Rory Larson rlarson1 at
Mon May 15 16:38:05 EDT 2017

>> What is the relationship between [idp-home]/flows/authn/ and [idp-home]/system/flows/authn/ ?
> Custom login flows can be put into the former to maintain the expected naming conventions, and the former also contains a set of fairly ugly hooks inside the password flow for handling certain custom conditions. While I don't think it's going to be deprecated, it isn't usually the best way to accomplish something. The latter is where all the login flows that come with the IdP are stored.

Thanks, that's good to understand.  Then in an upgrade situation in which Duo was the only custom login flow, anything in [idp-home]/flows that is not in that directory in the fresh install version can presumably be removed.

>> In the new out-of-the-box Duo for IdP 3.3.1, what places contain the Duo pieces that need to be edited? 
> I think I documented all that in detail.

As far as I can tell from the documentation and other sources, for an upgrade with pre-existing Duo we will need to edit:

	[idp-home]/conf/authn/mfa-authn-config.xml  (??)

If these are configured correctly, and the IdP is 3.3.1 freshly updated from 3.2.1 that was working with a custom Duo flow, and the custom Duo references have been removed from [idp-home]/flows/, will Duo work?

>> Is there anything else that needs to be modified to achieve minimal working functionality?
> No, but the MFA rules are going to depend on your site's requirements. The example is not usable by, well, really anybody.

That's where I'm left in the weeds.  My site requires basic username/password authentication, followed by a Duo challenge for appropriate people.  Given that [idp-home]/conf/authn/mfa-authn-config.xml containing the MFA rules seems to be new with 3.3.1, do we have any examples that are usable for sites with that sort of requirement?

