Duo Username Lookup Strategy / Alternative Username

Jim Fox fox at washington.edu
Fri Feb 23 13:52:35 EST 2018

>> We are using aliasing within Duo and I would like to provide a different attribute,
>> presumably from the attribute resolver context, that would be used in the
>> duoRequest object.
> If you want that, then you will have to learn enough Spring and IdP internals to craft a custom Function<ProfileRequestString,String> to get the result you want. If you want to run the resolver as part of that, the MFA example logic demonstrates how to do that in a Javascript-based Function and it's much the same thing here.

Another way to do this, which is what we do, is a little complicated but handles everything in the mfa flow:

1) In the mfa flow, set a view variable to the username you want to use.

2) Use a modified duo view that sends your username variable instead of the logged in username.

3) Write a Duo.UsernameLookupStrategy that uses your username variable instead of the logged in user.

4) Use a custom duo flow that injects your custom lookup strategy into the ValidateDuoWebResponse bean.

    <bean id="ValidateDuoWebResponse" scope="prototype"

You still need to know more than a little about SWF and java.


More information about the users mailing list