{"type":"doc","content":[{"type":"panel","attrs":{"panelType":"success"},"content":[{"type":"paragraph","content":[{"text":"This plugin does not depend on the use of the original ","type":"text"},{"text":"Duo","type":"text","marks":[{"type":"link","attrs":{"href":"https://wiki.shibboleth.net/confluence/display/IDP4/DuoAuthnConfiguration"}}]},{"text":" login flow and enabling that feature/module is not required in order to install and use this plugin. They can even theoretically co-exist in older versions of the IdP, but this hasn't been extensively tested.","type":"text"}]}]},{"type":"extension","attrs":{"layout":"default","extensionType":"com.atlassian.confluence.macro.core","extensionKey":"toc","parameters":{"macroParams":{"minLevel":{"value":"1"},"maxLevel":{"value":"2"}},"macroMetadata":{"macroId":{"value":"82498fbe4a5a63d790f230dd00c6b256"},"schemaVersion":{"value":"1"},"title":"Table of Contents"}},"localId":"d433837a-d108-4085-95db-c91d9ac3f3fa"}},{"type":"heading","attrs":{"level":1},"content":[{"text":"Quick Setup Guide","type":"text"}]},{"type":"paragraph","content":[{"text":"If you're looking for a quick reference guide that assumes a basic, default, configuration, see ","type":"text"},{"text":"here","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/1376879422"}}]},{"text":". Note, you really should read this page first.","type":"text"}]},{"type":"heading","attrs":{"level":1},"content":[{"text":"Overview","type":"text"}]},{"type":"paragraph","content":[{"text":"This authentication plugin (DuoOIDC) supports Duo’s strong two-factor authentication using their OIDC-based integration model introduced in 2021 (","type":"text"},{"text":"Duo OIDC AuthAPI","type":"text","marks":[{"type":"link","attrs":{"href":"https://duo.com/docs/oauthapi"}}]},{"text":"). This includes both the traditional prompt and the new Universal Prompt. The Universal Prompt is a major UX redesign of the older in-page iFrame prompt. In both cases, the user is redirected, via a full-frame redirect, to a Duo-hosted site using the OIDC protocol to perform second-factor authentication, and the results are made available to the IdP as a form of an OIDC ID Token. Duo's support is compliant with OIDC with a few caveats.","type":"text"}]},{"type":"paragraph","content":[{"text":"Like the ","type":"text"},{"text":"original integration","type":"text","marks":[{"type":"link","attrs":{"href":"https://wiki.shibboleth.net/confluence/display/IDP4/DuoAuthnConfiguration"}}]},{"text":" based on their WebSDK V2, this plug-in is designed to be used as a second factor of authentication, so is therefore used in conjunction with an existing ‘first-factor', usually orchestrated by the MFA login flow (see ","type":"text"},{"text":"MultiFactorAuthnConfiguration","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199505534"}}]},{"text":").","type":"text"}]},{"type":"paragraph","content":[{"text":"By default, the first-factor must produce an “official” username as part of post-login ","type":"text"},{"text":"canonicalization","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199505085"}}]},{"text":" which the DuoOIDC flow can use as the Duo username in the second-factor authentication request. In unusual cases it is possible to ","type":"text"},{"text":"customize","type":"text","marks":[{"type":"link","attrs":{"href":"#DuoOIDCAuthnConfiguration-duo-oidc-username-determination"}}]},{"text":" the source of the username.","type":"text"}]},{"type":"paragraph","content":[{"text":"The result of this flow is a Java ","type":"text"},{"text":"Subject","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/javax.security.auth.Subject"}}]},{"text":" containing a ","type":"text"},{"text":"DuoPrincipal","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-duo.cgi/net/shibboleth/idp/authn/duo/DuoPrincipal"}}]},{"text":" as well as a custom set of additional Principals, typically representing SAML AuthenticationContextClassRefs.","type":"text"}]},{"type":"heading","attrs":{"level":1},"content":[{"text":"Plugin Installation","type":"text"}]},{"type":"paragraph","content":[{"text":"There are two different DuoOIDC Auth API plugin implementations. Both share the majority of their codebase, the difference being how they interact with Duo’s OIDC Provider. One is based on the official ","type":"text"},{"text":"Duo WebSDK v4","type":"text","marks":[{"type":"link","attrs":{"href":"https://github.com/duosecurity/duo_universal_java"}}]},{"text":", and one is based on a Shibboleth implementation using ","type":"text"},{"text":"Nimbus’s","type":"text","marks":[{"type":"link","attrs":{"href":"https://connect2id.com/products/nimbus-jose-jwt"}}]},{"text":" JOSE-JWT handling - although it is worth noting that part of the common codebase uses the Nimbus library for certain tasks irrespective of which plugin you use.","type":"text"}]},{"type":"paragraph","content":[{"text":"In most cases, we would suggest trying the Nimbus-based plugin first, particuarly if you plan to make use of the ","type":"text"},{"text":"OIDC OP","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/1376878976"}}]},{"text":" plugin as well, as this avoids a number of duplicated code libraries in the IdP. Duo built their SDK on top of a different OIDC/JOSE library stack, whereas we used Nimbus, allowing more code to be shared across the different components.","type":"text"}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"heading","attrs":{"level":3},"content":[{"text":"Dependencies","type":"text"}]},{"type":"paragraph","content":[{"text":"This module depends on the Shibboleth ","type":"text"},{"text":"OIDCCommon","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/1376878852"}}]},{"text":" plugin which you must install first. The installer should prevent installation if this is not in place.","type":"text"}]}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"paragraph","content":[{"text":"Starting with IdP 4.2 you can install the latest plugin version supported on your IdP version with","type":"text"},{"type":"hardBreak"},{"text":".\\plugin.sh -I","type":"text","marks":[{"type":"code"}]},{"text":" ","type":"text"}]}]},{"type":"table","attrs":{"layout":"full-width","width":1215.0,"localId":"1dd0d771-e25a-4b12-943d-3a3f5a58913f"},"content":[{"type":"tableRow","content":[{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[264.0]},"content":[{"type":"paragraph","content":[{"text":"Plugin","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[370.0]},"content":[{"type":"paragraph","content":[{"text":"Plugin ID","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[184.0]},"content":[{"type":"paragraph","content":[{"text":"Module(s)","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[207.0]},"content":[{"type":"paragraph","content":[{"text":"Authentication Flow ID","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[190.0]},"content":[{"type":"paragraph","content":[{"text":"Bug Reporting","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[264.0]},"content":[{"type":"paragraph","content":[{"text":"Duo Universal Prompt via the Shibboleth Nimbus Client","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[370.0]},"content":[{"type":"paragraph","content":[{"text":"net.shibboleth.idp.plugin.authn.duo.nimbus","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[184.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.DuoOIDC","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[207.0]},"content":[{"type":"paragraph","content":[{"text":"authn/DuoOIDC","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[190.0]},"content":[{"type":"paragraph","content":[{"type":"inlineCard","attrs":{"url":"https://shibboleth.atlassian.net/browse/JDUO"}},{"text":" ","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[264.0]},"content":[{"type":"paragraph","content":[{"text":"Duo Universal Prompt via the Duo WebSDK v4 Client","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[370.0]},"content":[{"type":"paragraph","content":[{"text":"net.shibboleth.idp.plugin.authn.duo.sdk","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[184.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.DuoOIDC","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[207.0]},"content":[{"type":"paragraph","content":[{"text":"authn/DuoOIDC","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[190.0]},"content":[{"type":"paragraph","content":[{"type":"inlineCard","attrs":{"url":"https://shibboleth.atlassian.net/browse/JDUO"}},{"text":" ","type":"text"}]}]}]}]},{"type":"paragraph","content":[{"type":"hardBreak"},{"text":"The following table highlights the differences in their technical specification to help you decide which to install. Note, their functional specification (how it works for the end-user) is the same for either.","type":"text"}]},{"type":"table","attrs":{"layout":"default","width":1800.0,"localId":"d4ecb565-3ca2-437b-9802-3419d48761fd"},"content":[{"type":"tableRow","content":[{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[574.0]},"content":[{"type":"paragraph","content":[{"text":"Feature","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[87.0]},"content":[{"type":"paragraph","content":[{"text":"Duo WebSDK v4","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[99.0]},"content":[{"type":"paragraph","content":[{"text":"Shibboleth Nimbus","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[574.0]},"content":[{"type":"paragraph","content":[{"text":"Based on the official SDK","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[87.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"X","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[99.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[574.0]},"content":[{"type":"paragraph","content":[{"text":"Duo Endpoint and Configuration Health Check","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[87.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"X","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[99.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"X","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[574.0]},"content":[{"type":"paragraph","content":[{"text":"Duo 2FA result token signature (HMAC) checking","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[87.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"X","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[99.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"X","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[574.0]},"content":[{"type":"paragraph","content":[{"text":"Duo 2FA result token encryption handling (not provided by Duo)","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[87.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[99.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[574.0]},"content":[{"type":"paragraph","content":[{"text":"Duo 2FA result token claims verification","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[87.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"X","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[99.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"X","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[574.0]},"content":[{"type":"paragraph","content":[{"text":"Duo 2FA result token nonce verification","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[87.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[99.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"X","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[574.0]},"content":[{"type":"paragraph","content":[{"text":"Customizable ","type":"text"},{"text":"HttpClient","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199510442"}}]},{"text":" implementation","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[87.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[99.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"X","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[574.0]},"content":[{"type":"paragraph","content":[{"text":"Customizable TrustEngine implementation","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[87.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[99.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"X","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[574.0]},"content":[{"type":"paragraph","content":[{"text":"HTTP Public Key Pinning","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[87.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"X","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[99.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"X","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[574.0]},"content":[{"type":"paragraph","content":[{"text":"Supports TLS Certification Revocation Checking","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[87.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"X","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[99.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"X","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[574.0]},"content":[{"type":"paragraph","content":[{"text":"Customisable JSON response mapper","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[87.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[99.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"X","type":"text"}]}]}]}]},{"type":"paragraph"},{"type":"extension","attrs":{"layout":"default","extensionType":"com.atlassian.confluence.macro.core","extensionKey":"include","parameters":{"macroParams":{"":{"value":"PluginInstallation"}},"macroMetadata":{"macroId":{"value":"783e62fcc44102ee7a5b89a2ca1e66f5"},"schemaVersion":{"value":"1"},"title":"Include Page"}},"localId":"19de6b05-309c-4ff5-95bf-dd41a49dbb9f"}},{"type":"heading","attrs":{"level":2},"content":[{"text":"Enabling the Module","type":"text"}]},{"type":"paragraph","content":[{"text":"For a detailed guide on configuring modules, see the ","type":"text"},{"text":"ModuleConfiguration","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199510765"}}]},{"text":" topic. Once the plugin has been installed, its module should be enabled automatically for you:","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"Check Module Is Enabled","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"shell"},"content":[{"text":"/%{idp.home}/bin$ ./module.sh -l\n\n...