Discussion:
MCB with DUO
Hong Ye
2014-09-09 20:27:52 UTC
Permalink
Hi,

I'm implementing MCB with DUO in our IDP. But I'm hitting a snag. I installed MCB v1.1.4 and mcb-duo-2.0.1 in the IDP. Without authnContextClassRef defined in SP, I was prompted for password authentication. With authnContextClassRef set to the duo context in SP, I was hoping for password authentication first, then prompt to Duo authentication. But nothing happened, no password authentication, I just got a white screen. Here is error in the idp-process.log,

ERROR [edu.uchicago.identity.mcb.authn.provider.duo.DuoLoginSubmodule:84] - The DuoLoginSubmodule may not be invoked unless the user already has authenticated using another method. No user principal detected.

I guess password authentication not happening was because SP only requested duo authentication. If my guess is correct, then how to configure SP to request password authentication first, then follow Duo authentication? I would like the whole SP site require Duo authentication.

Thanks,
Hong
--
To unsubscribe from this list send an email to users-unsubscribe-***@public.gmane.org
Rich Graves
2014-09-09 20:32:07 UTC
Permalink
Yes, you need to configure some user/password provider as primary authentication, then Duo. The directions are correct, but need to be followed EXACTLY.

If you want a working Shib+MCB+Duo installation to poke at (and to diff -u -r from yours), download http://go.carleton.edu/shibcentos6 and an associated draft SANS research paper at http://tinyurl.com/shib-centos6/
--
To unsubscribe from this list send an email to users-unsubscribe-***@public.gmane.org
Loading...