Baron,

Try creating a new service in Duo to check if the problem is on their side.

Ray

On Fri, 2023-07-21 at 15:02 -1000, Baron Fujimoto wrote:

We're trying to upgrade from CAS 6.6 using the old Duo iFrame MFA to CAS 7 
using the new Duo Universal Prompt.

In our CAS 6.6/iFrame version, we configured this with the following properties:

cas.authn.mfa.duo[0].duo-application-key=<private WebSDK integration key>
cas.authn.mfa.duo[0].duo-api-host=<Duo API hostname>
cas.authn.mfa.duo[0].duo-integration-key=<Duo integration key>
cas.authn.mfa.duo[0].duo-application-key=<Duo secret key>

For our CAS 7/Universal Prompt version, we're using:

cas.authn.mfa.duo[0].duo-api-host=<Duo API hostname>
cas.authn.mfa.duo[0].duo-integration-key=<Duo client ID>
cas.authn.mfa.duo[0].duo-application-key=<Duo client secret>

Our duo-api-host does not differ for these two, and our Duo admin panel is 
configured to "Show Universal Prompt" for our Duo application we reference in 
our CAS 7 properties.

However, after entering a username and password, we get the following error:
===
MFA Provider Unavailable

CAS was unable to reach your configured MFA provider at this time. Due to 
failure policies configured for the service you are attempting to access, 
authentication can not be granted at this time.
===

Our CAS log reports:
WARN [org.apereo.cas.adaptors.duo.authn.UniversalPromptDuoSecurityAuthenticationService] - <invalid_client>

Any ideas what we may have amiss or how we may further troubleshoot this?

I've been using the following resources for reference:
Duo documentation –
- <https://duo.com/docs/universal-prompt-update-guide>
- <https://duo.com/docs/cas#update-cas>
CAS documentation –
- <https://apereo.github.io/cas/development/mfa/DuoSecurity-Authentication.html#universal-prompt>
Fawnoos documentation –
- <https://fawnoos.com/2023/01/29/cas70x-duo-security-mfa-universal-prompt/>

I note that the Duo documentation says to create the Duo application type as 
"CAS (Central Authentication Service)" whereas Fawnoos says to use WebSDK. Does 
this matter?
--
Baron Fujimoto <ba...@hawaii.edu> ::: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum descendus pantorum
