CAS gateway mode

YF Lai ccyflai at
Sat Jun 11 00:35:07 UTC 2022

Thanks. We used SAML and DuoOIDC in the MFA flow. The passiveAuthenticationSupported flag in DuoOIDC is not enabled by default. Will try it out.


-----Original Message-----
From: users <users-bounces at> On Behalf Of Cantor, Scott via users
Sent: Saturday, 11 June 2022 8:11 am
To: Shib Users <users at>
Cc: Cantor, Scott <cantor.2 at>
Subject: Re: CAS gateway mode

On 6/10/22, 8:06 PM, "users on behalf of YF Lai" <users-bounces at on behalf of ccyflai at> wrote:

>  Oops I am not aware this is an option to explicitly enable.   We used authn/MFA and
> idp.authn.MFA.passiveAuthenticationSupported is true by default.   Am I missing anything to support CAS
> gateway mode?

The MFA flow will default to making sure when it tries to run a login flow that that flow also supports that feature via that flag, so if one of them doesn't it will fail that attempt and log it. It's also possible to get it to not honor those settings and just run the flow regardless, but there's no real reason to most of the time, it's just a matter of getting those flows' passiveAuthenticationSupported flag set properly.

The only flows that can't really do passive support are things like X.509 or SPNEGO where the client is really in control of it.

-- Scott
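
The check described in the reply above (the MFA flow failing a passive attempt when a login flow it calls lacks the flag) can be audited before a CAS gateway request ever hits it. This Python script is an added example, not part of the thread or of Shibboleth's own code; the sample properties text and the SAML and DuoOIDC property names, which follow the idp.authn.MFA.passiveAuthenticationSupported pattern quoted above, are assumptions.

```python
import re

# Constructed sample of IdP authentication properties (not from the thread).
# DuoOIDC is left unset, matching the situation the poster describes.
SAMPLE_PROPERTIES = """\
# login flows called from the MFA flow in this assumed deployment
#idp.authn.MFA.passiveAuthenticationSupported = true
idp.authn.SAML.passiveAuthenticationSupported = true
"""

# Defaults as stated in the thread; any other flow is reported as unknown.
THREAD_DEFAULTS = {"MFA": True, "DuoOIDC": False}

# Property name pattern assumed from the one MFA property quoted in the thread.
PROP_RE = re.compile(
    r"^idp\.authn\.([A-Za-z0-9]+)\.passiveAuthenticationSupported\s*[=:]\s*(\S+)\s*$"
)

def parse_passive_flags(text):
    """Return {flow: bool} for flags set explicitly (comment lines are skipped)."""
    flags = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        match = PROP_RE.match(line)
        if match:
            flags[match.group(1)] = match.group(2).lower() == "true"
    return flags

def audit_passive(text, flows):
    """Classify each flow the MFA flow may call: ok, blocks-passive, unknown-default."""
    explicit = parse_passive_flags(text)
    report = {}
    for flow in flows:
        if flow in explicit:
            supported = explicit[flow]
        elif flow in THREAD_DEFAULTS:
            supported = THREAD_DEFAULTS[flow]
        else:
            report[flow] = "unknown-default"  # default not stated in the thread
            continue
        report[flow] = "ok" if supported else "blocks-passive"
    return report

if __name__ == "__main__":
    for flow, status in audit_passive(SAMPLE_PROPERTIES, ["MFA", "SAML", "DuoOIDC"]).items():
        print(f"{flow}: {status}")
```

A flow reported as `blocks-passive` is one the MFA flow would refuse to run for a passive (gateway) request until its flag is set.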
