Although it’s possible to enable MFA across the board for all services by setting properties in cas.properties
(see CAS 5: Configuration Properties: Multi-factor Authentication), it’s usually preferable to configure it on a per-service basis in the service registry.
Create a second service definition for the CAS client
Make a copy of etc/cas/services/ApacheSecuredByCAS-1504122840.json in the cas-overlay-template directory on the master build server (casdev-master) and call it ApacheSecuredByCASandDuo-1504200420.json (replace 1504200420 with the current date +%s or YYYYMMDDhhmmss value):
casdev-master# cd /opt/workspace/cas-overlay-template
casdev-master# cp -p etc/cas/services/ApacheSecuredByCAS-1504122840.json etc/cas/services/ApacheSecuredByCASandDuo-1504200420.json
Then edit etc/cas/services/ApacheSecuredByCASandDuo-1504200420.json and do the following:
- Change the serviceId property to reflect the path to the secure area created in the previous step.
- Change the id property to a unique value (make sure this value matches the one in the filename).
- Change the description property to include the Duo MFA requirement.
- Add the multifactorPolicy property as shown below.
- Change the evaluationOrder property to a different value.
When done, the file should look something like this:
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://casdev-casapp.newschool.edu/secured-by-cas-duo(\\z|/.*)",
  "name" : "Apache Secured By CAS and Duo",
  "id" : 1504200420,
  "description" : "CAS development Apache mod_auth_cas server with username/password and Duo MFA protection",
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
  },
  "multifactorPolicy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
    "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-duo" ] ]
  },
  "evaluationOrder" : 1200
}
The multifactorPolicy added here defines a single MFA provider, mfa-duo. It does not allow the MFA requirement to be bypassed (meaning that users not registered with Duo will not be able to log in), and it will fail “closed,” meaning that if for some reason the Duo service is unavailable, users will not be able to log in.