MFA Resources
Cantor, Scott
cantor.2 at osu.edu
Mon Jul 27 18:32:44 UTC 2020
The docs on Duo are not the story of configuring MFA, they're just the mechanical bits of the Duo integration, which amounts to "set the Duo integration properties in a file" for most people.
The MFA documentation is separate and is the part that combines factors.
https://wiki.shibboleth.net/confluence/display/IDP4/MultiFactorAuthnConfiguration
It is extremely complex because it's just a scripting engine.
The default configuration file for it is already an example of how to combine two factors in a simple way, and deploying password + duo amounts to using that example, modulo s/IPAddress/Password and s/Password/Duo in the script. The example chains IPAddress followed by Password, so it just has to be updated to chain Password and Duo.
> I'm most interested in what needs to be configured to allow multi-factor authentication through DUO and if that can be
> limited to specific services through some sort of multi-factor policy the way that CAS allows.
Limiting by services is governed by understanding the custom Principal mechanism that the whole authentication system is built around, and how the IdP derives requirements on the request side and marries it to capability on the configuration side.
Services are associated with a set of required Principal objects that are configured, if you hardcode them, by setting the defaultAuthenticationMethods property in relying-party.xml with the requested types. In SAML terms, these are the AuthnContextClassRef strings that are fundamental to controlling authentication in the protocol.
The supportedPrincipals properties in general-authn.xml determine in turn what each method supports. It can also be more dynamic than that, but for simplicity, I'm assuming it's static (Password means X, Y, Z, Duo means A, B, C).
The IdP and, in the MFA example, the scripted calls to isAcceptable() produce a runtime evaluation that tells the system whether it has to perform the second factor. If the first factor isAcceptable() then it knows not to.
-- Scott
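The Password-then-Duo chain described above, written out as an added example (not part of the original message): the stock mfa-authn-config.xml transition map with IPAddress swapped for Password and Password swapped for Duo. Bean ids, the `authn/Password` and `authn/Duo` flow names and the context class names are assumed to match a stock IdP 4 install; check them against the deployed file.

```xml
<!-- mfa-authn-config.xml (assumed stock IdP 4 layout): run Password, then Duo only if still required. -->
<util:map id="shibboleth.authn.MFA.TransitionMap">

    <!-- First rule: always run the Password login flow. -->
    <entry key="">
        <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/Password" />
    </entry>

    <!-- Second rule: once Password succeeds, let the script decide whether Duo is needed. -->
    <entry key="authn/Password">
        <bean parent="shibboleth.authn.MFA.Transition" p:nextFlowStrategy-ref="checkSecondFactor" />
    </entry>

    <!-- An implicit final rule returns whatever the last flow (Password or Duo) produced. -->
</util:map>

<!-- Script deciding whether the second factor is required for this request. -->
<bean id="checkSecondFactor" parent="shibboleth.ContextFunctions.Scripted" factory-method="inlineScript"
        p:customObject-ref="shibboleth.AuthenticationPrincipalWeightMap">
    <constructor-arg>
        <value>
        <![CDATA[
            nextFlow = "authn/Duo";

            // isAcceptable() compares the Principals carried by the Password result
            // (supportedPrincipals in general-authn.xml) against what the request
            // requires (e.g. defaultAuthenticationMethods in relying-party.xml).
            authCtx = input.getSubcontext("net.shibboleth.idp.authn.context.AuthenticationContext");
            mfaCtx = authCtx.getSubcontext("net.shibboleth.idp.authn.context.MultiFactorAuthenticationContext");
            if (mfaCtx.isAcceptable()) {
                nextFlow = null;   // Password alone satisfies the request: stop here
            }

            nextFlow;   // otherwise hand control to the Duo flow
        ]]>
        </value>
    </constructor-arg>
</bean>
```

Per-service limiting then comes from the requirement side: a service whose required Principals are only satisfied by the Duo flow's supportedPrincipals will fail isAcceptable() after Password and be routed to Duo, while one satisfied by Password alone stops after the first factor.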