sharable web-based user opt in for 2FA?

IAM David Bantz dabantz at alaska.edu
Tue Apr 12 21:05:12 EDT 2016


We're not offering an option on the login page; rather, those who opt in to
2FA have only the Duo 2FA method available to them for any login via our
IdP.

It's precisely the step of adding the group membership in the directory
that we want to have be self-service rather than requiring an action by
IT.  Once the directory attribute is in place, enrollment is triggered
automatically via the Duo plugin, brokered by MCB (we're still on v2) on
next login via the IdP.

David

On Tue, Apr 12, 2016 at 4:20 PM, Rob Gorrell <rwgorrel at uncg.edu> wrote:

> Our self opt-in process simply adds the user to an AD group (via Grouper
> web services) that is sync'd using Duo's DirSync and simultaneously creates
> the user via the Admin API to deal with propagation delay of DirSync. Then
> we send the user to a protected service (their Google email) and use Duo's
> inline self-enrollment for the user to add devices. Later when DirSync
> runs, it pairs up to the user that was forced in via API and they are
> managed via DirSync going forward. Not overly complex so I'm not sure it's
> worth sharing, but we could.
>
> In a different vein, I'd be curious if you'd be willing to share how you
> selectively trigger 2FA via Duo on the shibb logon page?
>
> Rob
> On Apr 12, 2016 7:49 PM, "IAM David Bantz" <dabantz at alaska.edu> wrote:
>
>> Users who opt in to use of 2FA here receive a directory attribute
>> indicating allowed authN context, in turn consumed by our IdP to trigger
>> 2FA via Duo.  For initial use, I've just been pasting in a value in the
>> directory, but it's time to deploy a self-service opt-in web form.  I know
>> many of you must have deployed something of the sort. If you have and are
>> willing to share, please do.
>>
>> Thank you,
>> David Bantz
>>
>> --
>> To unsubscribe from this list send an email to
>> users-unsubscribe at shibboleth.net
>>
>
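Added example, not code from either poster or from Duo, Grouper or Shibboleth: a small in-memory model of the opt-in flow Rob describes, where the group add and an immediate account creation happen together and the later sync adopts the pre-created account. All class and function names are hypothetical stand-ins, the username is constructed, and no real Grouper or Duo API is called.

```python
# Constructed in-memory model; names are hypothetical, no real API is called.

class DirectoryGroup:
    """Stand-in for the AD group that the directory sync job reads."""
    def __init__(self):
        self.members = set()

    def add(self, username):
        self.members.add(username)  # set semantics: repeated opt-in is a no-op


class TwoFactorAccounts:
    """Stand-in for the 2FA provider's user store."""
    def __init__(self):
        self.users = {}  # username -> {"managed_by": str, "devices": list}

    def create_if_absent(self, username):
        # Immediate creation covers the delay before the next sync run.
        return self.users.setdefault(
            username, {"managed_by": "api", "devices": []})

    def sync_from(self, group):
        # The sync pairs with accounts created early instead of duplicating
        # them, and keeps any devices the user has already enrolled.
        for username in sorted(group.members):
            self.create_if_absent(username)["managed_by"] = "sync"


def opt_in(session_user, group, accounts):
    """Opt the logged-in user in; True means device enrollment is pending."""
    # Assumption of this example: the username comes from the authenticated
    # SSO session, never from a form field, so users can only opt themselves in.
    if not session_user:
        raise PermissionError("opt-in requires an authenticated session")
    group.add(session_user)
    account = accounts.create_if_absent(session_user)
    return not account["devices"]


def demo():
    group, accounts = DirectoryGroup(), TwoFactorAccounts()
    pending = opt_in("jdoe", group, accounts)            # constructed username
    accounts.users["jdoe"]["devices"].append("phone-1")  # inline enrollment
    accounts.sync_from(group)                            # later sync run
    again = opt_in("jdoe", group, accounts)              # user repeats the form
    return pending, again, accounts.users["jdoe"]


if __name__ == "__main__":
    print(demo())
```
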