Disable Duo for ECP

McKean, Brandon Scott - mckeanbs mckeanbs at jmu.edu
Mon Mar 19 15:08:32 EDT 2018

Thanks to both of you, that's just what I needed, works fine.

Brandon McKean
IT / Systems
Linux Administrator

From: users <users-bounces at shibboleth.net> on behalf of Cantor, Scott <cantor.2 at osu.edu>
Sent: Monday, March 19, 2018 12:17:57 PM
To: Shib Users
Subject: RE: Disable Duo for ECP

> If you're using the MFA flow, you can check for the ECP profile in your script
> and, if it's being used, force password:
> if (profileContext.getProfileId() ==
> "http://shibboleth.net/ns/profiles/saml2/sso/ecp")

Or check !profileContext.isBrowserProfile() if you want to be generic.

I have Maryland's Duo Auth API code that works with ECP, I'm still digesting it and have just been too busy on the SP to deal with it.

Being that AWS CLI is a pretty common use case for this, I have to wonder whether anybody is pushing them to fix that "one hour maximum" limitation on the temp credentials they issue.

-- Scott
