sharable web-based user opt in for 2FA?
Rob Gorrell
rwgorrel at uncg.edu
Tue Apr 12 20:20:30 EDT 2016
Our self opt-in process simply adds the user to an AD group (via grouper
web services) that is sync'd using Duo's DirSync and simultaneously creates
the user via the Admin API to deal with propagation delay of DirSync. Then
we send the user to a protected service (their Google email) and use Duo's
in line self enrollment for the user to add devices. Later when DirSync
runs, it pairs up to the user that was forced in via API and they are
managed via DirSync going forward. Not overly complex so I'm not sure its
worth sharing, but we could.
In a different vein, i'd be curious if you'd be willing to share how you
selectively trigger 2FA via Duo on the shibb logon page?
Rob
On Apr 12, 2016 7:49 PM, "IAM David Bantz" <dabantz at alaska.edu> wrote:
> Users who opt in to use of 2FA here receive a directory attribute
> indicating allowed authN context, in turn consumed by our IdP to trigger
> 2FA via Duo. For initial use, I've just been pasting in a value in the
> directory, but it's time to deploy a self-service opt-in web form. I know
> many of you must have deployed something of the sort. If you have and are
> willing to share, please do.
>
> Thank you,
> David Bantz
>
> --
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20160412/43450dda/attachment.html>
More information about the users
mailing list