Duo Security and CAS

I have had trouble getting two-factor authentication with Duo Security working on our Jasig CAS server in the past. However, with a new package from Unicon I was able to do it. Below I will outline the steps I took to install CAS with Duo on a clean install of SUSE Linux Enterprise Server 11.3.

Download the latest Java 7 JDK RPM, in my case 7u67, and install it.

rpm -i jdk-7u67-linux-x64.rpm

Next download and install Apache Tomcat and Apache Maven.

cd /opt
wget http://...../apache-tomcat-8.0.12.tar.gz
tar zxf apache-tomcat-8.0.12.tar.gz
mv apache-tomcat-8.0.12 tomcat
wget http://...../apache-maven-3.2.3-bin.tar.gz
tar zxf apache-maven-3.2.3-bin.tar.gz
mkdir /usr/local/apache-maven/
mv apache-maven-3.2.3 /usr/local/apache-maven/apache-maven-3.2.3

Then add the following to root’s .bashrc:

export M2_HOME=/usr/local/apache-maven/apache-maven-3.2.3
export M2=$M2_HOME/bin
export PATH=$M2:$PATH

After that clear out the pre-packaged webapps from Tomcat

cd /opt/tomcat/webapps/
rm -rf examples manager host-manager docs

And configure SSL for tomcat in /opt/tomcat/conf/server.xml

Now download the latest master from https://github.com/Unicon/cas-mfa and unpack in /opt then edit /opt/cas-mfa-master/cas-mfa-overlay/src/main/webapp/WEB-INF/deployerConfigContext.xml to enable LDAP authentication.

Change the authenticationHandlers Property to the following:

<property name="authenticationHandlers">
    <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
      p:httpClient-ref="httpClient" />
    <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
      <property name="filter" value="${ldap.filter}" />
      <property name="searchBase" value="${ldap.searchbase}" />
      <property name="contextSource" ref="contextSource" />

After the AuthenticationManager Bean add the following bean:

<bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
  <property name="anonymousReadOnly" value="false" />
  <property name="password" value="${ldap.passwd}" />
  <property name="pooled" value="true" />
  <property name="urls">
  <property name="userDn" value="${ldap.binddn}" />

Edit /opt/cas-mfa-master/pom.xml and add the following dependency for LDAP support:


Edit /opt/cas-mfa-master/cas-mfa-overlay/pom.xml and uncomment the two sections that are required for Duo support.

Make the directory /etc/cas and copy the included sample files into it.

cp /opt/cas-mfa-master/cas-mfa-overlay/etc/* /etc/cas/

Edit /etc/cas/cas.properties

  • Change server.name to the URL for your CAS server
  • Change host.name to the FQDN for the CAS server
  • Change mfa.default.authn.method to duo_two_factor

Add the following info to the bottom of the file:

  • duo.api.host= ## API Host from admin.duosecurity.com
  • duo.integration.key= ## Integration key from admin.duosecurity.com
  • duo.secret.key= ## Secret key from admin.duosecurity.com
  • duo.application.key= ## A made up long string not shared with Duo

Add the following to the end of the file:

# LDAP Configuration
ldap.url1 = ldap://ldap.example.com:389/
ldap.url2 = ldap://ldap2.example.com:389/
ldap.binddn = Bind DN
ldap.passwd = Bind DN Password
ldap.searchbase = Search Base for users
ldap.filter = Search filter for username e.g.: cn=%u

Edit /etc/cas/log4j.xml and change all log levels that are set to DEBUG to WARN

Edit /etc/cas/servicesRegistry.conf and change “authn_method”: “strong-two-factor” to “authn_method”: “duo-two-factor”

Change directory to /opt/cas-mfa-master and run “mvn clean package” to build the .war file.

Copy the new war file into the webapps directory and start Tomcat.

cp /opt/cas-mfa-master/cas-mfa-overlay/target/cas.war /opt/tomcat/webapps/

The test CAS by going to the following URL:


If everything is configured correctly you should be able to auth to LDAP and then use Duo Push.

Leave a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: