How to Integrate Duo Security with Jasig CAS for Multi-Factor Authentication
Securing access to your authentication system is more critical than ever. By integrating Duo Security with Jasig CAS, you can add an extra layer of protection through two-factor authentication (2FA).
This guide provides a detailed, step-by-step walkthrough for setting up Duo Security MFA with Jasig CAS on a clean install of SUSE Linux Enterprise Server 11.3. We’ll cover installation, configuration, and troubleshooting tips to ensure a smooth setup.
Why Use Duo Security with CAS?
Organizations using Central Authentication Service (CAS) need robust multi-factor authentication (MFA) to protect against unauthorized access. Duo Security provides:
- Strong 2FA protection via push notifications, SMS, or phone calls.
- Easy integration with existing authentication workflows.
- Support for multiple user authentication methods (e.g., mobile apps, hardware tokens, and passcodes).
Prerequisites
Before starting, ensure that you have:
- A server running SUSE Linux Enterprise Server 11.3
- Administrative access to the server
- An active Duo Security account
- Basic familiarity with Java, Apache Tomcat, and CAS
Step 1: Install Java, Tomcat, and Maven
Install Java Development Kit (JDK)
CAS runs on Java, so a JDK is required. Download and install the Java 7 JDK:
rpm -i jdk-7u67-linux-x64.rpm
Install Apache Tomcat and Maven
Apache Tomcat is required to serve CAS, and Maven is needed to build it.
cd /opt
wget http://apache-mirror-url/apache-tomcat-8.0.12.tar.gz
tar zxf apache-tomcat-8.0.12.tar.gz
mv apache-tomcat-8.0.12 tomcat
wget http://apache-mirror-url/apache-maven-3.2.3-bin.tar.gz
tar zxf apache-maven-3.2.3-bin.tar.gz
mkdir /usr/local/apache-maven/
mv apache-maven-3.2.3 /usr/local/apache-maven/apache-maven-3.2.3
Configure Maven in .bashrc
Add the following lines to your .bashrc:
export M2_HOME=/usr/local/apache-maven/apache-maven-3.2.3
export M2=$M2_HOME/bin
export PATH=$M2:$PATH
Apply changes:
source ~/.bashrc
Secure Tomcat with SSL
For security, enable SSL in Tomcat. Follow the Tomcat SSL configuration guide and update /opt/tomcat/conf/server.xml.
Step 2: Install CAS with Duo Security Support
Download and Build CAS Multi-Factor Authentication (MFA)
Get the latest CAS MFA package from Unicon:
git clone https://github.com/Unicon/cas-mfa.git
cd cas-mfa
mvn clean install
Deploy CAS to Tomcat
After a successful build, copy the generated CAS WAR file to Tomcat:
cp target/cas.war /opt/tomcat/webapps/cas.war
Restart Tomcat:
/opt/tomcat/bin/shutdown.sh
/opt/tomcat/bin/startup.sh
Step 3: Configure Duo Security for CAS
Register Your Application with Duo Security
- Log into the Duo Admin Panel.
- Navigate to Applications > Protect an Application.
- Select CAS and generate:
  - Integration Key
  - Secret Key
  - API Hostname
Configure CAS to Use Duo Security
Edit /etc/cas/config/cas.properties and add:
cas.authn.mfa.duo[0].duo-secret-key=YOUR_SECRET_KEY
cas.authn.mfa.duo[0].duo-integration-key=YOUR_INTEGRATION_KEY
cas.authn.mfa.duo[0].duo-api-host=YOUR_API_HOSTNAME
Save the changes.
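The three settings can be checked before Tomcat is restarted. The script below is an added example, not part of the original guide or of any CAS or Duo tooling; the function names `prop_value` and `check_duo_props` are hypothetical, and the hostname check assumes Duo API hosts follow the `api-XXXXXXXX.duosecurity.com` form shown in this guide's troubleshooting table.

```bash
#!/usr/bin/env bash
# Added example: pre-flight check of the Duo settings in cas.properties.
DUO_PREFIX='cas.authn.mfa.duo[0]'   # key prefix used in this guide

# Print the trimmed value of KEY in FILE (last assignment wins, comments skipped).
prop_value() {
    awk -v key="$2" '
        /^[ \t]*[#!]/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# Report each problem on stdout; the return status is the number of problems.
check_duo_props() {
    local file=$1 problems=0 suffix value
    for suffix in duo-secret-key duo-integration-key duo-api-host; do
        value=$(prop_value "$file" "$DUO_PREFIX.$suffix")
        case $value in
            '')     echo "MISSING: $DUO_PREFIX.$suffix"
                    problems=$((problems + 1)) ;;
            YOUR_*) echo "PLACEHOLDER: $DUO_PREFIX.$suffix still holds $value"
                    problems=$((problems + 1)) ;;
            *)      # Assumption: real API hosts follow api-XXXXXXXX.duosecurity.com
                    if [ "$suffix" = duo-api-host ]; then
                        case $value in
                            api-*.duosecurity.com) ;;
                            *) echo "BAD HOST: $value"
                               problems=$((problems + 1)) ;;
                        esac
                    fi ;;
        esac
    done
    # The file holds the Duo secret key, so other users should have no access.
    if [ "$(ls -ld "$file" | cut -c8-10)" != "---" ]; then
        echo "PERMISSIONS: $file is accessible to other users"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Run against a file when one is given on the command line.
if [ "$#" -gt 0 ]; then check_duo_props "$1"; fi
```

Run it as `bash check_duo.sh /etc/cas/config/cas.properties` (the script file name is an assumption); an exit status of 0 means all three keys are set, the hostname matches the expected form, and the file is not accessible to other users.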
Step 4: Test and Debug the Integration
Restart Tomcat
Apply the configuration changes by restarting Tomcat:
/opt/tomcat/bin/shutdown.sh
/opt/tomcat/bin/startup.sh
Check Logs for Issues
If Duo authentication does not work, check the Tomcat logs for errors:
tail -f /opt/tomcat/logs/catalina.out
Common errors include:
| Error | Cause | Solution |
|---|---|---|
| 401 Unauthorized | Incorrect API keys | Verify the Integration Key, Secret Key, and API Hostname in cas.properties. |
| Connection Timeout | Firewall blocking API calls | Ensure the server can reach api-XXXXXXXX.duosecurity.com over HTTPS. |
| CAS Authentication Loop | Misconfigured CAS settings | Check the CAS logs and ensure multi-factor authentication is properly enabled. |
Frequently Asked Questions (FAQs)
Can I Use a Different Version of CAS?
Yes, but ensure that the CAS version you use supports Duo’s multi-factor authentication module.
What Authentication Methods Does Duo Support?
Duo supports:
- Push notifications via the Duo Mobile app
- Passcodes generated by the mobile app or hardware token
- Phone calls for authentication
What Happens If Duo’s Service is Unavailable?
Duo provides offline authentication methods, such as backup codes. You can also configure CAS to allow fallback authentication in case of an outage.
Can I Integrate Duo with Other Identity Providers?
Yes, Duo can be integrated with LDAP, Active Directory, and SAML for broader authentication compatibility.
Conclusion
By integrating Duo Security with Jasig CAS, you significantly improve your authentication security, reducing the risk of unauthorized access. This guide covered:
✔ Installing Java, Tomcat, and Maven
✔ Deploying CAS with Duo Security
✔ Configuring Duo authentication
✔ Troubleshooting common issues
For more details, refer to the official CAS documentation and Duo Security’s support resources.