This is a quick setup guide for the Duo OIDC 2FA Auth API plugin. Please see DuoOIDCAuthnConfiguration for more detailed information including advanced configuration options.


  1. Installation of the OIDCCommon plugin

    Typically this can be achieved as follows:

    $ /opt/shibboleth-idp/bin/plugin.sh -I net.shibboleth.oidc.common


    C:\> \opt\shibboleth-idp\bin\plugin.bat -I net.shibboleth.oidc.common

What we will install and configure

  1. Installation of the DuoOIDC plugin.

    1. Using the recommended Duo Client.

  2. Configuring a basic Duo integration.

  3. Configuring a basic MFA flow.

  4. Enable MFA flow.

1. Installation of the DuoOIDC plugin

Please check DuoOIDCAuthnConfiguration for links to the latest version.

Plugin Install
$ /opt/shibboleth-idp/bin/plugin.sh -I net.shibboleth.idp.plugin.authn.duo.nimbus


2. Configuring a Duo Integration

Open the conf/authn/duo-oidc.properties file. Set the following properties to the details of your Duo-protected application:

Duo Integration Properties

3. Configuring a basic MFA flow

First, ensure the MFA and Password modules are enabled. Then, open the conf/authn/mfa-authn-config.xml file and add a basic MFA flow which includes Username and Password as a first factor. You must ensure the Password flow is properly configured.

Basic MFA Setup

4. Enable MFA flow

We need to ensure that the MFA flow is called, so open the conf/authn/auth.properties file and set idp.authn.flows accordingly.
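
A post-install check for steps 2 and 4, added here as an example; it is not part of the plugin or of the original guide. The function names `prop` and `check_duo_mfa` are hypothetical, and the `idp.duo.oidc.*` property names do not appear on this page, so confirm them against DuoOIDCAuthnConfiguration. Requiring `idp.authn.flows` to be exactly `MFA` and the redirect URL to be `https` are assumptions of this check.

```shell
#!/bin/sh
# Added example (not part of the plugin): sanity-check the settings from steps 2 and 4.

# prop FILE KEY: print the value of the last uncommented "KEY = value" line in FILE.
prop() {
    awk -v k="$2" '
        /^[ \t]*[#!]/ { next }                 # skip comment lines
        {
            i = index($0, "="); if (i == 0) next
            key = substr($0, 1, i - 1); val = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == k) found = val
        }
        END { print found }' "$1"
}

# check_duo_mfa DUO_PROPS FLOWS_PROPS: return 0 when every check passes, 1 otherwise.
check_duo_mfa() {
    duo_props=$1; flows_props=$2; rc=0
    for f in "$duo_props" "$flows_props"; do
        [ -r "$f" ] || { echo "FAIL: cannot read $f"; return 1; }
    done
    # Property names below are assumptions; confirm them in DuoOIDCAuthnConfiguration.
    for k in apiHost clientId redirectURL; do
        [ -n "$(prop "$duo_props" "idp.duo.oidc.$k")" ] ||
            { echo "FAIL: idp.duo.oidc.$k is not set"; rc=1; }
    done
    case $(prop "$duo_props" idp.duo.oidc.redirectURL) in
        https://*|"") ;;
        *) echo "FAIL: idp.duo.oidc.redirectURL is not an https URL"; rc=1 ;;
    esac
    # Policy assumed by this check: MFA is the only directly enabled flow, so
    # Password is reachable only as the first factor inside the MFA flow.
    flows=$(prop "$flows_props" idp.authn.flows)
    if [ "$flows" != "MFA" ]; then
        echo "FAIL: idp.authn.flows is '${flows:-unset}', expected 'MFA'"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: Duo properties set and only MFA is enabled"
    return "$rc"
}

# Run as: sh check.sh <duo-oidc.properties> <file that sets idp.authn.flows>
if [ "$#" -eq 2 ]; then check_duo_mfa "$1" "$2"; fi
```

Because `idp.authn.flows` is a regular expression over flow IDs, a value such as `Password|MFA` fails this check even though it mentions MFA.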