Google Authenticator for CAS and Shibb IdPs

Greg Haverkamp gahaverkamp at
Tue Feb 18 18:09:42 EST 2020

On Tue, Feb 18, 2020 at 2:36 PM IAM David Bantz <dabantz at> wrote:
> From what I can tell, the Google Authenticator in Apereo CAS ( makes CAS an MFA provider maintaining device registrations, secret keys, etc. (but not supporting PUSH AFAICT), so fundamentally different from Shibb Duo plugin.
> I'm asking for sanity check of my understanding, any updates on possible Authenticator/Shibboleth integration and additional considerations to inform management/executive decisions re SSO and MFA for Banner.

Google Authenticator is just an OATH token.

Somewhere, you need some place to store the token secrets, regardless
of which type of OATH client you use.  It appears CAS will do that
with its own store.

Recently, another user on the list released his updates from a
somewhat long-lived TOTP module for Shibboleth:

Some small number of folks here use LinOTP or its privacyIDEA
derivative, with some examples of that and

(My implementation is a heavily modified, over-complicated fork of the
cyber-simon module.  I'd earlier written a simpler one, which I keep
intending to go back to.)

But I'll just note, as Scott did in the thread on Joe Fischetti's
contribution, the expense will come in maintaining your own system.
Duo had deficiencies at the time we were rolling ours out (and we
didn't qualify for the InCommon pricing), else we probably would have
gone that way and saved a lot of headaches over the years.  (I just
had to push out a patch to our token reset script today, after we
realized that, due to growth in our user base, it could no longer
reliably find the most recent failed attempt in a single search.)
Then there's managing a custom UI, dealing with Android device clock
skew, etc.


> David Bantz
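The server-side pieces the message refers to (a store for the OATH token secrets, and tolerance for device clock skew) can be seen in a small TOTP verifier. This is an added example, not code from the original post or from any of the modules it mentions; the `TokenStore` class, its in-memory dictionary and the default window of one 30-second step are assumptions made for illustration.

```python
import base64, hashlib, hmac, struct

STEP = 30    # seconds per time step (RFC 6238 default)
DIGITS = 6   # code length shown by Google Authenticator

def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

class TokenStore:
    """Hypothetical stand-in for the server-side secret store (in-memory only)."""

    def __init__(self):
        self._rows = {}  # user -> {"secret": bytes, "last_counter": int}

    def enroll(self, user: str, b32_secret: str) -> None:
        # Authenticator apps exchange the shared secret as base32 text.
        secret = base64.b32decode(b32_secret, casefold=True)
        self._rows[user] = {"secret": secret, "last_counter": -1}

    def verify(self, user: str, code: str, now: float, window: int = 1):
        """Return the matched step drift (-window..+window), or None on failure."""
        row = self._rows.get(user)
        if row is None:
            return None
        current = int(now) // STEP
        for drift in range(-window, window + 1):
            counter = current + drift
            if counter <= row["last_counter"]:
                continue  # this step or a later one was already accepted: no replay
            if hmac.compare_digest(hotp(row["secret"], counter), code):
                row["last_counter"] = counter  # state the store must persist
                return drift
        return None

# Constructed sample: the RFC 6238 SHA-1 test secret "12345678901234567890".
store = TokenStore()
store.enroll("alice", "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
```

A non-zero return value is the number of steps the device clock is off from the server, which is worth logging per device when chasing skew reports.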