\nModule: idp.authn.DuoOIDC [ENABLED]","type":"text"}]},{"type":"paragraph","content":[{"text":"However, if you need to enable it you can using the ","type":"text"},{"text":"module","type":"text","marks":[{"type":"code"}]},{"text":" command:","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"Enable the module","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"shell"},"content":[{"text":"/%{idp.home}/bin$ ./module.sh -e idp.authn.DuoOIDC","type":"text"}]},{"type":"paragraph","content":[{"text":"Either manual or automatic module enablement will copy across the following configuration files from the jar:","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"Configuration files","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"shell"},"content":[{"text":"jar:duo-oidc-authn-config.xml -> conf/authn/duo-oidc-authn-config.xml\njar:duo-oidc.properties -> conf/authn/duo-oidc.properties","type":"text"}]},{"type":"paragraph"},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"heading","attrs":{"level":3},"content":[{"text":"Automatic Flow Registration","type":"text"}]},{"type":"paragraph","content":[{"text":"The flow definition, default beans, and authentication flow descriptor are loaded automatically from well-known location(s) from the plugin’s classpath. The default behavior configured in those files can be overridden via the two configuration files shown above.","type":"text"}]}]},{"type":"paragraph","content":[{"text":"IdP installations upgraded from versions prior to V4.1 are also likely to require adding the ","type":"text"},{"text":"idp.searchForProperties=true","type":"text","marks":[{"type":"strong"}]},{"text":" property to their ","type":"text"},{"text":"idp.properties","type":"text","marks":[{"type":"em"}]},{"text":" file, or else an explicit reference would have to be added to the new property file added by the module. It's easiest to clean up the property situation prior to using plugins that add their own.","type":"text"}]},{"type":"paragraph","content":[{"text":"Once installed and enabled, you will then need to start ","type":"text"},{"text":"configuring","type":"text","marks":[{"type":"link","attrs":{"href":"#General-Configuration"}}]},{"text":" the flow.","type":"text"}]},{"type":"heading","attrs":{"level":1},"content":[{"text":"General Configuration","type":"text"}]},{"type":"expand","attrs":{"title":"Overview"},"content":[{"type":"paragraph","content":[{"text":"Once you have configured a Shibboleth ‘Protected Application’ and enabled support for the Universal Prompt in the ","type":"text"},{"text":"Duo Admin Panel","type":"text","marks":[{"type":"link","attrs":{"href":"https://admin.duosecurity.com/"}}]},{"text":" (see also ","type":"text"},{"text":"Duo Universal Prompt","type":"text","marks":[{"type":"link","attrs":{"href":"https://duo.com/docs/duoweb-v4"}}]},{"text":"), you'll need to copy across your ","type":"text"},{"text":"client ID","type":"text","marks":[{"type":"code"}]},{"text":", ","type":"text"},{"text":"API hostname","type":"text","marks":[{"type":"code"}]},{"text":" and ","type":"text"},{"text":"client secret","type":"text","marks":[{"type":"code"}]},{"text":" into the ","type":"text"},{"text":"conf/authn/duo-oidc.properties","type":"text","marks":[{"type":"em"}]},{"text":" file to form your Duo Integration. The client ID and secret will likely appear as integration key and secret key until you make your first request using the new AuthAPI i.e. actually use this plugin for authentication. Note, you may want to keep the ","type":"text"},{"text":"client secret","type":"text","marks":[{"type":"code"}]},{"text":" in ","type":"text"},{"text":"credentials/secrets.properties","type":"text","marks":[{"type":"em"}]},{"text":" for consistency with other IdP secrets","type":"text"}]},{"type":"paragraph","content":[{"text":"Next, you need to specify a redirection URI as per the OAuth2.0 specification (RFC6749). This is the endpoint the Duo Universal Prompt will redirect the end-users user-agent (browser) to after successful second-factor authentication. By default, Duo does ","type":"text"},{"text":"not","type":"text","marks":[{"type":"strong"}]},{"text":" require you to pre-register redirect URIs (you can request this if desired), instead taking one supplied by the IdP inside a ","type":"text"},{"text":"signed","type":"text","marks":[{"type":"em"}]},{"text":" JWT request object. This opens a few different possibilities depending on which of the two clients you choose. The simplest, supported by both clients, is to define a static ","type":"text"},{"text":"idp.duo.oidc.redirectURL","type":"text","marks":[{"type":"strong"}]},{"text":" property in the ","type":"text"},{"text":"conf/authn/duo-oidc.properties","type":"text","marks":[{"type":"em"}]},{"text":" file:","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"Redirect URI","type":"text","marks":[{"type":"strong"}]}]},{"type":"paragraph","content":[{"text":"idp.duo.oidc.redirectURL = https://:/idp/profile/Authn/Duo/2FA/duo-callback","type":"text","marks":[{"type":"code"}]}]},{"type":"paragraph","content":[{"text":"Where ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" and ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" match that of your running IdP - the port can be omitted if your IdP uses the standard HTTP/HTTPS port e.g. 80 and 443 respectively. You are free to change part of that path i.e. ","type":"text"},{"text":"Authn/Duo/2FA","type":"text","marks":[{"type":"code"}]},{"text":" by setting the ","type":"text"},{"text":"idp.duo.oidc.externalAuthnPath","type":"text","marks":[{"type":"strong"}]},{"text":" property. Although in most cases there is little reason for doing so. The endpoint itself needs only be accessible by the end-user’s user-agent (browser).","type":"text"}]},{"type":"paragraph","content":[{"text":"Alternatively","type":"text","marks":[{"type":"strong"}]},{"text":", you can let the plugin determine the redirect URI from the Host header sent from the client that issues the 'first' Duo 2FA request. To do so, comment out the ","type":"text"},{"text":"idp.duo.oidc.redirectURL","type":"text","marks":[{"type":"strong"}]},{"text":" property and then, in order to prevent HTTP Host header injection attacks (and possibly leaking your authorization code to a malicious actor), declare one or more comma-seperated allowed 'origins' [RFC6454] in the property ","type":"text"},{"text":"idp.duo.oidc.redirecturl.allowedOrigins.","type":"text","marks":[{"type":"strong"}]},{"text":" Each origin is a combination of scheme, host, and port. For schemes where the default port is used e.g. HTTPS on port 443, the port can be omitted. For example, assuming a production IdP has a hostname of “prod.example.com” using the https scheme over the default port, and a matching development IdP has a hostname of “dev.example.com” running on a custom port 8443, the following origins would be sufficient:","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"Allowed Origins","type":"text","marks":[{"type":"strong"}]}]},{"type":"paragraph","content":[{"text":"idp.duo.oidc.redirecturl.allowedOrigins = https://prod.example.com, https://dev.example.com:8443","type":"text","marks":[{"type":"code"}]}]},{"type":"paragraph","content":[{"text":"This can be useful if you want to keep a single generic configuration between development, staging, and production servers, etc.","type":"text"}]},{"type":"paragraph","content":[{"text":"Further to this, if you are using the Shibboleth Nimbus client, the redirect URI will be created dynamically from the Host header ","type":"text"},{"text":"per-request - ","type":"text","marks":[{"type":"em"}]},{"text":"there is no extra configuration for this, it works per-request by default. This ","type":"text"},{"text":"could","type":"text","marks":[{"type":"em"}]},{"text":" be useful, for example, if a single IdP instance is serving requests from more than one virtual-host, and each Duo 2FA request will need to be redirected back to the originating Hostname in order to successfully complete the request.","type":"text"}]},{"type":"paragraph","content":[{"text":"As an ","type":"text"},{"text":"advanced configuration option","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/1374027959/DuoOIDCAuthnConfiguration#https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/1374027959/DuoOIDCAuthnConfiguration#Advanced-Configuration"}}]},{"text":", you can specify more than one Duo integration and use a runtime function to determine which is used per authentication request. ","type":"text"}]},{"type":"paragraph","content":[{"text":"Given that Duo's 'second-factor' authentication runs after a 'first-factor' authentication method, you will also need to enable the \"","type":"text"},{"text":"idp.authn.MFA","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199505534"}}]},{"text":"\" module in addition to an appropriate first-factor (e.g., the Password flow module, \"","type":"text"},{"text":"idp.authn.Password","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199505587"}}]},{"text":"\"), and typically will need to configure the MFA flow to make use of this one as a second factor.","type":"text"}]}]},{"type":"expand","attrs":{"title":"Non-Browser Use"},"content":[{"type":"paragraph","content":[{"text":"The flow supports a secondary integration allowing use of the Duo AuthAPI for non-browser use cases such as SAML ECP. To enable support for the AuthAPI, you will need to define an additional integration with Duo. A second set of properties is defined to allow this.","type":"text"}]},{"type":"paragraph","content":[{"text":"Also, the default settings for this login flow mark it as not supporting non-browser use. This needs to be adjusted by setting the ","type":"text"},{"text":"idp.authn.DuoOIDC.nonBrowserSupported","type":"text","marks":[{"type":"strong"}]},{"text":" property.","type":"text"}]},{"type":"paragraph","content":[{"text":"By default, a built-in HttpClient bean is used to communicate with the Duo AuthAPI with fairly vanilla TLS behavior that relies on the system defaults. It's possible to customize this heavily using a pair of beans. More advanced documentation is in the ","type":"text"},{"text":"HttpClientConfiguration","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199510442"}}]},{"text":" topic.","type":"text"}]}]},{"type":"expand","attrs":{"title":"MFA Configuration"},"content":[{"type":"paragraph","content":[{"text":"Here we describe an example MFA flow using both the ","type":"text"},{"text":"MFA","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199505534"}}]},{"text":" and ","type":"text"},{"text":"Password","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199505587"}}]},{"text":" flows (in addition to the new DuoOIDC flow). Of course, this example assumes you have also enabled those modules in addition to this plugin/module, as per their documentation pages.","type":"text"}]},{"type":"paragraph","content":[{"text":"For testing, the credential store of the ","type":"text"},{"text":"Password","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199505587"}}]},{"text":" flow can be configured from a simple flat file of usernames/passwords, for example, using the ","type":"text"},{"text":"HTPasswdCredentialValidator","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199505813"}}]},{"text":" in ","type":"text"},{"text":"conf/authn/password-authn-config.xml","type":"text","marks":[{"type":"em"}]},{"text":" as shown below. If this file is missing, you have not yet enabled the \"idp.authn.Password\" module.","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"Example password validator","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"\n \n","type":"text"}]},{"type":"paragraph","content":[{"text":"Or, you may already have configured a 'production' ready password validator e.g. using LDAP. Either way, your next step is to compose both these flows into a suitable multi-factor authentication flow. An example flow defined in ","type":"text"},{"text":"conf/authn/mfa-authn-config.xml","type":"text","marks":[{"type":"em"}]},{"text":" file is shown below. If this file is missing, you have not yet enabled the \"idp.authn.MFA\" module.","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"Example MFA configuration","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"\n \n \n \n \n\n \n \n \n \n \n \n\n \n \n \n \n \n \n \n ","type":"text"}]},{"type":"paragraph","content":[{"text":"In summary, the IdP will run the \"authn/Password\" flow followed by the \"authn/DuoOIDC\" flow. More complex business/orchestration logic can be added to the ","type":"text"},{"text":"checkSecondFactor","type":"text","marks":[{"type":"code"}]},{"text":" script if required, see the ","type":"text"},{"text":"MFA","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199505534"}}]},{"text":" page for a full discussion of the possibilities.","type":"text"}]},{"type":"paragraph","content":[{"text":"After configuring the MFA orchestration logic appropriately, you should consider how to represent the multi-factor authentication mechanism to the ","type":"text"},{"text":"outside world","type":"text","marks":[{"type":"link","attrs":{"href":"#DuoOIDCAuthnConfiguration-duo-oidc-principals"}}]},{"text":".","type":"text"}]}]},{"type":"expand","attrs":{"title":"Authentication Context Classes (i.e., Supported Principals)"},"content":[{"type":"paragraph","content":[{"text":"As the DuoOIDC plugin typically runs after a first-factor authentication method orchestrated by the ","type":"text"},{"text":"MFA","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199505534"}}]},{"text":" flow, the MFA flow must present to the system a ","type":"text"},{"text":"supportedPrincipals","type":"text","marks":[{"type":"code"}]},{"text":" collection compatible with this type of authentication mechanism alongside any other factor(s) used. In the SAML 2.0 world (and nowadays more generally, e.g., OpenID Connect) these are specified as an Authentication Context Class.","type":"text"}]},{"type":"paragraph","content":[{"text":"Those already set by default on the MFA flow are described by the ","type":"text"},{"text":"idp.authn.MFA.supportedPrincipals","type":"text","marks":[{"type":"strong"}]},{"text":" property in the ","type":"text","marks":[{"type":"textColor","attrs":{"color":"#172b4d"}}]},{"text":"conf/authn/authn.properties ","type":"text","marks":[{"type":"em"}]},{"text":"file. (If your system has been upgraded from V4.0 or earlier, then you may not have migrated to the property-centric settings V4.1 allows, and may have the supported Principals enumerated in ","type":"text"},{"text":"conf/authn/general-authn.xml","type":"text","marks":[{"type":"em"}]},{"text":".) Either way,these need to be adjusted to also include those that are also exposed by the \"authn/DuoOIDC\" flow.","type":"text"}]},{"type":"paragraph","content":[{"text":"This flow defaults to an example set defined by the ","type":"text"},{"text":"idp.authn.DuoOIDC.supportedPrincipals","type":"text","marks":[{"type":"strong"}]},{"text":" property in ","type":"text"},{"text":"conf/duo-oidc.properties","type":"text","marks":[{"type":"em"}]},{"text":". If not set, it will fall back to the definition of the ","type":"text"},{"text":"idp.authn.Duo.supportedPrincipals ","type":"text","marks":[{"type":"strong"}]},{"text":"property.","type":"text"}]},{"type":"paragraph","content":[{"text":"As for what these values should be:","type":"text"}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"heading","attrs":{"level":3},"content":[{"text":"Supported Principals","type":"text"}]},{"type":"paragraph","content":[{"text":"There is no \"standard\" context class (or SAML 1 authentication method) to represent most forms of MFA, and experience has shown that it's a bad idea to create a strong coupling between applications and the exact technologies that you use for authentication.","type":"text"}]},{"type":"paragraph","content":[{"text":"As a result, the default configuration contains only a placeholder value to use that you will need to change, but there is currently no standard value to use. One possible choice to consider is the ","type":"text"},{"text":"REFEDS","type":"text","marks":[{"type":"link","attrs":{"href":"https://refeds.org/profile/mfa"}}]},{"text":" profile, but your particular deployment may or may not satisfy its requirements. Regardless of specifics, the approach is a good one in