Duo in IdP v3.4.x

Cantor, Scott cantor.2 at osu.edu
Tue Apr 30 19:12:19 EDT 2019

On 4/30/19, 6:41 PM, "users on behalf of Kozlek, Vincent" <users-bounces at shibboleth.net on behalf of vkozlek at bloomu.edu> wrote:

> The idp.duo.failmode property with value of either safe/secure does not seem to be documented for v3.4.x so I assume
> it’s not supported.  Then how does the IdP handle it by default if the Duo cloud is not reachable and is that behavior
> configurable?

It's not. If you want to implement something else, the MFA flow has all the control required to check whatever you want to check before you dispatch to the Duo flow. I don't think it's a good thing to hardwire a particular behavior to control that decision, so the approach was to leave it to the deployer.

> -The idp.authn.identitySwitchIsError property that defaults to false - does this need to be set to true to prevent Duo
> MFA from being defeated?

> What is the recommendation/effect of this value?  I guess what I’m trying to ask is, when would you *not* want this
> set to true?  Since the default is false, there must be scenarios?

You probably never want it to be true, that's why it defaults to false. V2 effectively behaved as though it were true, which screwed things up constantly when people tried to change identities mid-session and got errors. It just throws away an existing session and replaces it with a new one if the identity changes and goes on from there. The property exists in case somebody was depending on the old behavior. I never saw any reason it should work that way and it doesn't anymore. If jdoe becomes jsmith, it just deletes all the jdoe state and starts over from that point on until it changes again.

 -- Scott
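The deployer-side check Scott describes above (the MFA flow, not the Duo flow, deciding whether to dispatch to Duo at all) as an added example; this is not code from the message or from the Shibboleth project. It models the decision as plain JavaScript that runs outside the IdP so it can be tested on its own. `authn/Duo` is the IdP's own flow id; the function names, the `safe`/`secure` values (borrowed from the property name in the question), the probe stubs, the audit-record shape and the idea that an MFA transition script would call `decideDuoStep` and return its `next` value are all assumptions made for this example.

```javascript
// Added example, not from the original message or the Shibboleth project.
// Models the deployer-side decision Scott describes: the MFA flow, not the
// Duo flow, decides whether to dispatch to Duo, so any "fail mode" for an
// unreachable Duo service is the deployer's own logic. "authn/Duo" is the
// IdP's flow id; everything else named here is an assumption for this example.

const FLOW_DUO = 'authn/Duo';

// Policy values, named after the idp.duo.failmode property from the question.
const FAIL_MODE = Object.freeze({ SECURE: 'secure', SAFE: 'safe' });

// Decide what to do after the first factor has succeeded.
//   opts.duoProbe : function () -> boolean, the deployer's own reachability
//                   probe of the Duo API host (a real one would be an HTTPS
//                   request with a short timeout); any exception counts as
//                   "unreachable".
//   opts.failMode : 'secure' (deny login) or 'safe' (skip Duo) when unreachable.
//   opts.audit    : function (record), called for every non-normal outcome so
//                   that a fail-open period is visible in logs rather than silent.
// Returns { next, action, reason }:
//   next   : flow id to dispatch to, or null when no further flow runs
//   action : 'mfa' | 'deny' | 'bypass'
function decideDuoStep(opts) {
  const audit = typeof opts.audit === 'function' ? opts.audit : function () {};

  let reachable = false;
  let reason = 'duo-unreachable';
  try {
    reachable = opts.duoProbe() === true;
  } catch (err) {
    reason = 'duo-probe-error: ' + (err && err.message ? err.message : String(err));
  }

  if (reachable) {
    return { next: FLOW_DUO, action: 'mfa', reason: null };
  }

  // Unrecognised policy values fail closed: a typo in configuration must not
  // silently turn into an MFA bypass.
  const failOpen = opts.failMode === FAIL_MODE.SAFE;
  const action = failOpen ? 'bypass' : 'deny';
  audit({ event: 'duo-step', action: action, reason: reason, failMode: opts.failMode });
  return { next: null, action: action, reason: reason };
}

// Constructed probe stubs so the example runs offline.
function constructedProbe(healthy) {
  return function () { return healthy; };
}
function constructedTimeoutProbe() {
  return function () { throw new Error('connect timeout'); };
}

// Runs the possible outcomes and returns them with the audit records
// produced, so the behaviour can be inspected without an IdP.
function demo() {
  const records = [];
  const audit = function (r) { records.push(r); };
  const outcomes = [
    decideDuoStep({ duoProbe: constructedProbe(true), failMode: 'secure', audit: audit }),
    decideDuoStep({ duoProbe: constructedProbe(false), failMode: 'secure', audit: audit }),
    decideDuoStep({ duoProbe: constructedTimeoutProbe(), failMode: 'safe', audit: audit }),
    decideDuoStep({ duoProbe: constructedProbe(false), failMode: 'sfae', audit: audit })
  ];
  return { outcomes: outcomes, records: records };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Two design points worth keeping if this logic is carried into a real transition script: a probe exception or an unrecognised policy value is treated as "deny", so the only way to fail open is to configure `safe` explicitly, and every skipped or denied Duo step produces an audit record, which is what lets an operator notice a window in which second-factor checks were not enforced.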
