We're currently using CAS 6.5 with Duo for MFA. While the MFA itself works,
we're trying to find some way of determining whether MFA was actually used
during a user's authentication.

MFA is not mandatory for our users, and they must opt-in and enroll
themselves with Duo. We can see that when a user authenticates, there is a
set of promising CAS authentication attributes available, e.g.:
- successfulAuthenticationHandlers: [DuoSecurityAuthenticationHandler]
- credentialType: [DuoSecurityCredential]
- authenticationMethod: [DuoSecurityAuthenticationHandler]
- authnContextClass: [mfa-duo]

However, these attributes appear to be assigned the same values whether or not the
user is enrolled in Duo (and thus whether or not they are presented with the MFA
requirement during their login). Therefore, there doesn't appear to be
anything in these attributes that allows us to distinguish whether MFA was
actually invoked/required/used for the user's authentication.

FWIW, this is how we're currently enabling MFA for CAS in cas.properties:
cas.authn.mfa.triggers.global.global-provider-id=mfa-duo

We've looked at the available multifactor authentication triggers, but none
of the attribute-based triggers seem appropriate since I think they rely on
local information about the principal, and not something authoritative from
Duo or about the actual CAS authentication flow that was used. Perhaps
there's a way using the REST method with the Duo Auth API /enroll_status or
/preauth endpoints, but that sounds kind of fraught (even if possible).

Is there something else we may be overlooking that would help us achieve
our goal?
-- 
Baron Fujimoto <ba...@hawaii.edu> ::: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum descendus pantorum
