instipod / DuoUniversalKeycloakAuthenticator

Keycloak Authenticator for Duo's new Universal Prompt
GNU General Public License v3.0

Allow Duo to be only applied to specific groups #9

Closed treydock closed 1 year ago

treydock commented 1 year ago

Add Docker based building of jar file

instipod commented 1 year ago

Can you update this to the changes on master?

I'm curious about the use case for the groups feature. Duo will allow you to pass everyone in, and selectively enforce MFA or enrollment on a user or group basis at no extra cost. Is there a specific use case that filtering at the Authenticator level makes sense for you?

treydock commented 1 year ago

I rebased against master branch.

I'm not aware of a way to limit Duo access by group other than doing it in the Keycloak SPI. We've been using this approach for quite a long time to ensure members of our "duo" LDAP group are the only ones getting Duo prompts. We use that same group to limit who gets Duo prompts via SSH too.