Duo Security Authentication
Duo Security is a two-step verification service that provides additional security for access to institutional and personal data.
Duo offers several options for authenticating users:
- a mobile push notification and one-button verification of identity to a smartphone (requires the free Duo Mobile app)
- a one-time code generated on a smartphone
- a one-time code generated by Duo and sent to a handset via SMS text messaging
- a telephone call that will prompt you to validate the login request
See here for additional information.
Support is enabled by including the following dependency in the WAR overlay:
<dependency>
  <groupId>org.apereo.cas</groupId>
  <artifactId>cas-server-support-duo</artifactId>
  <version>${cas.version}</version>
</dependency>
You may need to add the following repositories to the WAR overlay:
<repository>
  <id>duo</id>
  <url>https://dl.bintray.com/uniconiam/maven</url>
</repository>
<repository>
  <id>dupclient</id>
  <url>https://jitpack.io</url>
</repository>
Configuration
To see the relevant list of CAS properties, please review this guide.
Non-Browser MFA
The Duo Security module of CAS is able to also support non-browser based multifactor authentication requests.
In order to trigger this behavior, applications (e.g. curl, REST API clients, etc.) need to specify a special Content-Type header to signal to CAS that the request is submitted from a non-web based environment.
In order to successfully complete the authentication flow, CAS must also be configured with a method of primary authentication that is able to support non-web based environments.
Here is an example using curl that attempts to authenticate into a service by first exercising basic authentication while identifying the request content type as application/cas. It is assumed that the service below is configured in CAS with a special multifactor policy that forces the flow to pass through Duo Security as well.
curl --location --header "Content-Type: application/cas" https://apps.example.org/myapp -L -u casuser:Mellon
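As an added example (not part of the CAS documentation), the same non-browser flow wrapped in a POSIX shell function that keeps the password out of the command line and checks the HTTP result instead of relying on the raw curl call. The CAS_USER and CAS_PASS environment variables and the function names are assumptions of this example, and the target URL is still expected to carry a CAS multifactor policy that routes through Duo Security.

```shell
#!/bin/sh
# Added example, not from the CAS docs. Assumes CAS_USER and CAS_PASS are
# exported so the password is not visible in argv or shell history the way
# "-u casuser:Mellon" is, and that the password contains no '"' or '\'.

# Returns 0 when an HTTP status means the request reached the application,
# i.e. both primary authentication and the Duo step were completed.
cas_status_ok() {
    case "$1" in
        2[0-9][0-9]) return 0 ;;
        *)           return 1 ;;
    esac
}

# cas_nonbrowser_login <service-url>
# Exit codes: 0 authenticated, 1 rejected or unreachable, 2 usage error.
cas_nonbrowser_login() {
    url="$1"
    if [ -z "$url" ] || [ -z "${CAS_USER:-}" ] || [ -z "${CAS_PASS:-}" ]; then
        echo "usage: CAS_USER=... CAS_PASS=... cas_nonbrowser_login <url>" >&2
        return 2
    fi
    command -v curl >/dev/null 2>&1 || { echo "curl not found" >&2; return 2; }

    # Credentials go to curl through a config file read from stdin (--config -),
    # so they are never part of the process command line. -L follows the CAS
    # redirects; --max-time bounds a Duo prompt that is never answered.
    status=$(printf 'user = "%s:%s"\n' "$CAS_USER" "$CAS_PASS" |
        curl --silent --output /dev/null --write-out '%{http_code}' \
             --config - -L --max-time 60 \
             --header "Content-Type: application/cas" "$url") || {
        echo "request to $url failed (curl exit $?)" >&2
        return 1
    }
    if cas_status_ok "$status"; then
        return 0
    fi
    echo "authentication not completed: HTTP $status" >&2
    return 1
}
```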