Name | Default | Description |
---|---|---|
idp.duo.oidc.apiHost | | Duo OIDC API hostname assigned to the integration |
idp.duo.oidc.clientId | | The OAuth 2.0 Client Identifier valid at the Authorization Server |
idp.duo.oidc.redirectURL | | Redirection URI to which the 2FA response will be sent |
idp.duo.oidc.redirecturl.allowedOrigins | | If idp.duo.oidc.redirectURL is not set, one will be computed dynamically and checked against this list of allowed origins, to prevent HTTP Host header injection. |
idp.duo.oidc.secretKey | | The client secret used to verify the client in exchanging the authorization code for a Duo 2FA result token (id_token). |
idp.duo.oidc.endpoint.health | /oauth/v1/health_check | Duo's OAuth 2.0 health check endpoint |
idp.duo.oidc.endpoint.token | /oauth/v1/token | Duo's OAuth 2.0 token endpoint |
idp.duo.oidc.endpoint.authorize | /oauth/v1/authorize | Duo's OAuth 2.0 authorization endpoint |
idp.duo.oidc.jwt.verifier.clockSkew | PT60S | Leeway allowed in token expiry calculations |
idp.duo.oidc.jwt.verifier.iatWindow | PT60S | Maximum duration (in either direction from now) for which a token is valid after it is issued |
idp.duo.oidc.jwt.verifier.issuerPath | /oauth/v1/token | The path component of the Duo token issuer. The full issuer string takes the format: HTTPS://<idp.duo.oidc.apiHost>+<idp.duo.oidc.jwt.verifier.issuerPath> |
idp.duo.oidc.jwt.verifier.preferredUsername | preferred_username | The result token JWT claim name that represents the username sent in the duo_uname field in the authorization request. |
idp.duo.oidc.jwt.verifier.authLifetime | PT60S | How long the authentication is valid. Only applies to forced authentication requests. |

The properties below are used when enabling non-browser / AuthAPI support:

Name | Default | Description |
---|---|---|
idp.duo.oidc.nonbrowser.apiHost | ${idp.duo.oidc.apiHost} | Duo AuthAPI hostname assigned to the integration |
idp.duo.oidc.nonbrowser.integrationKey | | Duo AuthAPI integration key (supplied by Duo) |
idp.duo.oidc.nonbrowser.secretKey | | Duo AuthAPI secret key (supplied by Duo) |
idp.duo.oidc.nonbrowser.header.factor | X-Shibboleth-Duo-Factor | Name of HTTP request header for Duo AuthAPI factor |
idp.duo.oidc.nonbrowser.header.device | X-Shibboleth-Duo-Device | Name of HTTP request header for Duo AuthAPI device ID or name |
idp.duo.oidc.nonbrowser.header.passcode | X-Shibboleth-Duo-Passcode | Name of HTTP request header for Duo AuthAPI passcode |
idp.duo.oidc.nonbrowser.auto | true | Allow the factor to be defaulted in as "auto" if no headers are received |
idp.duo.oidc.nonbrowser.clientAddressTrusted | true | Pass client address to Duo in API calls to support logging, push display, and network-based Duo policies |
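
The `idp.duo.oidc.jwt.verifier.*` properties listed above parameterize the claim checks applied to the Duo result token. The following is an added example, not the plugin's own code: it shows one reading of how `clockSkew`, `iatWindow`, `issuerPath` and `preferredUsername` combine, using a constructed host name and the function names `parse_duration` and `failed_checks` as assumptions. Signature verification is not shown.

```python
import re

# Constructed sample values; apiHost is a placeholder, not a real Duo host.
PROPS = {
    "idp.duo.oidc.apiHost": "api-00000000.example.org",
    "idp.duo.oidc.jwt.verifier.clockSkew": "PT60S",
    "idp.duo.oidc.jwt.verifier.iatWindow": "PT60S",
    "idp.duo.oidc.jwt.verifier.issuerPath": "/oauth/v1/token",
    "idp.duo.oidc.jwt.verifier.preferredUsername": "preferred_username",
}

def parse_duration(text):
    """Seconds in a time-only ISO-8601 duration such as PT60S or PT1M30S."""
    m = re.fullmatch(r"PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?", text)
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration: {text!r}")
    hours, minutes, seconds = (int(g or 0) for g in m.groups())
    return hours * 3600 + minutes * 60 + seconds

def failed_checks(claims, expected_user, now, props=PROPS):
    """Return the names of claims that fail; an empty list means all pass.

    Assumed semantics (a reading of the property descriptions, not the
    plugin's code): exp may be exceeded by clockSkew, and iat must lie within
    iatWindow of now in either direction.
    """
    prefix = "idp.duo.oidc.jwt.verifier."
    skew = parse_duration(props[prefix + "clockSkew"])
    window = parse_duration(props[prefix + "iatWindow"])
    name_claim = props[prefix + "preferredUsername"]
    # Issuer is apiHost + issuerPath; the lowercase scheme is an assumption.
    issuer = "https://" + props["idp.duo.oidc.apiHost"] + props[prefix + "issuerPath"]
    exp, iat = claims.get("exp"), claims.get("iat")
    failed = []
    if claims.get("iss") != issuer:
        failed.append("iss")
    if not isinstance(exp, (int, float)) or now > exp + skew:
        failed.append("exp")
    if not isinstance(iat, (int, float)) or abs(now - iat) > window:
        failed.append("iat")
    # The username claim must match the user the authorization request named.
    if claims.get(name_claim) != expected_user:
        failed.append(name_claim)
    return failed
```

Widening `clockSkew` or `iatWindow` lengthens the period in which a captured result token would still pass these checks, so the defaults are best raised only as far as measured clock drift requires.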