MFA flow and "forced" Duo signup


MFA flow and "forced" Duo signup

Losen, Stephen C. (scl)-2
Hi folks,

I have the MFA flow configured with a script that detects when the user is required to use Duo but is not yet signed up.  In this situation the MFA script result is null and as a side effect it sets the event "DuoSignup" in the MFA Context.  I have configured an error message for the "DuoSignup" event with a link to our Duo portal.  The Duo portal is a Shib SP and I have special-cased it in the MFA script so that Duo is not required (otherwise the user is trapped, unable to access the portal).

With a fresh browser, everything works as expected.  I browse a SP, login with my password, the MFA script detects that I must use Duo but am not yet registered and displays the error message.  I click the link to the Duo portal, and the username/password page appears again (presumably because the previous login failed).  I enter my user/pass and am logged in to the Duo portal, as expected.  But now my browser apparently has a valid SSO session.  I can now access the original SP without authenticating.

Is there any way to allow access to the Duo portal without the side effect of creating an SSO session?  Some magic setting in the MFA context?  Or an Auth Context Class config?
 

Stephen C. Losen
ITS - Systems and Storage
University of Virginia
[hidden email]    434-924-0640


--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

Re: MFA flow and "forced" Duo signup

Andrew Morgan
On Thu, 24 May 2018, Losen, Stephen C. (scl) wrote:

> Hi folks,
>
> I have the MFA flow configured with a script that detects when the user
> is required to use Duo but is not yet signed up.  In this situation the
> MFA script result is null and as a side effect it sets the event
> "DuoSignup" in the MFA Context.  I have configured an error message for
> the "DuoSignup" event with a link to our Duo portal.  The Duo portal is
> a Shib SP and I have special cased it in the MFA script so that Duo is
> not required (otherwise the user is trapped, unable to access the
> portal).
>
> With a fresh browser, everything works as expected.  I browse a SP,
> login with my password, the MFA script detects that I must use Duo but
> am not yet registered and displays the error message.  I click the link
> to the Duo portal, and the username/password page appears again
> (presumably because the previous login failed).  I enter my user/pass
> and am logged in to the Duo portal, as expected.  But now my browser
> apparently has a valid SSO session.  I can now access the original SP
> without authenticating.
>
> Is there any way to allow access to the Duo portal without the side
> effect of creating a SSO session ?  Some magic setting in the MFA
> context?  Or an Auth Context Class config?

I think you need to set "idp.authn.favorSSO = false" in idp.properties so
that the MFA flow will be run every time.  Otherwise, the IDP will "prefer"
an existing SSO session.

Thanks,
  Andy

RE: MFA flow and "forced" Duo signup

Cantor, Scott E.
> I think you need to set "idp.authn.favorSSO = false" in idp.properties so that the
> MFA flow will be run every time.  Otherwise, the IDP will "prefer"
> an existing SSO session.

It's a workaround described in the documentation.

https://wiki.shibboleth.net/confluence/display/IDP30/MultiFactorAuthnConfiguration#MultiFactorAuthnConfiguration-ReuseoftheEntireauthn/MFAFlowResult(WhenIsaMFANextFlowStrategyExecuted?)

-- Scott


RE: MFA flow and "forced" Duo signup

Losen, Stephen C. (scl)-2
Hi folks,

Thanks for the suggestions.  I ended up creating a post auth intercept flow that determines if the user should go to our Duo management portal. This generates a "DuoSignup" event where the IDP displays an error message with a link to our Duo mgmt portal.

In the MFA transition map I conditionally invoke authn/Duo if the user has a "duo-enabled" attribute (without regard for the SP or the authn request).

In the intercept, if duo-enabled is set, then I assume that authn/Duo ran, and the intercept returns true (no error).  Otherwise if the Duo signup deadline has passed, the intercept returns false, causing the "DuoSignup" event.  However if the SP is the Duo mgmt portal, then the intercept returns true (so the user doesn't get trapped).

Stephen C. Losen
ITS - Systems and Storage
University of Virginia
[hidden email]    434-924-0640

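The two decisions Stephen describes in his final message (the conditional Duo step in the MFA transition map, and the post-authentication intercept that raises "DuoSignup" unless the SP is the Duo portal) as an added, stand-alone JavaScript model. This is illustrative code written for this thread, not the Shibboleth IdP's scripting API or anyone's deployed configuration: the entity IDs, the signup deadline and the `user` objects are constructed placeholders, and the IdP contexts are replaced by plain function arguments so the logic can be run offline. The `simulate` function walks the exact sequence from the original question (original SP, then the portal, then the original SP again with an SSO session) to show that a per-request intercept re-evaluates the decision at every SP, so the session obtained to reach the portal does not open the original SP.

```javascript
// Constructed placeholders (not values from the thread).
const DUO_PORTAL_ENTITY_ID = "https://duo-portal.example.edu/shibboleth";
const ORIGINAL_SP_ENTITY_ID = "https://sp-a.example.edu/shibboleth";
const DUO_SIGNUP_DEADLINE = Date.parse("2018-09-01T00:00:00Z");

// Decision 1: MFA transition map after the password flow.
// Returns the next flow ID, or null when no further factor is required.
// The decision depends only on the user's duo-enabled attribute, not on
// the SP or the authentication request, as in Stephen's description.
function nextAuthnFlow(user) {
  return user.duoEnabled ? "authn/Duo" : null;
}

// Decision 2: post-authentication intercept, evaluated on every request
// (fresh login or SSO reuse alike). Returns { allow: true } or
// { allow: false, event: "DuoSignup" } so the IdP can show the signup error.
function duoSignupIntercept(user, relyingPartyId, now) {
  if (user.duoEnabled) {
    // authn/Duo is assumed to have run in the MFA flow for this user.
    return { allow: true, reason: "authn/Duo ran" };
  }
  if (relyingPartyId === DUO_PORTAL_ENTITY_ID) {
    // Exempt the portal so an unenrolled user is not trapped.
    return { allow: true, reason: "Duo portal is exempt for enrollment" };
  }
  if (now >= DUO_SIGNUP_DEADLINE) {
    return { allow: false, event: "DuoSignup" };
  }
  return { allow: true, reason: "signup deadline not yet reached" };
}

// Walk the sequence from the original question for an unenrolled user
// after the deadline. The SSO session flag models the browser state;
// the intercept runs whether or not a fresh password login happened.
function simulate() {
  const user = { name: "unenrolled-user", duoEnabled: false };
  const now = Date.parse("2018-10-01T00:00:00Z");
  const visits = [ORIGINAL_SP_ENTITY_ID, DUO_PORTAL_ENTITY_ID, ORIGINAL_SP_ENTITY_ID];
  let hasSsoSession = false;
  const outcomes = [];
  for (const sp of visits) {
    const freshLogin = !hasSsoSession;
    const flow = freshLogin ? nextAuthnFlow(user) : "sso-reuse";
    const result = duoSignupIntercept(user, sp, now);
    // Only a completed, allowed authentication leaves a usable session.
    if (freshLogin && result.allow) {
      hasSsoSession = true;
    }
    outcomes.push({ sp, flow, allowed: result.allow, event: result.event || null });
  }
  return outcomes;
}
```

Run with `node` to print `simulate()` if you want to see the three outcomes; the key observation is the third entry: even though the browser now holds an SSO session from the portal login, the original SP is still refused with "DuoSignup", which is the behaviour the first post was missing when the exemption lived only in the MFA script.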