Duo Username Lookup Strategy / Alternative Username
Ryan Rumbaugh
rrumbaugh at nebraska.edu
Fri Feb 23 12:35:24 EST 2018
Hello,
In the conf/authn/duo-authn-config.xml file there is a comment that mentions flexibility in how to provide a username when calling the Duo flow.
“The Duo flow is designed to operate in conjunction with some other login flow,
usually orchestrated by the MFA login flow. It obtains the username to send to
Duo based on the output of the other login flow or a previous session with the
user. You can override that approach using a function bean called
"shibboleth.authn.Duo.UsernameLookupStrategy" to supply the username from a
different source.”
Does anyone have an example of how to use a “different source” for the username to supply to Duo (other than the ID used to authenticate)? We are using aliasing within Duo and I would like to provide a different attribute, presumably from the attribute resolver context, that would be used in the duoRequest object.
Could I get access to the other attributes in the duo-authn-flow.xml file and use that other attribute in place of canonicalUsername?
<set name="viewScope.duoRequest" value="T(net.shibboleth.idp.authn.duo.impl.DuoSupport).generateSignedRequestToken(DuoIntegration, canonicalUsername)" />
If someone could point me in the right direction or provide an example that would be great. Thank you.
Ryan Rumbaugh