DuoOIDC and forcedAuthn

Cantor, Scott cantor.2 at osu.edu
Fri Jun 10 23:15:31 UTC 2022

On 6/9/22, 1:41 PM, "users on behalf of John C. Pfeifer via users" <users-bounces at shibboleth.net on behalf of users at shibboleth.net> wrote:

> Is there something in the configs that I am missing or are they living in a fantasy world?

If you're talking about Remember Me, etc., Duo does not provide any mechanism to disable it on request. The only way it can be done is with creative use of multiple Duo integrations and scripting logic. There is a way with the UP/OIDC mode to actually *detect* that a bypass occurred (which was not possible before), but there's nothing the IdP can actually do in response to that other than just "fail" in some fashion or not actually signal that MFA was done.

So in general you'd have to just "know" that for a given request you don't want Remember Me, and use that to make the integration it uses switch over to the one that disallows it.

-- Scott

More information about the users mailing list