Configuring MFA triggers in 3.3

Mulchek, Paul mulchekp at wustl.edu
Thu Jan 5 16:10:24 EST 2017


We are wondering if anyone else has implemented Duo/MFA to be triggered only on untrusted networks. We realize we can use Duo's built-in Trusted Networks, but that still leaves a dependence on Duo services being available even on trusted networks. Ultimately, we would want Duo to be triggered off campus and completely bypassed when on campus.


We upgraded to Shib 3.3 in our dev environment and are using the built-in Duo integration. There seem to be flexible options for when to trigger MFA, especially by editing mfa-authn-config.xml, but we are running into issues. Specifically, if the SP is requesting an MFA authentication by specifying an authnContextClassRef, should we allow the IDP to lie to the SP that the context was satisfied?


Alternatively, we could leave SPs requesting nothing additional in their authnContextClassRef and have the IDP determine when an MFA auth is required; is that safe and scalable?


We keep testing configurations but seem to run into roadblocks and want to make sure that we are not misappropriating what the new MFA strategy flow was designed to do and also not just misunderstanding the configuration options.


Paul Mulchek | Systems Engineer IV | Enterprise Engineering | Washington University in St. Louis
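
The kind of transition map the post is asking about, as an added example (not the poster's configuration and not the Shibboleth project's own): it runs Password, then runs Duo only for clients outside a hypothetical campus range, unless the SP explicitly asked for an MFA context, in which case Duo always runs so the IdP never asserts a context it did not perform. Assumed: the MFA flow is enabled in idp.properties, the Duo flow is named authn/Duo, and 10.20.0.0/16 is the campus range.

```xml
<!-- conf/authn/mfa-authn-config.xml (fragment) -->
<util:map id="shibboleth.authn.MFA.TransitionMap">
    <!-- First factor: always run Password. -->
    <entry key="">
        <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/Password" />
    </entry>
    <!-- After Password succeeds, decide whether Duo is needed. -->
    <entry key="authn/Password">
        <bean parent="shibboleth.authn.MFA.Transition" p:nextFlowStrategy-ref="checkSecondFactor" />
    </entry>
    <!-- Implicit final rule: the MFA flow returns whatever the last flow returned. -->
</util:map>

<bean id="checkSecondFactor" parent="shibboleth.ContextFunctions.Scripted" factory-method="inlineScript"
        p:customObject-ref="shibboleth.HttpServletRequest">
    <constructor-arg>
        <value>
            <![CDATA[
            // Hypothetical campus range (assumption): treat 10.20.x.x as "on campus".
            var campusPrefix = "10.20.";
            var clientAddr = custom.getRemoteAddr();   // HttpServletRequest is injected as "custom"
            var onCampus = clientAddr != null && clientAddr.indexOf(campusPrefix) == 0;

            var authCtx = input.getSubcontext("net.shibboleth.idp.authn.context.AuthenticationContext");
            var mfaCtx = authCtx.getSubcontext("net.shibboleth.idp.authn.context.MultiFactorAuthenticationContext");

            var nextFlow = "authn/Duo";
            if (mfaCtx.isAcceptable() && onCampus) {
                // The Password result already satisfies what the SP asked for (or the SP asked
                // for nothing specific) and the client is on campus: finish without contacting Duo.
                nextFlow = null;
            }
            // If the SP requested an MFA context, isAcceptable() is false here and Duo runs even
            // on campus, so the asserted context always reflects a factor that actually ran.
            nextFlow;
            ]]>
        </value>
    </constructor-arg>
</bean>
```

If the IdP sits behind a load balancer or reverse proxy, getRemoteAddr() reports the proxy's address unless the servlet container is configured to honour the forwarded client address, so confirm what the container returns before relying on the check.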
