Multiple Instances of Duo MFA clarifications?


Baron Fujimoto

Jun 12, 2025, 10:37:53 PMJun 12
to CAS Community
We have multiple instances of Duo defined with distinct IDs:

E.g.:

cas.authn.mfa.duo[0].id=mfa-duo
cas.authn.mfa.duo[0].rank=0
cas.authn.mfa.duo[1].id=mfa-duo-alt
cas.authn.mfa.duo[1].rank=1

Prior to enabling multiple instances, we just relied on this global property to provide the default ID.

cas.authn.mfa.global-provider-id=mfa-duo

I'm pretty sure we've empirically determined that setting instance duo[n].id properties as well as global-provider-id is incompatible and results in unreliable behaviour in terms of what actually gets invoked during authentication. Can someone confirm this? Unfortunately, I can't find CAS documentation for global-provider-id – search doesn't turn up anything useful, nor do I find it on the page documenting "Multifactor Authentication"[*]

We're currently configuring the Duo ID to use in each service registration with
"multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-duo" ] ],
or
"multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-duo-alt" ] ],

Does the duo.rank property do anything here if we're explicitly only specifying one or the other duo.id?


--
Baron Fujimoto <ba...@hawaii.edu> ::: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum descendus pantorum

richard.frovarp

Sep 30, 2025, 9:06:35 PMSep 30
to CAS Community
What are you trying to accomplish? I'm replying as I just worked through this and found your post. My scenario is to have one Duo instance that allows for remembered devices, and another that doesn't.

I'm on CAS 7.2.x.

This is just in testing, but my default provider is set with:

cas.authn.mfa.triggers.global.global-provider-id=mfa-duo

The rank for mfa-duo is less than mfa-no-remember

If mfa-no-remember is used first, then mfa-duo is triggered, it is fine. The other way around will trigger a new Duo.

I have a prototype Groovy script that will force the mfa-no-remember under certain scenarios. Plus it can be configured with the multifactorAuthenticationProviders setting.

Ray Bon

Oct 1, 2025, 6:08:35 PMOct 1
to cas-...@apereo.org
Baron,

To get a list of all properties run:
./gradlew exportConfigMetadata

Produces file config-metadata.properties

cas.authn.mfa.global-provider-id has been deprecated.
Replaced with cas.authn.mfa.triggers.global.global-provider-id 

Ray


Jonathon Taylor

Oct 3, 2025, 11:14:11 AMOct 3
to cas-...@apereo.org
Hi Baron,

Not sure if this helps with your use-case, but we are able to override the global Duo provider on a per-service basis as follows.  I believe I ran into issues when I didn't have the .name property but don't remember what exactly.  This works on 7.2.x:

cas.properties
---------------

cas.authn.mfa.triggers.global.global-provider-id=mfa-duo
cas.authn.mfa.duo[0].id=mfa-duo
cas.authn.mfa.duo[0].name=mfa-duo
# all the other stuff for duo[0]

cas.authn.mfa.duo[1].id=mfa-duo-alt
cas.authn.mfa.duo[1].name=mfa-duo-alt
# all the other stuff for duo[1]


service definition
-------------------

"multifactorPolicy": {
"@class": "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
"failureMode": "CLOSED",
"multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-duo-alt" ] ],
"bypassEnabled": false,
"forceExecution": true
},




--
Jonathon Taylor (he/him)
Information Security Office
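The thread turns on a few relationships that are easy to get wrong by hand: every provider id a service registration names must match a defined cas.authn.mfa.duo[n].id, the global provider id must point at a defined instance, the deprecated cas.authn.mfa.global-provider-id key (per Ray's post) should not be set alongside its replacement, and each duo[n] should carry a .name (Jonathon's observation; treated here as a warning, not a verified CAS requirement). The following lint is an added example and not code from the thread or from CAS; the sample properties and service JSON are constructed to mirror the configurations posted above, and the check names (e.g. the "mfa-duo-typo" service) are hypothetical.

```python
"""Lint a CAS multi-Duo MFA configuration against service registrations.

Added example, not CAS code. Checks:
  * deprecated cas.authn.mfa.global-provider-id vs. its replacement
  * global provider id refers to a defined cas.authn.mfa.duo[n].id
  * each duo[n] has both .id and .name, and ids are unique
  * every multifactorAuthenticationProviders entry names a defined id
"""
import json
import re
from typing import Dict, List

DUO_KEY = re.compile(r"^cas\.authn\.mfa\.duo\[(\d+)\]\.(id|name|rank)$")
OLD_GLOBAL = "cas.authn.mfa.global-provider-id"
NEW_GLOBAL = "cas.authn.mfa.triggers.global.global-provider-id"


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value, '#'/'!' comments, blank lines."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def duo_instances(props: Dict[str, str]) -> Dict[int, Dict[str, str]]:
    """Group cas.authn.mfa.duo[n].* keys into {n: {field: value}}."""
    instances: Dict[int, Dict[str, str]] = {}
    for key, value in props.items():
        m = DUO_KEY.match(key)
        if m:
            instances.setdefault(int(m.group(1)), {})[m.group(2)] = value
    return instances


def service_provider_ids(service: dict) -> List[str]:
    """Unwrap the Jackson-style ["java.util.LinkedHashSet", [...]] list form."""
    providers = service.get("multifactorPolicy", {}).get(
        "multifactorAuthenticationProviders", [])
    if (isinstance(providers, list) and len(providers) == 2
            and isinstance(providers[1], list)):
        return list(providers[1])
    return list(providers)


def lint(props: Dict[str, str], services: List[dict]) -> List[str]:
    findings: List[str] = []
    instances = duo_instances(props)
    ids = [inst["id"] for _, inst in sorted(instances.items()) if "id" in inst]

    if OLD_GLOBAL in props:
        findings.append(f"{OLD_GLOBAL} is deprecated; use {NEW_GLOBAL}")
        if NEW_GLOBAL in props:
            findings.append("both old and new global-provider-id keys set")
    global_id = props.get(NEW_GLOBAL, props.get(OLD_GLOBAL))
    if global_id is not None and global_id not in ids:
        findings.append(f"global provider id '{global_id}' matches no duo[n].id")

    for idx, inst in sorted(instances.items()):
        for field in ("id", "name"):
            if field not in inst:
                findings.append(f"duo[{idx}] has no .{field}")
    for dup in sorted({i for i in ids if ids.count(i) > 1}):
        findings.append(f"duo id '{dup}' is defined more than once")

    for svc in services:
        for pid in service_provider_ids(svc):
            if pid not in ids:
                findings.append(
                    f"service {svc.get('serviceId')!r} names undefined provider '{pid}'")
    return findings


# Constructed samples mirroring the thread. BAD_PROPS: Baron's layout with the
# deprecated global key and no .name; GOOD_PROPS: Jonathon's layout.
BAD_PROPS = """
cas.authn.mfa.global-provider-id=mfa-duo
cas.authn.mfa.duo[0].id=mfa-duo
cas.authn.mfa.duo[0].rank=0
cas.authn.mfa.duo[1].id=mfa-duo-alt
cas.authn.mfa.duo[1].rank=1
"""
GOOD_PROPS = """
cas.authn.mfa.triggers.global.global-provider-id=mfa-duo
cas.authn.mfa.duo[0].id=mfa-duo
cas.authn.mfa.duo[0].name=mfa-duo
# all the other stuff for duo[0]
cas.authn.mfa.duo[1].id=mfa-duo-alt
cas.authn.mfa.duo[1].name=mfa-duo-alt
"""
SERVICE_OK = json.loads("""{"serviceId": "https://app.example.edu/.*",
  "multifactorPolicy": {"multifactorAuthenticationProviders":
    ["java.util.LinkedHashSet", ["mfa-duo-alt"]]}}""")
SERVICE_TYPO = json.loads("""{"serviceId": "https://typo.example.edu/.*",
  "multifactorPolicy": {"multifactorAuthenticationProviders":
    ["java.util.LinkedHashSet", ["mfa-duo-typo"]]}}""")

if __name__ == "__main__":
    for label, props, svcs in (("bad", BAD_PROPS, [SERVICE_OK, SERVICE_TYPO]),
                               ("good", GOOD_PROPS, [SERVICE_OK])):
        print(label, lint(parse_properties(props), svcs))
```

Run it against an exported cas.properties and the JSON service registry before enabling a second Duo instance; a service naming an id that no duo[n] defines is exactly the kind of mismatch that shows up as "unreliable" provider selection at login time.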