Name | Default | Description
---|---|---
idp.duo.oidc.apiHost | | DuoOIDC API hostname assigned to the integration
idp.duo.oidc.clientId | | The OAuth 2.0 Client Identifier valid at the Authorization Server
idp.duo.oidc.redirectURL | | Redirection URI to which the 2FA response will be sent
idp.duo.oidc.redirecturl.allowedOrigins | | If idp.duo.oidc.redirectURL is not set, one is computed dynamically from the request and checked against this list of allowed origins, to prevent HTTP Host header injection.
idp.duo.oidc.secretKey | | The client secret used to authenticate the client when exchanging the authorization code for a Duo 2FA result token (id_token).
idp.duo.oidc.endpoint.health | /oauth/v1/health_check | Duo's OAuth 2.0 health check endpoint
idp.duo.oidc.endpoint.token | /oauth/v1/token | Duo's OAuth 2.0 token endpoint
idp.duo.oidc.endpoint.authorize | /oauth/v1/authorize | Duo's OAuth 2.0 authorization endpoint
idp.duo.oidc.jwt.verifier.clockSkew | PT60S | Leeway allowed in token expiry calculations
idp.duo.oidc.jwt.verifier.iatWindow | PT60S | Maximum allowed difference (in either direction from now) between the current time and the token's issued-at time for the token to be accepted
idp.duo.oidc.jwt.verifier.issuerPath | /oauth/v1/token | The path component of the Duo token issuer. The full issuer string takes the format: HTTPS://<idp.duo.oidc.apiHost>+<idp.duo.oidc.jwt.verifier.issuerPath>
idp.duo.oidc.jwt.verifier.preferredUsername | preferred_username | The result token JWT claim name that carries the username sent in the duo_uname field of the authorization request.
idp.duo.oidc.jwt.verifier.authLifetime | PT60S | How long the authentication is valid. Only applies to forced authentication requests.

The properties below are used when enabling non-browser / AuthAPI support:

Name | Default | Description
---|---|---
idp.duo.oidc.nonbrowser.apiHost | ${idp.duo.oidc.apiHost} | Duo AuthAPI hostname assigned to the integration
idp.duo.oidc.nonbrowser.integrationKey | | Duo AuthAPI integration key (supplied by Duo)
idp.duo.oidc.nonbrowser.secretKey | | Duo AuthAPI secret key (supplied by Duo)
idp.duo.oidc.nonbrowser.header.factor | X-Shibboleth-Duo-Factor | Name of the HTTP request header for the Duo AuthAPI factor
idp.duo.oidc.nonbrowser.header.device | X-Shibboleth-Duo-Device | Name of the HTTP request header for the Duo AuthAPI device ID or name
idp.duo.oidc.nonbrowser.header.passcode | X-Shibboleth-Duo-Passcode | Name of the HTTP request header for the Duo AuthAPI passcode
idp.duo.oidc.nonbrowser.auto | true | Allow the factor to default to "auto" if no headers are received
idp.duo.oidc.nonbrowser.clientAddressTrusted | true | Pass the client address to Duo in API calls to support logging, push display, and network-based Duo policies
idp.authn.DuoOIDC.addDefaultPrincipals (1.3.0) | true | If set to false, this prevents the addition of the default principals even when a ContextToPrincipalMappingStrategy is not set. Prior to 1.3.0, the default principals were always added when the ContextToPrincipalMappingStrategy was not set; setting this to false now controls that.
idp.duo.oidc.healthcheck.enabled (1.3.0) | true | Perform the Duo health check for every 2FA request? Defaults to true because this is the standard Duo workflow.
idp.duo.oidc.audit.enabled (1.3.0) | false | Enable Duo audit logging.
idp.duo.oidc.audit.format (1.4.0) | %AAF\|%a\|%T\|%DuoU\|%DuoRedirect\|%DuoCID\|%DuoReqS\|%DuoRespS\|%DuoTXID\|%DuoDID\|%DuoDN\|%DuoR\|%DuoF | The audit format to use for audit log statements.
idp.duo.oidc.audit.category (1.4.0) | Shibboleth-Audit.DuoOIDC | The audit logging category to use
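The following is an added illustration, not the plugin's own code, of how the verifier properties from the first table (issuerPath, clockSkew, iatWindow, preferredUsername) and the redirectURL/allowedOrigins pair would be applied to a decoded result token and an incoming request. Signature verification is assumed to have already succeeded; durations are expressed in seconds instead of ISO-8601, and every host, claim value and path is a constructed sample.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class DuoOidcProps:
    """The subset of idp.duo.oidc.* properties the checks below use (durations in seconds)."""
    api_host: str                                # idp.duo.oidc.apiHost
    issuer_path: str = "/oauth/v1/token"         # ...jwt.verifier.issuerPath
    clock_skew: int = 60                         # ...jwt.verifier.clockSkew (PT60S)
    iat_window: int = 60                         # ...jwt.verifier.iatWindow (PT60S)
    username_claim: str = "preferred_username"   # ...jwt.verifier.preferredUsername
    redirect_url: str | None = None              # idp.duo.oidc.redirectURL
    allowed_origins: tuple[str, ...] = ()        # idp.duo.oidc.redirecturl.allowedOrigins

def verify_result_token(claims: dict, props: DuoOidcProps, now: int, duo_uname: str) -> list[str]:
    """Return the failures found in an already signature-verified id_token payload."""
    errors = []
    # Issuer is HTTPS://<apiHost> + <issuerPath>, as the property table states.
    expected_iss = f"https://{props.api_host}{props.issuer_path}"
    if claims.get("iss") != expected_iss:
        errors.append("issuer mismatch")
    # clockSkew is leeway on top of exp; iatWindow bounds |now - iat| in both directions.
    if now > claims.get("exp", 0) + props.clock_skew:
        errors.append("token expired")
    if abs(now - claims.get("iat", 0)) > props.iat_window:
        errors.append("iat outside window")
    # The username claim must echo the duo_uname sent in the authorization request.
    if claims.get(props.username_claim) != duo_uname:
        errors.append("username claim does not match duo_uname")
    return errors

def resolve_redirect_url(props: DuoOidcProps, request_host: str, callback_path: str) -> str:
    """Use the configured redirectURL; otherwise build one from the request Host header
    only when its origin is in allowedOrigins, which is what blocks Host header injection."""
    if props.redirect_url:
        return props.redirect_url
    origin = f"https://{request_host}"
    if origin not in props.allowed_origins:
        raise ValueError(f"origin {origin} is not in allowedOrigins")
    return origin + callback_path

if __name__ == "__main__":
    # Constructed sample values, not real Duo hosts or tokens.
    props = DuoOidcProps(api_host="api-xxxxxxxx.duosecurity.example",
                         allowed_origins=("https://idp.example.org",))
    token = {"iss": "https://api-xxxxxxxx.duosecurity.example/oauth/v1/token",
             "iat": 1_700_000_000, "exp": 1_700_000_300, "preferred_username": "jdoe"}
    print(verify_result_token(token, props, now=1_700_000_030, duo_uname="jdoe"))  # []
    print(resolve_redirect_url(props, "idp.example.org", "/duo-callback"))
```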