...

Code Block (xml): duo-authn-config.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:context="http://www.springframework.org/schema/context"
    xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p" xmlns:c="http://www.springframework.org/schema/c"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"

    default-init-method="initialize" default-destroy-method="destroy">

    <!-- Require an explicit CA root on Duo AuthAPI calls. -->

    <bean id="shibboleth.authn.Duo.NonBrowser.HttpClientSecurityParameters"
            class="org.opensaml.security.httpclient.HttpClientSecurityParameters">
        <property name="tLSTrustEngine">
            <bean parent="shibboleth.StaticPKIXTrustEngine"
                p:trustedNames="*.duosecurity.com"
                p:checkNames="true">
                <property name="certificates">
                    <list>
                        <bean class="org.springframework.core.io.FileSystemResource"
                            c:_0="%{idp.home}/credentials/duo-ca.pem"/>
                    </list>
                </property>
            </bean>
        </property>
    </bean>
    
    <bean id="shibboleth.authn.Duo.NonBrowser.HttpClient"
        parent="shibboleth.NonCachingHttpClient"
        p:tLSSocketFactory-ref="shibboleth.SecurityEnhancedTLSSocketFactory" />

</beans>


The use of a forward proxy for the Duo HTTP client is also possible:

Code Block (xml): duo-authn-config.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:context="http://www.springframework.org/schema/context"
    xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p" xmlns:c="http://www.springframework.org/schema/c"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"

    default-init-method="initialize" default-destroy-method="destroy">

    <!-- Use a forward proxy. Additional properties are available: connectionProxyUsername and connectionProxyPassword. -->

    <bean id="shibboleth.authn.Duo.NonBrowser.HttpClient"
        parent="shibboleth.NonCachingHttpClient"
        p:connectionProxyHost="myproxy.example.com"
        p:connectionProxyPort="1234" />

</beans>


Additionally, any of the properties of HttpClientBuilder may be used when creating a custom-wired HTTP client instance.


Reference

Beans

The possible beans expected in authn/duo-authn-config.xml follow (each entry lists Bean ID, Type, Default and Function; "3.4+" marks beans available since IdP 3.4):

shibboleth.authn.Duo.DuoIntegration
    Type: DuoIntegration
    Default: Derived from settings in duo.properties
    Function: Defines a single/static DuoWeb integration with Duo; you can override this bean to supply a non-property-configured alternative

shibboleth.authn.Duo.NonBrowser.DuoIntegration (3.4+)
    Type: DuoIntegration
    Default: Derived from settings in duo.properties
    Function: Defines a single/static AuthAPI integration with Duo; you can override this bean to supply a non-property-configured alternative

shibboleth.authn.Duo.DuoIntegrationStrategy
    Type: Function<ProfileRequestContext,DuoIntegration>
    Default: (none)
    Function: Optional bean to supply the DuoWeb integration settings dynamically

shibboleth.authn.Duo.NonBrowser.DuoIntegrationStrategy (3.4+)
    Type: Function<ProfileRequestContext,DuoIntegration>
    Default: (none)
    Function: Optional bean to supply the Duo AuthAPI integration settings dynamically

shibboleth.authn.Duo.UsernameLookupStrategy
    Type: Function<ProfileRequestContext,String>
    Default: CanonicalUsernameLookupStrategy
    Function: Optional bean to supply the username

shibboleth.authn.Duo.resultCachingPredicate
    Type: Predicate<ProfileRequestContext>
    Default: (none)
    Function: An optional bean that can be defined to control whether to preserve the authentication result in an IdP session

shibboleth.authn.Duo.addDefaultPrincipals
    Type: Boolean
    Default: true
    Function: Whether to add the content of the supportedPrincipals property of the underlying flow descriptor to the resulting Subject

shibboleth.authn.Duo.NonBrowser.HttpClient (3.4+)
    Type: HttpClient
    Default: shibboleth.NonCachingHttpClient
    Function: Overrides the HttpClient implementation and settings to use for the AuthAPI (see HttpClientConfiguration)

shibboleth.authn.Duo.NonBrowser.HttpClientSecurityParameters (3.4+)
    Type: HttpClientSecurityParameters
    Default: (none)
    Function: Custom security settings for the AuthAPI calls (see HttpClientConfiguration)

Properties

The properties defined in conf/authn/duo.properties follow (each entry lists Name, Type, Default and Function; "3.4+" marks properties available since IdP 3.4):

idp.duo.apiHost
    Type: Hostname
    Default: (none)
    Function: DuoWeb API hostname assigned to the integration

idp.duo.applicationKey
    Type: String
    Default: (none)
    Function: A secret supplied by you and not shared with Duo; see https://duo.com/docs/duoweb, "Generate an akey".

idp.duo.integrationKey
    Type: String
    Default: (none)
    Function: DuoWeb integration key (supplied by Duo)

idp.duo.secretKey
    Type: String
    Default: (none)
    Function: DuoWeb secret key (supplied by Duo)

idp.duo.nonbrowser.apiHost (3.4+)
    Type: Hostname
    Default: ${idp.duo.apiHost}
    Function: Duo AuthAPI hostname assigned to the integration

idp.duo.nonbrowser.applicationKey (3.4+)
    Type: String
    Default: (none)
    Function: A secret supplied by you and not shared with Duo; see https://duo.com/docs/duoweb, "Generate an akey".

idp.duo.nonbrowser.integrationKey (3.4+)
    Type: String
    Default: (none)
    Function: Duo AuthAPI integration key (supplied by Duo)

idp.duo.nonbrowser.secretKey (3.4+)
    Type: String
    Default: (none)
    Function: Duo AuthAPI secret key (supplied by Duo)

idp.duo.nonbrowser.header.factor (3.4+)
    Type: String
    Default: X-Shibboleth-Duo-Factor
    Function: Name of the HTTP request header carrying the Duo AuthAPI factor

idp.duo.nonbrowser.header.device (3.4+)
    Type: String
    Default: X-Shibboleth-Duo-Device
    Function: Name of the HTTP request header carrying the Duo AuthAPI device ID or name

idp.duo.nonbrowser.header.passcode (3.4+)
    Type: String
    Default: X-Shibboleth-Duo-Passcode
    Function: Name of the HTTP request header carrying the Duo AuthAPI passcode

idp.duo.nonbrowser.auto (3.4+)
    Type: Boolean
    Default: true
    Function: Allow the factor to default to "auto" if no headers are received

idp.duo.nonbrowser.clientAddressTrusted (3.4+)
    Type: Boolean
    Default: true
    Function: Pass the client address to Duo in API calls to support logging, push display, and network-based Duo policies

The Duo-provided properties (API hostname, integration key and secret key) appear in the Duo administrative console.
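To make the effect of the idp.duo.nonbrowser.* properties concrete, the following is an added illustration, not the Shibboleth IdP's own code: it maps the three request headers to the factor, device and passcode parameters of a Duo AuthAPI auth call, applies the "auto" fallback only when idp.duo.nonbrowser.auto is true, and forwards the client address only when idp.duo.nonbrowser.clientAddressTrusted is true. The parameter names (username, factor, device, passcode, ipaddr) are those of Duo's /auth/v2/auth endpoint; the header values, username and address in the sample are constructed, and the exact validation the IdP performs is assumed, not taken from the page.

```python
"""Added illustration (not the Shibboleth IdP's own code) of how the
idp.duo.nonbrowser.* properties shape a Duo AuthAPI /auth/v2/auth call."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class NonBrowserSettings:
    """Defaults mirror the duo.properties entries documented above."""
    header_factor: str = "X-Shibboleth-Duo-Factor"
    header_device: str = "X-Shibboleth-Duo-Device"
    header_passcode: str = "X-Shibboleth-Duo-Passcode"
    auto: bool = True                    # idp.duo.nonbrowser.auto
    client_address_trusted: bool = True  # idp.duo.nonbrowser.clientAddressTrusted


class DuoRequestError(ValueError):
    """Raised when the headers cannot be turned into a valid AuthAPI request."""


# Factor values of Duo's AuthAPI auth endpoint that select a device rather than a passcode.
DEVICE_FACTORS = {"auto", "push", "phone", "sms"}


def build_auth_params(username: str, headers: Dict[str, str], client_address: Optional[str],
                      settings: Optional[NonBrowserSettings] = None) -> Dict[str, str]:
    """Map inbound HTTP headers to the parameters of a Duo AuthAPI auth call (assumed logic)."""
    s = settings or NonBrowserSettings()
    # HTTP header names are case-insensitive, so compare them lower-cased.
    lowered = {k.lower(): v for k, v in headers.items()}
    factor = lowered.get(s.header_factor.lower(), "").strip()
    device = lowered.get(s.header_device.lower(), "").strip()
    passcode = lowered.get(s.header_passcode.lower(), "").strip()

    if not factor:
        # No factor header: only default to "auto" when the property allows it.
        if not s.auto:
            raise DuoRequestError("no factor header received and idp.duo.nonbrowser.auto is false")
        factor = "auto"

    params = {"username": username, "factor": factor}
    if factor == "passcode":
        if not passcode:
            raise DuoRequestError("factor=passcode requires the passcode header")
        params["passcode"] = passcode
    elif factor in DEVICE_FACTORS:
        # Device ID or name from the header; Duo chooses the device when "auto".
        params["device"] = device or "auto"
    else:
        raise DuoRequestError(f"unsupported Duo factor {factor!r}")

    if s.client_address_trusted and client_address:
        # Forward the client IP only when the deployment trusts it; Duo uses it
        # for logging, push display and network-based policies.
        params["ipaddr"] = client_address
    return params


if __name__ == "__main__":
    # Constructed sample request: a push to the device named "phone1" from 203.0.113.7.
    sample_headers = {"X-Shibboleth-Duo-Factor": "push", "X-Shibboleth-Duo-Device": "phone1"}
    print(build_auth_params("alice", sample_headers, "203.0.113.7"))
```

Setting client_address_trusted to false is the right choice when the IdP sits behind a proxy that does not rewrite the remote address, since a forwarded address that the IdP cannot vouch for would otherwise feed Duo's network-based policies.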

V2 Compatibility

There is no equivalent V2 feature, apart from third party extensions.

Notes

None