Open CodeNameTheOnlyOne opened 2 years ago
@CodeNameTheOnlyOne
We don't have the capability to do this currently (and it's not terribly easy to add, unfortunately), but we will consider this for our backlog for a future release. I appreciate the detail provided to articulate the case for this. It is well understood.
For what it's worth, there shouldn't be any issue running ADFS and AMS on the same server, as you can tie AMS to a specific host name to listen on, so it shouldn't conflict. You'd have to run this in a VM, though, if you only had a single server which was the DC, so I agree this is not ideal.
The only other option I could suggest is using Yubikey devices as smart cards. This would require a PKI server, but I believe this can be deployed alongside the DC role.
Throwing my 2 cents in here. I think when people ask for Duo support they'd probably accept RADIUS or LDAP support. I can't speak for others, but we point a ton of IT infrastructure at our Duo Auth Proxy server for MFA. To the application it just looks like RADIUS or LDAP, but we get the protection of Duo MFA.
Support for Duo MFA would be great, or RADIUS where Duo Proxy could be used.
As a workaround for now, we have Azure AD P2 and Duo for admins, so we are able to set up Azure AD Conditional Access that calls out to Duo using a custom control. Not great in that it has a dependency on Azure AD CA, but it works.
A simple method of combining the built-in Windows authentication with either a Google Authenticator code or some other service like Duo to provide a simple MFA for new insurance requirements. I know I can do this with ADFS, but I have some customers that only have one server, and running domain controller/Lithnet/ADFS all on the same server does not seem feasible, as IIS/AMS would both want 80/443 and ADFS does not seem to like running on a DC.
A method of combining Windows auth + some MFA all inside of AMS would be great; I would be willing to pay for enterprise for this.
It could be as simple as sending an email with a code that I could email to a cell phone, or an OTP code.
If there is a method of doing this currently, that would be great; just let me know if I missed something.