IdP 3.2 and DuoSecurity options
trscavo at gmail.com
Thu Dec 31 16:45:16 EST 2015
On Thu, Dec 31, 2015 at 4:21 PM, Rich Graves <rgraves at carleton.edu> wrote:
> In the meantime, I got Duo's independently (?) developed shib v3 plugin "working" with IdP 3.2.1, with a hack to check my LDAP "Assurance" property from within their Java code (rather than idp.authn.resolveAttribute). From my naive standpoint this seems "simpler" than the more flexible Unicon+UChicago approach. It also appears to work better with a dumb Ellucian WebAdvisor SP that will only accept the exact authn context urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport. With the duosecurity/duo_shibboleth plugin, I get to "lie" and tell Ellucian that I used passwords alone, but in fact used passwords+Duo.
> If anyone sees red flags in the github.com/duosecurity/duo_shibboleth approach, I'll take another crack at the Unicon+UChicago implementation, but I think I could be happy where I am.
Rich, can you add a note to the Shibboleth 3 Contributions and
Extensions topic?  You can rob content from the corresponding Shib2
topic if you want.