Forcing Duo by Service Provider
Cantor, Scott
cantor.2 at osu.edu
Wed May 10 15:20:35 EDT 2017
On 5/10/17, 3:12 PM, "users on behalf of Brandon McKean" <users-bounces at shibboleth.net on behalf of mckeanbs at jmu.edu> wrote:
> This is what I put under the supported principals list for MFA and Duo
> in general-authn.xml:
>
>> <bean parent="shibboleth.SAML2AuthnContextClassRef"
>> c:classRef="urn:jmu:mfa:SAML:2.0:ac:classes" />
Well, the class URN isn't valid but that's just a string and isn't functionally relevant to the correctness of the approach, just a comment.
Otherwise that's all fine so far as was shown.
> Within the overrides bean:
Overrides are fine, of course, but eventually they tend to run out of gas as you start having cross-cutting requirements and they start multiplying, so sooner or later looking at more of the dynamic approaches to the settings becomes necessary, or you'll end up with more overrides than you want. That's all the right settings, just saying that ultimately brute forcing them in the config may not be the permanent solution.
I'm doing it that way myself for now but I did the work TIER asked for [1] because I see it running out of gas very quickly and we need a better way.
-- Scott
[1] https://wiki.shibboleth.net/confluence/display/IDP30/MetadataDrivenRelyingPartyConfiguration