Deep Dive Topic: Using Two-Step Login with Shibboleth SSO

Overview

This article explains how to use Duo as a second factor of authentication when logging into services that use Shibboleth Single Sign-On (SSO).

Its intended audience is IT staff and power users comfortable with the concept of cookies.

The Two-Step Login with Shibboleth SSO service requires both a password and a second factor of authentication when accessing Shibboleth SSO services, providing additional protection for your online identity. The service is applied per user, not per service. Once a user is enrolled, they will rely on the Duo second factor for every Shibboleth service provider site they visit.

Information

Enrollment

The service has been rolled out to all University of Oregon faculty, staff, graduate employees (GEs), and students.

Authentication Flow

When you access Shibboleth service providers you will continue to be presented with the username and password request window as shown below:

Image Description: This image shows the white-on-green "University of Oregon" text at the top. Below this is the black-on-yellow "Login Required" text. Below this, the window has a field to capture "Username" and a field to capture "Password". Below these is a white-on-green "Login" button used to submit your credentials.

Once you log in successfully with your credentials, you will be presented with a Duo screen. This example shows the Verified Push prompt.

Duo Mobile Verified Push
Image Description: This image shows the Duo Universal Prompt Verified Push screen, which includes an Other options link for choosing the Duo second-factor device you would like to use.

The Other options link allows you to pick the Duo device you would like to use for the second factor; this can be any of the devices you have registered. Adding or managing registered methods is also done from the Duo prompt. More information on registering devices can be found in the related article How to register and manage devices for Duo.

Once you have authenticated, you will be prompted to choose whether the device is trustworthy.

Is this your device? prompt

  • If you select the Yes, this is my device option, Duo will remember that device for future login attempts for seven days.
  • If you select No, other people use this device option, Duo will remember that the device cannot be trusted for 14 days.

For more information, please consult the Remember me with Duo Universal Prompt article.

Shibboleth Cookie

To allow for single sign-on, a cookie is stored in your web browser when you authenticate with Shibboleth. This cookie is set to expire after thirty consecutive minutes of non-use or one hour after creation, whichever comes first. The cookie is used when you visit subsequent service providers that rely on Shibboleth authentication: Shibboleth confirms your identity by the presence of the active cookie instead of prompting you to re-enter your credentials. Because the cookie alone is what Shibboleth checks, anyone who can use that browser profile while the cookie is valid inherits your session, so lock or close the browser when you step away from a shared machine. These basic Shibboleth SSO settings have not been changed for the Shibboleth with Duo service.

Duo Cookie

Duo also uses a cookie in your browser to remember when you last successfully authenticated with Duo. When you select the Yes, this is my device button, described in the Authentication Flow section above, a cookie is stored in your web browser with an expiration date seven days in the future. Until that cookie expires, later logins from the same browser skip the Duo second-factor prompt; you will still be asked for your password whenever the Shibboleth session cookie described above has expired.

When you next authenticate after the seven days have elapsed, the Duo prompt shows a Remember me checkbox, already checked, to trust the device for another seven days. Unchecking the box stores an untrusted cookie instead, and the device will not be trusted for 14 days.
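To make the two lifetimes concrete, the following Python replays a sequence of visits against the Shibboleth limits (30 minutes idle or 1 hour since creation, whichever comes first) and evaluates the Duo remembered-device cookie (7 days trusted, 14 days untrusted). This is an added illustration, not code from the article, from Duo or from the Shibboleth IdP; the visit timestamps are constructed, and treating an unexpired untrusted cookie as suppressing only the "Is this your device?" question while the second factor is still required is an assumption drawn from the wording above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Lifetimes as stated in the article. This is a model of the described
# behaviour, not the IdP's or Duo's actual configuration.
SHIB_IDLE_TIMEOUT = timedelta(minutes=30)   # 30 consecutive minutes of non-use
SHIB_MAX_LIFETIME = timedelta(hours=1)      # 1 hour after creation, whichever comes first
DUO_TRUSTED_LIFETIME = timedelta(days=7)    # "Yes, this is my device"
DUO_UNTRUSTED_LIFETIME = timedelta(days=14) # "No, other people use this device"


@dataclass
class ShibSession:
    created: datetime
    last_used: datetime

    def is_active(self, now: datetime) -> bool:
        """Active only while BOTH the idle and the absolute limit are unexpired."""
        idle_ok = (now - self.last_used) < SHIB_IDLE_TIMEOUT
        age_ok = (now - self.created) < SHIB_MAX_LIFETIME
        return idle_ok and age_ok


def replay_visits(visits: List[datetime]) -> List[str]:
    """Walk visits to Shibboleth service providers in one browser window and
    record, per visit, whether it was served by SSO or forced a fresh login.
    Each successful use slides the idle window; the creation time never moves."""
    session: Optional[ShibSession] = None
    outcome = []
    for t in visits:
        if session is not None and session.is_active(t):
            session.last_used = t          # sliding idle window
            outcome.append("sso")
        else:
            session = ShibSession(created=t, last_used=t)
            outcome.append("login")
    return outcome


@dataclass
class DuoDeviceCookie:
    set_at: datetime
    trusted: bool

    def expires_at(self) -> datetime:
        life = DUO_TRUSTED_LIFETIME if self.trusted else DUO_UNTRUSTED_LIFETIME
        return self.set_at + life


def duo_decision(cookie: Optional[DuoDeviceCookie], now: datetime) -> Tuple[bool, bool]:
    """Return (second_factor_required, ask_is_this_your_device).
    - no cookie or expired cookie: full second factor, then the question is asked
    - unexpired trusted cookie: second factor skipped entirely
    - unexpired untrusted cookie: second factor required, question suppressed
      (assumption about how the untrusted cookie behaves)"""
    if cookie is None or now >= cookie.expires_at():
        return True, True
    if cookie.trusted:
        return False, False
    return True, False


# Constructed sample: visits in one Firefox window on a single morning.
SAMPLE_VISITS = [
    datetime(2024, 2, 28, 9, 0),    # first visit: login
    datetime(2024, 2, 28, 9, 20),   # idle 20 min, age 20 min: SSO
    datetime(2024, 2, 28, 9, 45),   # idle 25 min, age 45 min: SSO
    datetime(2024, 2, 28, 10, 5),   # idle 20 min but age 65 min: login (absolute limit)
    datetime(2024, 2, 28, 10, 40),  # idle 35 min: login (idle limit)
]

if __name__ == "__main__":
    for t, result in zip(SAMPLE_VISITS, replay_visits(SAMPLE_VISITS)):
        print(t.strftime("%H:%M"), result)
    trusted = DuoDeviceCookie(set_at=datetime(2024, 2, 28, 10, 0), trusted=True)
    print(duo_decision(trusted, datetime(2024, 3, 6, 9, 0)))   # still trusted
    print(duo_decision(trusted, datetime(2024, 3, 6, 10, 0)))  # expired: prompt and ask again
```

The point the replay makes is that the absolute one-hour cap fires at 10:05 even though the session had been used only 20 minutes earlier, so a busy user is re-prompted for the password hourly regardless of activity, while the Duo cookie continues to suppress the second factor for the full seven days.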

Cookie Jars

Your web browser has a public and a private space, each with its own cookie jar. The Shibboleth and Duo cookies are stored in the cookie jar of the space you are using at the time of authentication. If you subsequently move to a different space or a different browser, you will be required to sign in again with Shibboleth and Duo.

Cookie jar example

Let's examine the case wherein you have the following four browser windows all running at the same time:

  • Chrome browser window
  • Chrome Incognito browser window
  • Firefox browser window
  • Firefox Private browser window

If you log into Confluence, authenticating with Shibboleth and Duo, while using your Firefox browser window, the cookies will be stored in the Firefox public cookie jar, and you will experience single sign-on when subsequently visiting other Shibboleth service providers from the same Firefox browser window. You will not experience single sign-on in the other three browser windows until you authenticate in each of those spaces, which creates new cookies within those cookie jars.

Remember that Chrome Incognito and Firefox Private modes both delete your cookies when you close the browser window, even cookies with a future expiration date. Likewise, in the public Chrome and Firefox windows your cookies will be deleted if you clear them manually using the browser's settings or through third-party extensions and plug-ins, after which you will need to sign in with Shibboleth and Duo again.

Request Help

To submit questions or report problems with the Two-Step Login with Shibboleth SSO service, please proceed to the UO Service Portal.

Details

Article ID: 71026
Created
Mon 1/28/19 8:44 PM
Modified
Wed 2/28/24 4:34 PM