IdP 3.2 and DuoSecurity options

Tom Scavo trscavo at
Thu Dec 31 16:45:16 EST 2015

On Thu, Dec 31, 2015 at 4:21 PM, Rich Graves <rgraves at> wrote:
> In the meantime, I got Duo's independently (?) developed shib v3 plugin "working" with IdP 3.2.1, with a hack to check my LDAP "Assurance" property from within their Java code (rather than idp.authn.resolveAttribute). From my naive standpoint this seems "simpler" than the more flexible Unicon+UChicago approach. It also appears to work better with a dumb Ellucian WebAdvisor SP that will only accept the exact authn context urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport. With the duosecurity/duo_shibboleth plugin, I get to "lie" and tell Ellucian that I used passwords alone, but in fact used passwords+Duo.
> If anyone sees red flags in the approach, I'll take another crack at the Unicon+UChicago implementation, but I think I could be happy where I am.

Rich, can you add a note to the Shibboleth 3 Contributions and
Extensions topic? [1] You can rob content from the corresponding Shib2
topic [2] if you want.



