MFA and client IP address question

Losen, Stephen C (scl) scl at
Tue Oct 15 08:23:54 EDT 2019


Our IDP is 3.4.6 and we are using MFA to first run Password auth and then Duo. We invoke Duo based on logic in a "checkSecondFactor" script. I already have some logic that skips Duo based on client IP address. If Duo succeeds then the principal "" is added to the MFA result. If we skip Duo, then it is not.

We have a High Security VPN that authenticates with MFA, including Duo. The HSVPN authentication does not use SAML and is separate from our IDP. I would like for a HSVPN client IP to be equivalent to Duo.

I can easily skip Duo if the client IP is on our HSVPN, but I want the MFA result to include "".  Can I somehow inject this into the result in my "checkSecondFactor" script? Perhaps add it to the Password result in the MultiFactorAuthenticationContext? (How?). Or is there a better way to handle this?

Steve Losen
ITS - Enterprise Infrastructure
University of Virginia
scl at    434-924-0640
