CAS gateway mode

[YF Lai]

Thanks.  We used SAML and DuoOIDC in MFA flow.  The passiveAuthenticationSupported flag in DuoOIDC is not enabled by default.  Will try it out.

-YF

-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Cantor, Scott via users
Sent: Saturday, 11 June 2022 8:11 am
To: Shib Users <users at shibboleth.net>
Cc: Cantor, Scott <cantor.2 at osu.edu>
Subject: Re: CAS gateway mode

On 6/10/22, 8:06 PM, "users on behalf of YF Lai" <users-bounces at shibboleth.net on behalf of ccyflai at ust.hk> wrote:

>  Oops I am not aware this is an option to explicitly enable.   We used authn/MFA and
> idp.authn.MFA.passiveAuthenticationSupported is true by default.   Am I missing anything to support CAS
> gateway mode?

The MFA flow will default to making sure when it tries to run a login flow that that flow also supports that feature via that flag, so if one of them doesn't it will fail that attempt and log it. It's also possible to get it to not honor those settings and just run the flow regardless, but there's no real reason to most of the time, it's just a matter of getting those flows' passiveAuthenticationSupported flag set properly.

The only flows that can't really do passive support are things like X.509 or SPNEGO where the client is really in control of it.

-- Scott


-- 
For Consortium Member technical support, see https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fshibboleth.atlassian.net%2Fwiki%2Fx%2FZYEpPw&data=05%7C01%7Cccyflai%40ust.hk%7C5286af7156b14a4f977d08da4b3ee9f0%7Cc917f3e2932249269bb3daca730413ca%7C1%7C0%7C637905030832771694%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=PP7oxMvpZIh%2FZdCRcYHtGjGYV7%2F2iMT8BBzhOfUi6No%3D&reserved=0
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net