cantor.2 at osu.edu
Mon May 15 17:09:03 EDT 2017
> As far as I can tell from the documentation and other sources, for an upgrade
> with pre-existing Duo we will need to edit:
There is no documentation about pre-existing approaches because none of that was supported by us, and it does not map directly to the use of the MFA feature and the way this project implemented the support. You're starting over, essentially, though the actual configuration of Duo itself is trivial in most cases.
The problem is that the gluing together of two factors is *not* trivial and is often quite complex. That's what the MFA feature is addressing, and most sites aren't just doing Duo, they're combining Duo and Password in specific ways that are unique to their needs. Yours appear to be, for example, much more complex than my own university's. That's an example of what I'm trying to say. I could tell you how I did it, but it's simpler than what you have to do.
> If these are configured correctly, and the IdP is 3.3.1 freshly updated from
> 3.2.1 that was working with a custom Duo flow, and the custom Duo
> references have been removed from [idp-home]/flows/, will Duo work?
No. The Duo support in this project is designed to combine with the other factor(s) by means of the MFA login flow and that has to be adjusted to fit the site's needs/goals to control when the factors are applied. As long as the requirement is to do that based on services and their requirements, it's relatively simple, but it often is more complex than that.
> That's where I'm left in the weeds. My site requires basic
> username/password authentication, followed by a Duo challenge for
> appropriate people.
That is a harder use case that doesn't really work fully in this version, though there are some workarounds identified and documented for getting it to mostly work (see "Reuse of the Entire authn/MFA Flow Result (When Is a MFA Next Flow Strategy Executed?)")
> Given that [idp-home]/conf/authn/mfa-authn-
> config.xml containing the MFA rules seems to be new with 3.3.1, do we have
> any examples that are usable for sites with that sort of requirement?
Yes, that's roughly what it comes with, though the example in the wiki is more up to date (see the example under Programmatically Selecting Flows). What's there demonstrates the use of an attribute-based check against the user to check for an attribute and do something based on it. The specifics are necessarily local. It shows how to mechanically do it.
More information about the users