Disable Duo for ECP

Wessel, Keith kwessel at illinois.edu
Mon Mar 19 11:40:24 EDT 2018

If you're using the MFA flow, you can check for the ECP profile in your script and, if it's being used, force password:

If (profileContext.getProfileId() == http://shibboleth.ent/ns/profiles/saml2/sso/ecp)


From: users <users-bounces at shibboleth.net> On Behalf Of McKean, Brandon Scott - mckeanbs
Sent: Monday, March 19, 2018 8:51 AM
To: users at shibboleth.net
Subject: Disable Duo for ECP

Hello Everyone,

We're planning on rolling out Duo usage for everything and everyone soon. However we're also working on something that will need to use ECP, Office365. When I've made nextFlow="authn/Duo" all the time in checkSecondFactor section of mfa-authn-config.xml, it also tries to trigger Duo when ECP is used, which breaks because the Duo functionality doesn't handle that currently.

Is there anything I can put in this section to make everything except ECP use Duo? Is this the right place to be at to make such a change?


Brandon McKean
IT / Systems
Linux Administrator

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20180319/c173457c/attachment.html>

More information about the users mailing list