authentication flows per profile?

Marvin Addison marvin.addison at gmail.com
Fri Aug 28 09:23:16 EDT 2015


> Unfortunately, it seems that the way we've wired up Duo into our setup
> means that users who have elected to force Duo (which doesn't support
> non-browser at the moment) can't log in using ECP.


I believe that use case is the same as ours in the sense that we had one
auth mech (X509) that should not trigger the Password mechanism. We
determined that we could not accommodate our use case using the strategy
discussed a while back where Password is run as the initial authn flow
since it fires for _all_ authentication requests. You can turn "regular"
auth mechs on/off for various relying parties/profiles, but the initial
auth is either on or off, and for that reason it didn't suit our needs.

Our solution was to create a custom Duo flow that was a one-off of the
Password flow and specified which relying parties/profiles should invoke
it. We added custom states within the flow to determine whether the
authenticated (via password) user should receive 2FA. This strategy allowed
us to get both interactive and non-interactive auth mechs working.

M
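
Added illustration, not part of the original message and not the poster's configuration: one way the per-relying-party/per-profile flow selection described above can be written in Shibboleth IdP v3 Spring configuration. The flow id `Duo` and the entityID `https://sp.example.org/shibboleth` are hypothetical, and the custom in-flow states that decide whether a user gets 2FA are not shown.

```xml
<!-- conf/authn/general-authn.xml: entry inside shibboleth.AvailableAuthenticationFlows.
     Hypothetical custom flow "Duo" (a copy of Password plus a 2FA step).
     nonBrowserSupported="false" keeps it from being selected for ECP requests. -->
<bean id="authn/Duo" parent="shibboleth.AuthenticationFlow"
      p:passiveAuthenticationSupported="false"
      p:forcedAuthenticationSupported="true"
      p:nonBrowserSupported="false" />

<!-- conf/relying-party.xml: flows are chosen per profile, so the interactive
     browser profile can run the custom flow while the non-interactive ECP
     profile stays on plain Password. -->
<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
        <list>
            <!-- Browser SSO: password, then the flow's own 2FA decision -->
            <bean parent="SAML2.SSO" p:authenticationFlows="#{{'Duo'}}" />
            <!-- ECP: password only -->
            <bean parent="SAML2.ECP" p:authenticationFlows="#{{'Password'}}" />
        </list>
    </property>
</bean>

<!-- Per-relying-party override: this (hypothetical) SP never invokes the custom flow. -->
<util:list id="shibboleth.RelyingPartyOverrides">
    <bean parent="RelyingPartyByName"
          c:relyingPartyIds="https://sp.example.org/shibboleth">
        <property name="profileConfigurations">
            <list>
                <bean parent="SAML2.SSO" p:authenticationFlows="#{{'Password'}}" />
            </list>
        </property>
    </bean>
</util:list>
```

Because ECP here is limited to the Password flow, any relying party reachable over ECP accepts password-only authentication for users who otherwise receive 2FA; review which SPs have the ECP profile enabled.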