...
Info |
---|
Starting with IdP 4.2 you can the install the latest plugin version supported on your IdP version with |
Plugin | Plugin ID | Module |
---|
(s) | Authentication Flow ID |
---|
Bug Reporting | |||
---|---|---|---|
Duo Universal Prompt via the Shibboleth Nimbus Client | net.shibboleth.idp.plugin.authn.duo.nimbus | idp.authn.DuoOIDC | authn/DuoOIDC |
Duo Universal Prompt via the Duo WebSDK v4 Client | net.shibboleth.idp.plugin.authn.duo.sdk | idp.authn.DuoOIDC | authn/DuoOIDC |
The following table highlights the differences in their technical specification to help you decide which to install. Note, their functional specification (how it works for the end-user) is the same for either.
Feature | Duo WebSDK v4 | Shibboleth Nimbus |
---|---|---|
Based on the official SDK | X | |
Duo Endpoint and Configuration Health Check | X | X |
Duo 2FA result token signature (HMAC) checking | X | X |
Duo 2FA result token encryption handling (not provided by Duo) | ||
Duo 2FA result token claims verification | X | X |
Duo 2FA result token nonce verification | X | |
Customizable HttpClient implementation | X | |
Customizable TrustEngine implementation | X | |
HTTP Public Key Pinning | X | X |
Supports TLS Certification Revocation Checking | X | X |
Customisable JSON response mapper | X |
Include Page | ||||
---|---|---|---|---|
|
...
Info |
---|
Automatic Flow RegistrationThe flow definition, default beans, and authentication flow descriptor are loaded automatically from well-known location(s) from the plugin’s classpath. The default behavior configured in those files can be overridden via the two configuration files shown above. |
Systems IdP installations upgraded from versions prior to V4.1 are also likely to require adding the idp.searchForProperties=true property to their idp.properties file, or else an explicit reference would have to be added to the new property file added by the module. It's best easiest to clean up the property situation prior to using plugins that add their own.
...
Expand | |||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| |||||||||||||||
For a basic configuration, you set the
Both are described below. Directly on the DuoOIDCIntegration You can define Principal sets per Duo Integration. This is particularly useful if you have more than one integration, and want each to satisfy a different Authentication Context Class Reference requested by a Service Provider. In the examples, the bean properties set are purely examples, they could be set inline or rely on property names of your own choice. Per Integration Supported Principals
Context to Principal Mapping Strategy If you want to add Principals to the Java Subject based on runtime information received inside a Duo result (authentication) token, you can add a Java bean named shibboleth.authn.DuoOIDC.ContextToPrincipalMappingStrategy that could, for example, inspect the JWT ClaimsSet of the Duo token. The type of this bean is Function<ProfileRequestContext,Collection<Principal>> (input is the profile request context tree, and the output is the collection to inject into the Subject). The following example script adds the ACR "http://example.org/ac/classes/mfa/strong" to the Java Subject if the 'duo_push' two-factor authentication method was used (this is not a commentary on the "strength" of push-based MFA, strictly an example). Example Context To Principal Mapping Strategy
It is important to note that if the mapping strategy bean is defined, the default The following JSON listing shows an example of the current Duo JWT ClaimsSet for reference when constructing a mapping strategy. Refer to Duo's documentation as the final word on the subject. Duo JWT ClaimsSet
|
...
Expand | ||
---|---|---|
| ||
Neither plugin/client is configured by default to check the revocation status of the certificates presented during the TLS handshake. Generally, there are three options for this:
To configure revocation checking with the Duo WebSDK v4 plugin, use the normal Java Trust Manager system properties (see the CertPathDocs). To enable revocation checking with the Shibboleth Nimbus plugin, you will need to set the property idp.duo.oidc.nimbus.checkRevocation to true in the conf/authn/duo-oidc.properties file *and* do one or more of the following:
Note that Duo does not support OSCP stapling, so this is not an option at this stage. |
...
