ERROR [org.apereo.cas.support.saml.web.view.Saml10SuccessResponseView] - <Error generating SAML response for service example.edu.>
java.lang.ClassCastException: java.util.HashSet cannot be cast to java.lang.String
at org.apereo.cas.support.saml.web.view.Saml10SuccessResponseView.prepareResponse(Saml10SuccessResponseView.java:60) ~[cas-server-support-saml-5.0.0.RC4-SNAPSHOT.jar:5.0.0.RC4-SNAPSHOT]
at org.apereo.cas.support.saml.web.view.AbstractSaml10ResponseView.renderMergedOutputModel(AbstractSaml10ResponseView.java:104) ~[cas-server-support-saml-5.0.0.RC4-SNAPSHOT.jar:5.0.0.RC4-SNAPSHOT]
...
Ultimately what we'd like to do though is invoke MFA-Duo globally, and
not via an application triggered policy. It looks like the CAS properties
listed here may be relevant, but it's not clear to me how they should
be used.
Global triggers that are not tied to a principal or to services are not possible explicitly. Please file a feature request.
We might be able to make something work if it's tied to a principal, but
again, I'm not sure how to do this. The docs say, "MFA can be triggered
for all users/subjects carrying a specific attribute that matches
configured attribute value. The attribute value is a regex pattern and
must match the provider id of an available MFA provider described above."
What this means is, you configure CAS to trigger based on an attribute “x”, that is resolved for the principal, whose value is for instance “mfa-duo”, or “mfa-.+”.
Also, I was wrong. Global triggers are supported; just weren’t documented then:
There is a setting for a global provider id. Set it to the provider id of choice, “mfa-duo”.
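A cas.properties fragment that puts the two trigger styles from this thread side by side, added here as an example rather than taken from the thread itself. The property names are an assumption based on the CAS 5.x configuration reference as I recall it, and the attribute name mfaPolicy is a hypothetical placeholder; verify both against the deployed CAS version.

```properties
# Added example, not from the thread. Property names are assumed from the
# CAS 5.x configuration reference and must be checked against your version.

# Option 1: global trigger. Every successful authentication, regardless of
# the requesting service, is followed by the Duo provider.
cas.authn.mfa.globalProviderId=mfa-duo

# Option 2: principal-attribute trigger. MFA is required only when the
# resolved principal carries the named attribute and one of its values
# matches the regex. The regex must match the id of an available provider:
# "mfa-duo" for Duo only, or a pattern such as "mfa-.+" that would also
# match other registered providers.
#
# Caveat: this attribute decides whether the second factor is enforced at
# all, so it must come from an authoritative attribute source (for example
# a directory group), never from a value the end user can edit.
#
# Leave globalProviderId unset if only this selective behaviour is wanted.
# "mfaPolicy" is a placeholder attribute name.
#cas.authn.mfa.globalPrincipalAttributeNameTriggers=mfaPolicy
#cas.authn.mfa.globalPrincipalAttributeValueRegex=mfa-duo
```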