Skip navigation
Documentation

Duo for Shibboleth Identity Provider

Last Updated: February 25th, 2021

Duo Security's two-factor authentication secures Shibboleth identity provider logins, complete with self-service enrollment and Duo Prompt.

Shibboleth versions 3.3 and later include a supported Duo authentication plugin (DuoAuthnConfiguration). Shibboleth 4.1 and later use a new plugin mechanism, with an updated Duo plugin (DuoOIDCAuthnConfiguration) available which supports the Duo Universal Prompt.

Connectivity Requirements

This application communicates with Duo's service on TCP port 443. Firewall configurations that restrict outbound access to Duo's service with rules using destination IP addresses or IP address ranges aren't recommended, since these may change over time to maintain our service's high availability. If your organization requires IP-based rules, please review this Duo KB article.

First Steps

Before starting:

  1. Sign up for a Duo account.
  2. Log in to the Duo Admin Panel and navigate to Applications.
  3. Click Protect an Application and locate the entry for Shibboleth in the applications list. Click Protect to the far-right to configure the application. and get your Client ID, Client secret, and API hostname. You'll need this information to complete your setup. See Protecting Applications for more information about protecting applications in Duo and additional application options.

    Previously, the Client ID was called the "Integration key" and the Client secret was called the "Secret key".

Treat your secret key like a password

The security of your Duo application is tied to the security of your secret key (skey). Secure it as you would any sensitive credential. Don't share it with unauthorized individuals or email it to anyone under any circumstances!

Duo Universal Prompt

Duo's next-generation authentication experience, the Universal Prompt, is coming to web-based applications that display the current Duo Prompt in browsers.

Migration to Universal Prompt for your Shibboleth application is a two-step process:

  • Install an update for the Shibboleth application to support the Universal Prompt.
  • Enable the Universal Prompt experience for users of that Duo Shibboleth application (when the Universal Prompt becomes available).

New Shibboleth Applications

When you install the latest version of Shibboleth you're ready to use Universal Prompt once it's released. When you create a new Shibboleth application in the Duo Admin Panel, its "Universal Prompt" section shows the status as "Waiting on Duo". If you're configuring Shibboleth now, proceed with the installation instructions in this document. When you're done, you'll see the current Duo prompt experience.

Universal Prompt Info - Application Updated

When the Universal Prompt becomes available, you'll return here to activate it for users of this application. The status will change to "New Prompt Ready", and you'll see the control here for turning it on or off. Until then, your users continue to experience the current Duo prompt.

Existing Shibboleth Applications

Shibboleth needs a software update installed to support the Universal Prompt when it's ready. The "Universal Prompt" section reflects this status as "App Update Ready" today. To update the Shibboleth Duo application to a newer version, follow the update directions below.

Universal Prompt Info - Update Available

Once a user authenticates to Shibboleth via the updated Duo plugin, the "Universal Prompt" section of the Shibboleth application page reflects this status as "Waiting on Duo".

Universal Prompt Info - Application Updated

When the Universal Prompt becomes available, you'll return here to activate it for users of this application. The status will change to "New Prompt Ready", and you'll see the control here for turning it on or off. Until then, your users continue to experience the current Duo prompt.

Universal Update Progress

Click the See Update Progress link to view the Universal Prompt Update Progress report. This report shows the update availability and migration progress for all your Duo applications in-scope for Universal Prompt support.

Read the Universal Prompt Update Guide for more information about the update process to support the new prompt, and watch the Duo Blog for future updates about the Duo Universal Prompt.

Universal Prompt Private Preview

If you've updated your eligible application so that its update status shows "New Prompt Ready" and you're interested in participating in a private preview of the Universal Prompt experience, please apply using this form.

The Duo Shibboleth authentication plugin performs a second factor authentication after primary authentication, so you will need a working service provider configured with Shibboleth before continuing.

Configure Shibboleth

Shibboleth 4.1 is the first release with support for Duo Universal Prompt. After installing Shibboleth 4.1 or later, configure the DuoOIDCAuthnConfiguration authentication plugin within Shibboleth, using the application information from the First Steps instructions above.

Update Shibboleth

If you are running Shibboleth versions below 4.1, you'll need to upgrade your Shibboleth installation to version 4.1 or later to be able to use the Universal Prompt. Consult the Shibboleth upgrade documentation for more information about planning your upgrade, and use the DuoOIDCAuthnConfiguration authentication plugin instructions to configure Duo after your Shibboleth upgrade.

Network Diagram

Duo Shibboleth Network Diagram

  1. Application or Service connection initiated
  2. Primary authentication
  3. Client connection established to Duo Security over TCP port 443
  4. Secondary authentication via Duo Security’s service
  5. Shibboleth client receives authentication response.
  6. Application or Service session logged in