Hi Baron,

Not sure if this helps with your use-case, but we are able to override the
global Duo provider on a per-service basis as follows.  I believe I ran
into issues when I didn't have the .name property but don't remember what
exactly.  This works on 7.2.x:

cas.properties
---------------

cas.authn.mfa.triggers.global.global-provider-id=mfa-duo
cas.authn.mfa.duo[0].id=mfa-duo
cas.authn.mfa.duo[0].name=mfa-duo
# all the other stuff for duo[0]

cas.authn.mfa.duo[1].id=mfa-duo-alt
cas.authn.mfa.duo[1].name=mfa-duo-alt
# all the other stuff for duo[1]


service definition
-------------------

"multifactorPolicy": {
  "@class": "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
  "failureMode": "CLOSED",
  "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-duo-alt" ] ],
  "bypassEnabled": false,
  "forceExecution": true
},


On Wed, Oct 1, 2025 at 3:08 PM Ray Bon <[email protected]> wrote:

> Baron,
>
> To get a list of all properties run:
> ./gradlew exportConfigMetadata
>
> Produces file config-metadata.properties
>
> cas.authn.mfa.global-provider-id has been deprecated.
> Replaced with cas.authn.mfa.triggers.global.global-provider-id
>
> Ray
> ------------------------------
> *From:* 'richard.frovarp' via CAS Community <[email protected]>
> *Sent:* September 30, 2025 14:21
> *To:* CAS Community <[email protected]>
> *Subject:* [cas-user] Re: Multiple Instances of Duo MFA clarifications?
>
> What are you trying to accomplish? I'm replying as I just worked through
> this and found your post. My scenario is to have one Duo instance that
> allows for remembered devices, and another that doesn't.
>
> I'm on CAS 7.2.x.
>
> This is just in testing, but my default provider is set with:
>
> cas.authn.mfa.triggers.global.global-provider-id=mfa-duo
>
> The rank for mfa-duo is less than mfa-no-remember
>
> If mfa-no-remember is used first, then mfa-duo is triggered, it is fine.
> The other way around will trigger a new Duo.
>
> I have a prototype Groovy script that will force the mfa-no-remember under
> certain scenarios. Plus it can be configured with
> the multifactorAuthenticationProviders setting.
>
> On Thursday, June 12, 2025 at 9:37:53 PM UTC-5 Baron Fujimoto wrote:
>
> We have multiple instances of Duo defined with distinct IDs:
>
> E.g.:
>
> cas.authn.mfa.duo[0].id=mfa-duo
> cas.authn.mfa.duo[0].rank=0
> cas.authn.mfa.duo[1].id=mfa-duo-alt
> cas.authn.mfa.duo[1].rank=1
>
> Prior to enabling multiple instances, we just relied on this global
> property to provide the default ID.
>
> cas.authn.mfa.global-provider-id=mfa-duo
>
> I'm pretty sure we've empirically determined that setting instance
> duo[n].id properties as well as global-provider-id is incompatible and
> results in unreliable behaviour in terms of what actually gets invoked
> during authentication. Can someone confirm this? Unfortunately, I can't
> find CAS documentation for global-provider-id – search doesn't turn up
> anything useful, nor do I find it on the page documenting "Multifactor
> Authentication"[*]
>
> We're currently configuring the Duo ID to use in each service registration
> with
> "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-duo" ] ],
> or
> "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-duo-alt" ] ],
>
> Does the duo.rank property do anything here if we're explicitly only
> specifying one or the other duo.id?
>
> [*] <https://apereo.github.io/cas/7.0.x/mfa/Configuring-Multifactor-Authentication.html>
>
> --
> Baron Fujimoto <[email protected]> ::: UH Information Technology Services
> minutas cantorum, minutas balorum, minutas carboratum descendus pantorum
>
> --
> - Website: https://apereo.github.io/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/f6fea1c1-3368-4524-b9be-74bb7d272c0an%40apereo.org
> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/f6fea1c1-3368-4524-b9be-74bb7d272c0an%40apereo.org?utm_medium=email&utm_source=footer>
> .
>


-- 
Jonathon Taylor (he/him)
Information Security Office
[email protected]
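
A consistency check for the configuration discussed in this thread, as an added example that is not part of the original messages or of CAS itself: it confirms that every Duo provider ID referenced by the global trigger or by a service's multifactorAuthenticationProviders is actually defined in cas.properties, and flags the deprecated global key and missing .name entries. The sample inputs, the service name "example-app" and the ID "mfa-duo-typo" are constructed for illustration.

```python
import json
import re

# Constructed sample inputs modelled on the snippets in this thread.
CAS_PROPERTIES = """\
cas.authn.mfa.triggers.global.global-provider-id=mfa-duo
cas.authn.mfa.duo[0].id=mfa-duo
cas.authn.mfa.duo[0].name=mfa-duo
cas.authn.mfa.duo[1].id=mfa-duo-alt
"""
SERVICE_JSON = """{
  "name": "example-app",
  "multifactorPolicy": {
    "multifactorAuthenticationProviders": ["java.util.LinkedHashSet", ["mfa-duo-alt", "mfa-duo-typo"]]
  }
}"""

DUO_KEY = re.compile(r"cas\.authn\.mfa\.duo\[(\d+)\]\.(id|name)$")
GLOBAL_KEY = "cas.authn.mfa.triggers.global.global-provider-id"
OLD_GLOBAL_KEY = "cas.authn.mfa.global-provider-id"  # deprecated per the thread

def parse_properties(text):
    """Parse simple key=value lines, skipping blanks and # comments."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def lint(properties_text, service_texts):
    """Return findings for provider IDs that are referenced but not defined."""
    props, duo, findings = parse_properties(properties_text), {}, []
    for key, value in props.items():
        m = DUO_KEY.match(key)
        if m:
            duo.setdefault(int(m.group(1)), {})[m.group(2)] = value
    ids = {d["id"] for d in duo.values() if "id" in d}
    # The thread reports issues on 7.2.x when .name is absent.
    findings += [f"duo[{n}] has no .name" for n in sorted(duo) if "name" not in duo[n]]
    if OLD_GLOBAL_KEY in props:
        findings.append(f"deprecated key {OLD_GLOBAL_KEY}")
    if GLOBAL_KEY in props and props[GLOBAL_KEY] not in ids:
        findings.append(f"global provider {props[GLOBAL_KEY]} is not defined")
    for text in service_texts:
        svc = json.loads(text)
        policy = svc.get("multifactorPolicy", {})
        # CAS wraps the set as [ "java.util.LinkedHashSet", [ ids... ] ]
        wrapped = policy.get("multifactorAuthenticationProviders", [None, []])
        findings += [f"{svc.get('name')}: unknown provider {p}"
                     for p in wrapped[1] if p not in ids]
    return findings
```

Calling lint(CAS_PROPERTIES, [SERVICE_JSON]) on the constructed input reports the missing duo[1].name and the undefined "mfa-duo-typo" reference.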
