Knowledge Base Articles - CAS and Duo
CAS Service Registry
The CAS Service Registry is a list of services that are allowed to use CAS for authentication. It was implemented to meet an audit requirement tasked to IET, and to help secure the CAS server against possible misuse by non-university entities. The registry allows IET to improve CAS performance and stability by providing information to better understand the needs of CAS clients. The registry is also a requirement for our ability to provide Multifactor Authentication (MFA) technologies such as Duo (link to http://itcatalog.ucdavis.edu/service/duo-multi-factor-authentication).
To register a new web application with CAS, fill out the following form in ServiceNow: (link to SERVICE_NOW_FORM). The form will ask for the following information:
Service URL - Required
This should be the exact URL used to log in to the service; it is passed to CAS as the ?service parameter.
Service Name - Required
Readable name of the service. This field is used to create the name of the file that stores the entry, so it needs to conform to Unix file name conventions.
Description - Required
Short description of what the service is and who uses it.
CAS Clients - Required
List of known CAS Client implementations used by the service (e.g. MOD_AUTH_CAS, php.cas, java cas client, .NET CAS Client).
Contacts - Required
At least one contact is required. Name, E-Mail, Department, and Phone must be provided. More than one contact can be entered.
Requires Duo - Optional
Check this box if the service should use MFA with Duo.
Logout URL - Optional
The full URL to the path of the service that handles the single logout callback, if implemented.
Logout Type - Optional
Required only if Logout URL is entered. Accepted values are "Back Channel" or "Front Channel".
Proxy - Optional
Indicate whether the service is allowed to proxy, and provide a list of service URLs that are allowed to proxy through this service.
Adding Duo to CAS
CAS integration with Duo is accomplished by marking a service in the CAS Service Registry as requiring Duo for authentication. In order to enable Duo, first ensure that the service is registered with CAS. Service Registry enrollment instructions can be found here(link to CAS_SERVICE_REGISTRY_KB_ARTICLE). Duo can be enabled when the service is registered, but if the service's users are not already enrolled in Duo, they will not be able to authenticate. IET recommends submitting the registry request without requiring Duo and communicating the upcoming change to users by referring them to the Duo Token Setup Article(link to DUO_TOKEN_SETUP_ARTICLE). When ready to enable Duo, submit a ticket to ServiceNow indicating the date and time it should be enabled.
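How a registry entry gates a login request, as an added example that is not IET's code or configuration: the client passes its Service URL in the ?service parameter, and the entry decides whether the request is refused, needs a password, or needs a password plus Duo. The CAS host name, the registry entries and the exact-string matching rule are assumptions made for illustration.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical CAS login endpoint; the article does not give the real one.
CAS_LOGIN = "https://cas.example.edu/cas/login"

# Constructed registry entries, keyed by the exact Service URL from the form.
REGISTRY = {
    "https://app.example.edu/login": {"name": "example_app", "requires_duo": True},
    "https://wiki.example.edu/cas": {"name": "example_wiki", "requires_duo": False},
}


def login_redirect(service_url):
    """Build the redirect a CAS client issues; the service URL is percent-encoded."""
    return CAS_LOGIN + "?" + urlencode({"service": service_url})


def requirements_for(login_url):
    """Return 'reject', 'password' or 'password+duo' for a login request.

    Assumption: the registry is matched by exact string comparison.
    """
    values = parse_qs(urlsplit(login_url).query).get("service", [])
    if len(values) != 1:
        # Missing or repeated ?service: this sketch treats it as a rejection.
        return "reject"
    entry = REGISTRY.get(values[0])
    if entry is None:
        # Not registered, so the request is refused.
        return "reject"
    return "password+duo" if entry["requires_duo"] else "password"


if __name__ == "__main__":
    for url in (
        "https://app.example.edu/login",              # registered, Duo required
        "https://wiki.example.edu/cas",               # registered, no Duo
        "http://app.example.edu/login",               # scheme differs
        "https://app.example.edu/login/",             # trailing slash differs
        "https://app.example.edu.example.net/login",  # different host
    ):
        print(f"{requirements_for(login_redirect(url)):13} {url}")
```

Under the exact-match assumption, a near miss such as a different scheme or a trailing slash is refused, which is why the form asks for the exact login URL.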
Duo Token Setup
Duo is a Multifactor Authentication (MFA) service provider. You can find more info about MFA and Duo in this FAQ(link to https://ucdavisit.service-now.com/ess/knowledge_detail.do?sysparm_article=KB0000684). There are currently two options for using Duo:
- Smartphone Mobile App (Recommended)
- Hard Token
The smartphone app should be your first choice if it is an option. You can find the Duo Mobile app in both the Apple Store for iOS and Google Play for the Android platform. Hard tokens (item number 2046355) can be purchased at the UCD Stores - Tech Hub. Hard tokens are $20 each (plus tax); the price rises to $29.99 (plus tax) on Sept 1. The campus incurs phone charges if the SMS or phone options are used, so those options are not recommended.
If you decide to use a hard token, submit a request to IT Express after you purchase the token. You will need to provide the serial number of the token in order to enroll.
To enroll in Duo using the mobile app, you must first sign in to Computing Accounts and request access here (link to COMPUTING_ACCOUNTS). If it is determined that you are eligible for Duo access, you will be forwarded to a Duo enrollment portal. Follow the instructions in the portal to enroll your mobile phone. An enrollment guide explaining each step can be found here (https://guide.duo.com/enrollment). The screenshots in the guide should be identical to what you see in your browser, except that you should see the UC Davis logo in the top left corner of the portal. Once enrollment is completed, you should be able to immediately access any service that requires Duo for authentication.