Shibboleth 3.3.3 and Duo MFA Issue
Cantor, Scott
cantor.2 at osu.edu
Thu Jul 19 16:37:40 EDT 2018
> I am running Shibboleth Idp version 3.3.3. I am trying configure Shibboleth
> with Duo MFA. I followed the instructions from both sources:
> https://mimoto.co.uk/shibboleth-idp/duo/mfa/2017/06/01/duo-mfa-in-
> shibboleth-idp.html
Which is not our documentation and not anything I'm going to read or comment on.
> and https://wiki.shibboleth.net/confluence/display/IDP30/DuoAuthnConfiguration
That's only half the picture. You have to use the MFA flow as a driver for the logic to apply for when to trigger both factors, which is documented in its own right in its own topic, and it comes with examples that are directly adaptable to use Duo as the second factor, you just transplant IPAddress + Password in the shipped example to Password + Duo instead, at least as a starting point.
> The idp-process.log shows that I am having problems as follows:
That's entirely non-specific, but it suggests you aren't using the MFA flow or at least not using it correctly, so I would have to suggest you start with that documentation. If the setting in idp.properties to control which login flow to run doesn't have only the MFA flow active, you're probably not doing things as documented. If you do, then you probably have something misconfigured in the supportedPrincipals collections for the various flows in general-authn.xml that aren't fitting together.
-- Scott
More information about the users
mailing list