general: a generic URI representing the use of MFA.","type":"text"}]}]},{"type":"paragraph","content":[{"text":"For more advanced ","type":"text"},{"text":"supportedPrincipal","type":"text","marks":[{"type":"code"}]},{"text":" configurations, see below.","type":"text"}]}]},{"type":"expand","attrs":{"title":"User Interface"},"content":[{"type":"paragraph","content":[{"text":"The plugin itself does ","type":"text"},{"text":"not","type":"text","marks":[{"type":"strong"}]},{"text":" provide a native IdP view to customize because all second-factor authentication interactions occur on a Duo-hosted site to which the IdP redirects the user-agent (browser). See the ","type":"text"},{"text":"Duo Admin Panel","type":"text","marks":[{"type":"link","attrs":{"href":"https://admin.duosecurity.com/"}}]},{"text":" to see what customizations are possible on the Duo site. It is important to note that unsuccessful second-factor authentication terminates on the Duo site. The IdP will not receive notification of the failure, and hence authentication failure cannot be propagated further to the SP.","type":"text"}]},{"type":"paragraph","content":[{"text":"The non-browser variant has no UI and relies on a set of HTTP request headers from the client. Authentication relies on knowing the type of Duo factor to use, the device to use, and occasionally a passcode. Often none are needed and the whole process is automatic (the factor and device are defaulted to \"auto\"). Specifying a device is generally done using a name the user must associate with the device themselves. Some factors rely on a passcode being supplied.","type":"text"}]},{"type":"paragraph","content":[{"text":"The headers can be changed but default to:","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"X-Shibboleth-Duo-Factor","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"X-Shibboleth-Duo-Device","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"X-Shibboleth-Duo-Passcode","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"Factor is one of \"auto\", \"push\", \"phone\", or \"passcode\". The \"sms\" factor does not work, but will fail while resulting in the issuance of codes via SMS for subsequent use.","type":"text"}]}]},{"type":"heading","attrs":{"level":1},"content":[{"text":"Advanced Topics","type":"text"}]},{"type":"expand","attrs":{"title":"Username Determination"},"content":[{"type":"paragraph","content":[{"text":"By default, the Duo flow is designed to operate with a username derived from one of:","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"a pre-existing session","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"a previously executed login flow","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"Configuring it to run after a 'first-factor' flow will automatically satisfy this requirement, and allows you to supply a canonical username from a previous method into the Duo integration, which is typically the best approach.","type":"text"}]},{"type":"paragraph","content":[{"text":"If you need a more flexible approach, you can configure a bean named ","type":"text"},{"text":"shibboleth.authn.DuoOIDC.UsernameLookupStrategy","type":"text","marks":[{"type":"strong"}]},{"text":" of type ","type":"text"},{"text":"Function","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.util.function.Function"}}]},{"text":"<","type":"text","marks":[{"type":"textColor","attrs":{"color":"#172b4d"}}]},{"text":"ProfileRequestContext","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-opensaml.cgi/org.opensaml.profile.context.ProfileRequestContext"}}]},{"text":",","type":"text","marks":[{"type":"textColor","attrs":{"color":"#172b4d"}}]},{"text":"String","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.lang.String"}}]},{"text":">","type":"text","marks":[{"type":"textColor","attrs":{"color":"#172b4d"}}]},{"text":", which can be defined in ","type":"text"},{"text":"conf/authn/duo-oidc-authn-config.xml. ","type":"text","marks":[{"type":"em"}]},{"text":"The function returns the canonical username to use and can introspect the ","type":"text"},{"text":"ProfileRequestContext","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-opensaml.cgi/org.opensaml.profile.context.ProfileRequestContext"}}]},{"text":" if required.","type":"text"}]}]},{"type":"expand","attrs":{"title":"HTTP Public Key Pinning (HPKP)"},"content":[{"type":"paragraph","content":[{"text":"Both plugin variants are, by default, configured with the same static set of ‘pinned’ root certificate authority certificates (trust anchors). As a result, the chain of trust associated with the end-entity certificate presented by the Duo API must be anchored by one of these root authorities and no other e.g. not the default set provided by the JDK. The current set of pinned root certificates are listed in the table below:","type":"text"}]},{"type":"table","attrs":{"layout":"full-width","localId":"6316ced5-1520-47fa-a032-a2afed94bb92"},"content":[{"type":"tableRow","content":[{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[412.0]},"content":[{"type":"paragraph","content":[{"text":"Root Certificate","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[318.0]},"content":[{"type":"paragraph","content":[{"text":"Public Key Hash","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[412.0]},"content":[{"type":"paragraph","content":[{"text":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[318.0]},"content":[{"type":"paragraph","content":[{"text":"sha256/I/Lt/z7ekCWanjD0Cvj5EqXls2lOaThEA0H2Bg4BT/o=","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[412.0]},"content":[{"type":"paragraph","content":[{"text":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[318.0]},"content":[{"type":"paragraph","content":[{"text":"sha256/r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E=","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[412.0]},"content":[{"type":"paragraph","content":[{"text":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[318.0]},"content":[{"type":"paragraph","content":[{"text":"sha256/WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18=","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[412.0]},"content":[{"type":"paragraph","content":[{"text":"C=US, O=SecureTrust Corporation, CN=SecureTrust CA","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[318.0]},"content":[{"type":"paragraph","content":[{"text":"sha256/dykHF2FLJfEpZOvbOLX4PKrcD2w2sHd/iA/G3uHTOcw=","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[412.0]},"content":[{"type":"paragraph","content":[{"text":"C=US, O=SecureTrust Corporation, CN=Secure Global CA","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[318.0]},"content":[{"type":"paragraph","content":[{"text":"sha256/JZaQTcTWma4gws703OR/KFk313RkrDcHRvUt6na6DCg=","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[412.0]},"content":[{"type":"paragraph","content":[{"text":"C=US, O=Amazon, CN=Amazon Root CA 1","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[318.0]},"content":[{"type":"paragraph","content":[{"text":"sha256/++MBgDH5WGvL9Bcn5Be30cRcL0f5O+NyoXuWtQdX1aI=","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[412.0]},"content":[{"type":"paragraph","content":[{"text":"C=US, O=Amazon, CN=Amazon Root CA 2","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[318.0]},"content":[{"type":"paragraph","content":[{"text":"sha256/f0KW/FtqTjs108NpYj42SrGvOB2PpxIVM8nWxjPqJGE=","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[412.0]},"content":[{"type":"paragraph","content":[{"text":"C=US, O=Amazon, CN=Amazon Root CA 3","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[318.0]},"content":[{"type":"paragraph","content":[{"text":"sha256/NqvDJlas/GRcYbcWE8S/IceH9cq77kg0jVhZeAPXq8k=","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[412.0]},"content":[{"type":"paragraph","content":[{"text":"C=US, O=Amazon, CN=Amazon Root CA 4","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[318.0]},"content":[{"type":"paragraph","content":[{"text":"sha256/9+ze1cZgR9KO1kZrVDxA4HQ6voHRCSVNz4RdTCx4U8U=","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[412.0]},"content":[{"type":"paragraph","content":[{"text":"C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[318.0]},"content":[{"type":"paragraph","content":[{"text":"sha256/j9ESw8g3DxR9XM06fYZeuN1UB4O6xp/GAIjjdD/zM3g=","type":"text"}]}]}]}]},{"type":"paragraph","content":[{"text":"The Duo WebSDK v4 plugin uses public-key hash pinning, whereas the Shibboleth Nimbus plugin pins the entire CA certificate. The set of pinned hashes/certificates can be overridden for each plugin by including one of the following beans in the ","type":"text"},{"text":"conf/authn/duo-oidc-authn-config.xml","type":"text","marks":[{"type":"em"}]},{"text":" file:","type":"text"}]},{"type":"paragraph","content":[{"text":"For the Shibboleth Nimbus plugin - the values in the list are any valid Spring ","type":"text"},{"text":"Resource","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/spring.cgi/org.springframework.core.io.Resource"}}]},{"text":":","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"Override Shibboleth Nimbus Pinned Trusted Certificates","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"\n file://cert-filename.crt\n","type":"text"}]},{"type":"paragraph","content":[{"text":"For the Duo WebSDK v4 plugin - the values in the list are the public key hashes of pinned certificates:","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"Override Duo WebSDK v4 Pinned Trusted Certificates","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"\n sha256/public-key-hashvalue\n","type":"text"}]},{"type":"panel","attrs":{"panelType":"error"},"content":[{"type":"heading","attrs":{"level":3},"content":[{"text":"Empty Certificate List","type":"text"}]},{"type":"paragraph","content":[{"text":"If you set an empty list for the Duo WebSDK v4 plugin's TrustedCertificates, the default certificate pins hardcoded inside the Duo WebSDK v4 client will be used. For the Shibboleth Nimbus plugin, an empty list represents an empty set of trusted root certificates, and requests will always fail.","type":"text"}]}]}]},{"type":"expand","attrs":{"title":"Advanced Principal Configuration"},"content":[{"type":"paragraph","content":[{"text":"For a basic configuration, you set the ","type":"text"},{"text":"supportedPrincipals","type":"text","marks":[{"type":"code"}]},{"text":" property on both the \"authn/MFA\" and \"authn/DuoOIDC\" underlying ","type":"text"},{"text":"AuthenticationFlowDescriptor","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-idp.cgi/net.shibboleth.idp.authn.AuthenticationFlowDescriptor"}}]},{"text":" objects. These are copied across as ","type":"text"},{"text":"Principal","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.security.Principal"}}]},{"text":" objects to the resulting Java ","type":"text"},{"text":"Subject","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/javax.security.auth.Subject"}}]},{"text":" after successful authentication. If you need greater granularity, you can configure custom ","type":"text"},{"text":"Principal","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.security.Principal"}}]},{"text":" sets in the following ways:","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Directly on the DuoOIDCIntegration bean. This is useful if you have more than one Duo integration and want one to satisfy a request the other does not, usually due to different policies or factors supported on the Duo end. This works the same as the original ","type":"text"},{"text":"Duo","type":"text","marks":[{"type":"link","attrs":{"href":"https://wiki.shibboleth.net/confluence/display/IDP4/DuoAuthnConfiguration#DuoAuthnConfiguration-Integration-SpecificPrincipalSets"}}]},{"text":" integration.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Via a strategy function. This allows runtime decisions about ","type":"text"},{"text":"Principal","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.security.Principal"}}]},{"text":" to be made from the Duo 2FA result token.","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"Both are described below.","type":"text"}]},{"type":"paragraph","content":[{"text":"Directly on the DuoOIDCIntegration","type":"text","marks":[{"type":"strong"}]}]},{"type":"paragraph","content":[{"text":"You can define Principal sets per Duo Integration. This is particularly useful if you have more than one integration, and want each to satisfy a different Authentication Context Class Reference requested by a Service Provider. In the examples, the bean properties set are purely examples, they could be set inline or rely on property names of your own choice.","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"Per Integration Supported Principals","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"\n\t\t\n \t \t\n \t\t \n \t \n \t\n \t\n\n\n\n\t\t\n \t \t\n \t\t \n \t\n \t\n","type":"text"}]},{"type":"paragraph","content":[{"text":"Context to Principal Mapping Strategy","type":"text","marks":[{"type":"strong"}]}]},{"type":"paragraph","content":[{"text":"If you want to add Principals to the Java Subject based on runtime information received inside a Duo result (authentication) token, you can add a Java bean named ","type":"text"},{"text":"shibboleth.authn.DuoOIDC.ContextToPrincipalMappingStrategy","type":"text","marks":[{"type":"strong"}]},{"text":" that could, for example, inspect the JWT ","type":"text"},{"text":"ClaimsSet","type":"text","marks":[{"type":"link","attrs":{"href":"https://www.javadoc.io/doc/com.nimbusds/nimbus-jose-jwt/latest/com/nimbusds/jwt/JWTClaimsSet.html"}}]},{"text":" of the Duo token. The type of this bean is ","type":"text"},{"text":"Function","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.util.function.Function"}}]},{"text":"<","type":"text"},{"text":"ProfileRequestContext","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-opensaml.cgi/org.opensaml.profile.context.ProfileRequestContext"}}]},{"text":",","type":"text"},{"text":"Collection","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.util.function.Collection"}}]},{"text":"<","type":"text"},{"text":"Principal","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.security.Principal"}}]},{"text":">> (input is the profile request context tree, and the output is the collection to inject into the Subject).","type":"text"}]},{"type":"paragraph","content":[{"text":"The following example script adds the ACR \"http://example.org/ac/classes/mfa/strong\" to the Java Subject if the 'duo_push' two-factor authentication method was used (this is not a commentary on the \"strength\" of push-based MFA, strictly an example).","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"Example Context To Principal Mapping Strategy","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"\n \n \n \n \n \n","type":"text"}]},{"type":"paragraph","content":[{"text":"It is important to note that if the mapping strategy bean is defined, the default ","type":"text"},{"text":"supportedPrincipals","type":"text","marks":[{"type":"code"}]},{"text":" of the underlying flow descriptor are ","type":"text"},{"text":"not","type":"text","marks":[{"type":"strong"}]},{"text":" added to the Java Subject irrespective of the value of the property ","type":"text"},{"text":"idp.authn.DuoOIDC.addDefaultPrincipals","type":"text","marks":[{"type":"strong"}]},{"text":". Instead, alongside