Versions Compared

Comment: Clean up a bit.

Configuring Duo authentication for use upon request

...

Next, wire this into the Duo login handler in the IdP's handler.xml. After following the Duo instructions for a basic install, you should have a LoginHandler of type twofactor:TwoFactorLogin. It is normally configured with this authentication method:

Code Block
<ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ph:AuthenticationMethod>

Change that to:

Code Block
<ph:AuthenticationMethod>urn:usc.edu:ac:classes:PasswordProtectedTransport:duo</ph:AuthenticationMethod>

substituting, of course, the class name you selected for your own deployment.

...

The SessionInitiator is extremely configurable and supports many customizations and ways of using it.  In the latest releases this element is not present in the configuration by default; the software configures it automatically with default values.  The following line can be added directly to the Sessions element, or placed inside another SessionInitiator of type="Chaining" if you have multiple ways to initiate a session.  In either case the key attribute is authnContextClassRef, which is set on the SessionInitiator of type SAML2.  For example:

Code Block
<SessionInitiator type="SAML2" Location="/Login" isDefault="true" template="bindingTemplate.html" authnContextClassRef="urn:usc.edu:ac:classes:PasswordProtectedTransport:duo" forceAuthn="true"/>

It is good practice to set forceAuthn as well in this increased-security scenario, so that the IdP requires a fresh authentication rather than reusing an existing one.

...

Many of the configurable options on the SessionInitiator can also be supplied per request as query-string parameters on the Login handler URL.  This lets the application redirect the browser to a specially crafted URL whenever a login is needed.  For example:

Code Block
https://sp.example.org/Shibboleth.sso/Login?forceAuthn=true&authnContextClassRef=urn:usc.edu:ac:classes:PasswordProtectedTransport:duo&target=https%3A%2F%2Fsp.example.org%2Fresource.asp

Ref: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSessionCreationParameters
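The following Python snippet is an added example, not code from this wiki page or from the Shibboleth or Duo projects. It shows the two halves of the redirect-based step-up flow described above from the application's side: building the Login URL (percent-encoding the target and refusing off-site targets, since the Login handler would otherwise become an open redirect), and then checking that the resulting SP session actually carries the Duo class before serving the resource, because the query string only requests the class. It assumes the SP exposes the standard Shib-AuthnContext-Class session variable to the application; all hostnames and paths are constructed sample values.

```python
"""Added example (not from the wiki page): build the Shibboleth SP step-up
login redirect and verify, on the application side, that the resulting
session actually carries the Duo authentication context class.

Assumption (not stated on the page): the application sits behind a
Shibboleth SP that hands it session variables such as Shib-AuthnContext-Class.
All hostnames and paths below are constructed sample values.
"""
from urllib.parse import quote, urlsplit

# Class references from the page: the custom Duo class configured on the IdP
# and SP, and the standard password-only class it replaces.
DUO_CLASS = "urn:usc.edu:ac:classes:PasswordProtectedTransport:duo"
PASSWORD_CLASS = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"


def build_stepup_login_url(sp_base: str, target: str,
                           authn_class: str = DUO_CLASS,
                           force_authn: bool = True) -> str:
    """Return the /Shibboleth.sso/Login URL the app redirects to when it
    needs a Duo-protected session for `target`.

    `target` must live on the SP's own host over https: the Login handler
    sends the browser there after authentication, so an attacker-supplied
    value would turn the handler into an open redirect.
    """
    sp = urlsplit(sp_base)
    tgt = urlsplit(target)
    if tgt.scheme != "https" or tgt.netloc.lower() != sp.netloc.lower():
        raise ValueError(f"refusing off-site target: {target}")

    params = []
    if force_authn:
        # Do not let the IdP reuse an existing (possibly password-only) login.
        params.append("forceAuthn=true")
    # URN characters are query-safe; keep ':' readable as on the wiki page.
    params.append("authnContextClassRef=" + quote(authn_class, safe=":"))
    # The target is a full URL, so encode everything, including ':' and '/'.
    params.append("target=" + quote(target, safe=""))
    return f"{sp.scheme}://{sp.netloc}/Shibboleth.sso/Login?" + "&".join(params)


def session_satisfies_stepup(session_vars, required_class: str = DUO_CLASS) -> bool:
    """Check the SP-provided session variables before serving a resource.

    Redirecting to Login with authnContextClassRef only *requests* the
    class; the application must confirm the IdP asserted it, otherwise a
    session established with password-only authentication passes through.
    """
    asserted = session_vars.get("Shib-AuthnContext-Class", "")
    return asserted == required_class


if __name__ == "__main__":
    print(build_stepup_login_url("https://sp.example.org",
                                 "https://sp.example.org/resource.asp"))
    # Constructed sample of what the SP hands the app after a Duo login.
    print(session_satisfies_stepup({"Shib-AuthnContext-Class": DUO_CLASS}))
    # ...and after a password-only login: step-up not satisfied.
    print(session_satisfies_stepup({"Shib-AuthnContext-Class": PASSWORD_CLASS}))
```

The host check in build_stepup_login_url is the part most often forgotten: the target parameter is echoed back as a redirect by the SP, so an application that passes through a caller-supplied value without validation hands out a trusted-looking open redirect.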

...