Shibboleth 3.3.3 and Duo MFA Issue

Cantor, Scott cantor.2 at
Thu Jul 19 16:37:40 EDT 2018

> I am running Shibboleth Idp version 3.3.3. I am trying configure Shibboleth
> with Duo MFA. I followed the instructions from both sources:
> shibboleth-idp.html

Which is not our documentation and not anything I'm going to read or comment on.

> and

That's only half the picture. You have to use the MFA flow as a driver for the logic to apply for when to trigger both factors, which is documented in its own right in its own topic, and it comes with examples that are directly adaptable to use Duo as the second factor, you just transplant IPAddress + Password in the shipped example to Password + Duo instead, at least as a starting point.

> The idp-process.log shows that I am having problems as follows:

That's entirely non-specific, but it suggests you aren't using the MFA flow or at least not using it correctly, so I would have to suggest you start with that documentation. If the setting in to control which login flow to run doesn't have only the MFA flow active, you're probably not doing things as documented. If you do, then you probably have something misconfigured in the supportedPrincipals collections for the various flows in general-authn.xml that aren't fitting together.

-- Scott

More information about the users mailing list