Hello Community,

We use Duo for 2FA and have successfully used it with CAS for a single application. Recently we decided to enable 2FA for all applications using cas.authn.mfa.globalProviderId=mfa-duo and are now finding that each application requires that the user authenticate to the CAS login page. Setting the Duo page to "Remember me for 7 days" doesn't seem to make a difference. Whether the service is using CAS or SAML doesn't seem to make a difference. Enabling 2FA at the service level, rather than globally, yields the same results. Any service which is 2FA enabled is requiring that users auth for each application, which is obviously counter to the idea of a single sign on.

Has anyone else who uses 2FA run into this? I can't imagine this is the best outcome, but as I look through the available settings here <https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html#duosecurity> I don't see what else I might need to configure.
To put it another way, Duo only prompts once, at the first authentication, but thereafter, each application is redirected to the login page for username password auth.

The relevant portion of my cas.properties is:

#Configure Duo authentication properties
cas.authn.mfa.globalFailureMode: OPEN
cas.authn.mfa.globalProviderId: mfa-duo
#cas.sso.renewedAuthn=false #(This was only for experimentation purpose - made no difference)
cas.authn.mfa.duo[0].duoApiHost: redacted
cas.authn.mfa.duo[0].duoIntegrationKey: redacted
cas.authn.mfa.duo[0].duoSecretKey: redacted
cas.authn.mfa.duo[0].trustedDeviceEnabled: false #(Also tried setting this to true - made no difference)
cas.authn.mfa.duo[0].duoApplicationKey: redacted
cas.authn.mfa.duo[0].id: mfa-duo

Any help would be greatly appreciated.

Thanks,
Matt Uribe