Child pages
  • Duo Security Outage - Responses and Planning for Future

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


  1. (need cookbooks for both CAS and Shib)
  2. It seems like the 'toggle' is something that Warren Curry, Brett Bieber and Rhian Resnick have a really good way of doing on a per-user basis, based on a live/replicated data source, that preserves authentication but can change authN context when needed, based on a service outage.
  3. Configure IdP to check group membership before prompting for Duo, and remove users from the group to bypass.
    1. Nebraska uses a CAS Duo Extension configured to check for a specific attribute value memberOf: cn=psp:orgs:idm:DuoEnabled,ou=grouper,ou=group,dc=unl,dc=edu
  4. ...





results to SPs

I.e., When the IdP is authenticating in bypass/fail-open mode, what should be sent to SPs indicating that the AuthN context is differentAuthentication process that took place didn't include MFA?

There are two basic scenarios in which this question might be asked:.