Although it’s possible to enable MFA across the board for all services by setting properties in cas.properties (see CAS 5: Configuration Properties: Multi-factor Authentication), it’s usually preferable to configure it on a per-service basis in the service registry.
Create a second service definition for the CAS client
Make a copy of etc/cas/services/ApacheSecuredByCAS-1504122840.json in the cas-overlay-template directory on the master build server (casdev-master) and call it ApacheSecuredByCASandDuo-1504200420.json (replace 1504200420 with the current date +%s or YYYYMMDDhhmmss value):
casdev-master# cd /opt/workspace/cas-overlay-template
casdev-master# cp -p etc/cas/services/ApacheSecuredByCAS-1504122840.json etc/cas/services/ApacheSecuredByCASandDuo-1504200420.json
Then edit etc/cas/services/ApacheSecuredByCASandDuo-1504200420.json and do the following:
- Change the serviceId property to reflect the path to the secure area created in the previous step.
- Change the id property to a unique value (make sure this value matches the one in the filename).
- Change the description property to include the Duo MFA requirement.
- Add the multifactorPolicy property as shown below.
- Change the evaluationOrder property to a different value.
When done, the file should look something like this:
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://casdev-casapp.newschool.edu/secured-by-cas-duo(\\z|/.*)",
  "name" : "Apache Secured By CAS and Duo",
  "id" : 1504200420,
  "description" : "CAS development Apache mod_auth_cas server with username/password and Duo MFA protection",
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
  },
  "multifactorPolicy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
    "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-duo" ] ]
  },
  "evaluationOrder" : 1200
}
The multifactorPolicy added here defines a single MFA provider, mfa-duo. It does not allow the MFA requirement to be bypassed (meaning that users not registered with Duo will not be able to log in), and it will fail “closed,” meaning that if for some reason the Duo service is unavailable, users will not be able to log in.
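As an added example (not code from the page or from CAS itself): a small Python lint over a service registry that checks the points this step depends on, namely that id matches the filename suffix, that serviceId is a valid regex, that id and evaluationOrder are unique, and that a given URL routes to the intended definition and its MFA providers. The CAS-only definition in the sample registry is assumed (its serviceId and evaluationOrder are placeholders), and the lookup only approximates CAS's own matching.

```python
import re

# Constructed sample registry (not the page's files): the Duo entry is the page's definition,
# the CAS-only entry is assumed, with a placeholder serviceId and evaluationOrder.
SAMPLE_REGISTRY = {
    "ApacheSecuredByCAS-1504122840.json": {
        "@class": "org.apereo.cas.services.RegexRegisteredService",
        "serviceId": "^https://casdev-casapp.newschool.edu/secured-by-cas(\\z|/.*)",
        "id": 1504122840, "evaluationOrder": 1100},
    "ApacheSecuredByCASandDuo-1504200420.json": {
        "@class": "org.apereo.cas.services.RegexRegisteredService",
        "serviceId": "^https://casdev-casapp.newschool.edu/secured-by-cas-duo(\\z|/.*)",
        "id": 1504200420, "evaluationOrder": 1200,
        "multifactorPolicy": {
            "@class": "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
            "multifactorAuthenticationProviders": ["java.util.LinkedHashSet", ["mfa-duo"]]}},
}

def _compile(service_id):
    # Java's \z (absolute end of input) is spelled \Z in Python's re module.
    return re.compile(service_id.replace("\\z", "\\Z"))

def lint_registry(registry):
    """Return the problems found in a {filename: definition} registry ([] means clean)."""
    problems, seen = [], {"id": {}, "evaluationOrder": {}}
    for fname, svc in sorted(registry.items()):
        m = re.fullmatch(r".+-(\d+)\.json", fname)
        if not m or int(m.group(1)) != svc.get("id"):
            problems.append(f"{fname}: id {svc.get('id')} does not match the filename")
        try:
            _compile(svc["serviceId"])
        except re.error as e:
            problems.append(f"{fname}: serviceId is not a valid regex ({e})")
        for key in seen:  # id and evaluationOrder must each be unique registry-wide
            val = svc.get(key)
            if val in seen[key]:
                problems.append(f"{fname}: {key} {val} also used by {seen[key][val]}")
            seen[key][val] = fname
    return problems

def mfa_providers_for(registry, url):
    """Providers CAS requires for url: lowest-evaluationOrder match wins; None = no service."""
    for svc in sorted(registry.values(), key=lambda s: s.get("evaluationOrder", 0)):
        if _compile(svc["serviceId"]).match(url):
            providers = svc.get("multifactorPolicy", {}).get("multifactorAuthenticationProviders")
            return list(providers[1]) if providers else []  # ["java.util.LinkedHashSet", [...]]
    return None
```

To lint a real overlay, build the dictionary from the JSON files under etc/cas/services with json.load and pass it to lint_registry.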
