Configuring Duo authentication for use upon request

Triggering Duo, or any other authentication method, on request involves three steps: naming the method, including that method in the IdP configuration, and then requesting it by name from the SP.

Naming the method

...

Note: Authentication Context

SAML V2.0 introduced the notion of an Authentication Context Class, denoted by a URI. A particular Authentication Context Class addresses a wide range of assurance issues, including user registration, identity proofing and credentialing, in addition to the method of authentication.

Since username/password authentication is the norm, an IdP usually asserts the following Authentication Context Class URI:

urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

This name is part of a standard namespace. When choosing your own name, do not simply alter the ending of this URI: the result would look like, but not actually be, part of the standard.

The above Authentication Context Class is defined by the OASIS SAML specification, which is why the URI begins with "urn:oasis". To define your own Authentication Context Class, begin by choosing an appropriate URI. For example, the URI selected for use at USC is:

urn:usc.edu:ac:classes:PasswordProtectedTransport:duo

Adapting this name for your own institution can be as simple as replacing the usc.edu component with an identifier for your institution.

Alternatively, choose a URL in your institution's namespace, that is, a URL rooted in a domain your institution owns. (In this case the URL serves only as a name, so it need not resolve to an actual web resource.)

Now configure the chosen Authentication Context Class URI into the Duo login handler in the IdP's handler.xml. After following the Duo instructions to achieve a basic install, you should have a LoginHandler of type twofactor:TwoFactorLogin. Normally the login handler would be configured like this:

<ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ph:AuthenticationMethod>

Change this to:

<ph:AuthenticationMethod>urn:usc.edu:ac:classes:PasswordProtectedTransport:duo</ph:AuthenticationMethod>

substituting the Authentication Context Class URI you chose for this purpose. The IdP will then assert that URI, rather than PasswordProtectedTransport, whenever the Duo handler completes, which is what allows an SP to request it by name.

Modify servlet parameters:

...

The SessionInitiator is extremely configurable and allows for many customizations and ways of using it. In recent SP releases this element is not present in the default configuration; the software supplies the default settings automatically. The following line can be added to the Sessions element, or it can be placed inside another SessionInitiator of type="Chaining" if you have multiple ways to initiate a session. In either case, the key attribute is authnContextClassRef, which is set on the SessionInitiator of type SAML2. The value must match the AuthenticationMethod configured on the IdP exactly. For example:

...
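The three steps above (choosing a name outside the OASIS namespace, configuring it as the Duo handler's AuthenticationMethod in handler.xml, and requesting it via authnContextClassRef in the SP's SessionInitiator) only work if the same URI appears in both places. The following is an added example, not code from this page, from Duo or from the Shibboleth project: a small Python check that parses a handler.xml fragment and a shibboleth2.xml fragment and reports any mismatch. The two XML fragments are constructed for the example; the element and attribute names are those used in the text above, while the twofactor namespace URI, the SP namespace URI and the entityIDs are assumptions.

```python
"""Consistency check for a requested-on-demand Authentication Context Class
across a Shibboleth IdP 2.x handler.xml and a Shibboleth SP shibboleth2.xml.

Added example; not code from the Shibboleth project or from Duo. The XML
below is constructed for this example. Namespace URIs and entityIDs are
assumptions; element and attribute names follow the configuration described
on this page.
"""
import xml.etree.ElementTree as ET

OASIS_AC_PREFIX = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
PASSWORD_PROTECTED_TRANSPORT = OASIS_AC_PREFIX + "PasswordProtectedTransport"
DUO_CLASS = "urn:usc.edu:ac:classes:PasswordProtectedTransport:duo"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed handler.xml fragment: the Duo login handler asserting the custom class.
HANDLER_XML = """
<ph:ProfileHandlerGroup xmlns:ph="urn:mace:shibboleth:2.0:idp:profile-handler"
    xmlns:twofactor="http://duosecurity.com/shibboleth-idp/twofactor"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <ph:LoginHandler xsi:type="twofactor:TwoFactorLogin">
    <ph:AuthenticationMethod>%s</ph:AuthenticationMethod>
  </ph:LoginHandler>
</ph:ProfileHandlerGroup>
""" % DUO_CLASS

# Constructed shibboleth2.xml fragment: the SP requesting that class by name.
SP_XML = """
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.edu/shibboleth">
    <Sessions lifetime="28800" timeout="3600" checkAddress="false"
              handlerURL="/Shibboleth.sso" handlerSSL="true">
      <SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Login"
                        entityID="https://idp.example.edu/idp/shibboleth">
        <SessionInitiator type="SAML2" acsIndex="1" template="bindingTemplate.html"
                          authnContextClassRef="%s"/>
      </SessionInitiator>
    </Sessions>
  </ApplicationDefaults>
</SPConfig>
""" % DUO_CLASS


def local_name(tag):
    """Strip the {namespace} prefix ElementTree puts on element tags."""
    return tag.rsplit("}", 1)[-1]


def is_acceptable_custom_class(uri):
    """A locally defined class must be a URN or absolute URL in the
    institution's own namespace, never a re-ended OASIS URI."""
    if uri.startswith(OASIS_AC_PREFIX):
        return False  # changing only the ending does not make it standard
    return uri.startswith(("urn:", "https://", "http://"))


def idp_duo_method(handler_xml):
    """Return the AuthenticationMethod of the TwoFactorLogin handler, or None."""
    root = ET.fromstring(handler_xml)
    for el in root.iter():
        if local_name(el.tag) != "LoginHandler":
            continue
        if not el.get(XSI_TYPE, "").endswith(":TwoFactorLogin"):
            continue
        for child in el:
            if local_name(child.tag) == "AuthenticationMethod" and child.text:
                return child.text.strip()
    return None


def sp_requested_classes(sp_xml):
    """Return every authnContextClassRef set on a SAML2 SessionInitiator."""
    root = ET.fromstring(sp_xml)
    return [el.get("authnContextClassRef") for el in root.iter()
            if local_name(el.tag) == "SessionInitiator"
            and el.get("type") == "SAML2" and el.get("authnContextClassRef")]


def check_config(handler_xml, sp_xml):
    """Return a list of problems; an empty list means IdP and SP agree."""
    problems = []
    method = idp_duo_method(handler_xml)
    if method is None:
        return ["no TwoFactorLogin handler with an AuthenticationMethod"]
    if method == PASSWORD_PROTECTED_TRANSPORT:
        problems.append("Duo handler still asserts the default class, so it cannot be requested by name")
    elif not is_acceptable_custom_class(method):
        problems.append("custom class is malformed or squats in the OASIS namespace: " + method)
    for requested in sp_requested_classes(sp_xml):
        if requested != method:  # the SP compares the class exactly by default
            problems.append("SP requests %s but the IdP asserts %s" % (requested, method))
    return problems


if __name__ == "__main__":
    for problem in check_config(HANDLER_XML, SP_XML) or ["IdP and SP agree on " + DUO_CLASS]:
        print(problem)
```

Run it against the real files by reading handler.xml and shibboleth2.xml into the two arguments of check_config; any non-empty result is a reason the step-up request would not take effect.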