CAS 5 RC4: MFA-Duo bypass rules?
59 views
Skip to first unread message
Baron Fujimoto
Oct 18, 2016, 4:03:44 PM10/18/16
to CAS Users
I have MFA-Duo enabled globally, but this is complicating our scripted
regression testing. Rather than try to make it work with this right now,
I think it would be easier to try to make an exception for the service
definition used by our regression test (assuming that results in no Duo
checks being included altogether for the service... else so much for this
idea). Bypass rules are discussed here
https://apereo.github.io/cas/development/installation/Configuring-Multifactor-Authentication.html#bypass-rules
But it's not clear to me how they are actually used, or if there is in
fact a way to bypass MFA on a per-service basis. I can't find any examples
or relevant-seeming properties in the documentation.
-baron
--
Baron Fujimoto <ba...@hawaii.edu> :: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
regression testing. Rather than try to make it work with this right now,
I think it would be easier to try to make an exception for the service
definition used by our regression test (assuming that results in no Duo
checks being included altogether for the service... else so much for this
idea). Bypass rules are discussed here
https://apereo.github.io/cas/development/installation/Configuring-Multifactor-Authentication.html#bypass-rules
But it's not clear to me how they are actually used, or if there is in
fact a way to bypass MFA on a per-service basis. I can't find any examples
or relevant-seeming properties in the documentation.
-baron
--
Baron Fujimoto <ba...@hawaii.edu> :: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
Misagh Moayyed
Oct 18, 2016, 4:14:21 PM10/18/16
to CAS Users
But it's not clear to me how they are actually used, or if there is in
fact a way to bypass MFA on a per-service basis.
Bypass rules cannot be done per service now. Certainly something that can be added in a follow-up minor release perhaps. Some examples in the docs describe typical use cases, but nothing that can be done per service, if you have enabled MFA globally.
I can't find any examples
or relevant-seeming properties in the documentation.
Ouch. Yeah this is missing from the docs. I’ll take care of it shortly.
Chris Bahrami
Oct 20, 2016, 4:11:52 PM10/20/16
to Misagh Moayyed, CAS Users
Hi Baron,
Chris Bahrami here from Duo...
One solution I would suggest to help for regression testing purposes would be to set the bypass rule for a single user within the Duo Admin Panel. This will allow your regression testing scripts to not require human interaction. Note, this will of course bypass any secondary authentication, but you will still see an entry within the Duo Authentication Logs indicating a "bypassed" authentication attempt.
Please let me know if there is anything Duo related I can assist with.
Regards,
 |  | | |
---------- The Most Loved Company in Security | |||
--
CAS gitter chatroom: https://gitter.im/apereo/cas
CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
CAS documentation website: https://apereo.github.io/cas
CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscribe@apereo.org.
To post to this group, send email to cas-...@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/etPan.58068295.152020af.3323%40unicon.net.
Reply all
Reply to author
Forward
0 new messages