ECP on an idp configured for MFA

Cantor, Scott cantor.2 at osu.edu
Wed Feb 20 20:47:03 EST 2019


On 2/20/19, 8:40 PM, "users on behalf of Cantor, Scott" <users-bounces at shibboleth.net on behalf of cantor.2 at osu.edu> wrote:

> Hmm, it turns out that using the Auth API application for both also has a limitation; specifically, you can't enable the
> device portal for the web UI when using the Auth API. So there's no way to get the "Add a new device" or "My Settings
> & Devices" options to show up. If you don't have the device portal enabled, I guess it doesn't make a difference; but if
> you do (like us), it seems you still need two separate integrations to achieve that.

Confirmed. I'll update the docs back to the original.

The issue with this was that somebody had argued (but never filed an actual RFE) that the current behavior is too unsafe because it allows people to configure the Duo "treat unenrolled users as authenticated" setting without realizing they're breaking their IdP. I consider that foot/bullet, but YMMV. The suggestion was that we had to start making extra AuthAPI calls to detect and block the situation, but my argument is that that's not a clean addition if we need two API keys, and I was led to understand it didn't take two. Looks like it does.

-- Scott



