Google Authenticator for CAS and Shibb IdPs

IAM David Bantz dabantz at
Tue Feb 18 17:36:16 EST 2020

Been asked by Management essentially
"CAS appears able to use Authenticator for MFA SSO; why not Shibboleth?"

raised in the context of merging our SSO operation (to reduce complexity to
maintain and enhance user experience); most of our apps and federation
access rely on Shibb, but Banner ERP and closely related apps use CAS.
Independently, CISO hopes to require MFA for administrative access to
Banner ERP, and hopes to do it without licensing Duo (purely cost

>From what I can tell, the Google Authenticator in Apereo CAS (
makes CAS an MFA *provider* maintaining device registrations, secret keys,
etc. (but not supporting PUSH AFAICT), so fundamentally different from
Shibb Duo plugin.

I'm asking for sanity check of my understanding, any updates on possible
Authenticator/Shibboleth integration and additional considerations to
inform management/executive decisions re SSO and MFA for Banner.

David Bantz
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list