Duo Security’s Universal Prompt is a major technical and UX redesign of Duo Security’s core multifactor functionality. It redesigns the web-based authentication prompt and upgrades the Duo Web SDK to provide a new mechanism for delivering the prompt to both Duo-developed and partner-built software integrations without the iFrame.
Apereo CAS can integrate with Duo Security to provide a smooth and seamless multifactor authentication scenario. Support for Duo Security can cover authentication scenarios for web-based applications as well as command-line interfaces and APIs. In this walkthrough, we’ll take a look at Duo Security’s Universal Prompt using Duo’s OIDC Auth API and the integration strategy with Apereo CAS.
This tutorial specifically requires and focuses on:
- CAS 7.0.x
- JDK 21
The Universal Prompt variant does not require you to generate and use an application key value. Instead, it requires a client id and client secret, which are known and taught to CAS using the integration key and secret key configuration settings. You will need to get your integration key, secret key, and API hostname from Duo Security when you register CAS as a protected application.
In the Duo Security admin console, start with the Protect an Application option and choose Web SDK:
Be sure to note down the integration settings and finally save the entry.
In your CAS settings, typically found in the cas.properties file, the absence of duo-application-key indicates that Universal Prompt should be the primary integration mode:

```properties
cas.authn.mfa.duo[0].duo-secret-key=...
cas.authn.mfa.duo[0].duo-integration-key=...
cas.authn.mfa.duo[0].duo-api-host=...
```
Furthermore, let’s make sure that all requests from all applications are asked to complete multifactor authentication with Duo Security:

```properties
cas.authn.mfa.triggers.global.global-provider-id=mfa-duo
```
Alternatively, you could also build a special condition that activates multifactor authentication if any of the values assigned to the attribute memberOf contain the value mfa-eligible:

```properties
cas.authn.mfa.triggers.principal.global-principal-attribute-name-triggers=memberOf
cas.authn.mfa.triggers.principal.global-principal-attribute-value-regex=mfa-eligible
```
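Before restarting CAS it is worth sanity-checking the settings above: that no duo-application-key is present (so CAS really picks Universal Prompt rather than the classic iFrame mode), that the three Universal Prompt settings are all set, and that the trigger configuration does what you expect for a given user. The following script is an added example written for this post, not code from CAS or Duo Security. It parses the relevant cas.properties lines, reports on the Duo integration mode, and models both triggers shown above (the global mfa-duo trigger and the principal-attribute trigger). Assumptions: the sample property values are constructed placeholders, the API hostname check assumes Duo's usual api-<id>.duosecurity.com shape, and the regex is treated as a search over each attribute value, as "contain the value mfa-eligible" describes.

```python
import re

# Constructed sample of the relevant cas.properties lines; values are placeholders, not real credentials.
SAMPLE_PROPERTIES = """
cas.authn.mfa.duo[0].duo-secret-key=PLACEHOLDER_CLIENT_SECRET
cas.authn.mfa.duo[0].duo-integration-key=PLACEHOLDER_CLIENT_ID
cas.authn.mfa.duo[0].duo-api-host=api-01234567.duosecurity.com
cas.authn.mfa.triggers.principal.global-principal-attribute-name-triggers=memberOf
cas.authn.mfa.triggers.principal.global-principal-attribute-value-regex=mfa-eligible
"""

DUO_PREFIX = "cas.authn.mfa.duo[0]."
GLOBAL_TRIGGER = "cas.authn.mfa.triggers.global.global-provider-id"
ATTR_NAMES = "cas.authn.mfa.triggers.principal.global-principal-attribute-name-triggers"
ATTR_REGEX = "cas.authn.mfa.triggers.principal.global-principal-attribute-value-regex"


def parse_properties(text):
    """Minimal key=value parser for the subset of Java properties syntax used in cas.properties."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def duo_integration_mode(props):
    """Universal Prompt is selected by the absence of duo-application-key; its presence means the classic iFrame mode."""
    return "classic" if props.get(DUO_PREFIX + "duo-application-key") else "universal-prompt"


def check_duo_settings(props):
    """Return a list of findings; an empty list means the Universal Prompt settings look complete."""
    findings = []
    for name in ("duo-secret-key", "duo-integration-key", "duo-api-host"):
        if not props.get(DUO_PREFIX + name):
            findings.append(f"missing {DUO_PREFIX}{name}")
    host = props.get(DUO_PREFIX + "duo-api-host", "")
    # Assumption: Duo API hostnames look like api-<id>.duosecurity.com; anything else is worth a second look.
    if host and not re.fullmatch(r"api-[0-9a-z]+\.duosecurity\.com", host):
        findings.append(f"unexpected API host {host!r}")
    if duo_integration_mode(props) == "classic":
        findings.append("duo-application-key is set: CAS will use the classic iFrame integration, not Universal Prompt")
    return findings


def mfa_required(props, principal_attributes):
    """Model the two triggers from the post: a global provider id, or a principal attribute value matching a regex."""
    if props.get(GLOBAL_TRIGGER) == "mfa-duo":
        return True
    names = props.get(ATTR_NAMES, "")
    pattern = props.get(ATTR_REGEX, "")
    if not names or not pattern:
        return False
    regex = re.compile(pattern)
    for name in (n.strip() for n in names.split(",") if n.strip()):
        values = principal_attributes.get(name, [])
        if isinstance(values, str):
            values = [values]
        # Assumption: a value triggers MFA when the regex is found anywhere inside it.
        if any(regex.search(str(v)) for v in values):
            return True
    return False


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    print("integration mode:", duo_integration_mode(props))
    print("findings:", check_duo_settings(props) or "none")
    print("MFA for staff member of mfa-eligible:",
          mfa_required(props, {"memberOf": ["cn=staff", "cn=mfa-eligible,ou=groups"]}))
    print("MFA for plain staff:", mfa_required(props, {"memberOf": ["cn=staff"]}))
```

Run it against your real cas.properties by replacing SAMPLE_PROPERTIES with the file contents; a non-empty findings list points at the setting to fix before CAS attempts the Duo redirect.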
That’s it.

Instead of embedding the prompt in an iFrame, CAS redirects the browser to duosecurity.com to show the Duo Prompt, and Duo Security will finally redirect back to CAS after the user completes two-factor authentication. To achieve this frameless migration, the Duo Web SDK is updated to bring the Universal Prompt experience to applications. The new SDK is built on top of the OIDC standards-based API to begin the process of updating Duo-developed integrations to support the Universal Prompt.
In the Duo Security admin console, you may note that field labels no longer refer to Integration Key or Secret Key. With Universal Prompt, these fields are renamed to better align with the OAuth 2.0 specification and are now known as the Client ID (client_id) and the Client secret (client_secret).
In recent CAS versions, multifactor authentication with Duo Security’s Universal Prompt is adjusted to use the browser’s local storage for tracking the state of the CAS server and authentication contexts before redirecting to Duo Security. In this approach, CAS will no longer create a session-tracking ticket to store the existing authentication context and will only rely on the browser to store and/or restore the necessary authentication context for the entire flow. You might see additional screens before and after the multifactor authentication flow that attempt to process the request from the browser’s local storage with sufficient messaging to indicate request processing is in progress.
If you have questions about the contents and the topic of this blog post, or if you need additional guidance and support, feel free to send us a note and ask about consulting and support services.
I hope this review was of some help to you and I am sure that both this post as well as the functionality it attempts to explain can be improved in any number of ways. Please feel free to engage and contribute as best as you can.
Happy Coding,
Monday-Friday
9am-6pm, Central European Time
7am-1pm, U.S. Eastern Time