Duo Security

Note: Duo Security is an Advanced Authenticator available as part of the Professional edition of ADSelfService Plus.

If your organization uses Duo Security for multi-factor authentication, it can be integrated with ADSelfService Plus to secure logins, applications and endpoints. Users can approve or deny these login requests using a push notification or by entering the six-digit security code generated by the Duo mobile app. Authentication via Duo Security can be configured in two ways in ADSelfService Plus: Web v2 SDK and Web v4 SDK.

Web v2 SDK uses a traditional Duo prompt which will be displayed in an iframe in ADSelfService Plus, whereas Web v4 SDK uses Duo's OIDC-based universal prompt with a redesigned UI that redirects users to Duo for authentication.

Prerequisites

• Add the API hostname and admin console (for example, https://********.duosecurity.com) as a trusted site or intranet site in the users' machine if they are using older versions of Internet Explorer.
• Please follow these steps in the Duo Admin Panel to migrate from Web v2 SDK, which uses the traditional prompt, to Web v4 SDK, which employs the new Universal Prompt.

Web v4 SDK configuration steps

Note: It is required to have a secure connection to set up the Web v4 SDK authentication. Please make sure that you have enabled HTTPS in the product and Access URL.

1. Log into your Duo Security account (for example, https://********.duosecurity.com) or sign up for a new account and log in.
2. Go to Applications and click Protect an Application.



3. Search for Web SDK and click Protect.



4. Copy the Client ID, Client secret, and API hostname values.



5. From the ADSelfService Plus admin portal, navigate to Configuration > Multi-factor Authentication > Duo Security.
6. Select Web v4 SDK for Integration Type.



7. Paste the Client ID, Client secret, and API hostname obtained from the Duo Admin Panel in the respective fields.
8. Enter the same username pattern used in Duo Security in the Username Pattern field.
9. Click Save.

Configuring Auth API for Web v4 configurations of Duo Security

10. If configuring Auth API, follow these steps and obtain the Integration Key and Secret Key from the Duo Security portal.
11. Under the Web v4 SDK configuration settings for Duo Security, click Advanced Settings to open up the Auth API configuration settings.
12. Paste the Integration Key and Secret Key into the relevant fields, and click Save.

Configuring Device Management Portal settings for WebV4 configurations of Duo Security

The Duo Device Management Portal enables users to add or remove Duo-registered devices from the self-service portal. The Device Management Portal for Web v4 uses Duo's OIDC-based universal prompt with a redesigned UI that redirects users to Duo on a new tab. Here are the steps to configure the Duo Device Management portal:

1. Log into Duo Security and go to Applications > Protect an Application.
2. Search for Device Management Portal. Click Protect.
3. Copy the Client ID and Client Secret from the Details section.
4. Under the Web v4 SDK configuration settings for Duo Security, Click Advanced Settings to open the Device Management Portal settings.
5. Paste the Client ID and Client Secret into the relevant fields and click Save.

Web v2 SDK configuration steps

1. Log in to your Duo Security account (for example, https://********.duosecurity.com) or sign up for a new account and log in.
2. Go to Applications and click Protect an Application.



3. Search for Web SDK and click Protect.



4. Copy the Integration key, Secret key, and API hostname values.



5. In ADSelfService Plus, navigate to Configuration > Multi-factor Authentication > Duo Security.
6. Select Web v2 SDK for Integration Type.



7. Paste the Integration key, Secret key, and API hostname obtained from the Duo Admin Panel in the respective fields.
8. Enter the same username pattern used in Duo Security in the Username Pattern field.
9. Click Save.

Configuring Auth API for Web v2 configurations of Duo Security

10. If configuring Auth API, follow these steps and obtain the Integration Key and Secret Key from the Duo Security portal.
11. Under the Web v2 SDK configuration settings for Duo Security, click Advanced Settings to open the Auth API configuration settings.
12. Paste the Integration Key and Secret Key into the relevant fields and click Save.

Configuring Device Management Portal settings for WebV2 configurations of Duo Security

The Device Management Portal for Web v2 uses a traditional Duo prompt which will be displayed in an iframe in ADSelfService Plus.

1. Log into Duo Security and go to Applications > Protect an Application.
2. Search for Device Management Portal. Click Protect.
3. Copy the Integration key and Secret key from the Details section.
4. Under the Web v2 SDK configuration settings for Duo Security, click Advanced Settings to open the Device Management Portal settings.
5. Paste the Integration Key and Secret Key into the relevant fields and click Save.

Configuring Auth API in Duo Security

Configuring the Auth API in Duo Security is optional. Auth API configuration is used to verify the user's enrollment with Duo Security. If Auth API is not configured, then on deleting a user's enrollment in Duo Security, it is mandatory to manually remove the user's enrollment in ADSelfService Plus too. If not, the user will be added back to Duo Security when it is used for authentication in ADSelfService Plus.

Steps to be followed if configuring Auth API:

1. Login to the Duo Security portal.
2. Navigate to Applications and click Protect An Application.
3. Search for Auth API. Click Protect this Application.
4. Copy the Integration key and Secret key.

Steps to migrate to the new Universal Prompt

1. In the Duo Admin Panel, select the Web SDK application, which was previously configured for ADSelfService Plus, and copy the Integration key, Secret key and API hostname values.
2. Scroll down to the Universal Prompt section. The App Update Ready message will be displayed, indicating that Universal Prompt can now be activated for ADSelfService Plus.



3. In ADSelfService Plus, navigate to Configuration > Multi-factor Authentication > Duo Security.
4. Click Web v4 SDK and paste the Integration key, Secret key, and API hostname values in the Client ID, Client Secret, and API Host name fields respectively.
5. Once the Web v4 SDK is configured in ADSelfService Plus and a user authenticates through the frameless Duo v4 SDK, the App Update Ready message in Duo Admin Panel will be updated and the New Prompt Ready message will be displayed.



6. Select Show new Universal Prompt to activate the universal prompt for ADSelfService Plus.