Repeated Authentication Required when Duo Enabled

Matthew Uribe

Jul 9, 2019, 10:17:29 AM
to CAS Community
Hello Community,

We use Duo for 2FA and have successfully used it with CAS for a single application. Recently we decided to enable 2FA for all applications using cas.authn.mfa.globalProviderId=mfa-duo and are now finding that each application requires that the user authenticate to the CAS login page. Setting the Duo page to "Remember me for 7 days" doesn't seem to make a difference. Whether the service is using CAS or SAML doesn't seem to make a difference. Enabling 2FA at the service level, rather than globally, yields the same results. Any service which is 2FA enabled is requiring that users auth for each application, which is obviously counter to the idea of a single sign on. Has anyone else who uses 2FA run into this? I can't imagine this is the best outcome, but as I look through the available settings here I don't see what else I might need to configure.

To put it another way, Duo only prompts once, at the first authentication, but thereafter, each application is redirected to the login page for username password auth.

The relevant portion of my cas.properties is:

#Configure Duo authentication properties
cas.authn.mfa.globalFailureMode:           OPEN
cas.authn.mfa.globalProviderId:            mfa-duo
#cas.sso.renewedAuthn=false  #(This was only for experimentation purpose - made no difference)
cas.authn.mfa.duo[0].duoApiHost:           redacted
cas.authn.mfa.duo[0].duoIntegrationKey:    redacted
cas.authn.mfa.duo[0].duoSecretKey:         redacted
#(Also tried setting trustedDeviceEnabled to true - made no difference)
cas.authn.mfa.duo[0].trustedDeviceEnabled: false
cas.authn.mfa.duo[0].duoApplicationKey:    redacted
cas.authn.mfa.duo[0].id:                   mfa-duo

Any help would be greatly appreciated.

Thanks,
Matt Uribe

Matthew Uribe

Jul 15, 2019, 1:14:49 PM
to CAS Community
Hi all,

I did get this resolved after coming across a blog post here:  https://apereo.github.io/2018/01/08/cas-mfa-duosecurity/

I stripped my Duo configuration to only what was included in the blog post, and all is working as expected now.

-Matt