DuoOIDC and forcedAuthn

Michael Grady mgrady at unicon.net
Sat Jun 11 00:55:39 UTC 2022

> On Jun 10, 2022, at 6:15 PM, Cantor, Scott via users <users at shibboleth.net> wrote:
> The only way it can be done is with creative use of multiple Duo integrations and scripting logic. 

Yes, following the example here: 

  https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631604/DuoAuthnConfiguration#Multiple-Duo-Integrations

with this example:
    Multiple Integrations with Distinct Principal Sets

(you'd need to adjust some of the names in that to the DuoOIDC one)

We've done it where someone wanted 3 or 4 different Duo policies, where you just make up different AuthnContexts to match each. You decide which actually is used for REFEDS MFA, and make up campus-specific names for the others, like using the allowed remember me period to end the context name (e.g. /everytime if no remember me allowed). Then associate the appropriate Authn Context with the services you want covered under that policy.

Michael A. Grady
IAM Architect, Unicon, Inc.
