Kozlek, Vincent vkozlek at bloomu.edu
Tue Apr 30 18:40:43 EDT 2019

I recently configured Duo for the first time in Shibboleth IdP v3.4.3.  It was surprisingly easy to configure on v3.4.x.  Thank you, Scott, for adding this native support.

After also coming across older 3.x documentation on configuring Duo, I wanted to verify a few things I saw do not apply to Duo in IdP v3.4.x (or do they?).

- The idp.duo.failmode property with a value of either safe/secure does not seem to be documented for v3.4.x, so I assume it's not supported.  Then how does the IdP handle it by default if the Duo cloud is not reachable, and is that behavior configurable?

- The idp.authn.identitySwitchIsError property that defaults to false - does this need to be set to true to prevent Duo MFA from being defeated?  If that is true, this property should be mentioned on the v3.4.x Duo documentation page.  What is the recommendation/effect of this value?  I guess what I'm trying to ask is, when would you *not* want this set to true?  Since the default is false, there must be scenarios?

