Web Services

Application Services | Technology Services

User uploaded custom header image
AI Generated Image: Digital oil painting of a golden ram unlocking a safe.

Too long; didn’t read.

tl;dr – Duo Security is dropping support for traditional Duo Prompt, replacing it with Universal Prompt. CAS appliance needs upgrading by March 1st. Action needed: update application’s groupMembership attribute to 389’s memberOf (now) and change cas-validation type to CAS3 (March 1). Failure to do so will lead to authentication issues. Testing help appreciated. Questions? Visit Web Services’ Open Consulting hours.

In yet another devastating blow to iFrames everywhere, effective March 30, Duo Security will no longer support the much beloved “traditional” Duo Prompt. To replace the traditional prompt, they have conveniently released a VCU pre-approved product called the “UNiversal Prompt”. This was announced a while back, and the Information Security team did a nice job documenting the upcoming changes in their corner of the TS website. Shout out to Jesse Castellani, how does he have time to review all my SPPs and do a smooth voice over? 

To actually start using the UNiversal Prompt, we’ll be upgrading our CAS appliance this month with plans to go into production as early as March 1, 2024. We have some actionables that anybody using CAS to authenticate will have to adopt– some in the immediate (as in, I wrote a poem about this last year– please do this) and some in the near future.

In the immediate, if your application is using the old groupMembership, you need to change it to 389’s memberOf. Before you do so, let us know via webhelp@vcu.edu. If you don’t, CAS WILL NOT authenticate your application in March!

Before March 1st, you’ll need to change the cas-validation type from SAML to CAS3. Failure to do so will result in a 13-second gap between authenticating and your application. If that’s not an option for you, please email webhelp@vcu.edu.

We’d appreciate some help testing. If you have a testing environment that authenticates with CAS, please point it at logintest.vcu.edu after executing the two actionables above on it– and again, if you can do that, email webhelp@vcu.edu.

Lastly, if you have any questions at all about this and want to speak to somebody from Web Services, pop-by our Open Consulting hours: https://go.vcu.edu/wsconsult.

Categories CAS, Identity Management

Leave a Reply