DuoOIDCAuthnConfiguration-QuickSetup



Important

This is a quick setup guide for the Duo OIDC 2FA Auth API plugin. Please see DuoOIDCAuthnConfiguration for more detailed information including advanced configuration options.

Pre-requisites

  1. Installation of the OIDCCommon plugin

    Typically this can be achieved as follows:

    $ /opt/shibboleth-idp/bin/plugin.sh -I net.shibboleth.oidc.common

    or

    C:\> \opt\shibboleth-idp\bin\plugin.bat -I net.shibboleth.oidc.common

What we will install and configure



  1. Installation of the DuoOIDC plugin.

    1. Using the recommended Duo Client.

  2. Configuring a basic Duo integration.

  3. Configuring a basic MFA flow.

  4. Enable MFA flow

1. Installation of the DuoOIDC plugin

Please check DuoOIDCAuthnConfiguration for links to the latest version.

Plugin Install
$ /opt/shibboleth-idp/bin/plugin.sh -I net.shibboleth.idp.plugin.authn.duo.nimbus

or

2. Configuring a Duo Integration

Open the conf/authn/duo-oidc.properties file. Change the following properties to match the details of your Duo-protected application:

Duo Integration Properties

3. Configuring a basic MFA flow

First, ensure the MFA and Password modules are enabled. Then, open the conf/authn/mfa-authn-config.xml file and add a basic MFA flow which includes Username and Password as a first factor. You must ensure the Password flow is properly configured.

Basic MFA Setup

4. Enable MFA flow

We need to ensure that the MFA flow is called, so open the conf/authn/authn.properties file and set idp.authn.flows accordingly.
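
One way to audit the step 4 setting after editing it. This is an added example, not part of the Shibboleth documentation; the function names `get_flows` and `check_flows` are hypothetical, the sample file is constructed, and it assumes the intended value is `MFA` alone so that every login is routed through the MFA flow from step 3.

```shell
#!/bin/sh
# Added example (not from the Shibboleth documentation): audit the
# idp.authn.flows value set in step 4.
# Assumption: the intended value is "MFA" alone, so that every login is
# routed through the MFA flow configured in step 3.

# Print the effective idp.authn.flows value from a properties file.
# Commented-out lines never match; the last definition wins, as it does
# when Java loads a properties file.
get_flows() {
    sed -n 's/^[[:space:]]*idp\.authn\.flows[[:space:]]*[=:][[:space:]]*//p' "$1" |
        tail -n 1 | sed 's/[[:space:]]*$//'
}

# Return 0 if MFA is the only enabled flow,
#        1 if the property is unset or does not list MFA,
#        2 if MFA is listed together with other flows.
check_flows() {
    flows=$(get_flows "$1")
    case "$flows" in
        MFA)
            echo "OK: only the MFA flow is enabled"
            return 0 ;;
        "MFA|"* | *"|MFA" | *"|MFA|"*)
            echo "WARN: other flows are enabled beside MFA: $flows"
            return 2 ;;
        "")
            echo "FAIL: idp.authn.flows is not set in $1"
            return 1 ;;
        *)
            echo "FAIL: MFA is not listed in idp.authn.flows: $flows"
            return 1 ;;
    esac
}

# Constructed sample input: Password left enabled next to MFA.
sample=$(mktemp)
printf '%s\n' '#idp.authn.flows = Password' 'idp.authn.flows = Password|MFA' > "$sample"
check_flows "$sample" || true
rm -f "$sample"
```

A warning (status 2) means a flow such as Password is enabled in its own right, so it is worth confirming that it cannot be selected without the Duo step.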