those added by the Function, only a ","type":"text"},{"text":"DuoPrincipal","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-duo.cgi/net.shibboleth.idp.authn.duo.DuoPrincipal"}}]},{"text":", and any Principals defined on the DuoOIDCIntegration itself are added.","type":"text"}]},{"type":"paragraph","content":[{"text":"The following JSON listing shows an example of the current Duo JWT ClaimsSet for reference when constructing a mapping strategy. Refer to Duo's ","type":"text"},{"text":"documentation","type":"text","marks":[{"type":"link","attrs":{"href":"https://duo.com/docs/oauthapi"}}]},{"text":" as the final word on the subject.","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"Duo JWT ClaimsSet","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"javascript"},"content":[{"text":"{\n \"iss\": \"https://api.duosecurity.com/oauth/v1/token\",\n \"sub\": \"subject\",\n \"aud\": \"DDFGGSGERGERR\",\n \"exp\": 1590070939,\n \"iat\": 1590067340,\n \"auth_time\": 1590067339,\n \"auth_result\": {\n \"status_msg\": \"Login Successful\",\n \"status\": \"allow\",\n \"result\": \"allow\"\n },\n \"auth_context\": {\n \"result\": \"success\",\n \"timestamp\": 1590067339,\n \"auth_device\": {\n \"ip\": \"100.100.100.12\",\n \"name\": \"telephone\",\n \"location\": {\n \"state\": \"State\",\n \"city\": \"City\",\n \"country\": \"United Kingdom\"\n }\n },\n \"txid\": \"b1287968-1dd1-4488-bb3c-0c72fc398b8b\",\n \"event_type\": \"authentication\",\n \"reason\": \"user_approved\",\n \"access_device\": {\n \"ip\": \"100.100.100.13\",\n \"location\": {\n \"state\": \"State\",\n \"city\": \"City\",\n \"country\": \"United Kingdom\"\n }\n },\n \"application\": {\n \"key\": \"DDFGGSGERGERR\",\n \"name\": \"Duo Integration\"\n },\n \"factor\": \"duo_push\",\n \"user\": {\n \"key\": \"DDFGGSGERGERR\",\n \"name\": \"username\"\n }\n }\n}","type":"text"}]}]},{"type":"expand","attrs":{"title":"Shibboleth Nimbus HttpClient"},"content":[{"type":"paragraph","content":[{"text":"As is common for OIDC Providers, Duo presents an HTTP API for the IdP to communicate with directly as a callback. With the Shibboleth Nimbus plugin, you have the option to override the default HttpClient object used during that communication by specifying your own ","type":"text"},{"text":"HttpClientFactoryBean","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199510442"}}]},{"text":" bean named ","type":"text"},{"text":"shibboleth.authn.DuoOIDC.nimbus.HttpClient","type":"text","marks":[{"type":"strong"}]},{"text":".","type":"text"}]},{"type":"paragraph","content":[{"text":"It is then up to you what 'security' features you add to this client e.g. certificate trust, alongside standard connection properties such as connection timeouts.","type":"text"}]},{"type":"paragraph","content":[{"text":"The default client already contains enough sensible, overridable, defaults that it would only be in very unusual cases that you would want to override it but is a standard approach to allow for it.","type":"text"}]}]},{"type":"expand","attrs":{"title":"Multiple Duo Integrations"},"content":[{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"heading","attrs":{"level":3},"content":[{"text":"Unchanged functionality","type":"text"}]},{"type":"paragraph","content":[{"text":"If you're already family with this functionality from the original ","type":"text","marks":[{"type":"textColor","attrs":{"color":"#172b4d"}}]},{"text":"Duo","type":"text","marks":[{"type":"link","attrs":{"href":"https://wiki.shibboleth.net/confluence/display/IDP4/DuoAuthnConfiguration"}}]},{"text":" integration, very little of the approach has changed.","type":"text","marks":[{"type":"textColor","attrs":{"color":"#172b4d"}}]}]}]},{"type":"paragraph","content":[{"text":"If you need to support multiple sets of Duo integration parameters, you can implement a ","type":"text","marks":[{"type":"textColor","attrs":{"color":"#172b4d"}}]},{"text":"Function","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.util.function.Function"}}]},{"text":"<","type":"text","marks":[{"type":"textColor","attrs":{"color":"#172b4d"}}]},{"text":"ProfileRequestContext","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-opensaml.cgi/org.opensaml.profile.context.ProfileRequestContext"}}]},{"text":",","type":"text","marks":[{"type":"textColor","attrs":{"color":"#172b4d"}}]},{"text":"DuoOIDCIntegration","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-idp.cgi/net.shibboleth.idp.authn.duo.DuoIntegration"}}]},{"text":"> in Java or a script in a bean named ","type":"text","marks":[{"type":"textColor","attrs":{"color":"#172b4d"}}]},{"text":"shibboleth.authn.DuoOIDC.DuoIntegrationStrategy","type":"text","marks":[{"type":"strong"}]},{"text":", which can be defined in ","type":"text","marks":[{"type":"textColor","attrs":{"color":"#172b4d"}}]},{"text":"conf/authn/duo-oidc-authn-config.xml","type":"text","marks":[{"type":"textColor","attrs":{"color":"#172b4d"}},{"type":"em"}]},{"text":".","type":"text","marks":[{"type":"textColor","attrs":{"color":"#172b4d"}}]}]},{"type":"paragraph","content":[{"text":"As an example ","type":"text"},{"text":"let's say you want to create a table that maps certain services to a particular integration, and uses a separate default for everything else. You can implement this with a simple map and a script that operates on it. In the examples, the bean properties set are purely examples, they could be set inline or rely on property names of your own choice.","type":"text","marks":[{"type":"textColor","attrs":{"color":"#172b4d"}}]}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"Multiple Duo Integrations","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"\n\n\n\n\n\t\n\t\n\t\n\n\n\n\t\n\t\t\n\t\t\n\t\t\n\t\n","type":"text"}]}]},{"type":"expand","attrs":{"title":"Certificate Revocation Checking"},"content":[{"type":"paragraph","content":[{"text":"Neither plugin/client is configured by default to check the revocation status of the certificates presented during the TLS handshake. Generally, there are three options for this:","type":"text"}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Revocation checking from a Certificate Revocation List defined in a local store.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Revocation checking from a Certificate Revocation List fetched from a distribution point defined in the certificate.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Revocation checking from querying an Online Certificate Status Protocol (OCSP) endpoint defined in the certificate.","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"To configure revocation checking with the ","type":"text"},{"text":"Duo WebSDK v4 plugin","type":"text","marks":[{"type":"strong"}]},{"text":", use the normal Java Trust Manager system properties (see the ","type":"text"},{"text":"CertPathDocs","type":"text","marks":[{"type":"link","attrs":{"href":"https://docs.oracle.com/en/java/javase/11/security/java-pki-programmers-guide.html"}}]},{"text":").","type":"text"}]},{"type":"paragraph","content":[{"text":"To enable revocation checking with the","type":"text"},{"text":" Shibboleth Nimbus plugin,","type":"text","marks":[{"type":"strong"}]},{"text":" you will need to set the property ","type":"text"},{"text":"idp.duo.oidc.nimbus.checkRevocation","type":"text","marks":[{"type":"strong"}]},{"text":" to true in the ","type":"text"},{"text":"conf/authn/duo-oidc.properties","type":"text","marks":[{"type":"em"}]},{"text":" file *","type":"text"},{"text":"and","type":"text","marks":[{"type":"strong"}]},{"text":"* do one or more of the following:","type":"text"}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Add one or more 'approved' (issuer and signature verified) static CRLs as Resources to a list bean named ","type":"text"},{"text":"shibboleth.authn.DuoOIDC.tls.CRLs ","type":"text","marks":[{"type":"strong"}]},{"text":"to the ","type":"text"},{"text":"conf/authn/duo-oidc-authn-config.xml ","type":"text","marks":[{"type":"textColor","attrs":{"color":"#172b4d"}},{"type":"em"}]},{"text":"file.","type":"text","marks":[{"type":"textColor","attrs":{"color":"#172b4d"}}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Enable CRL checking from an online distribution point via the system property ","type":"text"},{"text":"com.sun.security.enableCRLDP ","type":"text","marks":[{"type":"strong"}]},{"text":"(as described in the ","type":"text"},{"text":"CertPathDocs","type":"text","marks":[{"type":"link","attrs":{"href":"https://docs.oracle.com/en/java/javase/11/security/java-pki-programmers-guide.html"}}]},{"text":")","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Enable OCSP via the ","type":"text"},{"text":"security","type":"text","marks":[{"type":"strong"}]},{"text":" system property ","type":"text"},{"text":"oscp.enabled","type":"text","marks":[{"type":"strong"}]},{"text":" (as described in the ","type":"text"},{"text":"CertPathDocs","type":"text","marks":[{"type":"link","attrs":{"href":"https://docs.oracle.com/en/java/javase/11/security/java-pki-programmers-guide.html"}}]},{"text":")","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"Note that Duo does not support OSCP stapling, so this is not an option at this stage.","type":"text"}]}]},{"type":"expand","attrs":{"title":"HTTP Proxy"},"content":[{"type":"paragraph","content":[{"text":"The HTTPClientBuilder object that is the base for the HTTPClient beans has properties for HTTP proxy settings. To configure a proxy for use by the Nimbus plugin, add this bean to ","type":"text"},{"text":"conf/authn/duo-oidc-authn-config.xml","type":"text","marks":[{"type":"em"}]},{"text":":","type":"text"}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":" ","type":"text"}]}]},{"type":"expand","attrs":{"title":"Duo Health Check (V1.3.0+)"},"content":[{"type":"paragraph","content":[{"text":"Before each Duo 2FA request, a back-channel lookup is made to Duo’s health check endpoint to determine if the Duo servers are accessible and accepting requests. If for some reason they aren’t, the 2FA attempt fails but the IdP’s authentication flows resume. This is a standard part of Duo’s 2FA workflow. The benefit of this approach is, it occurs before the URL redirect in the browser, and if the Duo 2FA endpoint were not available the IdP remains in control of the authentication process. Otherwise, the user’s browser might timeout during the 2FA request, or the user might get stuck on an error page of some kind.","type":"text"}]},{"type":"paragraph","content":[{"text":"However, this involves an extra, frequent, back-channel network lookup and as such is subject to the same reliability/availability issues as the actual 2FA request. From investigation, it appears possible to bypass this check and still have the 2FA proceed as normal. Consequently, from v1.3.0 onward we have included a property (","type":"text"},{"text":"idp.duo.oidc.healthcheck.enabled","type":"text","marks":[{"type":"strong"}]},{"text":") that allows the deployer to turn off this check. ","type":"text"}]}]},{"type":"expand","attrs":{"title":"Audit Logging (V1.3.0+)"},"content":[{"type":"paragraph","content":[{"text":"Since V1.3.0 it is possible to enable audit logging for Duo2FA interactions by setting the property ","type":"text"},{"text":"idp.duo.oidc.audit.enabled","type":"text","marks":[{"type":"strong"}]},{"text":" to ","type":"text"},{"text":"true ","type":"text","marks":[{"type":"strong"}]},{"text":"in ","type":"text"},{"text":"/conf/authn/duo-oidc.properties","type":"text","marks":[{"type":"em"}]},{"text":". ","type":"text"},{"text":"From V1.4.0","type":"text","marks":[{"type":"strong"}]},{"text":" onward you also need to enable the general ","type":"text"},{"text":"authentication audit logging","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199505085"}}]},{"text":" on the IdP using the property ","type":"text"},{"text":"idp.authn.audit.enabled","type":"text","marks":[{"type":"strong"}]},{"text":" in ","type":"text"},{"text":"/conf/authn.properties.","type":"text","marks":[{"type":"em"}]}]},{"type":"paragraph","content":[{"text":"Once enabled, audit log statements are routed through a logger named ","type":"text"},{"text":"Shibboleth-Audit.DuoOIDC. ","type":"text","marks":[{"type":"em"}]},{"text":"From V1.4.0 ","type":"text","marks":[{"type":"strong"}]},{"text":"onward, you can change the name of this logger using the property ","type":"text"},{"text":"idp.duo.oidc.audit.category","type":"text","marks":[{"type":"strong"}]},{"text":" in ","type":"text"},{"text":"/conf/authn/duo-oidc.properties.","type":"text","marks":[{"type":"em"}]}]},{"type":"paragraph","content":[{"text":"Without further configuration, the audit statements will appear in the normal ","type":"text"},{"text":"idp-audit.log","type":"text","marks":[{"type":"em"}]},{"text":" log file. This may be sufficient for your needs, if not and you would rather those exclusively appear in a new audit log file, you will need to add a new Logback appender and logger to the ","type":"text"},{"text":"logback.xml","type":"text","marks":[{"type":"em"}]},{"text":" file, for example:","type":"text"}]},{"type":"codeBlock","content":[{"text":"\n ${idp.logfiles}/idp-duo2fa-audit.log\n\n \n ${idp.logfiles}/idp-duo2fa-audit-%d{yyyy-MM-dd}.log.gz\n ${idp.loghistory}\n \n\n \n UTF-8\n %msg%n\n \n\n \n\n\n \n","type":"text"}]},{"type":"paragraph","content":[{"text":"Audit Format","type":"text","marks":[{"type":"strong"}]}]},{"type":"paragraph","content":[{"text":"The default audit format is shown below (the fields are described in the table underneath). ","type":"text"}]},{"type":"codeBlock","content":[{"text":"%AAF|%a|%T|%DuoU|%DuoRedirect|%DuoCID|%DuoReqS|%DuoRespS|%DuoTXID|%DuoDID|%DuoDN|%DuoR|%DuoF","type":"text"}]},{"type":"paragraph","content":[{"text":"Custom Audit Format V1.3.0","type":"text","marks":[{"type":"strong"}]}]},{"type":"paragraph","content":[{"text":"For V1.3.0, the audit format can be adjusted by specifying your own bean, ","type":"text"},{"text":"shibboleth.authn.DuoOIDC.AuditFormattingMap","type":"text","marks":[{"type":"strong"}]},{"text":", in ","type":"text"},{"text":"/conf/authn/duo-oidc-authn-config.xml.","type":"text","marks":[{"type":"em"}]}]},{"type":"paragraph","content":[{"text":"Custom Audit Format V1.4.0+","type":"text","marks":[{"type":"strong"}]}]},{"type":"paragraph","content":[{"text":"For V1.4.0+, the audit format can be adjusted using the ","type":"text"},{"text":"idp.duo.oidc.audit.format","type":"text","marks":[{"type":"strong"}]},{"text":" property in ","type":"text"},{"text":"/conf/authn/duo-oidc.properties. ","type":"text","marks":[{"type":"em"}]}]},{"type":"paragraph","content":[{"text":"Audit Logging Fields","type":"text","marks":[{"type":"strong"}]}]},{"type":"table","attrs":{"layout":"default","localId":"c4373bc2-5718-444b-94ea-abedf9bcf83d"},"content":[{"type":"tableRow","content":[{"type":"tableHeader","attrs":{"colspan":1,"background":"var(--ds-background-neutral, #F4F5F7)","rowspan":1,"colwidth":[126.0]},"content":[{"type":"paragraph","content":[{"text":"Field","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableHeader","attrs":{"colspan":1,"background":"var(--ds-background-neutral, #F4F5F7)","rowspan":1,"colwidth":[604.0]},"content":[{"type":"paragraph","content":[{"text":"Description","type":"text","marks":[{"type":"strong"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[126.0]},"content":[{"type":"paragraph","content":[{"text":"AAF","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[604.0]},"content":[{"type":"paragraph","content":[{"text":"The