Failmode of Duo Authentication Flow

Failmode of Duo Authentication Flow

Zunan Dong
Hi Team,

Our organization is trying to integrate Duo with Shibboleth IdP.

We're trying to configure the failmode of Duo authentication flow. It
seems that Duo provides an optional parameter, "duo.failmode",
which should be configurable in duo.properties file. However, I don't
see any comments in duo.properties file for this parameter. And also,
there is no "failmode" field in the
"net.shibboleth.idp.authn.duo.BasicDuoIntegration" class. I'm wondering
if there is a way to set the failmode of Duo authentication? The version
of our current IdP is V3.3. Any suggestion would be helpful.

Appreciated,

--
Zunan Dong
Authentication Systems Specialist
Information Security
Information Technology Services
University of Toronto
Email: [hidden email]

--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]
Re: Failmode of Duo Authentication Flow

Lee Foltz
This is outlined here below and an example of what we use. We are running IDP 3.4.6

Configured in duo.properties
idp.duo.failmode = safe 
idp.duo.failmode = secure

safe mode - In the event that Duo's service cannot be contacted, users' authentication attempts will be permitted if primary authentication succeeds. (Default)
secure mode - In the event that Duo's service cannot be contacted, all users' authentication attempts will be rejected.

On Fri, Jan 31, 2020 at 2:05 PM Zunan Dong <[hidden email]> wrote:

--
Lee Foltz
Oakland University - UTS
Senior Identity and Access Management Engineer
 
248-370-2675

Re: Failmode of Duo Authentication Flow

Zunan Dong

Hi Lee,

I have put idp.duo.failmode=safe along with a wrong secretKey in the duo.properties file. When I log in, I pass the primary authn (Username/Password), and it shows me an error page afterwards. I also tried to put in a wrong apiHost, which gives me an error in the Duo iframe. I guess this doesn't work for me.

Zunan

On 2020-01-31 02:19 PM, Lee Foltz wrote:

Re: Failmode of Duo Authentication Flow

IAM David Bantz
Presumably the idp.duo.failmode is triggered on inability to connect to Duo, not on Duo receiving a request referencing an invalid integration.

On Fri, Jan 31, 2020 at 11:13 AM Zunan Dong <[hidden email]> wrote:

Re: Failmode of Duo Authentication Flow

Zunan Dong

Thanks David, this explains it. Is there any way that we can test it?

Zunan


On 2020-01-31 03:27 PM, IAM David Bantz wrote:

Re: Failmode of Duo Authentication Flow

Christopher Bongaarts

One way is to use a host or network firewall to temporarily block traffic to your Duo API host's IP.

On 1/31/2020 3:00 PM, Zunan Dong wrote:

-- 
%%  Christopher A. Bongaarts   %%  [hidden email]          %%
%%  OIT - Identity Management  %%  http://umn.edu/~cab  %%
%%  University of Minnesota    %%  +1 (612) 625-1809    %%

Re: Failmode of Duo Authentication Flow

Zunan Dong

Thank you, I'll give it a try.

Zunan


On 2020-01-31 04:12 PM, Christopher Bongaarts wrote:

RE: Failmode of Duo Authentication Flow

Cantor, Scott E.
In reply to this post by Zunan Dong
> We're trying to configure the failmode of Duo authentication flow. It seems
> that Duo provides an optional parameter, "duo.failmode", which should be
> configurable in duo.properties file. However, I don't see any comments in
> duo.properties file for this parameter. And also, there is no "failmode" field in
> the "net.shibboleth.idp.authn.duo.BasicDuoIntegration" class. I'm wondering if
> there is a way to set the failmode of Duo authentication? The version of our
> current IdP is V3.3. Any suggestion would be helpful.

Whatever documentation you are looking at has nothing to do with Shibboleth and is not correct. There is no such property in the supported flow.

However, since the primary use of the flow is via the MFA feature, the intention is that you are free to implement whatever pre-flight checking and failure handling you want via that configuration with your own code. It doesn't need to be part of the Duo flow, or specific to Duo, since the issue would apply to any third party authentication system.

-- Scott

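
A sketch of the pre-flight check and failure handling Scott describes, added here as an example; it is not code from the Shibboleth project or from any poster in this thread. It probes Duo's unauthenticated /auth/v2/ping endpoint and keeps "unreachable" (the firewall-block test suggested above) apart from "reachable but returning an error", which is the distinction David points out. The function names, the use of "safe"/"secure" as policy values and the api-XXXXXXXX.duosecurity.com host are assumptions for illustration.

```python
import socket
import urllib.error
import urllib.request

# Policy values are assumptions, borrowed from the thread's "safe"/"secure" wording.
FAIL_OPEN, FAIL_CLOSED = "safe", "secure"


def probe_duo(api_host, timeout=3.0, opener=urllib.request.urlopen):
    """Classify the Duo API host as 'up', 'error' or 'unreachable'."""
    url = "https://%s/auth/v2/ping" % api_host  # unauthenticated liveness check
    try:
        with opener(url, timeout=timeout) as resp:
            return "up" if resp.status == 200 else "error"
    except urllib.error.HTTPError:
        # Duo answered with an HTTP error: the service was contacted.
        return "error"
    except (urllib.error.URLError, socket.timeout, OSError):
        # DNS failure, blocked or refused connection, TLS failure, timeout.
        return "unreachable"


def next_step(primary_ok, duo_state, failmode):
    """Return 'deny', 'duo' or 'skip-duo' for one login attempt."""
    if not primary_ok:
        return "deny"
    if duo_state == "unreachable":
        # Only a connectivity failure consults the fail mode.
        return "skip-duo" if failmode == FAIL_OPEN else "deny"
    # Duo is reachable: always run the second factor. A bad key or wrong
    # integration then fails inside Duo instead of silently bypassing it.
    return "duo"


def decide(api_host, primary_ok, failmode, opener=urllib.request.urlopen):
    """Probe, then decide. Unknown failmode values fail closed."""
    if not primary_ok:
        return "deny"  # no need to contact Duo at all
    if failmode not in (FAIL_OPEN, FAIL_CLOSED):
        failmode = FAIL_CLOSED
    return next_step(True, probe_duo(api_host, opener=opener), failmode)


if __name__ == "__main__":
    # Constructed stand-in for a firewall rule blocking the Duo API host.
    def blocked(url, timeout):
        raise urllib.error.URLError("connection refused (simulated)")

    host = "api-XXXXXXXX.duosecurity.com"  # placeholder, not a real host
    for mode in (FAIL_OPEN, FAIL_CLOSED):
        print(mode, "->", decide(host, True, mode, opener=blocked))
```

Log and alert on every "skip-duo" result: under the fail-open value it means a login completed on the primary factor alone.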