...

Note

This feature requires version 2.1.0 or later of the DuoOIDC plugin, which is currently unreleased, and this material is experimental in nature. In particular, the configuration is in flux, and the exact steps needed to configure Duo will depend on Duo features that are currently only in preview.

Table of Contents

Background

...

The new feature has also been designed with shared-machine considerations in mind, and it supports various "gradual adoption" scenarios, such as pilot groups, to manage the introduction of the feature to a large community.

Overview

Ultimately the MFA flow controls whether this new feature is used and orchestrates the Duo flow in either its new passwordless form or its traditional mode. Examples of how to configure this are included near the end of this topic, and of course the IdP's MFA flow can be configured to do many more exotic things in support of this workflow, depending on local requirements.

...

  1. After a standard Duo authentication is completed, a condition is evaluated against the request and, if true, the subject is given a choice to "opt in", in which case an encrypted cookie containing the username is issued for use on future requests. The plugin will also identify scenarios in which an existing cookie should be removed. If the subject opts out, that decision is also remembered, using a fixed cookie value, to avoid constant nagging.

  2. Subsequent requests on which the feature is triggered detect the presence of the cookie, and the plugin will (generally) present a new view, prior to the handoff to Duo, that identifies who it believes the subject to be so the person can indicate how they want to proceed.

  3. If traditional login is preferred, or the subject self-identifies as a different identity, control returns to the MFA flow with specific events, after which the MFA flow is expected to do whatever it had been doing originally.

  4. If passwordless login is chosen, the plugin will invoke the Duo service using the desired passwordless integration.

  5. The factor used is checked against a (configurable) set of acceptable factors, and if it is acceptable, the resulting Java Subject will automatically include a UsernamePrincipal object containing the username passed to Duo, allowing the MFA flow to potentially complete with no additional configuration.

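The following is an added model of the cookie and decision logic described in the five steps above. It is illustrative code written for this page, not the DuoOIDC plugin's implementation: the plugin seals its cookie with the IdP's own machinery, and its real cookie format, event names and factor identifiers are not shown here, so the marker value, the two event names, the acceptable-factor set and the toy authenticated-encryption helper below are all assumptions. What the model does show is the security-relevant shape of the flow: an opt-out is remembered as a fixed sealed value rather than an absent cookie, a cookie that fails authentication is treated as absent (and should be cleared), and the username principal is only produced after the factor Duo reports has been checked against the allowed set.

```python
import base64
import hashlib
import hmac
import secrets

# Hypothetical stand-ins; the plugin's actual values are not on this page.
OPT_OUT_MARKER = b"__optout__"              # fixed value remembering "opt out"
ACCEPTABLE_FACTORS = {"webauthn", "duo_push"}  # factors allowed for passwordless
EVENT_FACTOR_REJECTED = "PasswordlessFactorRejected"
EVENT_PROCEED = "proceed"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy SHA-256 counter-mode keystream (stand-in for real encryption)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> str:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256 tag, base64url."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ct + tag).decode()


def unseal(key: bytes, token: str):
    """Return the plaintext, or None if the cookie is malformed or fails the MAC."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except Exception:
        return None
    if len(raw) < 48:
        return None
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time tag check
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def record_choice(key: bytes, username: str, opt_in: bool) -> str:
    """Step 1: after a normal Duo login, remember the subject's opt-in or opt-out."""
    return seal(key, username.encode() if opt_in else OPT_OUT_MARKER)


def inspect_cookie(key: bytes, cookie):
    """Step 2: classify an incoming cookie before the Duo handoff.

    Returns (state, username) where state is one of
    'no-cookie', 'invalid' (tampered or foreign key: treat as absent and clear it),
    'opted-out' (skip the nag) or 'identified' (show the "is this you?" view).
    """
    if cookie is None:
        return ("no-cookie", None)
    data = unseal(key, cookie)
    if data is None:
        return ("invalid", None)
    if data == OPT_OUT_MARKER:
        return ("opted-out", None)
    return ("identified", data.decode())


def complete_passwordless(username: str, factor_used: str) -> dict:
    """Steps 4-5: only an acceptable factor yields a UsernamePrincipal."""
    if factor_used not in ACCEPTABLE_FACTORS:
        return {"event": EVENT_FACTOR_REJECTED, "principals": []}
    return {"event": EVENT_PROCEED, "principals": [("UsernamePrincipal", username)]}


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    cookie = record_choice(key, "alice", opt_in=True)
    print(inspect_cookie(key, cookie))              # ('identified', 'alice')
    print(inspect_cookie(key, record_choice(key, "alice", opt_in=False)))
    print(complete_passwordless("alice", "webauthn"))
    print(complete_passwordless("alice", "sms"))
```

On a shared machine the 'identified' state is exactly why step 2 shows a confirmation view rather than silently proceeding: the cookie tells the plugin who it believes is at the keyboard, and the person must confirm or redirect to the traditional path (step 3). A cookie sealed under a different key, for example after a key rotation, lands in the 'invalid' branch and should be cleared rather than trusted.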
...