Logic for mfa-authn-config.xml

Paul B. Henson henson at cpp.edu
Wed Jan 10 16:40:12 EST 2018


We're currently working on a Duo deployment and I'd appreciate some suggestions on how best to handle the logic to determine whether or not to continue to the MFA flow after password authentication succeeds.

Duo is only going to be available for a subset of users, and there will be an LDAP attribute available to indicate whether or not a given user has Duo enabled.

Applications will fall into three groups: those that do not need MFA at all, those that will use MFA if available but still work with just a password otherwise, and those that strictly require MFA and will fail if it does not succeed. I'm not sure yet where this application delineation information will be stored.

Given these two pieces of information, the logic needs to either not instantiate MFA and succeed (applications that don't support MFA, or applications that optionally support MFA but the user does not have it enabled), fail hard (application strictly requires MFA and the user does not have it enabled), or instantiate MFA and return the result of that (application optionally or strictly requires MFA and the user has MFA enabled).

Is there any way to store the ternary value for the application MFA support somewhere within the IdP configuration, or do I need to find a place to stick it in LDAP or elsewhere? I think once I can get the values into the MFA script I'll be able to sort out the commands to do the logic, but any suggestions on those won't be turned down :).

Thanks...

--
Paul B. Henson  |  (909) 979-6361  |  http://www.cpp.edu/~henson/
Operating Systems and Network Analyst  |  henson at cpp.edu
California State Polytechnic University  |  Pomona CA 91768
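The decision table the post describes (three application tiers crossed with a per-user LDAP flag) is small enough to write out as a pure function. The following is an added example, not code from the original post or from the Shibboleth project: it keeps the policy lookup and the decision separate so the policy source can later move to LDAP or the IdP configuration without touching the logic. The entityID-keyed policy map, the attribute parsing and the outcome labels ("skip", "duo", "fail") are constructed assumptions; wiring these return values to the actual MFA flow transitions is left to the script author. It is written in ES5 style so it could be adapted to a Nashorn-era script. Unknown policy values fail closed rather than quietly skipping the second factor.

```javascript
"use strict";

// Application MFA policy values (the "ternary" value from the post).
var MFA_NONE = "none";         // application does not use MFA at all
var MFA_OPTIONAL = "optional"; // use MFA if the user has it, else password only
var MFA_REQUIRED = "required"; // fail hard if the user does not have MFA

// Decision outcomes handed back to the caller (constructed labels).
var SKIP_MFA = "skip"; // continue on password alone
var RUN_MFA = "duo";   // hand off to the Duo flow and return its result
var FAIL = "fail";     // deny authentication outright

// Constructed policy table keyed by relying-party entityID. This is only one
// possible home for the value; the post leaves the storage question open.
var APP_POLICIES = {
  "https://wiki.example.edu/shibboleth": MFA_NONE,
  "https://portal.example.edu/shibboleth": MFA_OPTIONAL,
  "https://hr.example.edu/shibboleth": MFA_REQUIRED
};

// Assumption: an application not listed gets the middle tier, so a missing
// entry never silently disables MFA for a user who has it.
var DEFAULT_POLICY = MFA_OPTIONAL;

function policyFor(entityId) {
  return Object.prototype.hasOwnProperty.call(APP_POLICIES, entityId)
    ? APP_POLICIES[entityId]
    : DEFAULT_POLICY;
}

// Interpret the LDAP attribute conservatively: only an explicit affirmative
// value enables Duo; a missing or empty attribute means "not enrolled".
function duoEnabledFromAttribute(values) {
  if (!values || values.length === 0) return false;
  var v = String(values[0]).trim().toLowerCase();
  return v === "true" || v === "1" || v === "yes";
}

// The core three-way decision from the post.
function decideMfa(policy, userHasDuo) {
  if (policy === MFA_NONE) return SKIP_MFA;
  if (policy === MFA_OPTIONAL) return userHasDuo ? RUN_MFA : SKIP_MFA;
  if (policy === MFA_REQUIRED) return userHasDuo ? RUN_MFA : FAIL;
  // A misspelled or unknown policy value fails closed.
  return FAIL;
}

// Convenience entry point: entityID plus the raw LDAP attribute values.
function decideForRequest(entityId, attributeValues) {
  return decideMfa(policyFor(entityId), duoEnabledFromAttribute(attributeValues));
}
```

The two inputs are deliberately normalised before the decision is made: the LDAP attribute is reduced to a boolean and the entityID to one of three policy strings, so the branch that grants access without MFA can be read and reviewed in isolation.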



