The scenario you’re getting is pretty close! Yes, “internal accounts” as in the
ones stored on the JDBC (ex. guacadmin). We don’t use TOTP or any MFA for this
one, we just want it to go straight in. Secondly, we want to use LDAP with the
Duo MFA as extra auth method. So essentially:
If (Account found in JDBC) then
    Validate authentication
End if
If (account found in LDAP) then
    Validate authentication
    Validate Duo MFA
End if
I tried setting ‘extension-priority: ldap, duo, jdbc’, as well as ‘jdbc, ldap,
duo’; unfortunately, those didn’t seem to work. So perhaps you’re right that
the current workflow doesn’t take into account this sort of scenario. Our API
work has to be through a piggyback server that doesn’t have Duo MFA installed.
Yonathan Khoe
Senior Systems Administrator
CVAD IT
University of North Texas
940.565.4793
[email protected]
https://itservices.cvad.unt.edu/
From: Nick Couchman <[email protected]>
Sent: Sunday, January 9, 2022 3:46 PM
To: [email protected]
Subject: [EXT] Re: 1.4.0 Feature: Support for 2ndary SSO Provider includes MFA?
On Thu, Jan 6, 2022 at 5:13 PM Khoe, Yonathan
<[email protected]> wrote:
Hi,
We’re testing the 1.4.0 version upgrade. Does this feature to be able to
prioritize the providers include tackling the issue of MFA being requested even
for internal accounts? We’ve been trying to tackle how to allow only providers
such as LDAP to multi-authenticate with Duo MFA, while internal ones should be
bypassed.
Is this a scenario that anyone else has within their environment?
Probably not, but it may be worth clarifying a few things. First, when you talk
about "Internal Accounts", my guess is that you're talking about users
authenticated through the JDBC module and stored in a MySQL, PostgreSQL, or SQL
Server database? My guess is that what you're looking for is two different
authentication "workflows":
1) JDBC -> TOTP -> Success!
2) LDAP -> Duo -> Success!
So, you can store one set of users in JDBC and have only those users do 2FA
through TOTP, while users in LDAP go through Duo. I don't quite think this is
possible, but it may depend upon how those services handle users not existing.
What you could try is setting the order to:
ldap, duo, jdbc, totp
If the user exists in LDAP and is successfully authenticated, they would go to
Duo, and complete authentication. What I'm unsure of is if, after completing
the Duo authentication, TOTP would kick in or not - I haven't tried that out.
If the user didn't exist in LDAP or Duo, JDBC would be used, and then TOTP
would kick in. Might work, but quite probably not, because the TOTP module
might still try to enforce an additional authentication on users already
authenticated through Duo.
-Nick