Duo Universal Referrals Question


Jeremiah Garmatter

Jan 17, 2023, 10:59:55 AM
to CAS Community
Hello,

I have a service that checks the referer and origin HTTP headers against a whitelist to determine what servers it can communicate with safely. After implementing the Duo Universal Prompt on our test server, this service threw an error. Adding our Duo API host to the whitelist allowed us to authenticate to the service without the error. Turns out the Duo API Host is set in the referer header.

I was under the impression that the authentication webflow looked something like this:
Visit service -> service redirects to CAS -> CAS primary authentication occurs -> CAS redirects to DUO for universal prompt -> Duo redirects back to CAS after authentication -> Finally, CAS redirects user back to service.

It seems like Duo is redirecting users directly to the end service though (hence the Duo API host in the referer header)? Can someone tell me if that's correct?


Ray Bon

Jan 17, 2023, 1:25:25 PM
to cas-...@apereo.org
Jeremiah,

I see a series of 302s from duo to service with a stop at cas in between.
The flow you describe is correct.
I guess since the last 200 before the service was a duo api site, that is what is in the referer header key.

Ray

On Tue, 2023-01-17 at 07:58 -0800, Jeremiah Garmatter wrote:
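The following is an added example, not code posted by either participant or shipped by CAS or Duo. It models the browser rule behind Ray's observation (a 302 chain keeps the Referer of the last page the user actually interacted with, so the service sees the Duo host even though CAS sits in between) and shows a host-based Origin/Referer allowlist check of the kind the original poster describes. All host names, paths and the Duo API host are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed sample hosts (assumptions, not values from the thread).
SERVICE_HOST = "app.example.edu"
CAS_HOST = "cas.example.edu"
DUO_HOST = "api-aaaaaaaa.duosecurity.com"   # placeholder for a Duo API host

# The login flow from the thread as the browser experiences it: each tuple is
# (url, http_status) of the response to one browser request. A 200 is a page the
# user interacts with (login form, Universal Prompt, final service page); a 302 is
# an automatic redirect the browser follows on its own. Paths are made up.
LOGIN_CHAIN = [
    ("https://app.example.edu/secure", 302),                   # service sends user to CAS
    ("https://cas.example.edu/login", 200),                    # CAS login page (primary auth)
    ("https://cas.example.edu/login", 302),                    # credentials posted, CAS -> Duo
    ("https://api-aaaaaaaa.duosecurity.com/prompt", 200),      # Duo Universal Prompt page
    ("https://cas.example.edu/login?duo_code=abc", 302),       # Duo callback, CAS -> service
    ("https://app.example.edu/secure?ticket=ST-1", 200),       # back at the service
]


def host_of(url):
    """Hostname of a URL in lower case, or None if it has none (e.g. 'null')."""
    parts = urlsplit(url)
    return parts.hostname.lower() if parts.hostname else None


def referer_on_final_request(chain):
    """Return the Referer host carried by the last request in `chain`.

    Simplified browser rule (as in the Fetch spec): a navigation started from a
    rendered page sets Referer to that page's URL, while following a 3xx
    redirect keeps the Referer of the request being redirected. The final hop
    therefore names the last 200 page before it, however many 302s intervene.
    """
    referer = None
    for i in range(1, len(chain)):
        prev_url, prev_status = chain[i - 1]
        if prev_status == 200:
            referer = prev_url      # user left this page, it becomes the Referer
        # on a 3xx the browser re-issues the request with the same Referer
    return host_of(referer) if referer else None


def allowed_by_headers(headers, allowed_hosts):
    """Allowlist check in the spirit of the poster's service.

    Prefers Origin when present (it is reliably sent on state-changing requests)
    and falls back to Referer, comparing parsed hosts rather than raw strings so
    that 'https://evil.example/?x=cas.example.edu' cannot match by substring.
    Returns (allowed, reason).
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in ("origin", "referer"):
        value = lowered.get(name)
        if not value:
            continue
        host = host_of(value)
        if host is None:
            return False, f"{name} is not a usable URL ({value!r})"
        if host in allowed_hosts:
            return True, f"{name} host {host} is allowlisted"
        return False, f"{name} host {host} is not allowlisted"
    return False, "neither Origin nor Referer present"


if __name__ == "__main__":
    seen = referer_on_final_request(LOGIN_CHAIN)
    print("Referer host on the final request to the service:", seen)
    without_duo = {SERVICE_HOST, CAS_HOST}
    with_duo = without_duo | {DUO_HOST}
    req = {"Referer": f"https://{seen}/prompt"}
    print("allowlist without Duo:", allowed_by_headers(req, without_duo))
    print("allowlist with Duo:   ", allowed_by_headers(req, with_duo))
```

Running it reproduces what the thread describes: the final request carries the Duo host in Referer, the check fails until that host is allowlisted, and it passes afterwards. Two caveats for anyone relying on such a check: Referer can be absent entirely (a strict Referrer-Policy on the previous page, or a bookmark), so the code treats "no header" as a deny rather than an allow, and a legitimate Referer may name whatever identity or MFA provider rendered the last page, so the allowlist has to follow the real redirect chain rather than the one you expect.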