Avoiding 2nd MFA factor for ECP

Christopher Bongaarts cab at umn.edu
Tue Sep 11 16:55:55 EDT 2018

Currently, ECP doesn't work with our MFA setup (the old pre-3.3 Duo 
module with initial password auth).  While we're in the process of 
migrating to the shipped 3.3 Duo support, I was wondering what the 
"best" way would be to avoid triggering the Duo step once we start 
requiring it for more users for the usual browser profiles.

Is there something in the profile configuration we could set/change to 
only do the password auth half?

Should our MFA "next-step" script check for what profile is in use and 
signal "done" when the profile is ECP?  (e.g. using 
profileRequestContext.getProfileId(), and matching it against... 
whatever the ECP ID is?)

Something else I'm not considering?


%%  Christopher A. Bongaarts   %%  cab at umn.edu          %%
%%  OIT - Identity Management  %%  http://umn.edu/~cab  %%
%%  University of Minnesota    %%  +1 (612) 625-1809    %%

More information about the users mailing list