Duo MFA behavior on CAS 7


Jeremiah Garmatter

Jan 5, 2024, 11:58:59 AM
to CAS Community
Hello,

I am trying out CAS 7 with the embedded Tomcat instance. I noticed a change in behavior that will impact my authentication flow and wanted to see if anyone else has come across it and found a workaround.

I run my CAS server over port 8443 but, for user convenience, I forward traffic from port 443 to 8443. This way my users can access SSO without specifying a port number. In the past I have had no issues visiting https://my.cas.server/cas/login, authenticating via LDAP, then MFA via Duo.

On CAS 7, it seems like CAS is more aware of the URL used during authentication though. When I visit the URL without port 8443 specified, I can LDAP auth and MFA through Duo, but upon return from Duo to CAS I receive the "MFA provider unavailable" message. If I specify the port, https://my.cas.server:8443/cas/login, I have no trouble returning to CAS after Duo MFA.

If I can't get this to work, I'll have to reach out to all my CAS services and notify my organization to update any links.

Ray Bon

Jan 5, 2024, 3:47:17 PM
to cas-...@apereo.org
Jeremiah,

It is simpler to change cas to run on 443 instead, i.e. no port specified. (One bit of work for you instead of many bits of work for all service providers).
Cas does not need to know the port if you are forwarding.
We front our tomcat (running 8443) with apache (default ports) which forwards to tomcat.

Ray


Jeremiah Garmatter

Jan 5, 2024, 3:47:18 PM
to CAS Community, Jeremiah Garmatter, ba...@hawaii.edu
Thanks for the reply Baron,

Unfortunately, it seems that changing the cas.server.name only shifts the problem instead of getting around it.
I can choose whether to require the port in the URL or not, but I cannot allow both situations by changing that configuration.
Ideally, I would be able to log in in both situations, port specified or not, as I could with the older versions of CAS.

This behavior is important to me because I use CAS to authenticate CAS apps and SAML2 apps.
Unfortunately, we were not consistent in registering apps so many of the CAS apps were configured without the port specified and the opposite goes for our SAML2 apps.
It looks like I may have to make them all consistent now.


On Fri, Jan 5, 2024 at 2:25 PM Baron Fujimoto <ba...@hawaii.edu> wrote:
Hi Jeremiah,

We don't use the embedded Tomcat and have a load balancer forwarding port 443 to 8443 on Tomcat, but I ran into the "MFA provider unavailable" issue when testing with an individual backend cluster node's hostname rather than the cluster's public CNAME. I was able to work around it for our testing purposes by setting cas.server.name in cas.properties to match what CAS is apparently expecting. Perhaps a similar approach may work for you?



Aloha,
-baron

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscribe@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/5be8a8f9-9921-498d-8219-773ab3011248n%40apereo.org.


--
Baron Fujimoto <ba...@hawaii.edu> ::: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum descendus pantorum

Ray Bon

Jan 6, 2024, 12:00:58 AM
to cas-...@apereo.org, ba...@hawaii.edu, j-gar...@onu.edu
Jeremiah,

Could a URL rewrite (that strips :8443) work?
After updating metadata ...

Ray


Jeremiah Garmatter

Jan 16, 2024, 11:02:44 AM
to CAS Community
I was out of commission with Covid for a while there...

Thanks for the suggestions.
A URL rewrite sounds promising. I'll have to test this idea out.

Gabriel Antonio Batista Nascimento

Aug 21, 2024, 11:56:11 PM
to CAS Community, Jeremiah Garmatter
Hi Jeremiah,

I'm running CAS 6.6.x with an embedded Tomcat and trying to do exactly what you said:
  access it without specifying the port, so I can reach it with https://my.domain.com.br/cas/login
Now I'm unable to do it. Even if I set the server name without the port I'm unable to reach the application for logging in.

Which properties did you set to do so? Did you configure anything else outside the application or Tomcat to reach it?

Jeremiah Garmatter

Aug 22, 2024, 8:37:46 AM
to Gabriel Antonio Batista Nascimento, CAS Community
Gabriel,

I ended up setting cas.server.name and cas.server.prefix, neither config has a port specified.
For SAML, I left the port specified in cas.authn.saml-idp.core.entity-id, that way I can keep my old metadata.

Turns out CAS is the touchy one; SAML doesn't care where you hit it as long as the entity id and session state info are there.
The error I experienced is actually more with the interaction between the CAS and Duo modules. CAS passes the URL you accessed it by (including port info) to the Duo prompt when you're redirected. Then Duo passes that URL back to CAS and if it doesn't match the cas.server.name and cas.server.prefix then you'll see an "MFA provider unavailable" error.

Most of our CAS applications were set up without the port specified. I tested all the apps I had access to and concluded that only a small portion of our apps would have login issues. We bit the bullet and decided to push the update to CAS 7 and correct the few services that had issues. Turns out we got pretty lucky and only one app had the port specified.
Jeremiah Garmatter
Linux Systems Administrator
Office of Information Technology
IT Building 107
419-772-1074
j-gar...@onu.edu
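The CAS-to-Duo round trip Jeremiah describes above, and the edge URL rewrite Ray suggested earlier in the thread, modelled in an added Python example (not CAS or Duo code; exactly how CAS compares the returned URL against cas.server.prefix is an assumption drawn from the thread, and the host names are the thread's placeholders):

```python
from urllib.parse import urlsplit, urlunsplit

# Values from the thread: cas.server.name and cas.server.prefix configured without a port,
# with port 443 forwarded to the embedded Tomcat on 8443.
CAS_SERVER_NAME = "https://my.cas.server"
CAS_SERVER_PREFIX = CAS_SERVER_NAME + "/cas"
INTERNAL_PORT = 8443


def callback_matches_prefix(returned_url: str, prefix: str = CAS_SERVER_PREFIX) -> bool:
    """Assumed model of the check described in the thread: the URL Duo hands back
    must sit under cas.server.prefix exactly, port included, or the flow ends in
    "MFA provider unavailable". The check binds the MFA callback to the configured
    origin, so the fix is to make the visible URL consistent, not to loosen it."""
    return returned_url == prefix or returned_url.startswith(prefix + "/")


def strip_forwarded_port(url: str, internal_port: int = INTERNAL_PORT) -> str:
    """Edge rewrite in the spirit of Ray's suggestion: a request carrying the
    internal port is rewritten to the canonical portless form. Anything else,
    including a different host, is left untouched so the check still rejects it."""
    parts = urlsplit(url)
    if parts.port != internal_port or parts.hostname is None:
        return url
    return urlunsplit((parts.scheme, parts.hostname, parts.path, parts.query, parts.fragment))


def duo_round_trip(login_url: str, rewrite_at_edge: bool = False) -> str:
    """Simulate the exchange: CAS records the URL it was reached by, passes it to
    the Duo prompt, Duo echoes it back, and CAS validates it against the prefix."""
    url_seen_by_cas = strip_forwarded_port(login_url) if rewrite_at_edge else login_url
    url_returned_by_duo = url_seen_by_cas  # Duo passes the URL back unchanged
    if callback_matches_prefix(url_returned_by_duo):
        return "ok"
    return "MFA provider unavailable"


if __name__ == "__main__":
    for url in ("https://my.cas.server/cas/login",
                "https://my.cas.server:8443/cas/login",
                "https://other.example/cas/login"):
        print(f"{url:42} -> {duo_round_trip(url)} / with rewrite: {duo_round_trip(url, True)}")
```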
