CAS gateway mode

Cantor, Scott cantor.2 at
Mon Jun 13 15:07:58 UTC 2022

On 6/13/22, 10:54 AM, "users on behalf of YF Lai" <users-bounces at on behalf of ccyflai at> wrote:

>    So apparently CAS gateway mode cannot work in this kind of authentication flow configuration.

Not unless you simply ignore the actual requirement. If the rule is "you can't interact with the user", then Duo doesn't give you that guarantee unless they were to support the equivalent option in OIDC and honor it by only responding with success if the user had Remember Me checked.  I don't believe they do, which is why we defaulted the flag to false.

The separate issue of course is that it is not universally viewed as a legitimate thing to allow Remember Me and still consider that MFA, but that's a different debate.

-- Scott

More information about the users mailing list