Using Duo for per-SP-opt-in

Michael A Grady mgrady at unicon.net
Fri Jan 29 10:53:07 EST 2016


> On Jan 29, 2016, at 9:21 AM, Jorj Bauer <jorj at temple.edu> wrote:
> 
>>> NB: also thanks to UChicago for sponsoring that work with Unicon. It's a
>>> much cleaner solution (IMO) than the Duo LoginHandler hook.
>> 
>> Any particular examples? Just curious, I haven't evaluated them yet for comparison.
> 
> The way the LoginHandler hook is used, it wasn't at all clear to me how I might approach invoking Duo's implementation via an SP's request.
> 
> The Unicon code has a clearly defined bean. Once I got there it was simple to understand what it's doing and how to invoke the appropriate flows.
> 
> This could be a matter of what the learning curve is for each approach, and it may be possible to get Duo's implementation to do what I wanted. I just couldn't see it.
> 
> I'll be interested to hear what your take is as you look at this stuff.
> 
> -- Jorj
> 

I've not looked closely at the Duo-supplied implementation, but there is a very basic difference in the design goal between Duo's and Unicon's implementations. Duo's implementation assumes you want to send all users to Duo, and do all "gating" of who does and does not need to perform Duo based on your settings for that user in the Duo user registry. Unicon's implementation assumes you want to control who gets sent to Duo on the IdP side, based on factors like the SP's requested authn context, the default authn context for that SP, and the "attribute" that indicates which authentication flows a given user is allowed to use.

One feature that Duo's implementation supports but Unicon's does not yet (but there are plans to add it) is the option to "fail open" if the Duo service is not reachable by the server (by doing a "ping" call to the Duo service before sending the user there).


--
Michael A. Grady
IAM Architect, Unicon, Inc.
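The two design points in the message above, IdP-side gating on the SP's requested authn context, the SP's default context and the user's allowed-flows attribute, plus a fail-open versus fail-closed choice when the MFA service does not answer a reachability probe, expressed as an added Python example. This is not Unicon's or Duo's code: the context identifiers, flow names, SP and user records, and the `mfa_reachable` probe callable are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, Optional

# Authentication context identifiers: placeholders assumed for this example,
# not real SAML URIs.
AC_PASSWORD = "urn:example:ac:password"
AC_MFA = "urn:example:ac:mfa"

# Flow identifiers assumed for this example.
FLOW_PASSWORD = "authn/Password"
FLOW_MFA = "authn/Duo"
DENY = "deny"


@dataclass(frozen=True)
class SpConfig:
    """Per-SP settings held on the IdP side (constructed sample structure)."""
    entity_id: str
    default_context: str = AC_PASSWORD   # used when the SP's request names no context


@dataclass(frozen=True)
class User:
    """The 'attribute' listing which authentication flows this user may use."""
    name: str
    allowed_flows: FrozenSet[str]


def effective_context(sp: SpConfig, requested: Optional[str]) -> str:
    """An explicit request from the SP wins; otherwise the SP's configured default."""
    return requested or sp.default_context


def select_flow(sp: SpConfig, requested: Optional[str], user: User,
                mfa_reachable: Callable[[], bool], fail_open: bool) -> str:
    """Return FLOW_PASSWORD, FLOW_MFA or DENY for one authentication request.

    Gating happens entirely on the IdP side: nothing is sent to the MFA
    service unless the effective context demands it and the user's attribute
    permits that flow. The reachability probe runs only when MFA is actually
    required, so an outage never touches SPs that did not ask for it.
    """
    ctx = effective_context(sp, requested)

    if ctx != AC_MFA:
        # Password-only request: honour it if the user may use that flow.
        return FLOW_PASSWORD if FLOW_PASSWORD in user.allowed_flows else DENY

    if FLOW_MFA not in user.allowed_flows:
        # The SP requires MFA but this user may not use the MFA flow. Refuse
        # rather than silently downgrading; the SP's requirement would go unmet.
        return DENY

    if mfa_reachable():
        return FLOW_MFA

    # MFA service unreachable. Failing open trades assurance for availability:
    # the SP asked for MFA and receives password-only authentication instead.
    # A deployer choosing fail-open should log every such downgrade.
    return FLOW_PASSWORD if fail_open else DENY


if __name__ == "__main__":
    # Constructed sample data.
    sp = SpConfig("https://sp.example.org/shibboleth", default_context=AC_MFA)
    alice = User("alice", frozenset({FLOW_PASSWORD, FLOW_MFA}))
    print(select_flow(sp, None, alice, mfa_reachable=lambda: True, fail_open=False))
```

In a real deployment `mfa_reachable` would wrap the "ping" call to the MFA service with a short timeout; the probe is injected here so the fail-open and fail-closed branches can be exercised without network access.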
