Audit log, MFA and Duo

Audit log, MFA and Duo

Michael A Grady
So if using the MFA flow to trigger both password and Duo, the added audit log field (3.3) AF records authn/MFA regardless of whether the user did just password or also was required to do Duo. And if the weighting map is preferring PasswordProtectedTransport, the authn context doesn't capture that Duo happened. Given that, in order to get Duo recorded in the audit log if it was done, what is the best approach to provide that to the audit log?

--
Michael A. Grady
IAM Architect, Unicon, Inc.




--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]


RE: Audit log, MFA and Duo

Cantor, Scott E.
> So if using the MFA flow to trigger both password and Duo, the added audit
> log field (3.3) AF records authn/MFA regardless of whether the user did just
> password or also was required to do Duo. And if the weighting map is
> preferring PasswordProtectedTransport, the authn context doesn't capture
> that Duo happened. Given that, in order to get Duo recorded in the audit log
> if it was done, what is the best approach to provide that to the audit log?

I log the context class (or I should say I log a symbolic that replaces the context classes I use with "password" and "password+duo"). I don't weight the map that way I guess so it's not really a big problem for me.

If you want something else, have your MFA logic populate custom audit fields (it's pretty self-evident how it works from the javadoc for the AuditContext but I can document it more formally if needed).

-- Scott

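An illustration of the second approach Scott describes (the MFA logic itself populating a custom audit field), added here as an example and not code from either poster or from the Shibboleth project. It is written the way an IdP MFA transition script would be (ES5-style JavaScript against the IdP's Java contexts), using the AuditContext method getFieldValues(name), which returns a writable collection, and MultiFactorAuthenticationContext.getActiveResults(), which is keyed by flow ID. The custom field name "MFA", the flow IDs "authn/Password" and "authn/Duo", and the assumption that a field added to the AuditContext from the MFA flow survives until the audit record is written (which is what the reply implies) are all assumptions. The small stand-in objects at the bottom are constructed only so the script's logic can run outside the IdP.

```javascript
// Added example (not from the thread or the Shibboleth project): record which
// factors actually ran as a symbolic label in a custom audit field, so the
// audit log shows "password" vs "password+duo" even when the reported
// AuthnContext class is the weighted PasswordProtectedTransport.

var AUTHN_CTX = "net.shibboleth.idp.authn.context.AuthenticationContext";
var MFA_CTX   = "net.shibboleth.idp.authn.context.MultiFactorAuthenticationContext";
var AUDIT_CTX = "net.shibboleth.idp.profile.context.AuditContext";
var FIELD     = "MFA"; // assumed custom field name; referenced as %MFA in the audit format string

// Map the set of completed flow IDs to the label that gets logged.
// Flow IDs "authn/Password" and "authn/Duo" are assumed to be the ones in use.
function mfaLabel(flowIds) {
  var hasPassword = false, hasDuo = false;
  for (var i = 0; i < flowIds.length; i++) {
    if (flowIds[i] === "authn/Password") hasPassword = true;
    if (flowIds[i] === "authn/Duo") hasDuo = true;
  }
  if (hasPassword && hasDuo) return "password+duo";
  if (hasPassword) return "password";
  if (hasDuo) return "duo";
  return "none";
}

// Read the MFA context's active results off the ProfileRequestContext and
// append the label to the AuditContext (created if absent). Returns the label.
function recordMfaAuditField(prc) {
  var authCtx = prc.getSubcontext(AUTHN_CTX);
  var mfaCtx = authCtx ? authCtx.getSubcontext(MFA_CTX) : null;
  var ids = [];
  if (mfaCtx) {
    // getActiveResults() is a java.util.Map keyed by flow ID; walk its keySet()
    // with an Iterator so the same code works under Nashorn and the stand-in.
    var it = mfaCtx.getActiveResults().keySet().iterator();
    while (it.hasNext()) ids.push(String(it.next()));
  }
  var label = mfaLabel(ids);
  var values = prc.getSubcontext(AUDIT_CTX, true).getFieldValues(FIELD);
  if (!values.contains(label)) values.add(label); // idempotent if the script runs twice
  return label;
}

// ---- Constructed stand-ins for the Java contexts, only so this runs offline ----
function JList() { this.items = []; }
JList.prototype.add = function (v) { this.items.push(v); return true; };
JList.prototype.contains = function (v) { return this.items.indexOf(v) >= 0; };
JList.prototype.iterator = function () {
  var i = 0, items = this.items;
  return { hasNext: function () { return i < items.length; },
           next: function () { return items[i++]; } };
};
function AuditCtx() { this.fields = {}; }
AuditCtx.prototype.getFieldValues = function (f) {
  return this.fields[f] || (this.fields[f] = new JList());
};
function MfaCtx(flowIds) { this.keys = new JList(); this.keys.items = flowIds.slice(); }
MfaCtx.prototype.getActiveResults = function () {
  var ks = this.keys; return { keySet: function () { return ks; } };
};
function Ctx() { this.children = {}; }
Ctx.prototype.getSubcontext = function (name, create) {
  if (!this.children[name] && create) this.children[name] = new AuditCtx();
  return this.children[name] || null;
};
// Build a fake ProfileRequestContext whose MFA context reports the given flows.
function buildPrc(flowIds) {
  var authCtx = new Ctx(); authCtx.children[MFA_CTX] = new MfaCtx(flowIds);
  var prc = new Ctx(); prc.children[AUTHN_CTX] = authCtx;
  return prc;
}

// Demo on a constructed session where both factors ran.
var demoPrc = buildPrc(["authn/Password", "authn/Duo"]);
recordMfaAuditField(demoPrc);
// The MFA audit field now holds "password+duo"; a password-only session yields "password".
```

In a real deployment the function body would sit inside the MFA flow's final transition script (where the IdP binds the ProfileRequestContext as `input`), be invoked as `recordMfaAuditField(input)` before the script returns its next-flow value, and the new field would then be added to the audit format string in conf/audit.xml (assumed to be the `shibboleth.AuditFormattingMap` entry) as `%MFA`. Whether a field placed in the AuditContext this early is preserved through the rest of the flow is, as noted above, an assumption to verify on the deployed version.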