MFA and DUO

Cantor, Scott cantor.2 at osu.edu
Wed Mar 22 20:56:17 EDT 2017


On 3/22/17, 8:46 PM, "users on behalf of Hong Ye" <users-bounces at shibboleth.net on behalf of hy93 at cornell.edu> wrote:

> Duo login flows from Duo security support fail mode configuration. That’s why I asked.

Yes, I'm aware, I'm saying that it's unrelated to the specific method. You could just as well ask it about any login method (certainly any second factor method). If your deployment wants to implement a setting it can use to bypass a particular method, you can do that in your rules and it's not specific to Duo or limited to that scenario.

That's why I didn't implement it. Rather than hardcode a specific thing inside one login method, I left it to the deployer to configure any way you like. It's just something to add to your script that sits between the two steps and decides whether to run the second one.

The one hitch, though, is that it won't lie for you. If an SP requests a context that matches a particular custom Principal type, it's up to you to manipulate the results such that not performing an appropriate method still results in a Subject at the end that meets the SP's request. Which, frankly, is an inaccurate assertion, so I won't provide code that does that, I just made it flexible enough to do.

In my view, SPs should request what they require, and if Duo's down, it's up to those SPs to decide for themselves to change their requirements to permit skipping it. One application's risk profile is not the same as another's. By doing that, your IdP is entirely unaffected, they just choose for themselves.

I realize many non-Shibboleth SPs can't/won't do this, but having taken on their job for them, you can still selectively choose whether to adjust the IdP-side rules for those SPs, on a case-by-case basis, or automate it in whatever way you see fit.

-- Scott
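The "something to add to your script that sits between the two steps" described above, modelled as an added example that is not code from this thread or from the Shibboleth project: the decision runs under Node.js against constructed contexts, while in the IdP the same rule lives in the MFA transition script and reads the AuthenticationContext from `input`. The settings `duoBypass` and `bypassAllowedSps`, the `MFA_CLASS` value and the context field names are assumptions; what the example shows is a skip that is scoped to listed SPs and never fakes the resulting Subject.

```javascript
// Added example, not code from the thread or from the Shibboleth project. It models
// the decision an IdP MFA transition script makes between the first factor and
// Duo as plain Node.js functions over constructed contexts, so it runs offline.

const DUO_FLOW = "authn/Duo";
// Constructed authentication-context class the SPs in this example use to ask for MFA.
const MFA_CLASS = "https://example.org/ac/classes/mfa";

// Does what has been authenticated so far satisfy what the SP asked for?
// Plays the role of MultiFactorAuthenticationContext.isAcceptable() in the IdP.
function isAcceptable(subjectClasses, requestedClasses) {
  if (requestedClasses.length === 0) return subjectClasses.length > 0;
  return requestedClasses.some((c) => subjectClasses.includes(c));
}

// Hypothetical deployer settings: a Duo fail-mode switch plus the relying parties
// for which skipping the second factor has been agreed case by case.
// Returns the next flow id, or null to end the MFA flow with the current Subject.
function nextFlow(ctx, settings) {
  if (isAcceptable(ctx.subjectClasses, ctx.requestedClasses)) return null;
  const skip = settings.duoBypass && settings.bypassAllowedSps.has(ctx.relyingPartyId);
  if (skip) {
    // Duo is skipped, but the Subject is left as it is: no MFA class is added,
    // so an SP that still requires it sees its request go unmet rather than faked.
    return null;
  }
  return DUO_FLOW;
}

// Simulates one MFA run: a password first factor, then whatever nextFlow decides.
// A real Duo success would add MFA_CLASS to the Subject; here that is constructed.
function runMfa(relyingPartyId, requestedClasses, settings) {
  const ctx = { relyingPartyId, requestedClasses, subjectClasses: ["password"] };
  const flow = nextFlow(ctx, settings);
  if (flow === DUO_FLOW) ctx.subjectClasses.push(MFA_CLASS);
  return {
    ranDuo: flow === DUO_FLOW,
    acceptable: isAcceptable(ctx.subjectClasses, requestedClasses),
  };
}
```

With `duoBypass` on, a listed SP that asked for the MFA class ends with `acceptable: false`, which is the honest outcome Scott describes; the SP, not the IdP, decides whether to relax its requirement.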
