Forcing Duo by Service Provider

Brandon McKean mckeanbs at
Wed May 10 15:31:35 EDT 2017

Thank you for that Scott. I'll make a note of all that.

We're planning on doing a gradual rollout and then eventually having Duo 
for everything, so hopefully things won't get too complicated.

Brandon McKean
IT / Systems
Linux Administrator

On 05/10/2017 03:20 PM, Cantor, Scott wrote:
> On 5/10/17, 3:12 PM, "users on behalf of Brandon McKean" <users-bounces at on behalf of mckeanbs at> wrote:
>> This is what I put under the supported principals list for MFA and Duo
>> in general-authn.xml:
>>> <bean parent="shibboleth.SAML2AuthnContextClassRef"
>>> c:classRef="urn:jmu:mfa:SAML:2.0:ac:classes" />
> Well, the class URN isn't valid but that's just a string and isn't functionally relevant to the correctness of the approach, just a comment.
> Otherwise that's all fine so far as was shown.
>> Within the overrides bean:
> Overrides are fine of course, but eventually they tend to run out of gas as you start having cross-cutting requirements and they start multiplying, so sooner or later looking at more of the dynamic approaches to the settings becomes necessary or you'll end up with more overrides than you want. That's all the right settings, just saying that ultimately brute forcing them in the config may not be the permanent solution.
> I'm doing it that way myself for now but I did the work TIER asked for [1] because I see it running out of gas very quickly and we need a better way.
> -- Scott
> [1]
