08-25-2021 11:05 AM
Hi, I’m currently use the v2 Web SDK successfully to have users enroll with Duo and authenticate. I using the “submit_callback” argument to Duo.init() successfully to have my own JavaScript handle signature verification for the authentication.
Is it possible to get a separate callback after a new user has enrolled their first device with Duo? The iframe contains a “Continue to Login” button on the “My Settings & Devices” screen at this point. That button transfers control to the authentication flow and my callback only receives the “AUTH|…” message.
I’d like to run some custom logic when the user completes enrollment, but I’ve never received an “ENROLL|…” message from this SDK. I see the iframe communicating with “/frame/enroll/finish” but I don’t see how my app can be notified of the successful enrollment.
Thank you!
-Gregg
Solved! Go to Solution.
09-22-2021 09:36 AM
Hey Gregg, I’m not sure if what you’re asking for exactly can be done. I’ll try to find out for you. However, in the meantime, it’s possible to check the enrollment status of individual users though using the Auth API enroll status
Take a look at the documentation here for more information: Duo Auth API | Duo Security
09-22-2021 09:36 AM
Hey Gregg, I’m not sure if what you’re asking for exactly can be done. I’ll try to find out for you. However, in the meantime, it’s possible to check the enrollment status of individual users though using the Auth API enroll status
Take a look at the documentation here for more information: Duo Auth API | Duo Security
09-22-2021 10:44 AM
There isn’t a way to do this now. When a user enters inline enrollment during auth via WebSDK at the end the user then actually authenticates with the newly-enrolled device, and the auth success gets returned to the application for verification.
09-23-2021 01:57 PM
Ok, thank you both for weighing in on this. We’ve used the Auth API before so that shouldn’t be too big a problem. I just wanted to make sure I wasn’t missing something obvious/easy in the Web SDK. Good to get confirmation.
09-23-2021 02:27 PM
I looked at the v4 Web SDK (the OIDC one) but I don’t think you can get the enroll info from there either. If an unenrolled user enters the OIDC flow, they get sent to the Duo /v4/auth
, then /v4/enroll
which then takes them to ../device-management/portal
. After enrolling they get sent back to /v4/auth/prompt
to log in with the newly enrolled factor, and after that finally sent back to the redirect_uri of the original application, with this info in the access token:
},
"auth_result": {
"result": "allow",
"status": "allow",
"status_msg": "Login Successful"
},
So again, no surfacing of inline enrollment during auth back to the application.
09-24-2021 05:11 AM
Thank you for your thoroughness on this Kristina. We opted for the v2 iframe approach so the user doesn’t completely leave our existing authentication flow (where other MFA options can be initiated). Still, it is very good to know that moving to the v4 OIDC design wouldn’t net us anything with regards to the Duo enrollment notification either.
09-24-2021 05:34 AM
Ah, OK. Keep in mind that will reach end of support sooner rather than later. We expect to announce a timeline for v2 deprecation when the Universal Prompt exits public preview.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide