ECP MFA -- 'mfa-authn-config.xml'

Michael A Grady mgrady at
Wed Feb 12 10:42:01 EST 2020

And if this is O365, note that (O365) only sends the userid without the email domain in ECP request (at least in our experience). We've seen folks who had the user lookup (authn, resolver) be based on UPN alone where that prevents ECP from working. In that case, one had to amend lookup to go against both UPN and sAMAccountName (for example).

p.s. but then you also need to account for that in the Duo admin, if the username could come over to Duo in two forms.

> On Feb 12, 2020, at 9:32 AM, Cantor, Scott <cantor.2 at> wrote:
> It does bear noting that the script you're asking about only runs when Password succeeds. So the obvious explanation would be that it didn't and just failed ahead of it running, but that's again self-evident from a log.
> ECP of course uses basic-auth for Password support with no challenge, the client has to send the password up front.
> -- Scott

Michael A. Grady
IAM Architect, Unicon, Inc.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list