Subject: ISVA & Cisco DUO Universal Prompt

Some time ago we already implemented a custom solution using the DUO Auth API and a custom AAC Mapping rule. Now this new service is out which is called Universal Prompt and it needs a user-side browser redirect to DUO systems for MFA and back. Do you have any idea how to implement what is described in the DUO documentation of this service? Is there a way to integrate the Duo Universal Prompt into ISVA for 2FA only after login?

DUO has a REST interface so it's likely that you *could* integrate it using a custom JavaScript module in AAC. However, it's not something that's provided out of the box and I'm not aware of anyone who has actually done this. I'd love to hear if anyone in the community has looked at this integration.

Looking at the documentation link, it appears that DUO have implemented a standard OpenID Connect (OIDC) provider based on the Authorization Code flow:

1. Call the "health-check API" to ensure DUO is available (this isn't part of the OIDC spec)
2. Perform a standard OIDC redirect to DUO's Authorization endpoint
3. DUO authentication is completed and an authorization code is returned to the configured redirect URI
4. Call the token endpoint with the received authorization code and get back an OIDC JWT
5. Pull out claims from the JWT to determine the result of the DUO authentication.

There are 3 ways you could integrate with this OIDC endpoint:

1. The Verify Access reverse proxy can natively act as an OIDC Relying Party. You could trigger this authentication method when DUO MFA is required. After OIDC is complete, claims from DUO would be in the user's credential and could be checked with attribute authorization in the Reverse Proxy or via Context-based Access.

2. You would trigger the appropriate OIDC RP when DUO MFA is required. You could process the claims from DUO in a mapping rule to set the authentication level or change group memberships etc.

3. Implement the OIDC flow in a custom authentication flow. This would be closest to what you are doing today. You'd also have the ability to do the health check here - which wouldn't be possible with the other approaches above. If you have the federation add-on you could make a call to the STS to offload the validation of the JWT from DUO.

My concern with this approach would be around the redirect. For OIDC, the provider (DUO) would need to be configured with a redirect URL. Our redirect URL would need to include the (dynamic) stateId in the query string so that the authentication flow is re-engaged. Not sure if DUO would allow this custom component in the redirect URL. You could potentially do something with 2 authentication flows and link them together with DMAP - but it's starting to get complicated.

Perhaps someone else can suggest other approaches or comment on my ideas above.
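The redirect concern raised in the last reply, worked through as an added example (this is not code from the thread, from IBM or from Duo): rather than placing the dynamic ISVA stateId in the registered redirect URL, the relying party binds it server-side to the opaque OIDC `state` parameter, recovers it on the callback, and then checks the ID token claims from step 5. Endpoint URLs, client identifiers and the `PENDING` store are constructed placeholders; the example uses plain OIDC parameters and does not reproduce any provider-specific request format.

```python
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed in-memory store of in-flight authentications: opaque OIDC state -> ISVA stateId, nonce, expiry.
PENDING = {}

def start_duo_auth(state_id, authz_endpoint, client_id, redirect_uri, now=None):
    """Build the redirect to the provider's authorization endpoint (step 2 of the flow).
    The ISVA stateId is NOT put in redirect_uri (which must match the registered value
    exactly); it is bound server-side to a random 'state' value the provider echoes back."""
    now = time.time() if now is None else now
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    PENDING[state] = {"state_id": state_id, "nonce": nonce, "expires": now + 300}
    params = {"response_type": "code", "scope": "openid", "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state, "nonce": nonce}
    return f"{authz_endpoint}?{urlencode(params)}"

def resume_from_callback(callback_url, now=None):
    """Recover the ISVA stateId and authorization code from the callback (step 3).
    Returns None for unknown, expired or replayed state values; the entry is consumed,
    so a second callback carrying the same state is rejected."""
    now = time.time() if now is None else now
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [None])[0]
    entry = PENDING.pop(state, None)
    if entry is None or entry["expires"] < now:
        return None
    return {"state_id": entry["state_id"], "code": query.get("code", [None])[0],
            "nonce": entry["nonce"]}

def check_id_token_claims(claims, issuer, client_id, expected_nonce, now=None):
    """Claim checks on the ID token returned by the token endpoint (steps 4-5).
    Assumes the JWT signature was already verified (by a JOSE library, or offloaded to
    the ISVA STS as suggested above). Returns the names of the checks that failed."""
    now = time.time() if now is None else now
    failed = []
    if claims.get("iss") != issuer:
        failed.append("iss")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        failed.append("aud")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        failed.append("exp")
    if not hmac.compare_digest(str(claims.get("nonce", "")).encode(), expected_nonce.encode()):
        failed.append("nonce")
    return failed
```

A production deployment would keep `PENDING` in a shared server-side store so that any ISVA node can complete a callback started on another.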