Content differences:
--- /etc/cas/config/cas.properties.orig
+++ /etc/cas/config/cas.properties
@@ -160,3 +160,27 @@
# of any offered scope, clients will need to use groups.
cas.authn.oidc.discovery.claims=sub,name,groups,email,family_name,preferred_username,profile,memberOf
+cas.authn.mfa.web-authn.core.enabled=true
+cas.authn.mfa.web-authn.core.display-name-attribute=Wikimedia Foundation
+
+cas.authn.mfa.web-authn.core.relying-party-id=idp-test.wikimedia.org
+cas.authn.mfa.web-authn.core.allowed-origins=https://idp-test.wikimedia.org
+
+# Database configuration.
+cas.authn.mfa.web-authn.jpa.driver-class=org.mariadb.jdbc.Driver
+cas.authn.mfa.web-authn.jpa.dialect=org.hibernate.dialect.MariaDBDialect
+cas.authn.mfa.web-authn.jpa.url=jdbc:mariadb://m1-master.eqiad.wmnet/cas_staging?useSSL=true&disableSslHostnameVerification=true
+cas.authn.mfa.web-authn.jpa.password=cas
+cas.authn.mfa.web-authn.jpa.user=changeme
+
+# We encourage users to have backup devices, but this requires them to be able to register multiple
+# hardware tokens.
+cas.authn.mfa.web-authn.core.multiple-device-registration-enabled=true
+
+# You're not allowed to sign in using only your FIDO2 key.
+cas.authn.mfa.web-authn.core.allow-primary-authentication=false
+
+# Allows us to support more device types. YubiKeys provide trusted attestation, but cheaper devices
+# such as IDTrust keys do not.
+cas.authn.mfa.web-authn.core.allow-untrusted-attestation=True
+
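Review bot: The `jpa.url` line enables TLS with `useSSL=true` but then sets `disableSslHostnameVerification=true`, so the client never checks that the certificate belongs to `m1-master.eqiad.wmnet`, and any host presenting a certificate the trust store accepts could stand in for the database behind the WebAuthn device store. If the server certificate carries that name, drop the parameter: `cas.authn.mfa.web-authn.jpa.url=jdbc:mariadb://m1-master.eqiad.wmnet/cas_staging?useSSL=true`. The `jpa.password=cas` / `jpa.user=changeme` pair looks swapped, and if these are not placeholders substituted at deploy time, the password should be injected from a secret store instead of sitting in plain text in this file. `display-name-attribute` names the principal attribute that holds a user's display name, so `Wikimedia Foundation` was probably meant for `relying-party-name`; this should be confirmed against the deployed CAS version. The `allow-untrusted-attestation=True` line would read more consistently as `true`, and its comment could state that accepting untrusted attestation means the authenticator's make and model are not verified at registration.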