How to handle a deny event from Duo

James Oulman oulman at ufl.edu
Thu Apr 25 11:46:22 EDT 2019


Are you using the device management portal and have disabled 
self-enrollment? If so, we solved this by querying the Duo API for their 
enrollment status before handing them off to the Duo flow (and iframe).

Relevant snippet from our mfa-authn-config.xml

// Duo API query for account/enrollment status
var Http = Java.type("com.duosecurity.client.Http");
var request = new Http("POST", "%{idp.duo.apiHost:none}", "/auth/v2/preauth", 10);

// preauth takes the username that already passed first-factor authentication
request.addParam("username", resCtx.getPrincipal());
// HMAC-signs the request with the Duo integration key / secret key
request.signRequest("%{idp.duo.integrationKey:none}", "%{idp.duo.secretKey:none}");

var preAuthResponse = request.executeHttpRequest();

var JSONObject = Java.type("org.json.JSONObject");
var json = new JSONObject(preAuthResponse.body().string());

// result is one of: auth, allow, enroll, deny
var duoApiResult = json.getJSONObject("response").getString("result");

logger.debug("DuoApi json: " + json.getJSONObject("response").toString());
logger.debug("DuoApi result: " + duoApiResult);

and later in the MFA flow we determine if they need to be redirected to 
our enrollment portal.

// they require MFA but haven't been provisioned or enrolled a device yet
if (duoApiResult == 'deny') {
    logger.debug("User is not provisioned or enrolled in the Duo API");
    logger.debug("Redirecting to the sign-up flow");
    // raise the event that sends the user to our enrollment portal instead of the Duo iframe
    mfaCtx.setEvent('DuoRequired');
    nextFlow = null;
}

You will have to bring in the Duo Client Java library as a dependency.

1. https://github.com/duosecurity/duo_client_java

On 4/19/19 12:39 PM, Fuhr, Evan wrote:
> Hi everyone,
> 
> We’re currently following the example found here: 
> https://wiki.shibboleth.net/confluence/display/IDP30/MultiFactorAuthnConfiguration#MultiFactorAuthnConfiguration-ProgrammaticallySelectingFlows 
> When testing the deny event, the user just sits on the Duo iframe, able 
> to resend Duo pushes and whatnot. Does anyone have any ideas for 
> catching Duo deny events and acting on them in the IdP?
> 
> Thanks,
> 
> Evan Fuhr
> 
> Integration Engineer
> 
> Campus Solutions – Identity and Access Management
> 
> The University of Texas at Austin
> 
> efuhr at austin.utexas.edu
