Using Two-Factor Authentication with Shibboleth
The University uses a two-factor authentication system for users who need access to its enterprise-level applications, to ensure another level of security when working with sensitive data. Learn more about two-factor authentication, and why you might need to enable it for your application, on the Duo Security Two-Factor Authentication page.
To enable Duo for use with your application, two messages need to be conveyed: an SP needs to signal the IdP that it requires Duo authentication, and the IdP needs to inform the SP whether or not Duo was actually used for a particular authentication event.
Set your SP to ask for Duo
In SAML 2, the SP asks for Duo authentication by including an AuthnContextClassRef XML element in the RequestedAuthnContext element within the SAML
Different SAML SPs manage configuration in different ways, so check your SP's documentation to determine how best to set your SP's
If you're using the Shibboleth SP, you can accomplish this by adding an authnContextClassRef parameter to your existing RequestMap element, or by setting the following configuration directive in one of your web server's .htaccess or .conf files:
Prepare your app to check for Duo authentication
At this point, your SP can ask for two-factor authentication, but no part of your application is checking to ensure two-factor authentication is successful. The IdP informs the SP that Duo was used by including an AuthnContextClassRef element inside the AuthnStatement in the SAML
<AuthnStatement AuthnInstant="2014-07-17T01:01:48Z" SessionNotOnOrAfter="2024-07-17T09:01:48Z" SessionIndex="_xxxx">
  <AuthnContext>
    <AuthnContextClassRef>https://www.umn.edu/shibboleth/classes/authncontext/duo</AuthnContextClassRef>
  </AuthnContext>
</AuthnStatement>
You may decide to handle this at the SP, at the web server, or in your application, depending on the capabilities of the SP, web server, or application you choose to use.
The Shibboleth SP can check that this is set using the <AccessControl> function in the <RequestMap> with a
This can also be accomplished with an Apache .htaccess
Require authnContextClassRef https://www.umn.edu/shibboleth/classes/authncontext/duo
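The two SP-side settings above (asking the IdP for the Duo class, and refusing sessions that do not carry it) can live together in one RequestMap entry. The following shibboleth2.xml fragment is an added example, not configuration from the page or from the University; the host name and path are placeholders, while the AuthnContext class URI is the one the page gives. Requesting the class alone does not enforce anything, which is why the inline AccessControl rule is there as well.

```xml
<!-- Added example (not from the page). Host name and path are placeholders. -->
<RequestMapper type="Native">
  <RequestMap applicationId="default">
    <Host name="app.example.umn.edu">
      <!-- Everything under /secure asks the IdP for the Duo AuthnContext class ... -->
      <Path name="secure" authType="shibboleth" requireSession="true"
            authnContextClassRef="https://www.umn.edu/shibboleth/classes/authncontext/duo">
        <!-- ... and is only served when the resulting session actually carries that class. -->
        <AccessControl>
          <Rule name="authnContextClassRef">https://www.umn.edu/shibboleth/classes/authncontext/duo</Rule>
        </AccessControl>
      </Path>
    </Host>
  </RequestMap>
</RequestMapper>
```

For deployments that keep per-location settings in Apache rather than in the RequestMap, the SP's ShibRequestSetting directive (for example `ShibRequestSetting authnContextClassRef <uri>`) sets the same content setting, and the page's `Require authnContextClassRef` line plays the role of the AccessControl rule.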
To see if Duo authentication was successful in your application, check either of the environment variables
Shib-AuthnContext-Class. The value should be “https://www.umn.edu/shibboleth/classes/authncontext/duo”. The Shibboleth SP populates both variables with the same information, so either can be used.
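An application-level check of the kind described above, written here as an added example rather than code from the page or from the University. It assumes the SP exposes Shib-AuthnContext-Class as a process environment variable (CGI or embedded mod_wsgi style); a WSGI application would pass its request environ instead of relying on os.environ. The comparison is exact string equality, so a different class URI that merely shares the prefix is not accepted.

```python
"""Added example (not from the page): confirm in the application that the
Shibboleth SP reported Duo for the current session."""
import os

# AuthnContext class URI the IdP asserts when Duo was used (value given on the page).
DUO_CLASS = "https://www.umn.edu/shibboleth/classes/authncontext/duo"


def duo_was_used(environ=None):
    """Return True only when Shib-AuthnContext-Class carries exactly the Duo class URI.

    `environ` defaults to os.environ (CGI / embedded mod_wsgi); a WSGI handler
    should pass its own request environ. Exact match on purpose: a prefix or
    substring test could be satisfied by another class under the same namespace.
    """
    env = os.environ if environ is None else environ
    return env.get("Shib-AuthnContext-Class", "").strip() == DUO_CLASS


def require_duo(environ=None):
    """Raise PermissionError unless Duo was used; call at the top of protected handlers."""
    if not duo_was_used(environ):
        raise PermissionError("two-factor (Duo) authentication required")


if __name__ == "__main__":
    # Constructed sample environments standing in for what the SP would populate.
    with_duo = {"Shib-AuthnContext-Class": DUO_CLASS}
    password_only = {
        "Shib-AuthnContext-Class":
            "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
    }
    print("Duo session:", duo_was_used(with_duo))          # True
    print("Password-only session:", duo_was_used(password_only))  # False
```

Environment variables populated by the SP module cannot be supplied by the remote client, which is what makes this check trustworthy; if an SP is instead configured to pass attributes as HTTP request headers, the deployment must rely on the SP's header-clearing behaviour before the application treats such a header as authoritative.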