sharable web-based user opt in for 2FA?

Rob Gorrell rwgorrel at
Tue Apr 12 21:13:33 EDT 2016

More what I was wondering was if you had a way not to load the Duo iframe
and let it perform the enrollment check at Duo during logon time for users
you already know not to be enrolled via your attribute?

On Apr 12, 2016 9:05 PM, "IAM David Bantz" <dabantz at> wrote:

We're not offering an option on the login page; rather, those who opt in to
2FA have only the Duo 2FA method available to them for any login via our

It's precisely the step of adding the group membership in the directory
that we want to have be self-service rather than requiring an action by
IT.  Once the directory attribute is in place, enrollment is triggered
automatically via the Duo plugin, brokered by MCB (we're still on v2) on
next login via the IdP.


On Tue, Apr 12, 2016 at 4:20 PM, Rob Gorrell <rwgorrel at> wrote:

> Our self opt-in process simply adds the user to an AD group (via grouper
> web services) that is sync'd using Duo's DirSync and simultaneously creates
> the user via the Admin API to deal with propagation delay of DirSync. Then
> we send the user to a protected service (their Google email) and use Duo's
> inline self enrollment for the user to add devices. Later when DirSync
> runs, it pairs up to the user that was forced in via API and they are
> managed via DirSync going forward. Not overly complex so I'm not sure it's
> worth sharing, but we could.
>
> In a different vein, I'd be curious if you'd be willing to share how you
> selectively trigger 2FA via Duo on the shibb logon page?
>
> Rob
>
> On Apr 12, 2016 7:49 PM, "IAM David Bantz" <dabantz at> wrote:
>> Users who opt in to use of 2FA here receive a directory attribute
>> indicating allowed authN context, in turn consumed by our IdP to trigger
>> 2FA via Duo.  For initial use, I've just been pasting in a value in the
>> directory, but it's time to deploy a self-service opt-in web form.  I know
>> many of you must have deployed something of the sort. If you have and are
>> willing to share, please do.
>> Thank you,
>> David Bantz
>> --
>> To unsubscribe from this list send an email to
>> users-unsubscribe at
