Deep Dive Topic: Using Two-Step Login with Shibboleth SSO


This article explains how to use Duo as a second factor of authentication when logging into services that use Shibboleth Single Sign-On (SSO).

Its intended audience is IT staff and power users comfortable with the concept of cookies.

The Two-Step Login with Shibboleth SSO service requires both a password and a second factor of authentication when accessing Shibboleth SSO services, providing additional protection for your online identity. The service is applied per user, not per service: once a user is enrolled, they will be asked for Duo second-factor authentication at every Shibboleth service provider site they visit.



The service has been rolled out to all University of Oregon faculty, staff, graduate employees (GEs), and students.

Authentication Flow

When you access a Shibboleth service provider, you will continue to be presented with the username and password request window shown below:

Image Description:  This image shows the white-on-green "University of Oregon" text located at the top.  Below this is the black-on-yellow "Login Required" text.  Below this, the window has a field to capture "Username" and a field to capture "Password".  Below these is a white-on-green "Login" button used to submit your credentials.


Once you log in successfully with your credentials, you will be presented with the Duo screen as shown below:

Image Description:  This image shows the Duo selection box, which allows the user to select the Duo second-factor device they would like to use and to choose an authentication method, including "Send Me a Push", "Call Me", and "Enter a Passcode". At the bottom of the Duo selection box is a "Remember me for 7 days" check box.

This second window allows you to pick the Duo device you would like to use as your second factor. This can be any of the devices you have registered through the Duo prompt. More information on registering devices can be found in the related article How to register and manage devices for Duo.

At the bottom of this window is a check box that optionally allows Duo to remember you for the next seven days. If you check this box, you will not be prompted for your second factor from that browser during that time.

If a push is sent to your device automatically as soon as the Duo screen appears, and you are not given the chance to select the Remember me for 7 days option, auto-push is enabled on your Duo second-factor device. In any Duo prompt, click the My Settings & Devices link on the left. For the device in question, change the When I log in drop-down menu from Automatically send this device a Duo push to Ask me to choose an authentication method.

If you are presented with the message You need to enable cookies in order to remember this device when you select the Remember me for 7 days box, your browser is refusing the cookie Duo needs. The Duo prompt is served from Duo's own domain and embedded inside the UO login page, so its remember-me cookie counts as a third-party cookie and is blocked by cross-site tracking protection. Go into your browser settings and allow cookies; if your browser supports per-site exceptions, add one for the Duo prompt's domain rather than allowing third-party cookies and cross-site tracking everywhere.

Shibboleth Cookie

To allow for single sign-on, a cookie is stored in your web browser when you authenticate with Shibboleth. This cookie expires after thirty consecutive minutes of non-use or one hour after creation, whichever comes first. The cookie is presented when you visit subsequent service providers that rely on Shibboleth authentication: Shibboleth confirms your identity from the existence of the active cookie instead of prompting you to re-enter your credentials. These basic Shibboleth SSO timeouts were not changed when Duo was added to Shibboleth.

Duo Cookie

Duo also uses a cookie in your browser to remember when you last successfully authenticated with Duo. When you select the Remember me for 7 days check box, described in the Authentication Flow section above, a cookie is stored in your web browser with an expiration date seven days in the future. Until that cookie expires, logins from the same browser will still ask for your password whenever the Shibboleth session cookie has lapsed, but will skip the Duo second-factor prompt. Note that the Duo cookie only shortens the second step; it does not extend the Shibboleth session itself.

Cookie Jars

Your web browser keeps separate cookie jars for its normal (public) browsing mode and its private browsing mode, and each browser has its own jars. The Shibboleth and Duo cookies are stored in the cookie jar of the space you are using at the time of authentication. If you subsequently move to a different space (a private window, a different browser, a separate profile or container) you will be required to sign in again with Shibboleth and Duo.

Cookie jar example

Let's examine the case in which you have the following four browser windows all open at the same time:

  • Chrome browser window
  • Chrome Incognito browser window
  • Firefox browser window
  • Firefox Private browser window

If you log into Confluence, authenticating with Shibboleth and Duo, while using your Firefox browser window, the cookies will be stored in the Firefox public cookie jar and you will experience single sign-on when subsequently visiting other Shibboleth service providers from that same Firefox window. You will not experience single sign-on in the other three browser windows until you authenticate in each of those spaces, which creates new cookies within their cookie jars.

Remember that Chrome Incognito and Firefox Private modes both delete their cookies when you close the last private window, including cookies with a future-dated expiration such as the seven-day Duo cookie. Likewise, in the public Chrome and Firefox windows your cookies will be deleted if you clear them manually through the browser's settings or with third-party extensions and plug-ins, after which you will be prompted for both your password and Duo again.
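The cookie-jar rules above can be made concrete with a small simulation. The following JavaScript is an added example written for this article, not code from the University of Oregon, Shibboleth or Duo; the cookie names `_shibsession` and `duo_remember`, the `BrowserContext` class and the scenario timings are assumptions made for the illustration. It encodes the three rules the article states: a Shibboleth session cookie that lapses after 30 idle minutes or 60 minutes after creation, a Duo remember-me cookie that lasts 7 days, and one cookie jar per browsing context, discarded when a private window is closed. It then walks through the Firefox/Chrome/private-window scenario and reports which prompts each visit would trigger.

```javascript
// Added example (not from the original article). Models the Shibboleth SSO
// cookie, the Duo "Remember me for 7 days" cookie and per-context cookie jars.
// Cookie names, the BrowserContext class and the scenario are assumptions.

const MINUTE = 60 * 1000;
const SHIB_IDLE_MS = 30 * MINUTE;             // expires after 30 min of non-use ...
const SHIB_ABSOLUTE_MS = 60 * MINUTE;         // ... or 60 min after creation, whichever first
const DUO_REMEMBER_MS = 7 * 24 * 60 * MINUTE; // "Remember me for 7 days"

class BrowserContext {
  constructor(name, { isPrivate = false } = {}) {
    this.name = name;
    this.isPrivate = isPrivate;
    this.jar = new Map(); // cookie name -> { created, lastUsed, expires }
  }
  // Closing a private window discards its whole jar, even future-dated cookies.
  close() { if (this.isPrivate) this.jar.clear(); }
  // Manually clearing cookies empties a public jar too.
  clearCookies() { this.jar.clear(); }
}

// True if the Shibboleth session cookie in this jar is still usable at `now`.
// A use refreshes the idle window; the absolute limit is measured from creation.
function shibSessionActive(ctx, now) {
  const c = ctx.jar.get('_shibsession');
  if (!c) return false;
  if (now - c.lastUsed > SHIB_IDLE_MS || now - c.created > SHIB_ABSOLUTE_MS) {
    ctx.jar.delete('_shibsession');
    return false;
  }
  c.lastUsed = now;
  return true;
}

// True if a Duo remember-me cookie exists in this jar and has not expired.
function duoRemembered(ctx, now) {
  const c = ctx.jar.get('duo_remember');
  if (!c) return false;
  if (now > c.expires) { ctx.jar.delete('duo_remember'); return false; }
  return true;
}

// Simulate visiting a Shibboleth-protected service provider from `ctx` at `now`.
// Returns the prompts the user sees: [] (pure SSO), ['password'] (Duo skipped
// because of the remember-me cookie) or ['password', 'duo'].
function visitServiceProvider(ctx, now, { rememberMe = false } = {}) {
  const prompts = [];
  if (shibSessionActive(ctx, now)) return prompts;
  prompts.push('password');
  if (!duoRemembered(ctx, now)) {
    prompts.push('duo');
    if (rememberMe) {
      ctx.jar.set('duo_remember', { created: now, lastUsed: now, expires: now + DUO_REMEMBER_MS });
    }
  }
  // A successful login creates a fresh Shibboleth session cookie in this jar only.
  ctx.jar.set('_shibsession', { created: now, lastUsed: now, expires: now + SHIB_ABSOLUTE_MS });
  return prompts;
}

// The article's scenario: Firefox, Firefox Private and Chrome windows open at once.
function runScenario() {
  const t0 = Date.parse('2023-02-21T16:00:00Z'); // arbitrary start time
  const firefox = new BrowserContext('Firefox');
  const firefoxPrivate = new BrowserContext('Firefox Private', { isPrivate: true });
  const chrome = new BrowserContext('Chrome');
  const r = {};
  r.firstLogin = visitServiceProvider(firefox, t0, { rememberMe: true });               // ['password', 'duo']
  r.sameWindow = visitServiceProvider(firefox, t0 + 10 * MINUTE);                        // [] (SSO)
  r.otherBrowser = visitServiceProvider(chrome, t0 + 10 * MINUTE, { rememberMe: true }); // ['password', 'duo']
  r.privateWindow = visitServiceProvider(firefoxPrivate, t0 + 10 * MINUTE, { rememberMe: true });
  firefoxPrivate.close();                                                                // private jar wiped
  r.privateReopened = visitServiceProvider(firefoxPrivate, t0 + 11 * MINUTE);            // ['password', 'duo']
  chrome.clearCookies();                                                                 // manual clear in a public jar
  r.afterClear = visitServiceProvider(chrome, t0 + 12 * MINUTE);                         // ['password', 'duo']
  // 31 idle minutes kill the Firefox SSO cookie, but the 7-day Duo cookie still holds.
  r.afterIdle = visitServiceProvider(firefox, t0 + 41 * MINUTE);                         // ['password']
  // Using the new session every 10 minutes defeats the idle limit, not the absolute one.
  const start = t0 + 41 * MINUTE;
  for (let m = 10; m <= 60; m += 10) r.keptAlive = visitServiceProvider(firefox, start + m * MINUTE); // []
  r.absoluteExpiry = visitServiceProvider(firefox, start + 61 * MINUTE);                 // ['password']
  return r;
}

module.exports = { BrowserContext, visitServiceProvider, runScenario, SHIB_IDLE_MS, SHIB_ABSOLUTE_MS, DUO_REMEMBER_MS };
```

Run it with `node -e "console.log(require('./cookiejars.js').runScenario())"` (or inline) and compare each entry with the expectation in the trailing comment. The point to take away is the last two lines of the scenario: an SSO session that is used steadily still ends at the one-hour mark, while the Duo cookie keeps skipping the second factor for a week, so clearing or protecting that cookie, not the Shibboleth one, is what controls how long a browser stays "remembered".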

Request Help

To submit questions or report problems with the Two-Step Login with Shibboleth SSO service, please proceed to the UO Service Portal.   



Article ID: 71026
Mon 1/28/19 8:44 PM
Tue 2/21/23 4:06 PM