Wessel, Keith
2014-08-20 21:20:12 UTC
Hi, all,
We're getting our plans together to put the MCB and Duo in place, and I'm preparing a demo for our security folks to help us make some decisions.
I'd like to set up a service provider to require Duo if available and, if not, to settle for username/password. This would allow users from two different assurance levels in that the application could handle accordingly.
But I'm hitting a snag. With my authnContextClassRef set to the duo context followed by the password context, and my initial context in the MCB set only to password, I get prompted to password authenticate. But then I never get sent to Duo authenticate, presumably because I've already settled the password context.
Only solution I can think of is to add a 3rd context which uses the password method that an SP will never ask for and configure it as my only initial context. If a user is eligible for Duo, the MCB will then try to satisfy the Duo context as it already knows the user's principal. If the user is only eligible for password, and since that method has already been satisfied, the password context will be returned to the service provider.
It feels like a hack to have a 3rd dummy context, though. I was hoping, after doing password authn, the MCB would then see that Duo was preferred and do that. No such luck.
Is there a cleaner way to do what I'm trying to do?
Thanks,
Keith
We're getting our plans together to put the MCB and Duo in place, and I'm preparing a demo for our security folks to help us make some decisions.
I'd like to set up a service provider to require Duo if available and, if not, to settle for username/password. This would allow users from two different assurance levels in that the application could handle accordingly.
But I'm hitting a snag. With my authnContextClassRef set to the duo context followed by the password context, and my initial context in the MCB set only to password, I get prompted to password authenticate. But then I never get sent to Duo authenticate, presumably because I've already settled the password context.
Only solution I can think of is to add a 3rd context which uses the password method that an SP will never ask for and configure it as my only initial context. If a user is eligible for Duo, the MCB will then try to satisfy the Duo context as it already knows the user's principal. If the user is only eligible for password, and since that method has already been satisfied, the password context will be returned to the service provider.
It feels like a hack to have a 3rd dummy context, though. I was hoping, after doing password authn, the MCB would then see that Duo was preferred and do that. No such luck.
Is there a cleaner way to do what I'm trying to do?
Thanks,
Keith
--
To unsubscribe from this list send an email to users-unsubscribe-***@public.gmane.org
To unsubscribe from this list send an email to users-unsubscribe-***@public.gmane.org