We’ve configured SharePoint 2016 FBA with the DUO WebSDK and it works well except for one aspect regarding FBA authentication.
Login page 1: authenticate the username and password using FBA-LDAP.
Login page 2: load the Duo web iframe.
The method that authenticates the username and password on login page 1 is the SPClaimsUtility.AuthenticateFormsUser which persists a cookie to the site.
If the user fails the DUO authentication on login page 2, they still have an authenticated session to the site. We can force a signout and clear session cookies, but I was hoping for a cleaner approach.
Please assist with any ideas.
Thanks!
We resolved this by validating credentials on the first login page with Membership.ValidateUser, which validates against the user store without creating a persisted cookie. On the second page, once the user has successfully passed DUO authentication, we used the SPClaimsUtility.AuthenticateFormsUser. Hope this helps anyone out there! Have a good one.
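
The two-step flow described in the reply above, as an added example that is not code from the original posts. The provider name, the session key, and the use of server-side session state to carry the pending login between the two pages are assumptions; `Duo.Web.SignRequest` and `Duo.Web.VerifyResponse` are the Duo Web SDK for .NET calls.

```csharp
using System;
using System.Web;
using System.Web.Security;
using Microsoft.SharePoint.IdentityModel; // SPClaimsUtility

// Assumptions (not from the thread): provider name, session key, and holding
// the pending login in server-side session state between the two pages.
public static class TwoStepLogin
{
    const string PendingKey = "PendingFbaLogin";     // hypothetical session key
    const string ProviderName = "FBA-LDAP-Members";  // hypothetical provider name

    [Serializable]
    sealed class Pending { public string User; public string Password; public DateTime Expires; }

    // Page 1: check the password only. No SharePoint session cookie is issued here.
    public static string BeginLogin(HttpContext ctx, string user, string password,
                                    string ikey, string skey, string akey)
    {
        MembershipProvider provider = Membership.Providers[ProviderName];
        if (provider == null || !provider.ValidateUser(user, password))
            return null; // caller shows a generic failure message

        ctx.Session[PendingKey] = new Pending {
            User = user, Password = password, Expires = DateTime.UtcNow.AddMinutes(5) };
        return Duo.Web.SignRequest(ikey, skey, akey, user); // sig_request for the iframe
    }

    // Page 2: issue the SharePoint session only after Duo confirms the same user.
    public static bool CompleteLogin(HttpContext ctx, string sigResponse,
                                     string ikey, string skey, string akey)
    {
        var pending = ctx.Session[PendingKey] as Pending;
        ctx.Session.Remove(PendingKey); // single use, whether Duo passes or fails
        if (pending == null || pending.Expires < DateTime.UtcNow)
            return false;

        // VerifyResponse returns the signed username, or null on any failure.
        string duoUser = Duo.Web.VerifyResponse(ikey, skey, akey, sigResponse);
        if (!string.Equals(duoUser, pending.User, StringComparison.Ordinal))
            return false; // failed, tampered, or issued for a different user

        return SPClaimsUtility.AuthenticateFormsUser(
            ctx.Request.Url, pending.User, pending.Password);
    }
}
```

Because `AuthenticateFormsUser` needs the password again on page 2, it sits in session state until the second step completes or the five-minute window lapses; the entry is removed on the first attempt either way.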