ID of the currently running authentication flow i.e. authn/DuoOIDC in this case","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[126.0]},"content":[{"type":"paragraph","content":[{"text":"DuoRedirect","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[604.0]},"content":[{"type":"paragraph","content":[{"text":"The location of the IdP’s callback endpoint Duo will redirect the user too after successful authentication","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[126.0]},"content":[{"type":"paragraph","content":[{"text":"DuoCID","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[604.0]},"content":[{"type":"paragraph","content":[{"text":"The Duo client identifier used for this request","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[126.0]},"content":[{"type":"paragraph","content":[{"text":"DuoTXID","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[604.0]},"content":[{"type":"paragraph","content":[{"text":"The transaction ID contained in the Duo 2FA response","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[126.0]},"content":[{"type":"paragraph","content":[{"text":"DuoDID","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[604.0]},"content":[{"type":"paragraph","content":[{"text":"The ID of the device used to authenticate the user","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[126.0]},"content":[{"type":"paragraph","content":[{"text":"DuoDN","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[604.0]},"content":[{"type":"paragraph","content":[{"text":"The friendly name of the device used to authenticate the user","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[126.0]},"content":[{"type":"paragraph","content":[{"text":"DuoR","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[604.0]},"content":[{"type":"paragraph","content":[{"text":"The authentication reason","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[126.0]},"content":[{"type":"paragraph","content":[{"text":"DuoF","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[604.0]},"content":[{"type":"paragraph","content":[{"text":"The factor used for 2FA e.g. a Security Key or SMS.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[126.0]},"content":[{"type":"paragraph","content":[{"text":"DuoU","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[604.0]},"content":[{"type":"paragraph","content":[{"text":"The username of the authenticating user sent in the Duo 2FA request","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[126.0]},"content":[{"type":"paragraph","content":[{"text":"DuoRespS","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[604.0]},"content":[{"type":"paragraph","content":[{"text":"The ","type":"text"},{"text":"state ","type":"text","marks":[{"type":"em"}]},{"text":"OAuth 2.0 parameter returned in the Duo response","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[126.0]},"content":[{"type":"paragraph","content":[{"text":"DuoReqS","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[604.0]},"content":[{"type":"paragraph","content":[{"text":"The ","type":"text"},{"text":"state ","type":"text","marks":[{"type":"em"}]},{"text":"OAuth 2.0 parameter sent to Duo in the 2FA request (client authorization request)","type":"text"}]}]}]}]}]},{"type":"expand","attrs":{"title":"Passwordless Authentication using Duo (V2.1+)"},"content":[{"type":"paragraph","content":[{"text":"V2.1 and later versions of the plugin can be configured to support passwordless authentication using FIDO2/WebAuthn technology, such as platform authenticators like TouchID and Windows Hello, Passkeys, or hardware tokens that support PINs. Refere to the ","type":"text"},{"type":"inlineCard","attrs":{"url":"https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/3360686194"}},{"text":" topic for complete documentation.","type":"text"}]}]},{"type":"heading","attrs":{"level":1},"content":[{"text":"Reference","type":"text"}]},{"type":"expand","attrs":{"title":"Beans (General)"},"content":[{"type":"table","attrs":{"layout":"full-width","localId":"b516c52d-baab-4bd4-b683-8c04b7b1756b"},"content":[{"type":"tableRow","content":[{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[350.0]},"content":[{"type":"paragraph","content":[{"text":"Bean ID / Type","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[173.0]},"content":[{"type":"paragraph","content":[{"text":"Default","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[207.0]},"content":[{"type":"paragraph","content":[{"text":"Description","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[350.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.authn.DuoOIDC.DuoIntegration","type":"text"}]},{"type":"paragraph","content":[{"text":"DuoOIDCIntegration","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.net/cgi-bin/java-duo.cgi/net/shibboleth/idp/plugin/authn/duo/DuoOIDCIntegration"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[173.0]},"content":[{"type":"paragraph","content":[{"text":"Derived from properties in ","type":"text"},{"text":"conf/authn/duo-oidc.properties","type":"text","marks":[{"type":"em"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[207.0]},"content":[{"type":"paragraph","content":[{"text":"Defines a single/static Duo OIDC Integration with Duo, you can override this bean to supply a non-property-configured alternative","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[350.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.authn.DuoOIDC.DuoIntegrationStrategy","type":"text"}]},{"type":"paragraph","content":[{"text":"Function","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.util.function.Function"}}]},{"text":"<","type":"text"},{"text":"ProfileRequestContext","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-opensaml.cgi/org.opensaml.profile.context.ProfileRequestContext"}}]},{"text":",","type":"text"},{"text":"DuoOIDCIntegration","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.net/cgi-bin/java-duo.cgi/net/shibboleth/idp/plugin/authn/duo/DuoOIDCIntegration"}}]},{"text":">","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[173.0]},"content":[{"type":"paragraph","content":[{"type":"hardBreak"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[207.0]},"content":[{"type":"paragraph","content":[{"text":"Optional bean to supply the Duo OIDC integration settings dynamically","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[350.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.authn.DuoOIDC.UsernameLookupStrategy","type":"text"}]},{"type":"paragraph","content":[{"text":"Function","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.util.function.Function"}}]},{"text":"<","type":"text"},{"text":"ProfileRequestContext","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-opensaml.cgi/org.opensaml.profile.context.ProfileRequestContext"}}]},{"text":",String>","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[173.0]},"content":[{"type":"paragraph","content":[{"text":"CanonicalUsernameLookupStrategy","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-idp.cgi/net.shibboleth.idp.session.context.navigate.CanonicalUsernameLookupStrategy"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[207.0]},"content":[{"type":"paragraph","content":[{"text":"Optional bean to supply username","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[350.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.authn.DuoOIDC.resultCachingPredicate","type":"text"}]},{"type":"paragraph","content":[{"text":"Predicate","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.util.function.Predicate"}}]},{"text":"<","type":"text"},{"text":"ProfileRequestContext","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-opensaml.cgi/org.opensaml.profile.context.ProfileRequestContext"}}]},{"text":">","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[173.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.Conditions.TRUE","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[207.0]},"content":[{"type":"paragraph","content":[{"text":"Bean ID controlling whether to preserve the authentication result in an IdP session","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[350.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.authn.DuoOIDC.CleanUpHook","type":"text"}]},{"type":"paragraph","content":[{"text":"Consumer","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.util.function.Consumer"}}]},{"text":"<","type":"text"},{"text":"ProfileRequestContext","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-opensaml.cgi/org.opensaml.profile.context.ProfileRequestContext"}}]},{"text":">","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[173.0]},"content":[{"type":"paragraph","content":[{"text":"Bean that removes the DuoOIDAuthenticationContext from the tree","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[207.0]},"content":[{"type":"paragraph","content":[{"text":"A cleanup hook that is executed on successful authentication.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[350.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.authn.DuoOIDC.jwt.claims.CleanUpHook","type":"text"}]},{"type":"paragraph","content":[{"text":"Consumer","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.util.function.Consumer"}}]},{"text":"<","type":"text"},{"text":"ProfileRequestContext","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-opensaml.cgi/org.opensaml.profile.context.ProfileRequestContext"}}]},{"text":">","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[173.0]},"content":[{"type":"paragraph","content":[{"text":"Bean that removes the nonce value from the DuoOIDAuthenticationContext","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[207.0]},"content":[{"type":"paragraph","content":[{"text":"A cleanup hook to execute after either successful or unsuccessful claims validation","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[350.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.authn.DuoOIDC.DuoTokenClaimsVerifier","type":"text"}]},{"type":"paragraph","content":[{"text":"JWTClaimsValidation","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[173.0]},"content":[{"type":"paragraph","content":[{"text":"DefaultDuoTokenClaimsVerifier ","type":"text","marks":[{"type":"em"}]},{"text":"Claims verification in accordance with the Duo specification. Also OIDC compliant for the special Duo id_token case.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[207.0]},"content":[{"type":"paragraph","content":[{"text":"Duo result token (OIDC id_token) claims verifier using a 'chain' of ClaimsValidators e.g. audience, issuer, expiration checks etc. You can either replace the claims validator completely, change some of the behavior of existing validators individually, or add to a new validation check using a custom ","type":"text"},{"text":"BiFunction","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.util.function.BiFunction"}}]},{"text":", see ","type":"text"},{"text":"shibboleth.authn.DuoOIDC.ExtendedClaimsValidator.","type":"text","marks":[{"type":"em"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[350.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.authn.DuoOIDC.jwt.IssuerLookupStrategy","type":"text"}]},{"type":"paragraph","content":[{"text":"BiFunction","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.util.function.BiFunction"}}]},{"text":"<","type":"text"},{"text":"ProfileRequestContext","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-opensaml.cgi/org.opensaml.profile.context.ProfileRequestContext"}}]},{"text":", ","type":"text"},{"text":"JWTClaimsSet","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/jose.cgi/com.nimbusds.jwt.JWTClaimsSet"}}]},{"text":", String>","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[173.0]},"content":[{"type":"paragraph","content":[{"text":"Combines the HTTPS scheme, with the Duo API Hostname, and the Duo token IssuerPath.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[207.0]},"content":[{"type":"paragraph","content":[{"text":"Lookup strategy that returns the OIDC issuer. An issuer contains the scheme, host, and optionally, port and path components that identify the id_token issuer.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[350.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.authn.DuoOIDC.jwt.AudienceLookupStrategy","type":"text"}]},{"type":"paragraph","content":[{"text":"BiFunction","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.util.function.BiFunction"}}]},{"text":"<","type":"text"},{"text":"ProfileRequestContext","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-opensaml.cgi/org.opensaml.profile.context.ProfileRequestContext"}}]},{"text":",","type":"text"},{"text":"JWTClaimsSet","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/jose.cgi/com.nimbusds.jwt.JWTClaimsSet"}}]},{"text":", String>","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[173.0]},"content":[{"type":"paragraph","content":[{"text":"The clientID of the Duo Integration pertaining to the request.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[207.0]},"content":[{"type":"paragraph","content":[{"text":"Lookup the client_id for the Relying Party.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[350.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.authn.DuoOIDC.jwt.UsernameLookupStrategy","type":"text"}]},{"type":"paragraph","content":[{"text":"BiFunction","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.util.function.BiFunction"}}]},{"text":"<","type":"text"},{"text":"ProfileRequestContext","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-opensaml.cgi/org.opensaml.profile.context.ProfileRequestContext"}}]},{"text":",","type":"text"},{"text":"JWTClaimsSet","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/jose.cgi/com.nimbusds.jwt.JWTClaimsSet"}}]},{"text":", String>","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[173.0]},"content":[{"type":"paragraph","content":[{"text":"The authenticating principal's username from the context pertaining to the request.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[207.0]},"content":[{"type":"paragraph","content":[{"text":"Lookup the authenticating principal's username to match Duo's ","type":"text"},{"text":"preferred_username","type":"text","marks":[{"type":"code"}]},{"text":" field in the id_token.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[350.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.authn.DuoOIDC.jwt.AuthTimeActivationCondition","type":"text"}]},{"type":"paragraph","content":[{"text":"BiPredicate","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.util.function.BiPredicate"}}]},{"text":"<","type":"text"},{"text":"ProfileRequestContext","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-opensaml.cgi/org.opensaml.profile.context.ProfileRequestContext"}}]},{"text":",","type":"text"},{"text":"JWTClaimsSet","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/jose.cgi/com.nimbusds.jwt.JWTClaimsSet"}}]},{"text":">","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[173.0]},"content":[{"type":"paragraph","content":[{"text":"Returns true if forced authentication has been requested by the Relying Party.