Duo Username Lookup Strategy / Alternative Username

Jim Fox fox at washington.edu
Fri Feb 23 13:52:35 EST 2018


>> We are using aliasing within Duo and I would like to provide a different attribute,
>> presumably from the attribute resolver context, that would be used in the
>> duoRequest object.
>
> If you want that, then you will have to learn enough Spring and IdP internals to craft a custom Function<ProfileRequestString,String> to get the result you want. If you want to run the resolver as part of that, the MFA example logic demonstrates how to do that in a JavaScript-based Function and it's much the same thing here.
>

Another way to do this, which is what we do, is a little complicated but handles everything in the mfa flow:

1) In the mfa flow, set a view variable to the username you want to use.

2) Use a modified duo view that sends your username variable instead of the logged in username.

3) Write a Duo.UsernameLookupStrategy that uses your username variable instead of the logged in user.

4) Use a custom duo flow that injects your custom lookup strategy into the ValidateDuoWebResponse bean.

    <bean id="ValidateDuoWebResponse" scope="prototype"
       ...
       p:usernameLookupStrategy-ref="uw.authn.Duo.UsernameLookupStrategy"
       ...

You still need to know more than a little about SWF and Java.

Jim
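
A sketch of the lookup strategy from step 3, added here as an illustration and not taken from the original post or from the UW deployment. It assumes IdP 3.x (where strategies are Guava Functions), that the mfa flow stored the alias in Spring Web Flow conversation scope under the hypothetical key `duoUsername`, and that the action treats a null result as "no username available"; the class name, package and alias pattern are also made up.

```java
package org.example.idp.duo; // hypothetical package

import java.util.regex.Pattern;

import javax.annotation.Nullable;

import org.opensaml.profile.context.ProfileRequestContext;
import org.springframework.webflow.execution.RequestContext;
import org.springframework.webflow.execution.RequestContextHolder;

import com.google.common.base.Function;

/** Returns the Duo username stored by the mfa flow, or null when none is usable. */
public class FlowVariableDuoUsernameLookupStrategy
        implements Function<ProfileRequestContext, String> {

    /** Assumed scope key; must be the same name the mfa flow and the Duo view use. */
    private static final String KEY = "duoUsername";

    /** Assumed alias syntax; adjust to the alias format used in your Duo account. */
    private static final Pattern ALIAS = Pattern.compile("[A-Za-z0-9._@-]{1,64}");

    @Override
    @Nullable
    public String apply(@Nullable final ProfileRequestContext input) {
        // Spring Web Flow binds the current request context to the thread
        // while a flow action is executing.
        final RequestContext swf = RequestContextHolder.getRequestContext();
        if (swf == null) {
            return null;
        }
        // Assumption: the variable lives in conversation scope, which the
        // mfa flow and the Duo subflow it calls both see.
        final Object value = swf.getConversationScope().get(KEY);
        if (!(value instanceof String)) {
            // Not set: do not fall back to the logged-in name here, so the
            // view and the response check cannot silently disagree.
            return null;
        }
        final String alias = ((String) value).trim();
        // Only a well-formed alias is handed to the response check.
        return ALIAS.matcher(alias).matches() ? alias : null;
    }
}
```

The value under that key should be written only by the mfa flow from a trusted source such as the attribute resolver, never from a request parameter, because it decides which Duo account the second factor is checked against.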


