You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
When using Universal Prompt to send authorization requests to Duo Security, provide for a secure strategy that allows the caller to control which authentication factors would be allowed for the user/request.
Detailed Description
CAS deployments have the ability to register multiple DUO integrations. The typical use case or need for this is that each Duo integration is configured to enable/disable certain settings that deal with allowed authentication factors like telephony, and this allows CAS with a few small conditions to determine which integration should be enabled or activated for the user or the application registered with CAS. The scenario would then be to teach CAS: if user has claim X and/or application is Y, use Duo integration A that allows telephony, or no use integration B that disables it.
As far as we can tell, the Universal Prompt authorization does not support this sort of dynamic selection of authentication factors today.
Use Case
As discussed, we'd like to be able to control which authentication factors can be allowed for the request, without having to define multiple duo integrations in CAS. Ideally, the duo prompt would be able to adapt the list of options based on the properties of the authorization request without requiring the user/developer to define multiple integrations each with unique and different capabilities.
Workarounds
As noted, we typically handle this by defining distinct DUO integration profiles. This works in simple scenarios, but you can imagine the the matrix of options that one can mix and match might grow.
The text was updated successfully, but these errors were encountered:
When using Universal Prompt to send authorization requests to Duo Security, provide for a secure strategy that allows the caller to control which authentication factors would be allowed for the user/request.
Detailed Description
CAS deployments have the ability to register multiple DUO integrations. The typical use case or need for this is that each Duo integration is configured to enable/disable certain settings that deal with allowed authentication factors like telephony, and this allows CAS with a few small conditions to determine which integration should be enabled or activated for the user or the application registered with CAS. The scenario would then be to teach CAS: if user has claim X and/or application is Y, use Duo integration A that allows telephony, or no use integration B that disables it.
As far as we can tell, the Universal Prompt authorization does not support this sort of dynamic selection of authentication factors today.
Use Case
As discussed, we'd like to be able to control which authentication factors can be allowed for the request, without having to define multiple duo integrations in CAS. Ideally, the duo prompt would be able to adapt the list of options based on the properties of the authorization request without requiring the user/developer to define multiple integrations each with unique and different capabilities.
Workarounds
As noted, we typically handle this by defining distinct DUO integration profiles. This works in simple scenarios, but you can imagine the the matrix of options that one can mix and match might grow.
The text was updated successfully, but these errors were encountered: