Duo Username Lookup Strategy / Alternative Username

Cantor, Scott cantor.2 at osu.edu
Fri Feb 23 13:35:32 EST 2018


> Does anyone have an example of how to use a “different source” for the
> username to supply to Duo (other than the ID used to authenticate)?

That isn't what the default function/strategy produces; it's not what you use to authenticate but the c14n result from the Password flow (assuming that's what the first factor is). The recommended approach is to normalize down there, in which case what you have to do is configure the c14n you want out of that flow; no custom code needed necessarily.

I use the attribute-based c14n feature and it does a lookup on an attribute through the resolver to get the result to pass on. That isn't what the user entered; it's normalized for the rest of the system, Duo included.

> We are using aliasing within Duo and I would like to provide a different attribute,
> presumably from the attribute resolver context, that would be used in the
> duoRequest object.

If you want that, then you will have to learn enough Spring and IdP internals to craft a custom Function<ProfileRequestString,String> to get the result you want. If you want to run the resolver as part of that, the MFA example logic demonstrates how to do that in a JavaScript-based Function and it's much the same thing here.

> Could I get access to the other attributes in the duo-authn-flow.xml file and
> use that other attribute in place of canonicalUsername?

canonicalUsername *is* what is passed to Duo, and it is the result of the function the system runs by default or from running the different function you supply. It does not need to be changed to anything else; it's already symbolic.

-- Scott


