The right answer depends on tolerance for risk (in terms of less-secure authentication, as well as loss of the authentication service itself) and what price you're willing to pay. Those applications that must remain protected (HIPAA, FISMA Moderate, in their opinion) remain protected during an incident. However, the much larger (generally speaking) user base of self-service and less secure applications can continue to operate during an event.

Fail-open becomes more defensible as a steady state if the IdP accurately reports the authentication mechanism used. This provides a middle-of-the-road solution: protect that which "must" be protected and allow those with lower risk profiles to continue to operate.

A few solutions were offered to support a fail-open integration, to allow AuthN to continue in a weakened state:

- Applications would be able to drop specific assertions or access requests on their own, above and beyond what the IAM system enforces, but users who had opted in to two-factor wouldn't be locked out of everything.
- The 'toggle' is something that Warren Curry, Brett Bieber and Rhian Resnick seem to have a really good way of doing on a per-user basis, based on a live/replicated data source, that preserves authentication but can change the authN context when needed during a service outage.
- Configure the IdP to check group membership before prompting for Duo, and remove users from the group to bypass it.
- Nebraska uses a CAS Duo Extension configured to check for a specific attribute value: memberOf: cn=psp:orgs:idm:DuoEnabled,ou=grouper,ou=group,dc=unl,dc=edu.
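The group-based toggle and the "report the mechanism actually used" point above combine into a small policy that can be shown end to end. The following is an added example, not the Nebraska CAS Duo extension nor code from any of the people named in the thread: the IdP side decides whether to invoke Duo from group membership and the outage policy, asserts a password-only context when it fails open, and the SP side decides whether that assertion is good enough for its risk class. The group DN is the one from the page; the two authn-context URIs, the attribute layout and the sample users are assumptions constructed for the example.

```python
"""Per-user second-factor toggle with fail-open, where the IdP still reports
the mechanism actually used and the SP decides what to accept. Added example;
not the Nebraska CAS Duo extension nor any code from the thread's authors.
The group DN is the page's; the context URIs and attribute layout are
assumptions for the example."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Group that opts a user in to Duo (taken from the page's memberOf value).
DUO_GROUP = "cn=psp:orgs:idm:DuoEnabled,ou=grouper,ou=group,dc=unl,dc=edu"

# Assumed authn-context URIs: REFEDS MFA once Duo succeeded, the SAML
# password class when the login finished on password alone.
CTX_MFA = "https://refeds.org/profile/mfa"
CTX_PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"


@dataclass
class Decision:
    prompt_duo: bool      # invoke Duo for this login?
    authn_context: str    # context the IdP will assert if the login completes
    reason: str


def decide_second_factor(user_attrs: dict, duo_healthy: bool, fail_open: bool) -> Decision:
    """IdP side: the toggle. Duo applies only to DUO_GROUP members; an outage
    either degrades to password (fail-open) or blocks the login (fail-closed)."""
    opted_in = DUO_GROUP in user_attrs.get("memberOf", [])
    if not opted_in:
        return Decision(False, CTX_PASSWORD, "not in Duo group")
    if duo_healthy:
        return Decision(True, CTX_MFA, "Duo healthy; second factor required")
    if fail_open:
        # Degrade, but do not lie: the SP is told this was password only.
        return Decision(False, CTX_PASSWORD, "Duo outage; fail-open to password")
    raise PermissionError("Duo outage; fail-closed policy blocks login")


def sp_accepts(asserted_context: str, requires_mfa: bool) -> bool:
    """SP side: a protected application drops assertions without MFA context;
    a lower-risk one keeps working on password-only logins during the outage."""
    return (not requires_mfa) or asserted_context == CTX_MFA


def login(user_attrs: dict, duo_healthy: bool, fail_open: bool,
          requires_mfa: bool, duo_succeeds: bool = True) -> Tuple[bool, Optional[str]]:
    """End to end: IdP decision, simulated Duo prompt, SP check.
    Returns (access granted, context the IdP asserted, or None if no assertion)."""
    try:
        d = decide_second_factor(user_attrs, duo_healthy, fail_open)
    except PermissionError:
        return False, None
    if d.prompt_duo and not duo_succeeds:
        return False, None          # second factor failed; no assertion issued
    return sp_accepts(d.authn_context, requires_mfa), d.authn_context


if __name__ == "__main__":
    # Constructed sample users: one opted in to Duo, one not.
    alice = {"uid": "alice", "memberOf": [DUO_GROUP, "cn=staff,ou=group,dc=unl,dc=edu"]}
    bob = {"uid": "bob", "memberOf": ["cn=students,ou=group,dc=unl,dc=edu"]}
    for name, user in (("alice", alice), ("bob", bob)):
        for duo_up in (True, False):
            granted, ctx = login(user, duo_up, fail_open=True, requires_mfa=True)
            print(f"{name}: duo_up={duo_up} protected app -> granted={granted} ctx={ctx}")
            granted, ctx = login(user, duo_up, fail_open=True, requires_mfa=False)
            print(f"{name}: duo_up={duo_up} low-risk app  -> granted={granted} ctx={ctx}")
```

The point to check in any real deployment of the group approach is the one `decide_second_factor` makes explicit: pulling a user out of the Duo group (or flipping an outage toggle) must also change what the IdP asserts, otherwise a protected SP cannot tell a degraded login from a real second factor.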
- Choosing an approach – fail-open vs fail-closed – and the implications of choosing each.
- Different Duo services – the Duo iFrame (Web SDK integration) vs use of the API – and which endpoint to monitor depending on how a site is using Duo.

Based on today's incident, it appears that you should at least perform an HTTP GET on some API host resource and alert on slow responses and/or error status codes. I didn't see any data in the thread on how to actually do the monitoring, so I asked Duo in a support ticket and they recommended a particular link on the API host to pull: [link not preserved] where APIHOST is your specific hostname, which would look something like: [example not preserved]. This pulls a little JSON packet like so: [response not preserved]. The specific recommendation was "The best course of action for monitoring your API hostname to discover when an issue may occur would be to set up a heartbeat ping to your specific API hostname. This can be utilized with a script to automatically email if packets are consistently dropped or if a connection is unable to be made." I double-checked with them whether this would be superior to a simple ping of the host, and they said yes, it does exercise the application.
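A heartbeat script of the kind Duo support describes, written out as an added example (not code from the page or from Duo). It does an HTTP GET against the API hostname, times it, and classifies the result into the states worth alerting on: slow response, error status code, unreachable host, or a body that is not the expected JSON. The page does not preserve the link Duo recommended, so the script assumes `/auth/v2/ping`, the Auth API's documented unauthenticated liveness endpoint; the latency threshold, timeout, "consecutive failures" rule and the sample JSON body used in the checks are assumptions constructed for the example.

```python
"""Heartbeat monitor for a Duo API hostname: an HTTP GET against the host,
classified so a script can alert on slow responses, error status codes,
connection failures or an unexpected body. Added example, not code from the
page or from Duo. The page does not preserve the link Duo support recommended;
/auth/v2/ping, the Auth API's documented unauthenticated liveness endpoint, is
assumed here. Thresholds are assumptions too."""
import json
import time
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import List, Optional

SLOW_SECONDS = 2.0       # latency above this is reported as SLOW (assumed)
TIMEOUT_SECONDS = 5.0    # socket timeout for one probe (assumed)


@dataclass
class Probe:
    state: str        # "OK", "SLOW", "HTTP_ERROR", "BAD_BODY" or "UNREACHABLE"
    detail: str
    seconds: float


def classify(status: Optional[int], body: Optional[bytes], seconds: float,
             error: Optional[str] = None) -> Probe:
    """Turn one GET's outcome into an alert state. No I/O, so it is testable offline."""
    if error is not None:
        return Probe("UNREACHABLE", error, seconds)
    if status != 200:
        return Probe("HTTP_ERROR", f"HTTP {status}", seconds)
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return Probe("BAD_BODY", "response is not JSON", seconds)
    if not isinstance(doc, dict) or doc.get("stat") != "OK":
        return Probe("BAD_BODY", "stat is not OK", seconds)
    if seconds > SLOW_SECONDS:
        return Probe("SLOW", f"{seconds:.2f}s exceeds {SLOW_SECONDS}s", seconds)
    return Probe("OK", "liveness endpoint answered", seconds)


def probe_api_host(api_host: str, path: str = "/auth/v2/ping",
                   timeout: float = TIMEOUT_SECONDS) -> Probe:
    """GET https://<api_host><path>; the only function here that touches the network.
    Unlike an ICMP ping, a 200 with a well-formed body shows the application answered."""
    url = f"https://{api_host}{path}"
    start = time.monotonic()
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read()
        return classify(resp.status, body, time.monotonic() - start)
    except urllib.error.HTTPError as e:
        return classify(e.code, None, time.monotonic() - start)
    except (urllib.error.URLError, OSError) as e:
        return classify(None, None, time.monotonic() - start, error=str(e))


def should_alert(history: List[Probe], consecutive: int = 3) -> bool:
    """Duo's suggestion was to email when failures are *consistent*: require
    `consecutive` non-OK probes in a row so a single blip does not page anyone."""
    if len(history) < consecutive:
        return False
    return all(p.state != "OK" for p in history[-consecutive:])


if __name__ == "__main__":
    import sys
    # Placeholder hostname; pass your own api-XXXXXXXX.duosecurity.com on the command line.
    host = sys.argv[1] if len(sys.argv) > 1 else "api-XXXXXXXX.duosecurity.com"
    history: List[Probe] = []
    for _ in range(3):
        p = probe_api_host(host)
        history.append(p)
        print(f"{p.state:<12} {p.seconds:5.2f}s  {p.detail}")
        time.sleep(1)
    if should_alert(history):
        print(f"ALERT: {host} failed {len(history)} probes in a row; send mail here (smtplib)")
```

Run it from cron with your API hostname as the argument and replace the final `print` with whatever delivers your alerts. Note that this only tells you the API host is answering; a site that integrates through the Duo iFrame (Web SDK) is also dependent on the Duo-hosted frame and should probe that path too, which is the "which endpoint to monitor" question from the thread.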