Re Duo account status, I found the following under the Optional tab for Duo configuration:
• cas.authn.mfa.duo[0].account-status-enabled=true When set to true, CAS will contact Duo Security to check for user's account status and to evaluate whether user qualifies for multifactor authentication from Duo's perspective. When disabled, user account status is set to authenticate with Duo and the API call will never be made. On Thu, Sep 7, 2023 at 9:00 AM Baron Fujimoto <ba...@hawaii.edu> wrote: > Interesting. The Duo Universal Prompt Update Guide < > https://duo.com/docs/universal-prompt-update-guide> identifies "CAS > (Central Authentication Service)" as a traditional Duo prompt application > with type "cas", and their Duo for Central Authentication Server (CAS) < > https://duo.com/docs/cas> directs you to select Applications > Protect an > Application > CAS (Central Authentication Service), which gives your > that application type (as opposed to Web SDK). So it seems there is an > inconsistency between what CAS wants and what Duo recommends. AFAICT, the > CAS Duo Security Authentication documentation < > https://apereo.github.io/cas/development/mfa/DuoSecurity-Authentication.html> > does not explicitly advise the WebSDK should be used, only that support for > MFA "based on the Duo's Web SDK and the embedded iFrame is deprecated" and > you are encouraged to switch to the Universal Prompt. The only thing I find > there for triggering the Universal prompt is the non-use > of cas.authn.mfa.duo[0].duo-application-key. > > I also see a discussion about Duo account status on that page, but nothing > about enabling or disabling it. It also suggests that the state of user > account status via the Duo API is ambiguous. ¯\_(ツ)_/¯ > > On Thu, Sep 7, 2023 at 3:49 AM CAS Community <cas-user@apereo.org> wrote: > >> >> I believe we also have the Duo side of things properly configured for >> their Universal Prompt with the Duo Application being used by this CAS set >> to use type "CAS (Central Authentication Service)". >> >> >> >> That is not strictly correct. You either need to switch the type to >> WebSDK, IIRC, or you need to turn off "account status checking" in the CAS >> configuration. >> >> -- >> - Website: https://apereo.github.io/cas >> <https://urldefense.com/v3/__https://apereo.github.io/cas__;!!PvDODwlR4mBZyAb0!X0l0yGK2AFWWIt4QG7GLCI_PMp3NjvU_VgVbXlm-EeZq46yTEz04tcz_CnaEjDrMqyC-VdyerJWiA2PD$> >> - Gitter Chatroom: https://gitter.im/apereo/cas >> <https://urldefense.com/v3/__https://gitter.im/apereo/cas__;!!PvDODwlR4mBZyAb0!X0l0yGK2AFWWIt4QG7GLCI_PMp3NjvU_VgVbXlm-EeZq46yTEz04tcz_CnaEjDrMqyC-VdyerOc118OH$> >> - List Guidelines: https://goo.gl/1VRrw7 >> <https://urldefense.com/v3/__https://goo.gl/1VRrw7__;!!PvDODwlR4mBZyAb0!X0l0yGK2AFWWIt4QG7GLCI_PMp3NjvU_VgVbXlm-EeZq46yTEz04tcz_CnaEjDrMqyC-VdyerJwQA7qh$> >> - Contributions: https://goo.gl/mh7qDG >> <https://urldefense.com/v3/__https://goo.gl/mh7qDG__;!!PvDODwlR4mBZyAb0!X0l0yGK2AFWWIt4QG7GLCI_PMp3NjvU_VgVbXlm-EeZq46yTEz04tcz_CnaEjDrMqyC-VdyerHKg9D5J$> >> --- >> You received this message because you are subscribed to the Google Groups >> "CAS Community" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to cas-user+unsubscr...@apereo.org. >> To view this discussion on the web visit >> https://groups.google.com/a/apereo.org/d/msgid/cas-user/de297d27-5a6e-4f0b-afde-e3f656e43f94n%40apereo.org >> <https://urldefense.com/v3/__https://groups.google.com/a/apereo.org/d/msgid/cas-user/de297d27-5a6e-4f0b-afde-e3f656e43f94n*40apereo.org?utm_medium=email&utm_source=footer__;JQ!!PvDODwlR4mBZyAb0!X0l0yGK2AFWWIt4QG7GLCI_PMp3NjvU_VgVbXlm-EeZq46yTEz04tcz_CnaEjDrMqyC-VdyerBlZwx0Z$> >> . >> > > > -- > Baron Fujimoto <ba...@hawaii.edu> ::: UH Information Technology Services > minutas cantorum, minutas balorum, minutas carboratum descendus pantorum > -- Baron Fujimoto <ba...@hawaii.edu> ::: UH Information Technology Services minutas cantorum, minutas balorum, minutas carboratum descendus pantorum -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAAjLUL2%3D7wfBcLSF3EGWUA3ejjc%3DrGTT2iNaVvryZAd_8pBMcw%40mail.gmail.com.
