On Thu, Jan 6, 2022 at 5:13 PM Khoe, Yonathan <[email protected]> wrote:

> Hi,
>
> We’re testing the 1.4.0 version upgrade. Does this feature, the ability to
> prioritize the providers, include tackling the issue of MFA being requested
> even for internal accounts? We’ve been trying to work out how to allow only
> providers such as LDAP to multi-authenticate with Duo MFA, while internal
> ones should be bypassed.
>
> Is this a scenario that anyone else has within their environment?

Probably not, but it may be worth clarifying a few things. First, when you
talk about "Internal Accounts", my guess is that you're talking about users
authenticated through the JDBC module and stored in a MySQL, PostgreSQL, or
SQL Server database? My guess is that what you're looking for is two
different authentication "workflows":
1) JDBC -> TOTP -> Success!
2) LDAP -> Duo -> Success!

So, you can store one set of users in JDBC and have only those users do 2FA
through TOTP, while users in LDAP go through Duo. I don't quite think this
is possible, but it may depend upon how those services handle users not
existing. What you could try is setting the order to:

ldap, duo, jdbc, totp

If the user exists in LDAP and is successfully authenticated, they would go
to Duo, and complete authentication. What I'm unsure of is if, after
completing the Duo authentication, TOTP would kick in or not - I haven't
tried that out. If the user didn't exist in LDAP or Duo, JDBC would be
used, and then TOTP would kick in. Might work, but quite probably not,
because the TOTP module might still try to enforce an additional
authentication on users already authenticated through Duo.

-Nick
