Questions about configuring multiple Duo integrations on our IdP

David A. Kovacic dak at case.edu
Thu May 7 12:43:43 UTC 2020 

At CWRU our Information Security office is trying to deploy Duo
integration as widely as possible, and is hoping to switch the Duo
setting to require enrollment rather than giving a free pass to those
users not enrolled in Duo as it is currently configured.  Given that our
alums retain access to G Suite services indefinitely after graduation,
we are forced to either purchase many more Duo licenses, or to deploy
multiple Duo integrations through our IdP. 

In researching the issue, we've come across
https://wiki.shibboleth.net/confluence/display/IDP[3-4]/DuoAuthnConfiguration#DuoAuthnConfiguration-MultipleDuoIntegrations
which provides a script example that seems to be able to pretty much be
dropped into place with only the customization of the duo.properties
file and the URLs in the table that map to the "special Duo".  The
example seems to do exactly what e need it to do.

My questions:

 1. Is this implementation really as straightforward as it appears with
    just the customization of the URLs in the map and the properties
    file, then a rebuild of the .war file, or is there actually more
    involved in setting this up?  None of our team is that much of a
    Java programmer and we'd like to avoid writing custom Java code if
    it can be avoided.
 2. Has anyone implemented multiple Duo integrations using something
    similar to the script example provided?  If so did you face any
    challenges, and what were they?

We are currently running IdP 3, but are in the process of upgrading to
IdP 4 but the integration seems to be exactly the same across both versions.


Thanks,

Dave

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20200507/3b3ac1bb/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4156 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://shibboleth.net/pipermail/users/attachments/20200507/3b3ac1bb/attachment.p7s>

More information about the users mailing list