Party": "org.apereo.cas.ws.idp.services.WSFederationRegisteredService",
      "OpenID Connect Relying Party": "org.apereo.cas.services.OidcRegisteredService",
      "OAuth2 Client": "org.apereo.cas.support.oauth.services.OAuthRegisteredService",
      "CAS Client": "org.apereo.cas.services.RegexRegisteredService"
    },
    "multifactorAuthenticationProviderTypesSupported": {
      "mfa-gauth": "Google Authenticator",
      "mfa-swivel": "Swivel Secure",
      "mfa-yubikey": "YubiKey",
      "mfa-authy": "Authy",
      "mfa-radius": "RADIUS (RSA,WiKID)",
      "mfa-u2f": "FIDO U2F",
      "mfa-duo": "Duo Security",
      "mfa-azure": "Microsoft Azure"
    }
  }
}


Here is the MFA provider config:

cas.authn.mfa.duo[0].id=mfa-duo
cas.authn.mfa.duo[0].name=Duo_Allow
cas.authn.mfa.duo[0].duoApiHost=api-dcc11a82.duosecurity.com
cas.authn.mfa.duo[0].duoIntegrationKey=xxx
cas.authn.mfa.duo[0].duoSecretKey=xxxxx
cas.authn.mfa.duo[0].duoApplicationKey=xxx

cas.authn.mfa.duo[1].id=mfa-duo2
cas.authn.mfa.duo[1].name=Duo_Deny
cas.authn.mfa.duo[1].duoApiHost=api-dcc11a82.duosecurity.com
cas.authn.mfa.duo[1].duoIntegrationKey=xx
cas.authn.mfa.duo[1].duoSecretKey=xxxff
cas.authn.mfa.duo[1].duoApplicationKey=xxxxx

Is any config required in the management properties to map those profiles?

Thanks

Mukunthini Jeyakumar

Dec 6, 2018, 1:56:10 PM
to CAS Community
Hi Travis,

Does the management webapp work with the discovery endpoint only in CAS 5.3? I'm using CAS 5.2.8.

Travis Schmidt

Dec 6, 2018, 2:06:10 PM
to CAS Community
Yes, that would indeed be the case. Also, if you need to use multiple Duo instances, I think you would have better luck with the latest 5.3.6 release for both CAS and CAS Management, which was moved to its own repository starting with 5.3: https://github.com/apereo/cas-management

Travis


Mukunthini Jeyakumar

Dec 7, 2018, 10:17:51 AM
to CAS Community
Thanks Travis 