Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1257
Views
0
Helpful
1
Replies

ADFS Configuration Scenario

ButlerKD
Level 1
Level 1

‎01-14-2019 12:38 PM

All,

Greetings. Wondering if the following scenario is possible, and if not, what would be the recommended course of action to take:

Currently, we have our Office 365 and another third-party application protected via Duo. As such, any logins to either application from our “trusted” ip addresses results in the Duo MFA prompt for a split second, then passing the ADFS login through as they are identified to originate from the aforementioned trusted network. Logins from outside our trusted ip addresses still prompt for MFA as expected.

We now have a new vendor and application that we are able to tie into our ADFS login, but this application needs to be prompted for MFA for all logins (note, the vendor has our ip addresses white listed, so no logins are permissible from any other network).

So, is the scenario as described possible without breaking our current configuration with ADFS, or are there other options to consider/implement?

Thanks in advance for any comments/solutions to my query.

Kevin

Labels:
0 Helpful
1 Reply 1

BusterDoney
Level 1
Level 1

‎01-15-2019 02:07 PM

Are these first two mentioned applications (O365 and the other) protected through ADFS/Duo plugin or are they Duo-protected apps that were added through the Duo portal → Applications → Protect Application?

In any case, you can configure ADFS relying party trusts to have MFA enforced per RPT rather than with a global policy and you can get pretty specific with the custom claims rules.

For example you can force MFA only for a particular security group. Or force it for external traffic only (anything hitting the ADFS portal through the ADFS WAPs). Or force it for all devices and laptops internal/external except for iphones, etc.

What version of ADFS do you use? 2.0, 3.0, or 4.0? 4.0 has some nicer built-in MFA policies that you can apply via the ADFS Gui Console… otherwise I recommend powershell:

https://help.duo.com/s/article/3174?language=en_US

0 Helpful
Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents