issue with research.gov ?
David Langenberg
davel at uchicago.edu
Tue Aug 18 20:01:14 EDT 2015
On Tue, Aug 18, 2015 at 6:30 PM, IAM David Bantz <dabantz at alaska.edu> wrote:
>
> On Tue, Aug 18, 2015 at 2:34 PM, David Langenberg <davel at uchicago.edu>
> wrote:
>
>> You must force it to PPT or they will reject it. We wound up tweaking our
>> config to make sure we send PPT rather than Password.
>
>
> Uncle! RelyingParty config with defaultAuthenticationMethod does not force
> the AuthnContextRefClass to PPT and in any case doesn't address Duo 2FA
> users. Please give me a hint on how to "force [AuthnContextRefClass in
> outgoing SAML] to PPT" for a relying party. Perhaps a clever config in
> multi-context-broker.xml ?
>
I wish I could show you something cool & clever. Unfortunately, I had to
in the end eliminate Password from anywhere in my configs (only using PPT)
and then gave my users a choice. The distasteful choice was they could use
research.gov or they could be defaulted to 2FA. Those who were negatively
affected chose to opt-out of electing to force Duo. Now, that said, things
seem to work properly under IdPv3 (research.gov seems to at least see me).
I'll see if I can track down somebody who uses the site & get them to try
Duo.
Dave
--
David Langenberg
Identity & Access Management Architect
The University of Chicago