Apereo CAS - Duo Security MFA Universal Prompt

Posted by Misagh Moayyed on May 07, 2021 · 5 mins read ·

Duo Security’s Universal Prompt is a major technical and UX redesign of core Duo Security’s multifactor functionality. It provides a redesign of the web-based authentication prompt and upgrades the Duo Web SDK to provide a new mechanism for delivering the prompt to both Duo-developed and partner-built software integrations without the iFrame.

Apereo CAS can integrate with Duo Security to provide a smooth and seamless multifactor authentication scenario. Support for Duo Security can cover authentication scenarios for web-based applications as well as command-line interfaces and APIs. In this walkthrough, we’ll take a look at Duo Security’s Universal Prompt, which uses Duo’s OIDC Auth API, and the integration strategy with Apereo CAS.

This tutorial specifically requires and focuses on:

Configuration

The Universal Prompt variant does not require you to generate and use an application key value. Instead, it requires a client id and client secret, which are known and taught to CAS using the integration key and secret key configuration settings. You will need to get your integration key, secret key, and API hostname from Duo Security when you register CAS as a protected application.

In the Duo Security admin console, start with the Protect an Application option and choose Web SDK:

Be sure to note down the integration settings and finally save the entry.

In your CAS settings, typically found in the cas.properties file, the absence of duo-application-key indicates that Universal Prompt should be the primary integration mode.

cas.authn.mfa.duo[0].duo-secret-key=...
cas.authn.mfa.duo[0].duo-integration-key=...
cas.authn.mfa.duo[0].duo-api-host=...

Furthermore, let’s make sure that all requests from all applications are asked for multifactor authentication with Duo Security:

cas.authn.mfa.global-provider-id=mfa-duo

That’s it.
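Because the mode CAS picks depends on which keys are present, it helps to audit the properties file before starting CAS. The following Python script is an added example, not part of this post or of the CAS project: it parses the cas.properties entries shown above, flags a leftover duo-application-key (which would select the legacy iframe prompt rather than Universal Prompt), reports required settings that are missing or still placeholders, and checks that mfa-duo is the global provider. The sample file contents and the placeholder conventions (... and REPLACE_ME) are constructed assumptions.

```python
import re

# Constructed sample of the cas.properties entries from the post; values are placeholders.
SAMPLE_PROPERTIES = """\
cas.authn.mfa.duo[0].duo-secret-key=REPLACE_ME_SECRET
cas.authn.mfa.duo[0].duo-integration-key=REPLACE_ME_IKEY
cas.authn.mfa.duo[0].duo-api-host=api-xxxxxxxx.duosecurity.com
cas.authn.mfa.global-provider-id=mfa-duo
"""

DUO_KEY = re.compile(r"^cas\.authn\.mfa\.duo\[(\d+)\]\.(.+)$")
# Settings every Universal Prompt instance needs (from the post's configuration section).
REQUIRED = ("duo-secret-key", "duo-integration-key", "duo-api-host")


def parse_properties(text):
    """Minimal Java .properties parser: key=value or key:value, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def audit_duo(props):
    """Return a list of findings; an empty list means the Duo settings look consistent."""
    findings = []
    instances = {}
    for key, value in props.items():
        m = DUO_KEY.match(key)
        if m:  # group settings by their cas.authn.mfa.duo[N] index
            instances.setdefault(int(m.group(1)), {})[m.group(2)] = value
    if not instances:
        findings.append("no cas.authn.mfa.duo[N] settings found")
    for idx, settings in sorted(instances.items()):
        prefix = f"cas.authn.mfa.duo[{idx}]"
        if "duo-application-key" in settings:
            findings.append(f"{prefix}: duo-application-key present, legacy iframe prompt "
                            "would be selected instead of Universal Prompt")
        for name in REQUIRED:
            value = settings.get(name, "")
            if not value or value == "..." or value.startswith("REPLACE_ME"):
                findings.append(f"{prefix}.{name} is missing or still a placeholder")
    if props.get("cas.authn.mfa.global-provider-id") != "mfa-duo":
        findings.append("cas.authn.mfa.global-provider-id is not mfa-duo; Duo MFA is not enforced globally")
    return findings
```

Run audit_duo(parse_properties(SAMPLE_PROPERTIES)) on the constructed sample and it reports the two placeholder keys; once real values are filled in and no application key is present, the findings list is empty.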

What’s the difference?

  • The current Duo Prompt is delivered via an inline frame (or “iFrame”) that is embedded in a Thymeleaf template file hosted by CAS. This is no longer the case with Universal Prompt, where CAS instead redirects to a page hosted by Duo at duosecurity.com to show the Duo Prompt, and Duo Security redirects back to CAS after the user completes two-factor authentication.

  • To achieve the frameless migration, the Duo Web SDK is updated to bring the Universal Prompt experience to applications. The new SDK is built on top of Duo’s OIDC standards-based API, which begins the process of updating existing Duo integrations to support the Universal Prompt.

  • In the Duo Security admin console, you may note that field labels no longer refer to Integration Key or Secret Key. With Universal Prompt, these fields are renamed to better align with the OAuth 2.0 specification and are now known as the Client ID (client_id) and the Client secret (client_secret).

Need Help?

If you have questions about the contents and the topic of this blog post, or if you need additional guidance and support, feel free to send us a note and ask about consulting and support services.

So…

I hope this review was of some help to you and I am sure that both this post as well as the functionality it attempts to explain can be improved in any number of ways. Please feel free to engage and contribute as best as you can.

Happy Coding,

Misagh Moayyed