5.1 uses a broken method for bypassing Duo. Or at least broken in some respects. That's why you get the flash on the screen. 5.1 actually triggers the widget, and the widget is doing the bypass. CAS doesn't know, so all of your users under 5.1 are asserting via attribute release that they have performed MFA, when in fact they may not have.
5.2+ added a method that makes an API call to see if the user can bypass. If the user can bypass, they don't get the MFA iframe appearing. It also then doesn't assert that MFA has happened when it hasn't.

What we're doing is that everyone that has to MFA is in an AD group. We use that to trigger MFA. The Duo integration is configured to always require MFA, because anyone sent to it will have been asserted by AD to require Duo.

If you need to bypass Duo, you just change the CAS config to point to an AD group that doesn't exist, touch the file, and away it goes. Handy for when Duo is down, or your own network is down.

On 2/21/19 11:38 AM, Travis Schmidt wrote:

OK, that might explain it. Does the Duo iframe screen then flash by now for these users when in the past it did not?

One way to get around possibly. If you have an attribute available that marks a user as being enrolled in Duo, you can set a trigger to enforce Duo on only those users, with name attribute values or Groovy script. The trade-off is that all services will require Duo for anyone enrolled in Duo, but you should be able to set bypass flags in services or a bypass script.

Depending on how you are set up to use Duo now, this could be a big or small change.

Travis

On Thu, Feb 21, 2019 at 9:30 AM Greg Booth <g...@mtu.edu> wrote:

We are seeing this issue as well, CAS 5.3.4 using MFA with Duo. We believe it is an issue Duo has introduced with their new API.
See the yellow box under “User Account Status”:
https://apereo.github.io/cas/5.3.x/installation/DuoSecurity-Authentication.html#user-account-status

Rather than wait for Duo to fix this, we are looking into ways to bypass this issue without disabling Duo entirely on our services, using Multifactor Authentication Bypass:
https://apereo.github.io/cas/5.3.x/installation/Configuration-Properties-Common.html#multifactor-authentication-bypass

Have not gotten anywhere with this yet, if anyone has experience with those config settings, we could use your help.

Greg

On Thu, Feb 21, 2019 at 9:39 AM atilling <atill...@conncoll.edu> wrote:

CAS version 5.1.9 using MFA with DUO. We had this working fine for about two years at this point. Tuesday it started causing problems for our unenrolled users. We have the DUO setting "allow unenrolled users to pass through without two-factor authentication" but sometime around 5 pm Tuesday all unenrolled users started getting the error "The validation request for ['ST-...'] cannot be satisfied. The request is either unrecognized or unfulfilled." whenever logging into a Duo protected service.

Has anyone else experienced this? Did something change with Duo in the last 72 hours? We had to turn off Duo for these services and we don't want to keep it off. Any help would be appreciated.

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/d6587944-0b2a-492c-9922-b84d0047486f%40apereo.org.

--
Gregory Booth
Senior Systems Administrator & Technical Team Lead
IT Operations
Information Technology
Michigan Technological University
(906) 487-1797
www.mtu.edu
www.it.mtu.edu
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/985ac6a9-1263-c9d1-6257-bdc22f948bfd%40ndsu.edu.
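
The point made at the top of the thread, that under 5.1 a user can assert MFA via attribute release when Duo let them through without a factor, can be audited after the fact by joining CAS assertions against Duo authentication events. This is an added sketch, not part of the thread and not CAS or Duo code; the record layout, field names, reason labels and two-minute window are assumptions, and the sample records are constructed.

```python
"""Flag CAS assertions that claim Duo MFA without a completed Duo factor."""
from datetime import datetime, timedelta

# Constructed sample records. Field names are assumptions for this sketch,
# not the exact CAS audit-log or Duo log schema.
CAS_ASSERTIONS = [
    {"user": "alice", "time": "2019-02-21T09:30:05", "authnContextClass": "mfa-duo"},
    {"user": "bob", "time": "2019-02-21T09:31:10", "authnContextClass": "mfa-duo"},
    {"user": "carol", "time": "2019-02-21T09:32:00", "authnContextClass": None},
    {"user": "dave", "time": "2019-02-21T09:40:00", "authnContextClass": "mfa-duo"},
]
DUO_EVENTS = [
    {"user": "alice", "time": "2019-02-21T09:30:01", "result": "success", "reason": "user_approved"},
    {"user": "bob", "time": "2019-02-21T09:31:08", "result": "success", "reason": "allow_unenrolled_user"},
]
# Reason labels (assumed) meaning Duo passed the user without a factor.
NO_FACTOR_REASONS = {"allow_unenrolled_user", "bypass_user"}
# A Duo event counts only if it precedes the CAS assertion by at most this long.
WINDOW = timedelta(minutes=2)

def _ts(value):
    return datetime.fromisoformat(value)

def classify(assertion, duo_events):
    """Return 'no-claim', 'verified', 'no-factor' or 'no-duo-record'."""
    if assertion["authnContextClass"] != "mfa-duo":
        return "no-claim"  # ticket does not assert MFA, nothing to check
    when = _ts(assertion["time"])
    nearby = [e for e in duo_events
              if e["user"] == assertion["user"]
              and timedelta(0) <= when - _ts(e["time"]) <= WINDOW]
    if not nearby:
        return "no-duo-record"
    latest = max(nearby, key=lambda e: _ts(e["time"]))
    if latest["result"] == "success" and latest["reason"] not in NO_FACTOR_REASONS:
        return "verified"
    return "no-factor"

def false_mfa_claims(assertions, duo_events):
    """List (user, verdict) for assertions that claim MFA Duo cannot back up."""
    verdicts = [(a["user"], classify(a, duo_events)) for a in assertions]
    return [(u, v) for u, v in verdicts if v in ("no-factor", "no-duo-record")]

if __name__ == "__main__":
    for user, verdict in false_mfa_claims(CAS_ASSERTIONS, DUO_EVENTS):
        print(f"{user}: asserted mfa-duo, Duo side shows {verdict}")
```
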