How to handle a deny event from Duo

James Oulman oulman at
Thu Apr 25 11:46:22 EDT 2019

Are you using the device management portal and have disabled 
self-enrollment? If so, we solved this by querying the Duo API for their 
enrollment status before handing them off to the Duo flow (and iframe).

Relevant snippet from our mfa-authn-config.xml

// Duo API query for account/enrollment status
var Http = Java.type("com.duosecurity.client.Http");
var request = new Http("POST", "%{idp.duo.apiHost:none}", 
"/auth/v2/preauth", 10);

request.addParam("username", resCtx.getPrincipal());

var preAuthResponse = request.executeHttpRequest();

var JSONObject = Java.type("org.json.JSONObject");
var json = new JSONObject(preAuthResponse.body().string());

var duoApiResult = json.getJSONObject("response").getString("result");

logger.debug("DuoApi json: " + json.getJSONObject("response").toString());
logger.debug("DuoApi result: " + duoApiResult);

and later in the MFA flow we determine if they need to be redirected to 
our enrollment portal.

// they require MFA but haven't been provisioned or enrolled a device yet
if (duoApiResult == 'deny') {
     logger.debug("User is not provisioned or enrolled in the Duo API");
     logger.debug("Redirecting to the sign-up flow");
     nextFlow = null;
}

You will have to bring in the Duo Client Java library as a dependency.


On 4/19/19 12:39 PM, Fuhr, Evan wrote:
> Hi everyone,
> We’re currently following the example found here: 
> <>. 
> When testing the deny event, the user just sits on the Duo iframe, able 
> to resend Duo pushes and whatnot. Does anyone have any ideas for 
> catching Duo deny events and acting on them in the IdP?
> Thanks,
> Evan Fuhr
> Integration Engineer
> Campus Solutions – Identity and Access Management
> The University of Texas at Austin
> efuhr at <mailto:efuhr at>
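
The routing decision described in the reply above, as an added example that is not part of the original message or of the poster's configuration. It maps a /auth/v2/preauth reply body to a next step and fails closed when the reply is not a usable "OK" response. The flow names, the treatment of "enroll" and "allow", and the sample bodies are assumptions made for illustration.

```javascript
// Added example, not the poster's code. Flow names are hypothetical labels.
const FLOW = Object.freeze({
  DUO: "duo-iframe",           // hand the user to the Duo flow
  ENROLL: "enrollment-portal", // send the user to the local sign-up flow
  SKIP: "no-second-factor",    // Duo reports the user may bypass 2FA
  FAIL: "fail-closed",         // stop: the reply cannot be trusted
});

// Map the raw HTTP body of a /auth/v2/preauth reply to a routing decision.
function routeFromPreauth(body) {
  let json;
  try {
    json = JSON.parse(body);
  } catch (e) {
    return { flow: FLOW.FAIL, reason: "unparseable response" };
  }
  // API-level failure (bad signature, bad parameters, ...): never treat as allow.
  if (!json || json.stat !== "OK" ||
      typeof json.response !== "object" || json.response === null) {
    return { flow: FLOW.FAIL, reason: "stat=" + String(json && json.stat) };
  }
  const msg = String(json.response.status_msg || "");
  switch (json.response.result) {
    case "auth":   return { flow: FLOW.DUO, reason: msg };
    case "allow":  return { flow: FLOW.SKIP, reason: msg };   // assumption: honour bypass
    case "enroll":                                            // assumption: same as deny
    case "deny":   return { flow: FLOW.ENROLL, reason: msg }; // as in the post above
    default:       return { flow: FLOW.FAIL, reason: "unexpected result" };
  }
}

// Constructed sample bodies (not captured from a real Duo tenant).
const SAMPLES = {
  enrolled: '{"stat":"OK","response":{"result":"auth","status_msg":"Account is active","devices":[]}}',
  denied: '{"stat":"OK","response":{"result":"deny","status_msg":"Access denied"}}',
  apiError: '{"stat":"FAIL","code":40002,"message":"Invalid request parameters"}',
  truncated: '{"stat":"OK","response":{"resu',
};
for (const [name, body] of Object.entries(SAMPLES)) {
  console.log(name, "->", routeFromPreauth(body).flow);
}
```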
