forceAuthn with DUO
Losen, Stephen C (scl)
scl at virginia.edu
Thu May 30 06:10:12 EDT 2019
I think you need to read up on the IDP MFA authentication flow. Have MFA call the password flow and then optionally the Duo flow. In idp.properties you would have
idp.authn.flows = MFA
and I don't think that idp.authn.flows.initial is used anymore, probably deprecated in favor of using MFA where you define the initial flow.
ITS - Enterprise Infrastructure
University of Virginia
scl at virginia.edu 434-924-0640
From: users <users-bounces at shibboleth.net> On Behalf Of Hall, Gerry
Sent: Thursday, May 30, 2019 3:12 AM
To: Shib Users <users at shibboleth.net>
Subject: forceAuthn with DUO
I am seeing something unexpected (at least for me) when I use DUO and forceAuthn for a service provider.
For many of the SP's that use our IdP for authentication, I am forcing DUO at the IdP.
To do so, I define the following in the relying-party.xml file:
<bean id="SAML2.SSO.requireDuo" parent="SAML2.SSO">
Again in the relying-party.xml, for an SP that I want to force DUO for, I then do the following:
<bean id="ForceDuo2FAService" parent="RelyingPartyByName"
<bean parent="SAML2.SSO.requireDuo" />
In the idp.properties file, I have the following:
idp.authn.flows.initial = Password
For a Shibboleth SP that wants to use forceAuthn, I have them add the following in the shibboleth2.xml file:
<Sessions lifetime="28800" timeout="3600" maxTimeSinceAuthn="5" relayState="ss:mem"
checkAddress="false" handlerSSL="false" cookieProps="http">
<SSO entityID="https://login.emory.edu/idp/shibboleth" forceAuthn="true" >
SAML2 SAML1 </SSO>
Without forcing DUO at the IdP, forceAuthn on the SP works as expected. That is, a user logs into a service on an SP, then goes to a different SP that is using forceAuthn and the user is prompted to enter her/his netID and password thereby bypassing SSO as expected.
However, first logging into a service on an SP, then going to an SP that is using both forceAuthn and having DUO forced at the IDP, the user does not have to enter her/his netID and password. Instead, the user gets just the DUO prompt bypassing the IdP login page.
This behavior has been verified on IdP version 3.4.3 and SP version 3.0.4.
Is this expected behavior? If not, can someone provide guidance as to what I am doing wrong?
Is there a way to force DUO at the IdP for an SP, configure the SP to use forceAuthn and get both the IdP login page and the DUO prompt?
This e-mail message (including any attachments) is for the sole use of the intended recipient(s) and may contain confidential and privileged information. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this message (including any attachments) is strictly prohibited.
If you have received this message in error, please contact the sender by reply e-mail message and destroy all copies of the original message (including attachments).
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
More information about the users