Receive callback from Duo Web SDK v2 *enrollment*?

Hi, I’m currently using the v2 Web SDK successfully to have users enroll with Duo and authenticate. I’m using the “submit_callback” argument to Duo.init() successfully to have my own JavaScript handle signature verification for the authentication.

Is it possible to get a separate callback after a new user has enrolled their first device with Duo? The iframe contains a “Continue to Login” button on the “My Settings & Devices” screen at this point. That button transfers control to the authentication flow and my callback only receives the “AUTH|…” message.

I’d like to run some custom logic when the user completes enrollment, but I’ve never received an “ENROLL|…” message from this SDK. I see the iframe communicating with “/frame/enroll/finish” but I don’t see how my app can be notified of the successful enrollment.

Thank you!

-Gregg

Hey Gregg, I’m not sure if exactly what you’re asking for can be done. I’ll try to find out for you. However, in the meantime, it’s possible to check the enrollment status of individual users using the Auth API enroll status. Take a look at the documentation here for more information: Duo Auth API | Duo Security

There isn’t a way to do this now. When a user enters inline enrollment during auth via WebSDK, at the end the user then actually authenticates with the newly-enrolled device, and the auth success gets returned to the application for verification.

Ok, thank you both for weighing in on this. We’ve used the Auth API before so that shouldn’t be too big a problem. I just wanted to make sure I wasn’t missing something obvious/easy in the Web SDK. Good to get confirmation.

I looked at the v4 Web SDK (the OIDC one) but I don’t think you can get the enroll info from there either. If an unenrolled user enters the OIDC flow, they get sent to the Duo /v4/auth, then /v4/enroll which then takes them to ../device-management/portal. After enrolling they get sent back to /v4/auth/prompt to log in with the newly enrolled factor, and after that finally sent back to the redirect_uri of the original application, with this info in the access token:

    },
    "auth_result": {
        "result": "allow",
        "status": "allow",
        "status_msg": "Login Successful"
    },

So again, no surfacing of inline enrollment during auth back to the application.

Thank you for your thoroughness on this, Kristina. We opted for the v2 iframe approach so the user doesn’t completely leave our existing authentication flow (where other MFA options can be initiated). Still, it is very good to know that moving to the v4 OIDC design wouldn’t net us anything with regards to the Duo enrollment notification either.

Ah, OK. Keep in mind that will reach end of support sooner rather than later. We expect to announce a timeline for v2 deprecation when the Universal Prompt exits public preview.