Complicating my MFA implementation

Wessel, Keith kwessel at
Mon Apr 25 13:03:00 EDT 2016


We've got our IDP set up using the V3 MCB recipe right now; a certain context will trigger Duo authentication if the user logging in is Duo eligible. The eligibility (and eduPersonAssurance attribute value) is based on membership in a particular group.

We'd like to complicate things a bit and add a second group; users in that group would be required to Duo auth regardless of the requested context. This would allow for certain users with significant admin access or even users who just want to opt in to MFA for everything to get the Duo screen for the creation of any IDP session.

I'm wondering the easiest way to implement this. I've been looking at the intercept config this morning, and it seems I could modify the conditions that trigger the Duo flow in conf/intercept/context-check-intercept-config.xml: if in group A and requested context is Duo or if in group B. This involves figuring out how to add the or'd comparison to that configuration, though. Can anyone provide guidance there?

The other option would be to add the check for membership in group B to the password flow and, if true, call the Duo flow from the password flow. This seems like a less ideal candidate to me, but I could be wrong.

Any advice appreciated.