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[207.0]},"content":[{"type":"paragraph","content":[{"text":"Should the auth_time field be validated for the given request?","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[350.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.authn.DuoOIDC.jwt.NonceLookupStrategy","type":"text"}]},{"type":"paragraph","content":[{"text":"BiFunction","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.util.function.BiFunction"}}]},{"text":"<","type":"text"},{"text":"ProfileRequestContext","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-opensaml.cgi/org.opensaml.profile.context.ProfileRequestContext"}}]},{"text":",","type":"text"},{"text":"JWTClaimsSet","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/jose.cgi/com.nimbusds.jwt.JWTClaimsSet"}}]},{"text":", String>","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[173.0]},"content":[{"type":"paragraph","content":[{"text":"The nonce that was used in the authorization request and stored in the Duo authentication context.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[207.0]},"content":[{"type":"paragraph","content":[{"text":"Lookup the nonce that was used in the authorization request and should be present in the id_token.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[350.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.authn.DuoOIDC.jwt.NonceActivationCondition","type":"text"}]},{"type":"paragraph","content":[{"text":"BiPredicate","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.util.function.BiPredicate"}}]},{"text":"<","type":"text"},{"text":"ProfileRequestContext","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-opensaml.cgi/org.opensaml.profile.context.ProfileRequestContext"}}]},{"text":",","type":"text"},{"text":"JWTClaimsSet","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/jose.cgi/com.nimbusds.jwt.JWTClaimsSet"}}]},{"text":">","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[173.0]},"content":[{"type":"paragraph","content":[{"text":"Returns true iff the id_token contains a nonce.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[207.0]},"content":[{"type":"paragraph","content":[{"text":"Should we validate the nonce value in the id_token?","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[350.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.authn.DuoOIDC.RequiredOIDCClaims","type":"text"}]},{"type":"paragraph","content":[{"text":"Set","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[173.0]},"content":[{"type":"paragraph","content":[{"text":"Used by the ","type":"text"},{"text":"DefaultDuoTokenClaimsVerifier ","type":"text","marks":[{"type":"em"}]},{"text":"above. Defaults to those claims ","type":"text"},{"text":"required ","type":"text","marks":[{"type":"strong"}]},{"text":"by the OIDC specification (","type":"text"},{"text":"https://openid.net/specs/openid-connect-core-1_0.html#IDToken","type":"text","marks":[{"type":"link","attrs":{"href":"https://openid.net/specs/openid-connect-core-1_0.html#IDToken"}}]},{"text":")","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[207.0]},"content":[{"type":"paragraph","content":[{"text":"The names of the claims required to be present in the Duo result token (OIDC id_token).","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[350.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.authn.DuoOIDC.ContextToPrincipalMappingStrategy","type":"text"}]},{"type":"paragraph","content":[{"text":"Function","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.util.function.Function?module=java.sql"}}]},{"text":"<","type":"text"},{"text":"ProfileRequestContext","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-opensaml.cgi/org.opensaml.profile.context.ProfileRequestContext"}}]},{"text":",","type":"text"},{"text":"Collection","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.util.function.Collection"}}]},{"text":"<","type":"text"},{"text":"Principal","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.security.Principal"}}]},{"text":">>","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[173.0]},"content":[{"type":"paragraph","content":[{"type":"hardBreak"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[207.0]},"content":[{"type":"paragraph","content":[{"text":"Map information in the ","type":"text"},{"text":"ProfileRequestContext","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-opensaml.cgi/org.opensaml.profile.context.ProfileRequestContext"}}]},{"text":", most likely in the Duo result id_token, to a collection of Principals the execution of the flow supports. See ","type":"text"},{"text":"this advanced topic","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki#DuoOIDCAuthnConfiguration-duo-oidc-adv-principals"}}]},{"text":".","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[350.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.authn.DuoOIDC.ExtendedClaimsValidator","type":"text"}]},{"type":"paragraph","content":[{"text":"BiFunction","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.util.function.BiFunction"}}]},{"text":"<","type":"text"},{"text":"JWTClaimsSet","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/jose.cgi/com.nimbusds.jwt.JWTClaimsSet"}}]},{"text":",","type":"text"},{"text":"ProfileRequestContext","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-opensaml.cgi/org.opensaml.profile.context.ProfileRequestContext"}}]},{"text":",JWTValidationException>","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[173.0]},"content":[{"type":"paragraph","content":[{"type":"hardBreak"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[207.0]},"content":[{"type":"paragraph","content":[{"text":"Optional ","type":"text"},{"text":"BiFunction","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.util.function.BiFunction"}}]},{"text":" extension point for custom claims validation of the Duo token","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[350.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.authn.DuoOIDC.PreDuoPopulateAuditExtractors ","type":"text"},{"text":"1.3.0","type":"text","marks":[{"type":"subsup","attrs":{"type":"sup"}}]}]},{"type":"paragraph","content":[{"text":"Map>","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[173.0]},"content":[{"type":"paragraph"}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[207.0]},"content":[{"type":"paragraph","content":[{"text":"Map of Pre-Duo 2FA redirect audit extractors that take the ","type":"text"},{"text":"ProfileRequestContext","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-opensaml.cgi/org.opensaml.profile.context.ProfileRequestContext"}}]},{"text":" and return an object (usually a String)","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[350.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.authn.DuoOIDC.PostDuoPopulateAuditExtractors ","type":"text"},{"text":"1.3.0","type":"text","marks":[{"type":"subsup","attrs":{"type":"sup"}}]}]},{"type":"paragraph","content":[{"text":"Map","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.util.Map"}}]},{"text":"<","type":"text"},{"text":"String","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.lang.String"}}]},{"text":",","type":"text"},{"text":"Function","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.util.function.Function"}}]},{"text":"<","type":"text"},{"text":"ProfileRequestContext","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/pages/resumedraft.action?draftId=1265631711"}}]},{"text":",Object>>","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[173.0]},"content":[{"type":"paragraph"}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[207.0]},"content":[{"type":"paragraph","content":[{"text":"Map of Post-Duo 2FA audit extractors that take the ","type":"text"},{"text":"ProfileRequestContext","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-opensaml.cgi/org.opensaml.profile.context.ProfileRequestContext"}}]},{"text":" and return an object (usually a String)","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[350.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.authn.DuoOIDC.AuditFormattingMap ","type":"text"},{"text":"1.3.0(only)","type":"text","marks":[{"type":"subsup","attrs":{"type":"sup"}}]}]},{"type":"paragraph","content":[{"text":"Map","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[173.0]},"content":[{"type":"paragraph"}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[207.0]},"content":[{"type":"paragraph","content":[{"text":"Map of logging categories to audit formatting strings for Duo 2FA audit logging","type":"text"}]}]}]}]}]},{"type":"expand","attrs":{"title":"Beans (Duo WebSDK)"},"content":[{"type":"paragraph","content":[{"text":"These beans are specific to the Duo WebSDK-based plugin only:","type":"text"}]},{"type":"table","attrs":{"layout":"full-width","localId":"bf98599a-fecf-4913-9da8-9c273f666471"},"content":[{"type":"tableRow","content":[{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[246.0]},"content":[{"type":"paragraph","content":[{"text":"Bean ID / Type","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[145.0]},"content":[{"type":"paragraph","content":[{"text":"Default","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[339.0]},"content":[{"type":"paragraph","content":[{"text":"Description","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[246.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.authn.DuoOIDC.sdk.TrustedCertificates","type":"text"}]},{"type":"paragraph","content":[{"text":"List","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[145.0]},"content":[{"type":"paragraph","content":[{"text":"DefaultTrustedCertificates","type":"text","marks":[{"type":"em"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[339.0]},"content":[{"type":"paragraph","content":[{"text":"A default list of trust root CA public key hashes. See ","type":"text"},{"text":"HTTP Public Key Pinning","type":"text","marks":[{"type":"link","attrs":{"href":"#DuoOIDCAuthnConfiguration-duo-oidc-hpkp"}}]}]}]}]}]}]},{"type":"expand","attrs":{"title":"Beans (Nimbus)"},"content":[{"type":"paragraph","content":[{"text":"These beans are specific to the Nimbus-based plugin only:","type":"text"}]},{"type":"table","attrs":{"layout":"full-width","localId":"619320f1-475b-41dc-aeea-55843b8bf411"},"content":[{"type":"tableRow","content":[{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[315.0]},"content":[{"type":"paragraph","content":[{"text":"Bean ID / Type","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[155.0]},"content":[{"type":"paragraph","content":[{"text":"Default","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[260.0]},"content":[{"type":"paragraph","content":[{"text":"Description","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[315.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.authn.DuoOIDC.nimbus.TrustedCertificates","type":"text"}]},{"type":"paragraph","content":[{"text":"List<","type":"text"},{"text":"Resource","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/spring.cgi/org.springframework.core.io.Resource"}}]},{"text":">","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[155.0]},"content":[{"type":"paragraph","content":[{"text":"Default trust list","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[260.0]},"content":[{"type":"paragraph","content":[{"text":"A default list of trust root CA certificates. See ","type":"text"},{"text":"HTTP Public Key Pinning","type":"text","marks":[{"type":"link","attrs":{"href":"#DuoOIDCAuthnConfiguration-duo-oidc-hpkp"}}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[315.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.authn.DuoOIDC.nimbus.HttpClientSecurityParameters","type":"text"}]},{"type":"paragraph","content":[{"text":"HttpClientSecurityParameters","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-opensaml.cgi/org.opensaml.security.httpclient.HttpClientSecurityParameters"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[155.0]},"content":[{"type":"paragraph"}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[260.0]},"content":[{"type":"paragraph","content":[{"text":"Custom security settings for the Duo OIDC calls","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[315.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.authn.DuoOIDC.nimbus.HttpClient","type":"text"}]},{"type":"paragraph","content":[{"text":"HttpClient","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[155.0]},"content":[{"type":"paragraph","content":[{"text":"Internal/default HttpClient instance","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[260.0]},"content":[{"type":"paragraph","content":[{"text":"The HttpClient used to connect to Duo's OIDC endpoints. Properties can be overridden in the duo-oidc.properties file.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[315.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.authn.DuoOIDC.nimbus.TrustEvaluator","type":"text"}]},{"type":"paragraph","content":[{"text":"PKIXTrustEvaluator","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[155.0]},"content":[{"type":"paragraph","content":[{"text":"Default TrustEvaluator","type":"text"}]},{"type":"paragraph","content":[{"text":"Tied to a TLS Trust Engine and hence the HttpClientSecurityParameters","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[260.0]},"content":[{"type":"paragraph","content":[{"text":"Evaluates the X509 Credential","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[315.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.authn.DuoOIDC.tls.CRLs","type":"text"}]},{"type":"paragraph","content":[{"text":"List<","type":"text"},{"text":"Resource","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/spring.cgi/org.springframework.core.io.Resource"}}]},{"text":">","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[155.0]},"content":[{"type":"paragraph"}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[260.0]},"content":[{"type":"paragraph","content":[{"text":"Supplied list of static CRL resources. See ","type":"text"},{"text":"Certificate Revocation Checking","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki#DuoOIDCAuthnConfiguration-duo-oidc-rev-checking"}}]}]}]}]}]}]},{"type":"expand","attrs":{"title":"Beans (Non-Browser Auth API)"},"content":[{"type":"paragraph","content":[{"text":"These beans refer to the Duo Auth API (non-OIDC) which supports non-browser flows.","type":"text"}]},{"type":"table","attrs":{"layout":"full-width","localId":"e0ed39d0-fd40-4495-8297-6f7f94fd56a2"},"content":[{"type":"tableRow","content":[{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[329.0]},"content":[{"type":"paragraph","content":[{"text":"Bean ID / Type","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[159.0]},"content":[{"type":"paragraph","content":[{"text":"Default","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[242.0]},"content":[{"type":"paragraph","content":[{"text":"Description","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[329.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.authn.DuoOIDC.NonBrowser.DuoIntegration","type":"text"}]},{"type":"paragraph","content":[{"text":"DuoIntegration","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-duo.cgi/net.shibboleth.idp.authn.duo.DuoIntegration"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[159.0]},"content":[{"type":"paragraph","content":[{"text":"Derived from properties in ","type":"text"},{"text":"conf/authn/duo-oidc.properties","type":"text","marks":[{"type":"em"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[242.0]},"content":[{"type":"paragraph","content":[{"text":"Defines a single/static Duo AuthAPI integration for non-browser support","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[329.