sharable web-based user opt in for 2FA?

Rob Gorrell rwgorrel at
Tue Apr 12 20:20:30 EDT 2016

Our self opt-in process simply adds the user to an AD group (via grouper
web services) that is sync'd using Duo's DirSync and simultaneously creates
the user via the Admin API to deal with propagation delay of DirSync. Then
we send the user to a protected service (their Google email) and use Duo's
in line self enrollment for the user to add devices. Later when DirSync
runs, it pairs up to the user that was forced in via API and they are
managed via DirSync going forward. Not overly complex so I'm not sure its
worth sharing, but we could.

In a different vein, i'd be curious if you'd be willing to share how you
selectively trigger 2FA via Duo on the shibb logon page?

On Apr 12, 2016 7:49 PM, "IAM David Bantz" <dabantz at> wrote:

> Users who opt in to use of 2FA here receive a directory attribute
> indicating allowed authN context, in turn consumed by our IdP to trigger
> 2FA via Duo.  For initial use, I've just been pasting in a value in the
> directory, but it's time to deploy a self-service opt-in web form.  I know
> many of you must have deployed something of the sort. If you have and are
> willing to share, please do.
> Thank you,
> David Bantz
> --
> To unsubscribe from this list send an email to
> users-unsubscribe at
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list