How are you triggering MFA / Duo? You likely only want to trigger Duo on
a local attribute and setup the integration to force Duo always. If you
are leaving it up to Duo to decide if the user is enrolled and bypass if
not, the old Duo Web integration couldn't tell you what happen, just
that they got past Duo. 6.5 should be using the new OIDC method, and it
was supposed to return back more detail so you could make security
decisions. So something there isn't working?? Here's my writeup about
the Duo Web integration problems:
https://www.frovarp.dev/2019/03/24/ambiguous-response-in-duo-web/
But in any event, I'd stick them in a group if they have to MFA and
trigger Duo off of membership in that group, always enforcing MFA to
happen on that integration.
On 7/29/22 14:44, Baron Fujimoto wrote:
We're currently using CAS 6.5 with Duo for MFA. While the MFA itself
works, we're trying to find some way of determining whether MFA was
actually used during a user's authentication.
MFA is not mandatory for our users, and they must opt-in and enroll
themselves with Duo. We can see that when a user authenticates, there
is a set of promising CAS authentication attributes available. e.g.:
- successfulAuthenticationHandlers: [DuoSecurityAuthenticationHandler]
- credentialType: [DuoSecurityCredential]
- authenticationMethod: [DuoSecurityAuthenticationHandler]
- authnContextClass: [mfa-duo]
However, these attributes appear to be assigned the same values
whether the user is enrolled in Duo or not – and thus are presented
with the MFA requirement during their login. Therefore, there doesn't
appear to be anything in these attributes that allows us to
distinguish whether MFA was actually invoked/required/used for the
user's authentication.
FWIW, this is how we're currently enabling MFA for CAS in cas.properties:
cas.authn.mfa.triggers.global.global-provider-id=mfa-duo
We've looked at the available multifactor authentication triggers, but
none of the attribute-based triggers seem appropriate since I think
they rely on local information about the principal, and not something
authoritative from Duo or about the actual CAS authentication flow
that was used. Perhaps there's a way using the REST method with the
Duo Auth API /enroll_status or /preauth endpoints, but that sounds
kind of fraught (even if possible).
Is there something else we may be overlooking that would help us
achieve our goal?
--
Baron Fujimoto <ba...@hawaii.edu> ::: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum descendus pantorum
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google
Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAAjLUL0-uwSJhTVCLXBRSUPhfDWSHFUn1xT%3DjSJJw8vwWXdp9g%40mail.gmail.com
<https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAAjLUL0-uwSJhTVCLXBRSUPhfDWSHFUn1xT%3DjSJJw8vwWXdp9g%40mail.gmail.com?utm_medium=email&utm_source=footer>.
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/de4b2e35-06a5-20a2-e3dd-58960bfb7159%40ndsu.edu.
