Thank you for all the replies. I think we're still using the Duo integration method to integrate with CAS that was prevalent circa CAS 5.x (Duo SDK?). I think at the time we finally upgraded to CAS 6.x, the Duo universal prompt stuff was still documented as not quite fully baked and "coming soon", so we deferred implementing that and stuck with what appeared to be successfully backwards compatible. It seems like with the newer methods we'd have more information available.
Because our MFA is opt-in, we've enabled it globally and not on a per-service basis. We've also currently leave the MFA requirements to the business logic in the applications themselves, but are trying to find ways to make that information for them more authoritative. These replies give us options to investigate and consider for future deployments. Mahalo! On Fri, Jul 29, 2022 at 12:31 PM Ray Bon <r...@uvic.ca> wrote: > Baron, > > We have been setting mfa in the service definition; some services are > mandatory, others optional. Users can opt to enrol in duo in another > internal application (where they can update other personal data, etc). > > I have experimented with (but not used in prod): > > # Specify the regular expression pattern to trigger multifactor when > working with a single provider. > # Comment out the setting when working with multiple multifactor providers > # cas.authn.mfa.global-principal-attribute-value-regex=urn:mace:uvic.ca: > university:duo_user > > # Activate MFA globally based on authentication metadata attributes > # > cas.authn.mfa.global-authentication-attribute-name-triggers=eduPersonEntitlement > # > cas.authn.mfa.global-authentication-attribute-value-regex=urn:mace:uvic.ca: > university:duo_user > > Using the older style duo mfa [from within cas],the attributes are as you > listed. When our user does not go through mfa, these attributes are set as: > > successfulAuthenticationHandlers: [LdapAuthenticationHandler] > credentialType: [UsernamePasswordCredential] > authenticationMethod: [LdapAuthenticationHandler] > no authContextClass > > With the newer universal prompt, these attributes exist: > > duoAuthCtxTxId 176187f6-63c6-453f-9e1a-43b1b50dd961 > duoAuthResultStatus allow > duoAuthCtxApplicationName Web SDK Universal prompt > duoAuthCtxReason remembered_device (user_approved on first login) > authnContextClass mfa-duo > duoAuthCtxAccessDeviceIp xxx.xxx.xxx.xxx > duoAuthCtxResult success > duoAud DI... > duoAuthCtxAccessDeviceLocationCity Victoria > duoAuthCtxFactor remembered_device (duo_push on first login) > duoAuthCtxTimestamp 1659132374 > duoAuthCtxAccessDeviceLocationState British Columbia > duoIss https://api-....duosecurity.com/oauth/v1/token > bypassMultifactorAuthentication false > successfulAuthenticationHandlers DuoSecurityAuthenticationHandler > duoSub rbon > duoAuthCtxAccessDeviceLocationCountry Canada > duoAuthCtxUserKey DU... > credentialType DuoSecurityUniversalPromptCredential > authenticationMethod DuoSecurityAuthenticationHandler > duoIat 1.659132375E9 > domain uvic.ca > duoPreferredUsername rbon > duoExp 1659135974 > duoAuthTime 1659132374 > duoAuthCtxEventType authentication > duoAuthResult allow > > So lots to choose from. > > Ray > > On Fri, 2022-07-29 at 09:44 -1000, Baron Fujimoto wrote: > > Notice: This message was sent from outside the University of Victoria > email system. Please be cautious with links and sensitive information. > > We're currently using CAS 6.5 with Duo for MFA. While the MFA itself > works, we're trying to find some way of determining whether MFA was > actually used during a user's authentication. > > MFA is not mandatory for our users, and they must opt-in and enroll > themselves with Duo. We can see that when a user authenticates, there is a > set of promising CAS authentication attributes available. e.g.: > - successfulAuthenticationHandlers: [DuoSecurityAuthenticationHandler] > - credentialType: [DuoSecurityCredential] > - authenticationMethod: [DuoSecurityAuthenticationHandler] > - authnContextClass: [mfa-duo] > > However, these attributes appear to be assigned the same values > whether the user is enrolled in Duo or not – and thus are presented > with the MFA requirement during their login. Therefore, there doesn't > appear to be anything in these attributes that allows us to distinguish > whether MFA was actually invoked/required/used for the user's > authentication. > > FWIW, this is how we're currently enabling MFA for CAS in cas.properties: > cas.authn.mfa.triggers.global.global-provider-id=mfa-duo > > We've looked at the available multifactor authentication triggers, but > none of the attribute-based triggers seem appropriate since I think they > rely on local information about the principal, and not something > authoritative from Duo or about the actual CAS authentication flow that was > used. Perhaps there's a way using the REST method with the Duo Auth API > /enroll_status or /preauth endpoints, but that sounds kind of fraught (even > if possible). > > Is there something else we may be overlooking that would help us achieve > our goal? > -- > Baron Fujimoto <ba...@hawaii.edu> ::: UH Information Technology Services > minutas cantorum, minutas balorum, minutas carboratum descendus pantorum > > -- > > Ray Bon > Programmer Analyst > Development Services, University Systems > 2507218831 | CLE 019 | r...@uvic.ca > > I acknowledge and respect the lək̓ʷəŋən peoples on whose traditional > territory the university stands, and the Songhees, Esquimalt and WSÁNEĆ > peoples whose historical relationships with the land continue to this day. > > -- > - Website: https://apereo.github.io/cas > - Gitter Chatroom: https://gitter.im/apereo/cas > - List Guidelines: https://goo.gl/1VRrw7 > - Contributions: https://goo.gl/mh7qDG > --- > You received this message because you are subscribed to the Google Groups > "CAS Community" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to cas-user+unsubscr...@apereo.org. > To view this discussion on the web visit > https://groups.google.com/a/apereo.org/d/msgid/cas-user/fa61398525e085242274d1fb4a45c8e9ceb6c8fa.camel%40uvic.ca > <https://groups.google.com/a/apereo.org/d/msgid/cas-user/fa61398525e085242274d1fb4a45c8e9ceb6c8fa.camel%40uvic.ca?utm_medium=email&utm_source=footer> > . > -- Baron Fujimoto <ba...@hawaii.edu> ::: UH Information Technology Services minutas cantorum, minutas balorum, minutas carboratum descendus pantorum -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAAjLUL086R25ifL1jJr1E%2B3XDf_Zzz4Y0iqMowRKDAMEUNmCZA%40mail.gmail.com.
