Yes, I created a new Duo protected application for this using their admin panels. I assume this is what you mean by new service? I'm not sure how I would check if the problem is on the Duo side though?
On Mon, Jul 24, 2023 at 6:41 AM Ray Bon <r...@uvic.ca> wrote: > Baron, > > Try creating a new service in Duo to check if the problem is on their side. > > Ray > > On Fri, 2023-07-21 at 15:02 -1000, Baron Fujimoto wrote: > > Notice: This message was sent from outside the University of Victoria > email system. Please be cautious with links and sensitive information. > > We're trying to upgrade from CAS 6.6 using the old Duo iFrame MFA to CAS 7 > using the new Duo Universal Prompt. > > In our CAS 6.6/iFrame version, we configured this with the following > properties: > > cas.authn.mfa.duo[0].duo-application-key=<private WebSDK integration key> > cas.authn.mfa.duo[0].duo-api-host=<Duo API hostname> > cas.authn.mfa.duo[0].duo-integration-key=<Duo integration key> > cas.authn.mfa.duo[0].duo-application-key=<Duo secret key> > > For our CAS 7/Universal Prompt version, we're using: > > cas.authn.mfa.duo[0].duo-api-host=<Duo API hostname> > cas.authn.mfa.duo[0].duo-integration-key=<Duo client ID> > cas.authn.mfa.duo[0].duo-application-key=<Duo client secret> > > Our duo-api-host does not differ for these two, and our Duo admin panel is > configured to "Show Universal Prompt" for our Duo application we reference > in our CAS 7 properties. > > However, after entering a username and password, we get the following > error: > === > MFA Provider Unavailable > > CAS was unable to reach your configured MFA provider at this time. Due to > failure policies configured for the service you are attempting to access, > authentication can not be granted at this time. > === > > Our CAS log reports: > WARN > [org.apereo.cas.adaptors.duo.authn.UniversalPromptDuoSecurityAuthenticationService] > - <invalid_client> > > Any ideas what we may have amiss or how we may further troubleshoot this? > > I've been using the following resources for reference: > Duo documentation – > - <https://duo.com/docs/universal-prompt-update-guide > <https://urldefense.com/v3/__https://duo.com/docs/universal-prompt-update-guide__;!!PvDODwlR4mBZyAb0!QTG6JSa0-4wePpngNr2LVrvV5are9o_U-9DlMHDVlN_PbaZ-B9xNd3IyYldETbWGaizJW4k9LuGc$> > > > - <https://duo.com/docs/cas#update-cas > <https://urldefense.com/v3/__https://duo.com/docs/cas*update-cas__;Iw!!PvDODwlR4mBZyAb0!QTG6JSa0-4wePpngNr2LVrvV5are9o_U-9DlMHDVlN_PbaZ-B9xNd3IyYldETbWGaizJW6-WyS_i$> > > > CAS documentation – > - < > https://apereo.github.io/cas/development/mfa/DuoSecurity-Authentication.html#universal-prompt > <https://urldefense.com/v3/__https://apereo.github.io/cas/development/mfa/DuoSecurity-Authentication.html*universal-prompt__;Iw!!PvDODwlR4mBZyAb0!QTG6JSa0-4wePpngNr2LVrvV5are9o_U-9DlMHDVlN_PbaZ-B9xNd3IyYldETbWGaizJW0G7Wbl8$> > > > Fawnoos documentation – > - < > https://fawnoos.com/2023/01/29/cas70x-duo-security-mfa-universal-prompt/ > <https://urldefense.com/v3/__https://fawnoos.com/2023/01/29/cas70x-duo-security-mfa-universal-prompt/__;!!PvDODwlR4mBZyAb0!QTG6JSa0-4wePpngNr2LVrvV5are9o_U-9DlMHDVlN_PbaZ-B9xNd3IyYldETbWGaizJW1sm2ICa$> > > > > I note that the Duo documentation says to create the Duo application type > as "CAS (Central Authentication Service)" whereas Fawnoos says to use > WebSDK. Does this matter? > -- > Baron Fujimoto <ba...@hawaii.edu> ::: UH Information Technology Services > minutas cantorum, minutas balorum, minutas carboratum descendus pantorum > > > -- > - Website: https://apereo.github.io/cas > <https://urldefense.com/v3/__https://apereo.github.io/cas__;!!PvDODwlR4mBZyAb0!QTG6JSa0-4wePpngNr2LVrvV5are9o_U-9DlMHDVlN_PbaZ-B9xNd3IyYldETbWGaizJW5pjucQZ$> > - Gitter Chatroom: https://gitter.im/apereo/cas > <https://urldefense.com/v3/__https://gitter.im/apereo/cas__;!!PvDODwlR4mBZyAb0!QTG6JSa0-4wePpngNr2LVrvV5are9o_U-9DlMHDVlN_PbaZ-B9xNd3IyYldETbWGaizJW1mTPZ7I$> > - List Guidelines: https://goo.gl/1VRrw7 > <https://urldefense.com/v3/__https://goo.gl/1VRrw7__;!!PvDODwlR4mBZyAb0!QTG6JSa0-4wePpngNr2LVrvV5are9o_U-9DlMHDVlN_PbaZ-B9xNd3IyYldETbWGaizJW0Nuzh3a$> > - Contributions: https://goo.gl/mh7qDG > <https://urldefense.com/v3/__https://goo.gl/mh7qDG__;!!PvDODwlR4mBZyAb0!QTG6JSa0-4wePpngNr2LVrvV5are9o_U-9DlMHDVlN_PbaZ-B9xNd3IyYldETbWGaizJW8-Sx0_R$> > --- > You received this message because you are subscribed to the Google Groups > "CAS Community" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to cas-user+unsubscr...@apereo.org. > To view this discussion on the web visit > https://groups.google.com/a/apereo.org/d/msgid/cas-user/2e9eb8d5db6882c1553ad81aceb51465d10c6646.camel%40uvic.ca > <https://urldefense.com/v3/__https://groups.google.com/a/apereo.org/d/msgid/cas-user/2e9eb8d5db6882c1553ad81aceb51465d10c6646.camel*40uvic.ca?utm_medium=email&utm_source=footer__;JQ!!PvDODwlR4mBZyAb0!QTG6JSa0-4wePpngNr2LVrvV5are9o_U-9DlMHDVlN_PbaZ-B9xNd3IyYldETbWGaizJW83Bjqu4$> > . > -- Baron Fujimoto <ba...@hawaii.edu> ::: UH Information Technology Services minutas cantorum, minutas balorum, minutas carboratum descendus pantorum -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAAjLUL3LbTMitmiBnuEtBqheyrA7S7_0dombq0aEruOa%3Dh9qnQ%40mail.gmail.com.
