Baron,

To get a list of all properties run:
./gradlew exportConfigMetadata

Produces file config-metadata.properties

cas.authn.mfa.global-provider-id has been deprecated.
Replaced with cas.authn.mfa.triggers.global.global-provider-id

Ray
________________________________
From: 'richard.frovarp' via CAS Community <[email protected]>
Sent: September 30, 2025 14:21
To: CAS Community <[email protected]>
Subject: [cas-user] Re: Multiple Instances of Duo MFA clarifications?

What are you trying to accomplish? I'm replying as I just worked through this 
and found your post. My scenario is to have one Duo instance that allows for 
remembered devices, and another that doesn't.

I'm on CAS 7.2.x.

This is just in testing, but my default provider is set with:

cas.authn.mfa.triggers.global.global-provider-id=mfa-duo

The rank for mfa-duo is less than mfa-no-remember

If mfa-no-remember is used first, then mfa-duo is triggered, it is fine. The 
other way around will trigger a new Duo.

I have a prototype Groovy script that will force the mfa-no-remember under 
certain scenarios. Plus it can be configured with the 
multifactorAuthenticationProviders setting.

On Thursday, June 12, 2025 at 9:37:53 PM UTC-5 Baron Fujimoto wrote:
We have multiple instances of Duo defined with distinct IDs:

E.g.:

cas.authn.mfa.duo[0].id=mfa-duo
cas.authn.mfa.duo[0].rank=0
cas.authn.mfa.duo[1].id=mfa-duo-alt
cas.authn.mfa.duo[1].rank=1

Prior to enabling multiple instances, we just relied on this global property to 
provide the default ID.

cas.authn.mfa.global-provider-id=mfa-duo

I'm pretty sure we've empirically determined that setting instance duo[n].id 
properties as well as global-provider-id is incompatible and results in 
unreliable behaviour in terms of what actually gets invoked during 
authentication. Can someone confirm this? Unfortunately, I can't find CAS 
documentation for global-provider-id – search doesn't turn up anything useful, 
nor do I find it on the page documenting "Multifactor Authentication"[*]

We're currently configuring the Duo ID to use in each service registration with
"multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-duo" ] ],
or
"multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-duo-alt" ] ],

Does the duo.rank property do anything here if we're explicitly only specifying 
one or the other duo.id?

[*] 
<https://apereo.github.io/cas/7.0.x/mfa/Configuring-Multifactor-Authentication.html>

--
Baron Fujimoto <[email protected]> ::: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum descendus pantorum

--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/f6fea1c1-3368-4524-b9be-74bb7d272c0an%40apereo.org.

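
An added example, not part of the thread and not code from CAS: a small Python check that flags the deprecated key named above and any provider ID, set globally or in a service registration, that no cas.authn.mfa.duo[n].id defines. The sample properties, the service file names and the function names are constructed for illustration, and the check assumes only Duo providers are configured.

```python
import json
import re

# Key names below are the ones quoted in the thread.
DEPRECATED_KEY = "cas.authn.mfa.global-provider-id"
CURRENT_KEY = "cas.authn.mfa.triggers.global.global-provider-id"
DUO_ID = re.compile(r"^cas\.authn\.mfa\.duo\[\d+\]\.id$")

def parse_properties(text):
    """Parse simple key=value lines; skips blanks and # or ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def lint(properties_text, services):
    """Return findings for the properties text and service registrations."""
    props = parse_properties(properties_text)
    duo_ids = {v for k, v in props.items() if DUO_ID.match(k)}
    findings = []
    if DEPRECATED_KEY in props:
        findings.append(f"deprecated: {DEPRECATED_KEY}; use {CURRENT_KEY}")
    for key in (DEPRECATED_KEY, CURRENT_KEY):
        if key in props and props[key] not in duo_ids:
            findings.append(f"undefined provider in {key}: {props[key]}")
    for name, service_json in services.items():
        # The value has the shape [ "java.util.LinkedHashSet", [ ids... ] ].
        entry = json.loads(service_json).get("multifactorAuthenticationProviders")
        for provider in (entry[1] if entry else []):
            if provider not in duo_ids:
                findings.append(f"undefined provider in {name}: {provider}")
    return findings

# Constructed sample input, modelled on the snippets in the thread.
SAMPLE_PROPERTIES = """\
cas.authn.mfa.duo[0].id=mfa-duo
cas.authn.mfa.duo[0].rank=0
cas.authn.mfa.duo[1].id=mfa-duo-alt
cas.authn.mfa.duo[1].rank=1
cas.authn.mfa.global-provider-id=mfa-duo
"""
SAMPLE_SERVICES = {
    "app-a.json": '{"multifactorAuthenticationProviders": ["java.util.LinkedHashSet", ["mfa-duo-alt"]]}',
    "app-b.json": '{"multifactorAuthenticationProviders": ["java.util.LinkedHashSet", ["mfa-no-remember"]]}',
}
```

Calling lint(SAMPLE_PROPERTIES, SAMPLE_SERVICES) reports the deprecated key and the app-b.json reference to a provider ID that the properties never define.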