Multiple Instances of Duo MFA clarifications?
47 views
Skip to first unread message
Baron Fujimoto
Jun 12, 2025, 10:37:53 PMJun 12
to CAS Community
We have multiple instances of Duo defined with distinct IDs:
E.g.:
cas.authn.mfa.duo[0].id=mfa-duo
cas.authn.mfa.duo[0].rank=0
cas.authn.mfa.duo[1].id=mfa-duo-alt
cas.authn.mfa.duo[1].rank=1
Prior to enabling multiple instances, we just relied on this global property to provide the default ID.
cas.authn.mfa.global-provider-id=mfa-duo
I'm pretty sure we've empirically determined that setting instance duo[n].id properties as well as global-provider-id is incompatible and results in unreliable behaviour in terms of what actually gets invoked during authentication. Can someone confirm this? Unfortunately, I can't find CAS documentation for global-provider-id – search doesn't turn up anything useful, nor do I find it on the page documenting "Multifactor Authentication"[*]
We're currently configuring the Duo ID to use in each service registration with
"multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-duo" ] ],
or
"multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-duo-alt" ] ],
Does the duo.rank property do anything here if we're explicitly only specifying one or the other duo.id?
Baron Fujimoto <ba...@hawaii.edu> ::: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum descendus pantorum
minutas cantorum, minutas balorum, minutas carboratum descendus pantorum
richard.frovarp
Sep 30, 2025, 9:06:35 PM (2 days ago) Sep 30
to CAS Community
What are you trying to accomplish? I'm replying as I just worked through this and found your post. My scenario is to have one Duo instance that allows for remembered devices, and another that doesn't.
I'm on CAS 7.2.x.
This is just in testing, but my default provider is set with:
cas.authn.mfa.triggers.global.global-provider-id=mfa-duo
The rank for mfa-duo is less than mfa-no-remember
If mfa-no-remember is used first, then mfa-duo is triggered, it is fine. The other way around will trigger a new Duo.
I have a prototype Groovy script that will force the mfa-no-remember under certain scenarios. Plus it can be configured with the multifactorAuthenticationProviders setting.
Ray Bon
Oct 1, 2025, 6:08:35 PM (2 days ago) Oct 1
to cas-...@apereo.org
Baron,
To get a list of all properties run:
./gradlew exportConfigMetadata
Produces file config-metadata.properties
cas.authn.mfa.global-provider-id has been depricated.
Replaced with cas.authn.mfa.triggers.global.global-provider-id
Ray
From: 'richard.frovarp' via CAS Community <cas-...@apereo.org>
Sent: September 30, 2025 14:21
To: CAS Community <cas-...@apereo.org>
Subject: [cas-user] Re: Multiple Instances of Duo MFA clarifications?
Sent: September 30, 2025 14:21
To: CAS Community <cas-...@apereo.org>
Subject: [cas-user] Re: Multiple Instances of Duo MFA clarifications?
--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/f6fea1c1-3368-4524-b9be-74bb7d272c0an%40apereo.org.
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/f6fea1c1-3368-4524-b9be-74bb7d272c0an%40apereo.org.
Reply all
Reply to author
Forward
0 new messages