Forcing Duo by Service Provider
Brandon McKean
mckeanbs at jmu.edu
Wed May 10 15:31:35 EDT 2017
Thank you for that Scott. I'll make a note of all that.
We're planning on doing a gradual rollout and then eventually having Duo
for everything, so hopefully things won't get too complicated.
--
Brandon McKean
IT / Systems
Linux Administrator
(540)568-4235
On 05/10/2017 03:20 PM, Cantor, Scott wrote:
> On 5/10/17, 3:12 PM, "users on behalf of Brandon McKean" <users-bounces at shibboleth.net on behalf of mckeanbs at jmu.edu> wrote:
>
>> This is what I put under the supported principals list for MFA and Duo
>> in general-authn.xml:
>>
>>> <bean parent="shibboleth.SAML2AuthnContextClassRef"
>>> c:classRef="urn:jmu:mfa:SAML:2.0:ac:classes" />
> Well, the class URN isn't valid but that's just a string and isn't functionally relevant to the correctness of the approach, just a comment.
>
> Otherwise that's all fine so far as was shown.
>
>> Within the overrides bean:
> Overrides are fine of course, but eventually they tend to run out of gas as you start having cross-cutting requirements and they start multiplying, so sooner or later looking at more of the dynamic approaches to the settings becomes necessary or you'll end up with more overrides than you want. That's all the right settings, just saying that ultimately brute forcing them in the config may not be the permanent solution.
>
> I'm doing it that way myself for now but I did the work TIER asked for [1] because I see it running out of gas very quickly and we need a better way.
>
> -- Scott
>
> [1] https://wiki.shibboleth.net/confluence/display/IDP30/MetadataDrivenRelyingPartyConfiguration
>
>