Expand | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
| |||||||||||
Bean ID / Type | Default | Description | shibboleth.authn.DuoOIDC.DuoIntegration DuoOIDCIntegration | Derived from properties in
| |||||||
The HTTPClientBuilder object that is the base for the HTTPClient beans has properties for HTTP proxy settings. To configure a proxy for use by the Nimbus plugin, add this bean to conf/authn/duo-oidc .properties | Defines a single/static Duo OIDC Integration with Duo, you can override this bean to supply a non-property-configured alternative | shibboleth.authn.DuoOIDC.DuoIntegrationStrategy Function<ProfileRequestContext,DuoOIDCIntegration> | Optional bean to supply the Duo OIDC integration settings dynamically |
Code Block | ||
---|---|---|
| ||
<bean id="shibboleth.authn.DuoOIDC |
Function<ProfileRequestContext,String>
Optional bean to supply username
.nimbus.HttpClient"
parent="shibboleth.authn.DuoOIDC.nimbus.InternalHttpClient"
p:connectionProxyHost="proxy.example.org"
p:connectionProxyPort="3128" /> |
Expand | ||
---|---|---|
| ||
Before each Duo 2FA request, a back-channel lookup is made to Duo’s health check endpoint to determine if the Duo servers are accessible and accepting requests. If for some reason they aren’t, the 2FA attempt fails but the IdP’s authentication flows resume. This is a standard part of Duo’s 2FA workflow. The benefit of this approach is, it occurs before the URL redirect in the browser, and if the Duo 2FA endpoint were not available the IdP remains in control of the authentication process. Otherwise, the user’s browser might timeout during the 2FA request, or the user might get stuck on an error page of some kind. However, this involves an extra, frequent, back-channel network lookup and as such is subject to the same reliability/availability issues as the actual 2FA request. From investigation, it appears possible to bypass this check and still have the 2FA proceed as normal. Consequently, from v1.3.0 onward we have included a property (idp.duo.oidc.healthcheck.enabled) that allows the deployer to turn off this check. |
Expand | ||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||||||||||||||||||||
Since v1.3.0 it is possible to enable audit logging for Duo2FA interactions by setting the property idp.duo.oidc.audit.enabled to true in /conf/authn/duo-oidc.properties. From v1.4.0 onward you also need to enable the general authentication audit logging on the IdP using the property idp.authn.audit.enabled in /conf/authn.properties. Once enabled, audit log statements are routed through a logger named Shibboleth-Audit.DuoOIDC. From v1.4.0 onward, you can change the name of this logger using the property idp.duo.oidc.audit.category in /conf/authn/duo-oidc.properties. Without further configuration, the audit statements will appear in the normal idp-audit.log log file. This may be sufficient for your needs, if not and you would rather those exclusively appear in a new audit log file, you will need to add a new Logback appender and logger to the logback.xml file, for example:
Audit Format The default audit format is shown below (the fields are described in the table underneath).
Custom Audit Format V1.3.0 For version 1.3.0, the audit format can be adjusted by specifying your own bean, shibboleth.authn.DuoOIDC.AuditFormattingMap, in /conf/authn/duo-oidc-authn-config.xml. Custom Audit Format V1.4.0+ For version 1.4.0+, the audit format can be adjusted using the idp.duo.oidc.audit.format property in /conf/authn/duo-oidc.properties. Audit Logging Fields
|
Reference
Expand | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Expand | ||||||
---|---|---|---|---|---|---|
| ||||||
These beans are specific to the Duo WebSDK-based plugin only:
|
Expand | ||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||||||||||
These beans are specific to the Nimbus-based plugin only:
Function<ProfileRequestContext,Collection<Principal>> Map information in the ProfileRequestContext, most likely in the Duo result id_token, to a collection of Principals the execution of the flow supports. See this advanced topic.
