  1. Grouper
  2. GRP-3923

Duo - Provision user accounts

Details

    • New Feature
    • Resolution: Unresolved
    • Minor
    • None
    • None
    • duo
    • None

    Description

      The University of Nebraska has modified the grouper-duo provisioner to create new Duo accounts for the past few years. Typically Grouper stays out of the business of creating accounts and instead focuses on groups and memberships, but in our case it has proven to be invaluable.

      With our two-factor policies in Grouper, using it to provision the Duo account once the user is in the appropriate access policy forces the user to enroll their device when they initiate their next SSO session. We could use our IdMS system, but using Grouper is more timely (no batch process or feeds required).

      Instead of maintaining the code ourselves, we think this should be a configurable feature for the entire Grouper community.

      When we began our work there was no code to refer to, but now that the Duo provisioner supports creating admin accounts, the class method (updateDuoUser) we built may be redundant.

      Attached is a Git patch that shows the changes we made – should be straightforward (I hope, I did have some challenges with the line endings).

      We included a new property in grouper-loader.properties to make it configurable.

      grouperDuo.provisionUsers = true

          People

            chris.hyzer@at.internet2.edu Chris Hyzer (upenn.edu)
            ryan.rumbaugh.2@at.internet2.edu Ryan Rumbaugh