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.authn.DuoOIDC.NonBrowser.DuoIntegrationStrategy","type":"text"}]},{"type":"paragraph","content":[{"text":"Function","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.util.function.Function"}}]},{"text":"<","type":"text"},{"text":"ProfileRequestContext","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-opensaml.cgi/org.opensaml.profile.context.ProfileRequestContext"}}]},{"text":",","type":"text"},{"text":"DuoIntegration","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-duo.cgi/net.shibboleth.idp.authn.duo.DuoIntegration"}}]},{"text":">","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[159.0]},"content":[{"type":"paragraph","content":[{"type":"hardBreak"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[242.0]},"content":[{"type":"paragraph","content":[{"text":"Optional bean to supply the Duo AuthAPI integration settings dynamically","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[329.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.authn.DuoOIDC.NonBrowser.HttpClient","type":"text"}]},{"type":"paragraph","content":[{"text":"HttpClient","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[159.0]},"content":[{"type":"paragraph","content":[{"text":"Internal/default HttpClient instance","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[242.0]},"content":[{"type":"paragraph","content":[{"text":"Overrides the HttpClient implementation and settings to use for the AuthAPI (see ","type":"text"},{"text":"HttpClientConfiguration","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199510442"}}]},{"text":")","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[329.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.authn.DuoOIDC.NonBrowser.HttpClientSecurityParameters","type":"text"}]},{"type":"paragraph","content":[{"text":"HttpClientSecurityParameters","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-opensaml.cgi/org.opensaml.security.httpclient.HttpClientSecurityParameters"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[159.0]},"content":[{"type":"paragraph","content":[{"type":"hardBreak"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[242.0]},"content":[{"type":"paragraph","content":[{"text":"Custom security settings for the AuthAPI calls (see ","type":"text"},{"text":"HttpClientConfiguration","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199510442"}}]},{"text":")","type":"text"}]}]}]}]}]},{"type":"expand","attrs":{"title":"Properties (DuoOIDC-Specific)"},"content":[{"type":"paragraph","content":[{"text":"The DuoOIDC-specific properties defined in ","type":"text"},{"text":"conf/authn/duo-oidc.properties","type":"text","marks":[{"type":"em"}]},{"text":" follow:","type":"text"}]},{"type":"table","attrs":{"layout":"full-width","localId":"21c725e8-8188-4ce1-a63c-6f1739ddd224"},"content":[{"type":"tableRow","content":[{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[241.0]},"content":[{"type":"paragraph","content":[{"text":"Name","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[133.0]},"content":[{"type":"paragraph","content":[{"text":"Default","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[356.0]},"content":[{"type":"paragraph","content":[{"text":"Description","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[241.0]},"content":[{"type":"paragraph","content":[{"text":"idp.duo.oidc.apiHost","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[133.0]},"content":[{"type":"paragraph"}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[356.0]},"content":[{"type":"paragraph","content":[{"text":"DuoOIDC API hostname assigned to the integration","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[241.0]},"content":[{"type":"paragraph","content":[{"text":"idp.duo.oidc.clientId","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[133.0]},"content":[{"type":"paragraph"}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[356.0]},"content":[{"type":"paragraph","content":[{"text":"The OAuth 2.0 Client Identifier valid at the Authorization Server","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[241.0]},"content":[{"type":"paragraph","content":[{"text":"idp.duo.oidc.redirectURL","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[133.0]},"content":[{"type":"paragraph"}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[356.0]},"content":[{"type":"paragraph","content":[{"text":"Redirection URI to which the 2FA response will be sent","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[241.0]},"content":[{"type":"paragraph","content":[{"text":"idp.duo.oidc.redirecturl.allowedOrigins","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[133.0]},"content":[{"type":"paragraph","content":[{"type":"hardBreak"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[356.0]},"content":[{"type":"paragraph","content":[{"text":"If the ","type":"text"},{"text":"idp.duo.oidc.redirectURL","type":"text","marks":[{"type":"em"}]},{"text":" is not set, one will be computed dynamically and checked against this list of allowed origins - to prevent Http Host Header injection.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[241.0]},"content":[{"type":"paragraph","content":[{"text":"idp.duo.oidc.secretKey","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[133.0]},"content":[{"type":"paragraph","content":[{"type":"hardBreak"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[356.0]},"content":[{"type":"paragraph","content":[{"text":"The client secret used to verify the client in exchanging the authorization code for a Duo 2FA result token (id_token).","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[241.0]},"content":[{"type":"paragraph","content":[{"text":"idp.duo.oidc.endpoint.health","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[133.0]},"content":[{"type":"paragraph","content":[{"text":"/oauth/v1/health_check","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[356.0]},"content":[{"type":"paragraph","content":[{"text":"Duo's OAuth 2.0 health check endpoint","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[241.0]},"content":[{"type":"paragraph","content":[{"text":"idp.duo.oidc.endpoint.token","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[133.0]},"content":[{"type":"paragraph","content":[{"text":"/oauth/v1/token","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[356.0]},"content":[{"type":"paragraph","content":[{"text":"Duo's OAuth 2.0 token endpoint","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[241.0]},"content":[{"type":"paragraph","content":[{"text":"idp.duo.oidc.endpoint.authorize","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[133.0]},"content":[{"type":"paragraph","content":[{"text":"/oauth/v1/authorize","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[356.0]},"content":[{"type":"paragraph","content":[{"text":"Duo's OAuth 2.0 authorization endpoint","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[241.0]},"content":[{"type":"paragraph","content":[{"text":"idp.duo.oidc.jwt.verifier.clockSkew","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[133.0]},"content":[{"type":"paragraph","content":[{"text":"PT60S","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[356.0]},"content":[{"type":"paragraph","content":[{"text":"Leeway allowed in token expiry calculations","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[241.0]},"content":[{"type":"paragraph","content":[{"text":"idp.duo.oidc.jwt.verifier.iatWindow","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[133.0]},"content":[{"type":"paragraph","content":[{"text":"PT60S","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[356.0]},"content":[{"type":"paragraph","content":[{"text":"Maximum amount (in either direction from now) of duration for which a token is valid after it is issued","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[241.0]},"content":[{"type":"paragraph","content":[{"text":"idp.duo.oidc.jwt.verifier.issuerPath","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[133.0]},"content":[{"type":"paragraph","content":[{"text":"/oauth/v1/token","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[356.0]},"content":[{"type":"paragraph","content":[{"text":"The path component of the Duo token issuer. The full issuer string takes the format: HTTPS://+","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[241.0]},"content":[{"type":"paragraph","content":[{"text":"idp.duo.oidc.jwt.verifier.preferredUsername","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[133.0]},"content":[{"type":"paragraph","content":[{"text":"preferred_username","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[356.0]},"content":[{"type":"paragraph","content":[{"text":"The result token JWT claim name that represents the username sent in the duo_uname field in the authorization request.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[241.0]},"content":[{"type":"paragraph","content":[{"text":"idp.duo.oidc.jwt.verifier.authLifetime","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[133.0]},"content":[{"type":"paragraph","content":[{"text":"PT60S","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[356.0]},"content":[{"type":"paragraph","content":[{"text":"How long the authentication is valid. Only applies to forced authentication requests.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":3,"rowspan":1,"colwidth":[241.0,133.0,356.0]},"content":[{"type":"paragraph","content":[{"text":"The properties below are used when enabling non-browser / AuthAPI support:","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[241.0]},"content":[{"type":"paragraph","content":[{"text":"idp.duo.oidc.nonbrowser.apiHost","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[133.0]},"content":[{"type":"paragraph","content":[{"text":"${idp.duo.oidc.apiHost}","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[356.0]},"content":[{"type":"paragraph","content":[{"text":"Duo AuthAPI hostname assigned to the integration","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[241.0]},"content":[{"type":"paragraph","content":[{"text":"idp.duo.oidc.nonbrowser.integrationKey","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[133.0]},"content":[{"type":"paragraph"}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[356.0]},"content":[{"type":"paragraph","content":[{"text":"Duo AuthAPI integration key (supplied by Duo)","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[241.0]},"content":[{"type":"paragraph","content":[{"text":"idp.duo.oidc.nonbrowser.secretKey","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[133.0]},"content":[{"type":"paragraph"}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[356.0]},"content":[{"type":"paragraph","content":[{"text":"Duo AuthAPI secret key (supplied by Duo)","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[241.0]},"content":[{"type":"paragraph","content":[{"text":"idp.duo.oidc.nonbrowser.header.factor","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[133.0]},"content":[{"type":"paragraph","content":[{"text":"X-Shibboleth-Duo-Factor","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[356.0]},"content":[{"type":"paragraph","content":[{"text":"Name of HTTP request header for Duo AuthAPI factor","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[241.0]},"content":[{"type":"paragraph","content":[{"text":"idp.duo.oidc.nonbrowser.header.device","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[133.0]},"content":[{"type":"paragraph","content":[{"text":"X-Shibboleth-Duo-Device","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[356.0]},"content":[{"type":"paragraph","content":[{"text":"Name of HTTP request header for Duo AuthAPI device ID or name","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[241.0]},"content":[{"type":"paragraph","content":[{"text":"idp.duo.oidc.nonbrowser.header.passcode","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[133.0]},"content":[{"type":"paragraph","content":[{"text":"X-Shibboleth-Duo-Passcode","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[356.0]},"content":[{"type":"paragraph","content":[{"text":"Name of HTTP request header for Duo AuthAPI passcode","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[241.0]},"content":[{"type":"paragraph","content":[{"text":"idp.duo.oidc.nonbrowser.auto","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[133.0]},"content":[{"type":"paragraph","content":[{"text":"true","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[356.0]},"content":[{"type":"paragraph","content":[{"text":"Allow the factor to be defaulted in as \"auto\" if no headers are received","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[241.0]},"content":[{"type":"paragraph","content":[{"text":"idp.duo.oidc.nonbrowser.clientAddressTrusted","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[133.0]},"content":[{"type":"paragraph","content":[{"text":"true","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[356.0]},"content":[{"type":"paragraph","content":[{"text":"Pass client address to Duo in API calls to support logging, push display, and network-based Duo policies","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[241.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.DuoOIDC.addDefaultPrincipals ","type":"text"},{"text":"1.3.0","type":"text","marks":[{"type":"subsup","attrs":{"type":"sup"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[133.0]},"content":[{"type":"paragraph","content":[{"text":"true","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[356.0]},"content":[{"type":"paragraph","content":[{"text":"If set to false this will prevent the addition of the default principals even if a ","type":"text"},{"text":"ContextToPrincipalMappingStrategy","type":"text","marks":[{"type":"em"}]},{"text":" is not set. Previous to 1.3.0 if the ","type":"text"},{"text":"ContextToPrincipalMappingStrategy","type":"text","marks":[{"type":"em"}]},{"text":" was not set, the default principals would always have been added, you can now control that by setting this to false.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[241.0]},"content":[{"type":"paragraph","content":[{"text":"idp.duo.oidc.healthcheck.enabled ","type":"text"},{"text":"1.3.0","type":"text","marks":[{"type":"subsup","attrs":{"type":"sup"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[133.0]},"content":[{"type":"paragraph","content":[{"text":"true","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[356.0]},"content":[{"type":"paragraph","content":[{"text":"Perform the Duo health check for every 2FA request? Defaults to true because this is the standard Duo workflow. ","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[241.0]},"content":[{"type":"paragraph","content":[{"text":"idp.duo.oidc.audit.enabled ","type":"text"},{"text":"1.3.0","type":"text","marks":[{"type":"subsup","attrs":{"type":"sup"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[133.0]},"content":[{"type":"paragraph","content":[{"text":"false","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[356.0]},"content":[{"type":"paragraph","content":[{"text":"Enable Duo audit logging.