ECP Non-Browser MFA Duo

ECP Non-Browser MFA Duo

Joshua Brodie
I'm a bit at sea...apologies in advance for anything ambiguous.

Completed:
conf/authn/duo.properties -- added the non-duo integration (per the sample in v3.4.6)

conf/authn/duo-authn-config.xml  -- added the following:

<bean id="NonBrowserDuo" class="net.shibboleth.idp.authn.duo.BasicDuoIntegration"
  p:APIHost="%{idp.duo.nonbrowser.apiHost:none}"
  p:applicationKey="%{idp.duo.nonbrowser.applicationKey:none}"
  p:integrationKey="%{idp.duo.nonbrowser.integrationKey:none}"
  p:secretKey="%{idp.duo.nonbrowser.secretKey:none}" />

authn/general-auth.xml - removed p:nonBrowserSupported property setter on the "auth/Duo"

However, MFA is not triggered for a service when accessed via ECP (it is triggered when accessed via a regular browser -- no change from previous) -- the aim is to trigger for both ECP and browser. Any directional tips would be very appreciated. Thank you.

--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]
Re: ECP Non-Browser MFA Duo

Cantor, Scott E.
On 12/4/19, 6:57 PM, "users on behalf of Joshua Brodie" <[hidden email] on behalf of [hidden email]> wrote:

> MFA is not triggered for a service when via ECP (triggered when access via regular browser -- no change from previous) -- aim is to trigger for both ECP and browser. Any directional tips would be very appreciated.

I assume you mean it's the same SP. Assuming whatever would trigger it to require Duo to run is running, in which case the only requirement is that auto-push is on for that profile/account/whatever, or the HTTP header(s) are in the request to avoid the requirement for auto-push to be on.

Either way it will log plenty if it's running.

-- Scott
