MFA and client IP address question
Losen, Stephen C (scl)
scl at virginia.edu
Tue Oct 15 08:23:54 EDT 2019
Hi,
Our IDP is 3.4.6 and we are using MFA to first run Password auth and then Duo. We invoke Duo based on logic in a "checkSecondFactor" script. I already have some logic that skips Duo based on client IP address. If Duo succeeds then the principal "https://refeds.org/profile/mfa" is added to the MFA result. If we skip Duo, then it is not.
We have a High Security VPN that authenticates with MFA, including Duo. The HSVPN authentication does not use SAML and is separate from our IDP. I would like for a HSVPN client IP to be equivalent to Duo.
I can easily skip Duo if the client IP is on our HSVPN, but I want the MFA result to include "https://refeds.org/profile/mfa". Can I somehow inject this into the result in my "checkSecondFactor" script? Perhaps add it to the Password result in the MultiFactorAuthenticationContext? (How?). Or is there a better way to handle this?
Steve Losen
ITS - Enterprise Infrastructure
University of Virginia
scl at virginia.edu 434-924-0640