CAS gateway mode
Cantor, Scott
cantor.2 at osu.edu
Mon Jun 13 15:07:58 UTC 2022
On 6/13/22, 10:54 AM, "users on behalf of YF Lai" <users-bounces at shibboleth.net on behalf of ccyflai at ust.hk> wrote:
> So apparently CAS gateway mode cannot work in this kind of authentication flow configuration.
Not unless you simply ignore the actual requirement. If the rule is "you can't interact with the user", then Duo doesn't give you that guarantee unless they were to support the equivalent option in OIDC and honor it by only responding with success if the user had Remember Me checked. I don't believe they do, which is why we defaulted the flag to false.
The separate issue of course is that it is not universally viewed as a legitimate thing to allow Remember Me and still consider that MFA, but that's a different debate.
-- Scott
More information about the users
mailing list