Avoiding 2nd MFA factor for ECP

Christopher Bongaarts cab at umn.edu
Mon Sep 17 13:24:39 EDT 2018

On 9/11/2018 6:22 PM, Cantor, Scott wrote:
>> Is there something in the profile configuration we could set/change to only do
>> the password auth half?
> It really depends how you're handling it to start with. I don't have MFA imposed for all apps, and our mobile app doesn't request or require MFA, so it doesn't think it should run Duo, and all is well.

The MFA logic we're using boils down to (simplified slightly):
Run password first, then:
If SP requests Duo, run Duo.
If user's LDAP entry indicates they are required to use Duo, run Duo.
If user's LDAP entry indicates they have opted in to use Duo, run Duo.
Else be done.

My thought was we'd add a check up top to skip Duo if profile is ECP.

>> Should our MFA "next-step" script check for what profile is in use and signal
>> "done" when the profile is ECP?  (e.g. using
>> profileRequestContext.getProfileId(), and matching it against...
>> whatever the ECP ID is?)
> You could if you have to for some reason, or more easily just test the isBrowserProfile method on ProfileRequestContext.

That sounds like the best way to catch this requirement, since the PRC 
is already avaiable to the MFA script.

> (Also, the non-browser Duo support is coming in 3.4, which I imagine you know.)

I don't think I can squeeze that in our Duo project deadlines, but I'll 
look forward to being able to drop this check in the future.

%%  Christopher A. Bongaarts   %%  cab at umn.edu          %%
%%  OIT - Identity Management  %%  http://umn.edu/~cab  %%
%%  University of Minnesota    %%  +1 (612) 625-1809    %%

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20180917/7edc01b1/attachment.html>

More information about the users mailing list