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[241.0]},"content":[{"type":"paragraph","content":[{"text":"idp.duo.oidc.audit.format ","type":"text"},{"text":"1.4.0","type":"text","marks":[{"type":"subsup","attrs":{"type":"sup"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[133.0]},"content":[{"type":"paragraph","content":[{"text":"%AAF|%a|%T|%DuoU|%DuoRedirect|%DuoCID|%DuoReqS|%DuoRespS|%DuoTXID|%DuoDID|%DuoDN|%DuoR|%DuoF","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[356.0]},"content":[{"type":"paragraph","content":[{"text":"The audit format to use for audit log statements.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[241.0]},"content":[{"type":"paragraph","content":[{"text":"idp.duo.oidc.audit.category ","type":"text"},{"text":"1.4.0","type":"text","marks":[{"type":"subsup","attrs":{"type":"sup"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[133.0]},"content":[{"type":"paragraph","content":[{"text":"Shibboleth-Audit.DuoOIDC ","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[356.0]},"content":[{"type":"paragraph","content":[{"text":"The audit logging category to use","type":"text"}]}]}]}]}]},{"type":"expand","attrs":{"title":"Properties (Nimbus)"},"content":[{"type":"paragraph","content":[{"text":"The below table are properties that only apply to the Shibboleth Nimbus plugin:","type":"text"}]},{"type":"table","attrs":{"layout":"full-width","localId":"9c775288-8f6c-4022-95d6-68a79768a50b"},"content":[{"type":"tableRow","content":[{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[206.0]},"content":[{"type":"paragraph","content":[{"text":"Name","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[277.0]},"content":[{"type":"paragraph","content":[{"text":"Default","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[247.0]},"content":[{"type":"paragraph","content":[{"text":"Description","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[206.0]},"content":[{"type":"paragraph","content":[{"text":"idp.duo.oidc.connectionTimeout","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[277.0]},"content":[{"type":"paragraph","content":[{"text":"defaults to the global HttpClient options in services.properties (PT1M)","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[247.0]},"content":[{"type":"paragraph","content":[{"text":"Maximum length of time to wait for the connection to be established","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[206.0]},"content":[{"type":"paragraph","content":[{"text":"idp.duo.oidc.connectionRequestTimeout","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[277.0]},"content":[{"type":"paragraph","content":[{"text":"defaults to the global HttpClient options in services.properties (PT1M)","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[247.0]},"content":[{"type":"paragraph","content":[{"text":"Maximum length of time to wait for a connection to be returned from the connection manager","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[206.0]},"content":[{"type":"paragraph","content":[{"text":"idp.duo.oidc.socketTimeout","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[277.0]},"content":[{"type":"paragraph","content":[{"text":"defaults to the global HttpClient options in services.properties (PT1M)","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[247.0]},"content":[{"type":"paragraph","content":[{"text":"Maximum period inactivity between two consecutive data packets","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[206.0]},"content":[{"type":"paragraph","content":[{"text":"idp.duo.oidc.maxConnectionsTotal","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[277.0]},"content":[{"type":"paragraph","content":[{"text":"defaults to the global HttpClient options in services.properties (100)","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[247.0]},"content":[{"type":"paragraph","content":[{"text":"Max total simultaneous connections allowed by the pooling connection manager","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[206.0]},"content":[{"type":"paragraph","content":[{"text":"idp.duo.oidc.maxConnectionsPerRoute","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[277.0]},"content":[{"type":"paragraph","content":[{"text":"defaults to the global HttpClient options in services.properties (100)","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[247.0]},"content":[{"type":"paragraph","content":[{"text":"Max simultaneous connections per route allowed by the pooling connection manager","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[206.0]},"content":[{"type":"paragraph","content":[{"text":"idp.duo.oidc.nimbus.checkRevocation","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[277.0]},"content":[{"type":"paragraph","content":[{"text":"false","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[247.0]},"content":[{"type":"paragraph","content":[{"text":"To enable certificate revocation checking. See ","type":"text"},{"text":"Certificate Revocation Checking","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki#DuoOIDCAuthnConfiguration-duo-oidc-rev-checking"}}]}]}]}]}]}]},{"type":"expand","attrs":{"title":"Properties (General)"},"content":[{"type":"paragraph","content":[{"text":"The general properties configuring this flow via ","type":"text"},{"text":"authn/authn.properties","type":"text","marks":[{"type":"em"}]},{"text":" are:","type":"text"}]},{"type":"table","attrs":{"layout":"full-width","localId":"b2c8f002-b82b-441f-9b64-6b369a913fcc"},"content":[{"type":"tableRow","content":[{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[255.0]},"content":[{"type":"paragraph","content":[{"text":"Name","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[208.0]},"content":[{"type":"paragraph","content":[{"text":"Default","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[267.0]},"content":[{"type":"paragraph","content":[{"text":"Description","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[255.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.DuoOIDC.order","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[208.0]},"content":[{"type":"paragraph","content":[{"text":"1000","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[267.0]},"content":[{"type":"paragraph","content":[{"text":"Flow priority relative to other enabled login flows (lower is \"higher\" in priority)","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[255.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.DuoOIDC.nonBrowserSupported","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[208.0]},"content":[{"type":"paragraph","content":[{"text":"false","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[267.0]},"content":[{"type":"paragraph","content":[{"text":"Whether the flow should handle non-browser request profiles (e.g., ECP)","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[255.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.DuoOIDC.passiveAuthenticationSupported","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[208.0]},"content":[{"type":"paragraph","content":[{"text":"false","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[267.0]},"content":[{"type":"paragraph","content":[{"text":"Whether the flow allows for passive authentication","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[255.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.DuoOIDC.forcedAuthenticationSupported","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[208.0]},"content":[{"type":"paragraph","content":[{"text":"true","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[267.0]},"content":[{"type":"paragraph","content":[{"text":"Whether the flow supports forced authentication","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[255.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.DuoOIDC.proxyRestrictionsEnforced","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[208.0]},"content":[{"type":"paragraph","content":[{"text":"%{idp.authn.enforceProxyRestrictions:true}","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[267.0]},"content":[{"type":"paragraph","content":[{"text":"Whether the flow enforces upstream IdP-imposed restrictions on proxying","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[255.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.DuoOIDC.proxyScopingEnforced","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[208.0]},"content":[{"type":"paragraph","content":[{"text":"false","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[267.0]},"content":[{"type":"paragraph","content":[{"text":"Whether the flow considers itself to be proxying, and therefore enforces SP-signaled restrictions on proxying","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[255.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.DuoOIDC.discoveryRequired","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[208.0]},"content":[{"type":"paragraph","content":[{"text":"false","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[267.0]},"content":[{"type":"paragraph","content":[{"text":"Whether to invoke IdP-discovery prior to running flow","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[255.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.DuoOIDC.lifetime","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[208.0]},"content":[{"type":"paragraph","content":[{"text":"%{idp.authn.defaultLifetime:PT1H}","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[267.0]},"content":[{"type":"paragraph","content":[{"text":"Lifetime of results produced by this flow","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[255.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.DuoOIDC.inactivityTimeout","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[208.0]},"content":[{"type":"paragraph","content":[{"text":"%{idp.authn.defaultTimeout:PT30M}","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[267.0]},"content":[{"type":"paragraph","content":[{"text":"Inactivity timeout of results produced by this flow","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[255.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.DuoOIDC.reuseCondition","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[208.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.Conditions.TRUE","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[267.0]},"content":[{"type":"paragraph","content":[{"text":"Bean ID of ","type":"text"},{"text":"Predicate","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.util.function.Predicate"}}]},{"text":"<","type":"text"},{"text":"ProfileRequestContext","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-opensaml.cgi/org.opensaml.profile.context.ProfileRequestContext"}}]},{"text":"> controlling result reuse for SSO","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[255.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.DuoOIDC.activationCondition","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[208.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.Conditions.TRUE","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[267.0]},"content":[{"type":"paragraph","content":[{"text":"Bean ID of ","type":"text"},{"text":"Predicate","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.util.function.Predicate"}}]},{"text":"<","type":"text"},{"text":"ProfileRequestContext","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-opensaml.cgi/org.opensaml.profile.context.ProfileRequestContext"}}]},{"text":"> determining whether flow is usable for request","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[255.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.DuoOIDC.subjectDecorator","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[208.0]},"content":[{"type":"paragraph","content":[{"type":"hardBreak"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[267.0]},"content":[{"type":"paragraph","content":[{"text":"Bean ID of ","type":"text"},{"text":"BiConsumer","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.util.function.BiConsumer"}}]},{"text":"<","type":"text"},{"text":"ProfileRequestContext","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-opensaml.cgi/org.opensaml.profile.context.ProfileRequestContext"}}]},{"text":",","type":"text"},{"text":"Subject","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/javax.security.auth.Subject"}}]},{"text":"> for subject customization","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[255.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.DuoOIDC.supportedPrincipals","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[208.0]},"content":[{"type":"paragraph","content":[{"text":"(see below)","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[267.0]},"content":[{"type":"paragraph","content":[{"text":"Comma-delimited list of protocol-specific ","type":"text"},{"text":"Principal","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.security.Principal"}}]},{"text":" strings associated with flow","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[255.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.DuoOIDC.addDefaultPrincipals ","type":"text"},{"text":"1.3.0","type":"text","marks":[{"type":"subsup","attrs":{"type":"sup"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[208.0]},"content":[{"type":"paragraph","content":[{"text":"true","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[267.0]},"content":[{"type":"paragraph","content":[{"text":"Whether to auto-attach the preceding set of ","type":"text"},{"text":"Principal","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.security.Principal"}}]},{"text":" objects to each ","type":"text"},{"text":"Subject","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/javax.security.auth.Subject"}}]},{"text":" produced by this flow","type":"text"}]}]}]}]},{"type":"paragraph","content":[{"text":"As a non-password based flow, the supportedPrincipals property defaults to the following XML: ","type":"text"}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"\n \n \n","type":"text"}]},{"type":"paragraph","content":[{"text":"In property form, this is expressed as:","type":"text"}]},{"type":"paragraph","content":[{"text":"idp.authn.DuoOIDC.supportedPrincipals = saml2/http://example.org/ac/classes/mfa, saml1/http://example.org/ac/classes/mfa","type":"text","marks":[{"type":"code"}]}]},{"type":"paragraph","content":[{"text":"However, this default is (obviously) intended purely as an illustrative example of how to define your own values, as there are no standard ones to use.","type":"text"}]}]},{"type":"expand","attrs":{"title":"Flow Descriptor XML"},"content":[{"type":"paragraph","content":[{"text":"To replace the internally defined flow descriptor bean, the following XML is required:","type":"text"}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"\n \n \n \n \n \n \n \n","type":"text"}]},{"type":"paragraph","content":[{"text":"In older versions and upgraded systems, this list is defined in ","type":"text"},{"text":"conf/authn/general-authn.xml","type":"text","marks":[{"type":"em"}]},{"text":". In V4.1+, no default version of the list is provided and it may simply be placed in ","type":"text"},{"text":"conf/global.xml","type":"text","marks":[{"type":"em"}]},{"text":" if needed.","type":"text"}]}]},{"type":"paragraph"}],"version":1}

Browser not supported