IdP 3.2 and DuoSecurity options
Tom Scavo
trscavo at gmail.com
Thu Dec 31 16:45:16 EST 2015
On Thu, Dec 31, 2015 at 4:21 PM, Rich Graves <rgraves at carleton.edu> wrote:
>
> In the meantime, I got Duo's independently (?) developed shib v3 plugin "working" with IdP 3.2.1, with a hack to check my LDAP "Assurance" property from within their Java code (rather than idp.authn.resolveAttribute). From my naive standpoint this seems "simpler" than the more flexible Unicon+UChicago approach. It also appears to work better with a dumb Ellucian WebAdvisor SP that will only accept the exact authn context urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport. With the duosecurity/duo_shibboleth plugin, I get to "lie" and tell Ellucian that I used passwords alone, but in fact used passwords+Duo.
>
> If anyone sees red flags in the github.com/duosecurity/duo_shibboleth approach, I'll take another crack at the Unicon+UChicago implementation, but I think I could be happy where I am.
Rich, can you add a note to the Shibboleth 3 Contributions and
Extensions topic? [1] You can rob content from the corresponding Shib2
topic [2] if you want.
Thanks,
Tom
[1] https://wiki.shibboleth.net/confluence/x/ngIUAQ
[2] https://wiki.shibboleth.net/confluence/x/W4Cf