IdP 3.2 and multiple Duo Applications
Michael A Grady
mgrady at unicon.net
Tue Dec 15 21:27:05 EST 2015
> On Dec 15, 2015, at 7:01 PM, Cantor, Scott <cantor.2 at OSU.EDU> wrote:
> On 12/15/15, 7:12 PM, "users on behalf of Yavor Yanakiev" <users-bounces at shibboleth.net on behalf of yavor at nyu.edu> wrote:
>> We use Duo integration based on Unicon/University of Chicago setup but it seems to have one crucial limitation: it doesn't support multiple Duo application. At the moment, the Duo arguments related to the application are provided by properties with fixed
>> names which are hard coded into DuoAuthenticationService.groovy
> I think that's largely impractical, based on my understanding, because you would need separate shared secrets and identification strings for every SP for that to work. One could build out some kind of table logic to handle it for a subset I guess, but it appears to just be largely impractical to me with their design. A flaw I think, but not sure it's really solvable.
> -- Scott
Depends on how many integrations you need. There likely will be an example of supporting two distinct integrations with Duo, courtesy of the University of Florida needing such (for standard commercial Duo and a Duo FISMA service). I suppose that could provide an example to extrapolate to a few more, but as Scott indicates, I don't think you could go much farther and have it be easily manageable without some new design. The version to support two started with the Duo plugin on the Unicon GitHub site, and will be available more generally once fully vetted and "generalized".
Michael A. Grady
IAM Architect, Unicon, Inc.
More information about the users