forceAuthn with DUO

Losen, Stephen C (scl) scl at
Thu May 30 06:10:12 EDT 2019


I think you need to read up on the IDP MFA authentication flow. Have MFA call the password flow and then optionally the Duo flow. In you would have 

idp.authn.flows = MFA

and I don't think that idp.authn.flows.initial is used anymore, probably deprecated in favor of using MFA where you define the initial flow.

Steve Losen
ITS - Enterprise Infrastructure
University of Virginia
scl at    434-924-0640
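The arrangement Steve describes, written out as an added example (not configuration from either poster): the MFA flow in conf/authn/mfa-authn-config.xml always runs the Password login page first, then a script decides whether the Duo flow is still required for the relying party's requested context class. The bean ids and the isAcceptable() check follow the Shibboleth IdP 3.x MFA documentation; idp.properties is assumed to carry idp.authn.flows = MFA as in the reply above.

```xml
<!-- conf/authn/mfa-authn-config.xml (added example; standard MFA bean ids) -->
<util:map id="shibboleth.authn.MFA.TransitionMap">
    <!-- The empty key names the first flow to run: always the password login page,
         so a forceAuthn request re-enters here rather than jumping straight to Duo. -->
    <entry key="">
        <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/Password" />
    </entry>
    <!-- After Password succeeds, a script decides whether Duo is still needed. -->
    <entry key="authn/Password">
        <bean parent="shibboleth.authn.MFA.Transition" p:nextFlowStrategy-ref="checkSecondFactor" />
    </entry>
</util:map>

<bean id="checkSecondFactor" parent="shibboleth.ContextFunctions.Scripted" factory-method="inlineScript">
    <constructor-arg>
        <value>
            <![CDATA[
            nextFlow = "authn/Duo";
            // If the results so far already satisfy what the relying party asked for
            // (for example it did not request the Duo context class), stop here;
            // returning null ends the MFA flow with the Password result alone.
            authCtx = input.getSubcontext("net.shibboleth.idp.authn.context.AuthenticationContext");
            mfaCtx = authCtx.getSubcontext("net.shibboleth.idp.authn.context.MultiFactorAuthenticationContext");
            if (mfaCtx.isAcceptable()) {
                nextFlow = null;
            }
            nextFlow;
            ]]>
        </value>
    </constructor-arg>
</bean>
```

For the SAML2.SSO.requireDuo profile to select this flow, the authn/MFA bean in conf/authn/general-authn.xml has to list the Duo context class (and the Password one) in p:supportedPrincipals, otherwise the requested class will not match any enabled flow.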

-----Original Message-----
From: users <users-bounces at> On Behalf Of Hall, Gerry
Sent: Thursday, May 30, 2019 3:12 AM
To: Shib Users <users at>
Subject: forceAuthn with DUO

Hello Everyone
I am seeing something unexpected (at least for me) when I use DUO and forceAuthn for a service provider.

For many of the SPs that use our IdP for authentication, I am forcing DUO at the IdP.
To do so, I define the following in the relying-party.xml file:
        <bean id="SAML2.SSO.requireDuo" parent="SAML2.SSO">
            <property name="defaultAuthenticationMethods">
                <bean parent="shibboleth.SAML2AuthnContextClassRef"
                    c:classRef="" />
            </property>
        </bean>

Again in the relying-party.xml, for an SP that I want to force DUO for, I then do the following:
    <bean id="ForceDuo2FAService" parent="RelyingPartyByName">
        <property name="profileConfigurations">
            <bean parent="SAML2.SSO.requireDuo" />
        </property>
    </bean>

In the file, I have the following:
idp.authn.flows = Password|Duo
idp.authn.flows.initial = Password

For a Shibboleth SP that wants to use forceAuthn, I have them add the following in the shibboleth2.xml file:
    <Sessions lifetime="28800" timeout="3600" maxTimeSinceAuthn="5" relayState="ss:mem"
              checkAddress="false" handlerSSL="false" cookieProps="http">

        <SSO entityID="" forceAuthn="true">
            SAML2 SAML1
        </SSO>
    </Sessions>

Without forcing DUO at the IdP, forceAuthn on the SP works as expected. That is, a user logs into a service on an SP, then goes to a different SP that is using forceAuthn, and the user is prompted to enter her/his netID and password, thereby bypassing SSO as expected.

However, after first logging into a service on an SP, then going to an SP that is using both forceAuthn and having DUO forced at the IdP, the user does not have to enter her/his netID and password. Instead, the user gets just the DUO prompt, bypassing the IdP login page.

This behavior has been verified on IdP version 3.4.3 and SP version 3.0.4.

Is this expected behavior?  If not, can someone provide guidance as to what I am doing wrong?

Is there a way to force DUO at the IdP for an SP, configure the SP to use forceAuthn and get both the IdP login page and the DUO prompt?