BiFunction<JWTClaimsSet,ProfileRequestContext,JWTValidationException> Optional BiFunction extension point for custom claims validation of the Duo token | ||||||||||||||||||
Expand | ||||||||||||||||||
| ||||||||||||||||||
These beans are specific to the Duo WebSDK-based plugin only: Bean ID / Type | DescriptionDefault
| A default DefaultTrustedCertificates
|
Expand | ||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||||||||||||||||||
These beans are specific refer to the Nimbus-based plugin only:Duo Auth API (non-OIDC) which supports non-browser flows.
| A default list of trust root CA certificates. See HTTP Public Key PinningDefault trust list
PKIXTrustEvaluator Default TrustEvaluator Tied to a TLS Trust Engine and hence the HttpClientSecurityParameters Evaluates the X509 Credential | Supplied list of static CRL resources. See Certificate Revocation Checkingshibboleth.authn.DuoOIDC.tls.CRLs
|
Expand | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Bean ID / Type | Default | Description | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
shibboleth.authn.DuoOIDC.NonBrowser.DuoIntegration | Derived from properties in conf/authn/duo-oidc.properties | Defines a single/static Duo AuthAPI integration for non-browser support | shibboleth.authn.DuoOIDC.NonBrowser.DuoIntegrationStrategy | Optional bean to supply the Duo AuthAPI integration settings dynamically | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
shibboleth.authn.DuoOIDC.NonBrowser.HttpClient HttpClient | Internal/default HttpClient instance | Overrides the HttpClient implementation and settings to use for the AuthAPI (see HttpClientConfiguration) | shibboleth.authn.DuoOIDC.NonBrowser.HttpClientSecurityParameters | Custom security settings for the AuthAPI calls (see HttpClientConfiguration) | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Expand | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Name | Default | Description | idp.duo.oidc.apiHost | DuoOIDC API hostname assigned to the integration | idp.duo.oidc.clientId | The OAuth 2.0 Client Identifier valid at the Authorization Server | idp.duo.oidc.redirectURL | Redirection URI to which the 2FA response will be sent | idp.duo.oidc.redirecturl.allowedOrigins | If the idp.duo.oidc.redirectURL is not set, one will be computed dynamically and checked against this list of allowed origins - to prevent Http Host Header injection. | idp.duo.oidc.secretKey | The client secret used to verify the client in exchanging the authorization code for a Duo 2FA result token (id_token). | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
idp.duo.oidc.endpoint.health | /oauth/v1/health_check | Duo's OAuth 2.0 health check endpoint | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
idp.duo.oidc.endpoint.token | /oauth/v1/token | Duo's OAuth 2.0 token endpoint | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
idp.duo.oidc.endpoint.authorize | /oauth/v1/authorize | Duo's OAuth 2.0 authorization endpoint | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
idp.duo.oidc.jwt.verifier.clockSkew | PT60S | Leeway allowed in token expiry calculations | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
idp.duo.oidc.jwt.verifier.iatWindow | PT60S | Maximum amount (in either direction from now) of duration for which a token is valid after it is issued | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
idp.duo.oidc.jwt.verifier.issuerPath | /oauth/v1/token | The path component of the Duo token issuer. The full issuer string takes the format: HTTPS://<idp.duo.oidc.apiHost>+<idp.duo.oidc.jwt.verifier.issuerPath> | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
idp.duo.oidc.jwt.verifier.preferredUsername | preferred_username | The result token JWT claim name that represents the username sent in the duo_uname field in the authorization request. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
idp.duo.oidc.jwt.verifier.authLifetime | PT60S | How long the authentication is valid. Only applies to forced authentication requests. |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
The DuoOIDC-specific properties defined in conf/authn/duo-oidc.properties follow:
|
Expand | |||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| |||||||||||||||||||||
The below table are properties that only apply to the Shibboleth Nimbus plugin:
|
Expand | ||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||||||||||||||||||||||||||||||||||||||||||
The general properties configuring this flow via authn/authn.properties are:
As a non-password based flow, the supportedPrincipals property defaults to the following XML:
In property form, this is expressed as:
However, this default is (obviously) intended purely as an illustrative example of how to define your own values, as there are no standard ones to use. |
Expand | |||||
---|---|---|---|---|---|
| |||||
To replace the internally defined flow descriptor bean, the following XML is required:
In older versions and upgraded systems, this list is defined in conf/authn/general-authn.xml. In V4.1+, no default version of the list is provided and it may simply be placed in conf/global.xml if needed. |
...