duosecurity / duo_confluence

Duo two-factor authentication for Confluence.

Excluding local users #13

Closed terwilliger12 closed 2 years ago

terwilliger12 commented 4 years ago

We've recently implemented DUO in our Confluence setup and we've noticed local users are prompted for DUO credentials. Is there a way to exclude local users from DUO?

AaronAtDuo commented 4 years ago

@terwilliger12 Unfortunately, we don't know of any way within the Confluence plugin to distinguish local users from any other type of user. So I don't believe we can conditionally exempt users at the plugin level.

terwilliger12 commented 4 years ago

@AaronAtDuo any chance there is a way to exclude them in web.xml before the plugin comes into play?

AaronAtDuo commented 4 years ago

@terwilliger12 You're thinking of something like an 'exempt' user list - along the same idea as the exempt URL list?

A couple of questions on that. Can you tell me a bit more about these 'local' users, and why they are exempted from 2FA? Are these something along the lines of system accounts that don't correlate to humans? Is the number of local users small and fairly static, so keeping web.xml updated would be feasible?

Off the top of my head, it seems like an exempt users list could be pretty easy from a code perspective.
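As an added illustration of the "exempt users list" idea discussed above (this is example code written for this page, not the duo_confluence plugin's own filter, and the filter class, the `exempt.users` init-param name and the use of `getRemoteUser()` to identify the current user are all assumptions), here is a standalone servlet filter that reads a static username list from web.xml and marks matching requests as exempt from the second factor:

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.Set;
import java.util.stream.Collectors;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

// Hypothetical filter: exempt a short, static list of usernames from 2FA.
// The web.xml wiring below is an assumption for this example, not the plugin's config:
//
//   <filter>
//     <filter-name>ExemptUsersExample</filter-name>
//     <filter-class>ExemptUsersExampleFilter</filter-class>
//     <init-param>
//       <param-name>exempt.users</param-name>
//       <param-value>confluence-local-admin</param-value>   <!-- comma-separated -->
//     </init-param>
//   </filter>
public class ExemptUsersExampleFilter implements Filter {

    private Set<String> exemptUsers = Collections.emptySet();

    @Override
    public void init(FilterConfig config) {
        exemptUsers = parseExemptUsers(config.getInitParameter("exempt.users"));
    }

    // Parse "a, b,c" into {"a","b","c"}; a missing or blank parameter exempts nobody.
    static Set<String> parseExemptUsers(String raw) {
        if (raw == null || raw.trim().isEmpty()) {
            return Collections.emptySet();
        }
        return Arrays.stream(raw.split(","))
                .map(String::trim)
                .filter(s -> !s.isEmpty())
                .collect(Collectors.toSet());
    }

    // Exact, case-sensitive match only. No wildcards and no prefix matching, so a
    // typo or an over-broad pattern cannot silently exempt a whole class of users.
    static boolean isExempt(String remoteUser, Set<String> exempt) {
        return remoteUser != null && exempt.contains(remoteUser);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        // Assumption: the container exposes the authenticated principal via getRemoteUser().
        // How the real plugin resolves the current Confluence user is not shown on this page.
        String user = (req instanceof HttpServletRequest)
                ? ((HttpServletRequest) req).getRemoteUser()
                : null;

        if (isExempt(user, exemptUsers)) {
            // Hypothetical request attribute that a downstream 2FA filter would honour
            // by skipping its challenge; only the marker is set here.
            req.setAttribute("duo.exempt", Boolean.TRUE);
        }
        // Either way the request continues down the chain; this example does not
        // implement the Duo challenge itself.
        chain.doFilter(req, resp);
    }

    @Override
    public void destroy() { }
}
```

The check is keyed purely on the username, so the exemption applies to whoever authenticates under that name, whichever directory they came from. That is why the list should hold only accounts that cannot collide with a directory user (the situation described later in this thread, a local admin that does not exist in Active Directory), and why it should stay short and static enough that web.xml can be reviewed by hand.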

xdesai commented 4 years ago

@terwilliger12 I'm also curious if you think it would be feasible for you to exempt those users in the Duo Admin Panel. If it's just a couple of service accounts for example maybe you could create those users in your Duo account and set their status to bypass. Or put the collection of users into a Duo group and set that group to bypass.

terwilliger12 commented 4 years ago

@AaronAtDuo - An exemption list would work; we currently just want to exempt one user, the local Confluence admin user we have set up that doesn't exist in our Active Directory.

@xdesai I don't have access to our University's DUO account. It sounds like what you suggested would work since the account should never match something in our AD (so we wouldn't accidentally allow a bypass for a domain user), but if a static exemption list via Confluence config files like @AaronAtDuo is suggesting is possible and not difficult to implement, I'd rather take that route to avoid requesting changes to our DUO account.

AaronAtDuo commented 4 years ago

@terwilliger12 Thanks for the additional context. We've had this same request from other customers, so please contact our support team (https://duo.com/support) to express your interest in this feature as well.

Now, the bad news is that we have some other work going on with the Confluence plugin at the moment; it's unlikely we'd be able to do feature work on it any time soon. So if this is something you need in the short term, I think you'll need to investigate the ideas @xdesai outlined.

terwilliger12 commented 4 years ago

@AaronAtDuo - I'll ask our team member responsible for our DUO account to try to exempt the user in question. Thanks for your help!

AaronAtDuo commented 2 years ago

Hopefully you were able to get this to work! Closing out this old issue.