Duo Username Lookup Strategy / Alternative Username

Ryan Rumbaugh rrumbaugh at nebraska.edu
Fri Feb 23 12:35:24 EST 2018


In the conf/authn/duo-authn-config.xml file there is a comment that mentions flexibility in how to provide a username when calling the Duo flow.

“The Duo flow is designed to operate in conjunction with some other login flow,
    usually orchestrated by the MFA login flow. It obtains the username to send to
    Duo based on the output of the other login flow or a previous session with the
    user. You can override that approach using a function bean called
    "shibboleth.authn.Duo.UsernameLookupStrategy" to supply the username from a
    different source.”

Does anyone have an example of how to use a “different source” for the username to supply to Duo (other than the ID used to authenticate)? We are using aliasing within Duo and I would like to provide a different attribute, presumably from the attribute resolver context, that would be used in the duoRequest object.

Could I get access to the other attributes in the duo-authn-flow.xml file and use that other attribute in place of canonicalUsername?

<set name="viewScope.duoRequest" value="T(net.shibboleth.idp.authn.duo.impl.DuoSupport).generateSignedRequestToken(DuoIntegration, canonicalUsername)" />

If someone could point me in the right direction or provide an example that would be great. Thank you.

Ryan Rumbaugh