forceAuthn with DUO
Hall, Gerry
gerry.hall at emory.edu
Thu May 30 03:11:36 EDT 2019
Hello Everyone,
I am seeing something unexpected (at least for me) when I use DUO and forceAuthn for a service provider.
For many of the SPs that use our IdP for authentication, I am forcing DUO at the IdP.
To do so, I define the following in the relying-party.xml file:
<bean id="SAML2.SSO.requireDuo" parent="SAML2.SSO">
    <property name="defaultAuthenticationMethods">
        <list>
            <bean parent="shibboleth.SAML2AuthnContextClassRef"
                  c:classRef="https://login.emory.edu/duo" />
        </list>
    </property>
</bean>
Again in the relying-party.xml, for an SP that I want to force DUO for, I then do the following:
<bean id="ForceDuo2FAService" parent="RelyingPartyByName"
      c:relyingPartyIds="#{{'xyz.net',
                            'emory.foo.com',
                            'https://abc.com/shibboleth',
                            'https://xyz.emory.edu'
                          }}">
    <property name="profileConfigurations">
        <list>
            <bean parent="SAML2.SSO.requireDuo" />
        </list>
    </property>
</bean>
In the idp.properties file, I have the following:
idp.authn.flows = Password|Duo
idp.authn.flows.initial = Password
For a Shibboleth SP that wants to use forceAuthn, I have them add the following in the shibboleth2.xml file:
<Sessions lifetime="28800" timeout="3600" maxTimeSinceAuthn="5" relayState="ss:mem"
          handlerURL="/Shibboleth.sso"
          checkAddress="false" handlerSSL="false" cookieProps="http">
    <SSO entityID="https://login.emory.edu/idp/shibboleth" forceAuthn="true">
        SAML2 SAML1
    </SSO>
</Sessions>
Without forcing DUO at the IdP, forceAuthn on the SP works as expected. That is, a user logs into a service on an SP, then goes to a different SP that is using forceAuthn, and the user is prompted to enter her/his netID and password, thereby bypassing SSO as expected.
However, after first logging into a service on an SP and then going to an SP that is using forceAuthn and also has DUO forced at the IdP, the user does not have to enter her/his netID and password. Instead, the user gets just the DUO prompt, bypassing the IdP login page.
This behavior has been verified on IdP version 3.4.3 and SP version 3.0.4.
Is this expected behavior? If not, can someone provide guidance as to what I am doing wrong?
Is there a way to force DUO at the IdP for an SP, configure the SP to use forceAuthn and get both the IdP login page and the DUO prompt?
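As an added example (not part of the original post and not Shibboleth project code), the following Python shows the protocol-level pieces the configuration above relies on: the SAML2 AuthnRequest that forceAuthn="true" produces, and the checks an SP applies to the AuthnStatement it gets back, namely the AuthnInstant freshness that maxTimeSinceAuthn="5" enforces and the AuthnContextClassRef it received compared with the Duo classRef configured at the IdP. The Response XML, the request/assertion IDs and the PasswordProtectedTransport value used for the Password flow are constructed for the example; the parser is the standard library's and does no signature verification, so this is a view of the two checks, not a complete SAML consumer.

```python
"""AuthnRequest construction and AuthnStatement checks for forceAuthn / maxTimeSinceAuthn.

Added example, not code from the original post or the Shibboleth project.
The sample Response below is constructed; IDs are placeholders, not real values.
Uses xml.etree only for illustration; a real SP needs a hardened parser and
XML signature verification before any of these checks mean anything.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}

# classRef taken from the relying-party.xml in the post
DUO_CLASS_REF = "https://login.emory.edu/duo"
# assumption for the example: the context the Password flow reports
PASSWORD_CLASS_REF = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"


def build_authn_request(issuer, force_authn=False, class_ref=None, exact=True):
    """Return the AuthnRequest an SP emits. forceAuthn="true" in shibboleth2.xml
    becomes the ForceAuthn attribute. An SP-side requested context (not used in
    the post, which requires Duo at the IdP instead) would be a RequestedAuthnContext."""
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_example-request-id",  # placeholder; real IDs must be random
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "ForceAuthn": "true" if force_authn else "false",
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    if class_ref:
        rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext",
                            {"Comparison": "exact" if exact else "minimum"})
        ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = class_ref
    return ET.tostring(req, encoding="unicode")


def parse_authn_statement(response_xml):
    """Return (AuthnInstant as aware datetime, AuthnContextClassRef) from a Response."""
    root = ET.fromstring(response_xml)
    stmt = root.find(".//saml:AuthnStatement", NS)
    if stmt is None:
        raise ValueError("Response carries no AuthnStatement")
    instant = datetime.fromisoformat(stmt.attrib["AuthnInstant"].replace("Z", "+00:00"))
    class_ref = stmt.findtext("saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS)
    return instant, class_ref


def check_authn_statement(response_xml, now, max_time_since_authn, required_class_ref,
                          clock_skew=180):
    """Apply the two checks the post's SP config implies. Returns a list of
    failure strings; an empty list means the statement is acceptable."""
    instant, class_ref = parse_authn_statement(response_xml)
    failures = []
    age = (now - instant).total_seconds()
    if age > max_time_since_authn:
        failures.append(f"AuthnInstant is {age:.0f}s old, maxTimeSinceAuthn is {max_time_since_authn}s")
    if age < -clock_skew:
        failures.append(f"AuthnInstant is {-age:.0f}s in the future")
    if class_ref != required_class_ref:
        failures.append(f"AuthnContextClassRef {class_ref!r} is not the required {required_class_ref!r}")
    return failures


# Constructed sample: what the IdP would return after only the Duo flow ran.
SAMPLE_AUTHN_INSTANT = datetime(2019, 5, 30, 7, 11, 40, tzinfo=timezone.utc)
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_example-response-id" Version="2.0" IssueInstant="2019-05-30T07:11:40Z">
  <saml:Assertion ID="_example-assertion-id" Version="2.0" IssueInstant="2019-05-30T07:11:40Z">
    <saml:Issuer>https://login.emory.edu/idp/shibboleth</saml:Issuer>
    <saml:AuthnStatement AuthnInstant="2019-05-30T07:11:40Z" SessionIndex="_example-session">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>{DUO_CLASS_REF}</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


def evaluate_sample(age_seconds, required_class_ref, max_time_since_authn=5):
    """Run the checks on the constructed Response as if received age_seconds after AuthnInstant."""
    now = SAMPLE_AUTHN_INSTANT + timedelta(seconds=age_seconds)
    return check_authn_statement(SAMPLE_RESPONSE, now, max_time_since_authn, required_class_ref)


if __name__ == "__main__":
    print(build_authn_request("https://xyz.emory.edu", force_authn=True))
    print("fresh Duo statement:", evaluate_sample(3, DUO_CLASS_REF))
    print("stale statement:", evaluate_sample(600, DUO_CLASS_REF))
    print("stale and wrong context:", evaluate_sample(600, PASSWORD_CLASS_REF))
```

A freshly issued AuthnInstant passes the maxTimeSinceAuthn check no matter which IdP flow produced it, so that check alone cannot tell a password-plus-Duo login apart from a Duo-only re-authentication; only the AuthnContextClassRef (and what the IdP actually ran to produce it) carries that information.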