CAS 7, Duo Universal Prompt Warning - Wrong integration type for this API

Baron Fujimoto

Sep 7, 2023, 12:48:20 AM
to CAS Community
We're working on a CAS 7.0.0-RC7 with Duo Universal prompt for MFA.

We have the following in our configs for Duo:

build.gradle:
implementation "org.apereo.cas:cas-server-support-duo"

cas.properties:
cas.authn.mfa.duo[0].duo-integration-key=<our duo integration key>
cas.authn.mfa.duo[0].duo-secret-key=<our duo integration key>
cas.authn.mfa.duo[0].duo-api-host=<our duo api host>

Specifically not set in cas.properties is "cas.authn.mfa.duo[0].duo-application-key=", which if I understand correctly is the way to activate the Duo Universal Prompt [*].

I believe we also have the Duo side of things properly configured for their Universal Prompt with the Duo Application being used by this CAS set to use type "CAS (Central Authentication Service)".

Although it appears to work as expected, the following warning is logged:

WARN [org.apereo.cas.adaptors.duo.authn.BaseDuoSecurityAuthenticationService] - <Duo returned an Invalid response with message [Access forbidden] and detail [Wrong integration type for this API.] when determining user account. This maybe a configuration error in the admin request and Duo will still be considered available.>

Does anyone know what this warning is for and how to resolve it?

[*] References
--
Baron Fujimoto <ba...@hawaii.edu> ::: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum descendus pantorum

CAS Community

Sep 7, 2023, 9:49:22 AM
to CAS Community
> I believe we also have the Duo side of things properly configured for their Universal Prompt with the Duo Application being used by this CAS set to use type "CAS (Central Authentication Service)".

That is not strictly correct. You either need to switch the type to WebSDK, IIRC, or you need to turn off "account status checking" in the CAS configuration.

Baron Fujimoto

Sep 7, 2023, 3:08:17 PM
to cas-...@apereo.org
Interesting. The Duo Universal Prompt Update Guide <https://duo.com/docs/universal-prompt-update-guide> identifies "CAS (Central Authentication Service)" as a traditional Duo prompt application with type "cas", and their Duo for Central Authentication Server (CAS) <https://duo.com/docs/cas> directs you to select Applications > Protect an Application > CAS (Central Authentication Service), which gives you that application type (as opposed to Web SDK). So it seems there is an inconsistency between what CAS wants and what Duo recommends. AFAICT, the CAS Duo Security Authentication documentation <https://apereo.github.io/cas/development/mfa/DuoSecurity-Authentication.html> does not explicitly advise the WebSDK should be used, only that support for MFA "based on the Duo's Web SDK and the embedded iFrame is deprecated" and you are encouraged to switch to the Universal Prompt. The only thing I find there for triggering the Universal prompt is the non-use of cas.authn.mfa.duo[0].duo-application-key.

I also see a discussion about Duo account status on that page, but nothing about enabling or disabling it. It also suggests that the state of user account status via the Duo API is ambiguous. ¯\_(ツ)_/¯

On Thu, Sep 7, 2023 at 3:49 AM CAS Community <cas-...@apereo.org> wrote:

>> I believe we also have the Duo side of things properly configured for their Universal Prompt with the Duo Application being used by this CAS set to use type "CAS (Central Authentication Service)".
>
> That is not strictly correct. You either need to switch the type to WebSDK, IIRC, or you need to turn off "account status checking" in the CAS configuration.

Baron Fujimoto

Sep 8, 2023, 12:44:14 AM
to cas-...@apereo.org
Re Duo account status, I found the following under the Optional tab for Duo configuration:

• cas.authn.mfa.duo[0].account-status-enabled=true
When set to true, CAS will contact Duo Security to check for user's account status and to evaluate whether user qualifies for multifactor authentication from Duo's perspective. When disabled, user account status is set to authenticate with Duo and the API call will never be made.
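
Added example, not part of the thread and not CAS project code: a small check over a cas.properties file that reports, for each cas.authn.mfa.duo[N] entry, whether the Universal Prompt is selected and whether the account status call that produced the warning will be made. The sample values, the function names and the assumption that the status check is on when the property is absent are all constructed for illustration.

```python
import re

# Constructed sample mirroring the properties quoted in the thread (placeholder values).
SAMPLE = """\
cas.authn.mfa.duo[0].duo-integration-key=PLACEHOLDER_IKEY
cas.authn.mfa.duo[0].duo-secret-key=PLACEHOLDER_SKEY
cas.authn.mfa.duo[0].duo-api-host=api-placeholder.example
# second, hypothetical provider with the status check turned off
cas.authn.mfa.duo[1].duo-integration-key=PLACEHOLDER_IKEY2
cas.authn.mfa.duo[1].duo-application-key=PLACEHOLDER_AKEY
cas.authn.mfa.duo[1].account-status-enabled=false
"""

DUO_KEY = re.compile(r"^cas\.authn\.mfa\.duo\[(\d+)\]\.([A-Za-z0-9.-]+)$")

def parse_duo(text):
    """Group cas.authn.mfa.duo[N].* properties by provider index N."""
    providers = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue  # skip blanks, comments and malformed lines
        key, _, value = line.partition("=")
        m = DUO_KEY.match(key.strip())
        if m:
            providers.setdefault(int(m.group(1)), {})[m.group(2)] = value.strip()
    return providers

def review(text):
    """Return {index: {'universal_prompt', 'account_status_check', 'note'}}."""
    report = {}
    for idx, props in sorted(parse_duo(text).items()):
        # Per the thread: leaving duo-application-key unset selects the Universal Prompt.
        universal = not props.get("duo-application-key")
        # Assumption: the status check is on unless explicitly set to false.
        status = props.get("account-status-enabled", "true").lower() != "false"
        note = ("CAS will query Duo for account status; if the Duo application type "
                "rejects that call, expect 'Wrong integration type for this API'"
                if status else "account status call is never made")
        report[idx] = {"universal_prompt": universal,
                       "account_status_check": status, "note": note}
    return report

if __name__ == "__main__":
    for idx, result in review(SAMPLE).items():
        print(idx, result)
```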