Questions about configuring multiple Duo integrations on our IdP
Michael A Grady
mgrady at unicon.net
Thu May 7 13:41:16 UTC 2020
> On May 7, 2020, at 7:43 AM, David A. Kovacic <dak at case.edu> wrote:
> At CWRU our Information Security office is trying to deploy Duo integration as widely as possible, and is hoping to switch the Duo setting to require enrollment rather than giving a free pass to those users not enrolled in Duo as it is currently configured. Given that our alums retain access to G Suite services indefinitely after graduation, we are forced to either purchase many more Duo licenses, or to deploy multiple Duo integrations through our IdP.
> In researching the issue, we've come across https://wiki.shibboleth.net/confluence/display/IDP[3-4]/DuoAuthnConfiguration#DuoAuthnConfiguration-MultipleDuoIntegrations which provides a script example that seems to be able to pretty much be dropped into place with only the customization of the duo.properties file and the URLs in the table that map to the "special Duo". The example seems to do exactly what we need it to do.
> My questions:
> Is this implementation really as straightforward as it appears with just the customization of the URLs in the map and the properties file, then a rebuild of the .war file, or is there actually more involved in setting this up? None of our team is that much of a Java programmer and we'd like to avoid writing custom Java code if it can be avoided.
> Has anyone implemented multiple Duo integrations using something similar to the script example provided? If so did you face any challenges, and what were they?
> We are currently running IdP 3, but are in the process of upgrading to IdP 4, but the integration seems to be exactly the same across both versions.
It does "just work". Don't need it often, but we know an organization using that exact approach to map to 3 different Duo integrations. And there is no need to rebuild the WAR file; you aren't touching anything that has to do with the WAR file, you just need to restart the IdP.
Another way to handle your use case is to stick with a single Duo integration, but have logic in mfa-authn-config based on user affiliation attribute(s), and simply don't require Duo (don't send the user to Duo) if the user is alumni. We've seen that also.
Michael A. Grady
IAM Architect, Unicon, Inc.
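As an added example (not code from the thread or from the Shibboleth project), here is a plain JavaScript model of the two decisions Michael describes: choosing a Duo integration from the SP's entityID, and skipping Duo only for alumni-only users. The IdP's real MFA script runs inside mfa-authn-config.xml against its Java context objects; the function names, entityIDs, integration names and affiliation values below are assumptions.

```javascript
// Added example: a stand-alone model of the MFA decision logic discussed in
// the thread. It is not the Shibboleth IdP scripting API; the real script
// reads the relying party and user attributes from the ProfileRequestContext.
// All names and sample values here are constructed for illustration.

// Approach 1: keep the single authn/Duo flow, but let the SP's entityID pick
// which Duo integration (host/ikey/skey from duo.properties) is used.
// Constructed map: entityID -> integration name. Unlisted SPs use the default.
const SPECIAL_DUO_INTEGRATIONS = new Map([
  ['https://alumni-sp.example.edu/shibboleth', 'duo-alumni'],
]);
const DEFAULT_DUO_INTEGRATION = 'duo-default';

function selectDuoIntegration(relyingPartyId) {
  // Exact match only: a prefix or substring match could route an unrelated
  // SP (or a missing relying party) to the wrong integration.
  if (typeof relyingPartyId === 'string' && SPECIAL_DUO_INTEGRATIONS.has(relyingPartyId)) {
    return SPECIAL_DUO_INTEGRATIONS.get(relyingPartyId);
  }
  return DEFAULT_DUO_INTEGRATION;
}

// Approach 2: a single integration, and Duo is skipped only when the user's
// affiliation attribute says "alumni and nothing else".
function duoRequired(affiliations) {
  // Missing or empty attribute fails closed: the user still gets Duo.
  if (!Array.isArray(affiliations) || affiliations.length === 0) return true;
  const values = affiliations.map(v => String(v).trim().toLowerCase());
  // Only a user whose every affiliation value is "alum" skips Duo; a staff
  // member who is also an alum, or any unrecognised value, still gets Duo.
  return !values.every(v => v === 'alum');
}

// What the MFA transition would hand back as the next flow under approach 2:
// null means the first factor is sufficient, otherwise the Duo flow name.
function nextFlowForUser(affiliations) {
  return duoRequired(affiliations) ? 'authn/Duo' : null;
}
```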