DUO Authentication

Connector name	`agtduo`
Connector type	Executable
Type (UI field value)	DUO Authentication
Connector status / support	Bravura Security-Verified This connector has been tested and is fully supported by Bravura Security.

Bravura Security Fabric provides a method to obtain a challenge-response key pair for DUO Authentication using the agtduo connector for authentication methods that are available to the DUO user.

Here are a few examples of the available authentication methods that may be presented to the user:

Push notification to accept or deny from the Duo Mobile app
Passcode from the Duo Mobile app
SMS text message for a passcode
Phone call to authenticate from a key press

Bravura Security Fabric can also:

Create and delete DUO users
Enable and disable DUO users
Create and delete DUO groups
Add users to and remove users from DUO groups
View and update attributes such as the user’s Real Name and email as well as the phone numbers that a user has enrolled on the DUO Authentication web service.

Note

Added support for the rename account operation in Connector Pack 4.5.0.

The following Bravura Security Fabric operations are supported by DUO Authentication:

create account
delete account
disable account
enable account
rename account
check account enabled
create group
delete group
add user to group
delete user from group
get server information
update attributes
list account attributes
challenge response authentication
List:
- accounts
- attributes
- groups
- members
- computer objects
- subscribers

For a full list and explanation of each connector operation, see Connector operations.

Preparation

Before you can target DUO Authentication, you must:

Synchronize the time on the Bravura Security Fabric server
Configure the DUO Authentication web service
Configure the target system administrators
Create a list file to support authentication, if required
Create a template account

These steps are detailed in the sections that follow.

Synchronizing the time on the Bravura Security Fabric server

Ensure that the time is synchronized on the Bravura Security Fabric server with a time server.

The time must be accurate for proper integration between Bravura Security Fabric and DUO Authentication server.

Configuring DUO authentication

The agtduo connector uses the Authentication API for challenge response authentication and the Administrative API to update and retrieve information from the DUO Authentication web service.

The Web SDK is used for communication with the Duo Mobile app.

The DUO MFA, DUO Access, and DUO Beyond editions all support the Administrative API.

These two sites outline how to set up the DUO Authentication web service for the Authentication API and the Administrative API:

The API hostname will later be used for the Server target address configuration parameter.

Configuring administrative credentials

Bravura Security Fabric uses DUO API tokens configured in the DUO Authentication administrative console to perform Bravura Security Fabric operations.

Different functionality is available through two different types of API tokens, and for full target functionality, both have to be collected from the DUO administrative console and used in the Bravura Security Fabric target system’s Credentials tab:

The DUO Admin API provides access to the user list, and requires the System password checkbox checked in the target Credentials.
The DUO Authentication API provides access to challenge-response operations, and requires the System password checkbox unchecked in target Credentials.

Each of these API tokens contains:

An integration key which is used as the Admin ID in the target system Credentials.
A secret key which is used as the Password in the target system Credentials.

Grant the required access privileges for the operations required by the integration.

For password management, "Grant read resource" is the only access privilege required.
If Bravura Security Fabric has to provision accounts or change attributes, "Grant write resource" is required as well.

If you are using the DUO Authentication target system only for challenge-response (as a module in an authentication chain to log into the product or allow a help desk user access to an end user’s profile), only the "Authentication API" is required. This will also mean:

Any tests done on the Test credentials tab of the target will always fail, because they are done with the DUO Admin API token.
The List accounts operation must be disabled on the target system’s General tab.
The list file for this target must be prepared out-of-band and placed in the instance’s \<instance>\psconfig\ directory. For example; if the DUO application lists its accounts from an Active Directory or other LDAP source that is reachable from the primary application node, target that system and use a psupdate plugin to copy it for this target system.
See Creating a list file to support challenge-response authentication to learn how to prepare the list file.

Creating a list file to support challenge-response authentication

If you use the DUO Authentication as a challenge-response back end, you must have a SQLite database list file to associate users during auto discovery so that users can authenticate against the target system.

You can create the file by copying it from another target such as from an Active Directory or another target system.

Refer to Creating a list file and copying data from other targets for how to use the Copy data from these targets, separated by commas, during auto-discovery target system option to be able to copy the listing data from one or more other targets to use for the list file for the target. This also makes use of the Connector execution order auto-discovery list as well as a post psupdate script for the target that you are copying data to.

Alternatively, you can use the List Override target address option to create the list file as noted below.

The List Override target address option along with the listoverride.py sample script is used in this case to automatically copy the list file during auto-discovery from the other target to a new list file for the DUO target.

You can configure this using the following steps:

Copy the listoverride.py script from samples to the <Program Files path>\Bravura Security\Bravura Security Fabric\<instance>\ script\ directory.
Set the List Override target address option to the example noted below.
List accounts is checked for the target system settings.
Set the Connector execution order for the targets.

If copying the list file from another source such as from Active Directory, a postHook specification must be added in order to ensure that the values from the longid fields are replaced with those from shortid. The short IDs match those of users on the DUO Authentication target system.

In this case and where ADDN is the target id from the target that you are copying from, set the List Override target address option to the following:

{action=copy;srcTargetId=ADDN;script=listoverride.py;postHook=replaceLongIdWithShortId;}

The source target must list first during auto-discovery. Configure by clicking Maintenance > Auto discovery > Connector execution order and ensuring that the source target is added and is at a higher priority than the target that you are copying to.

The list file must contain accounts for all users who have accounts on DUO, and only those users.

If the DUO list file does not contain some accounts from the DUO target system, or the account does not associate to the user’s profile, then the option to use the authentication chain described in Use case: Adding DUO authentication will not be shown to that user.
If the DUO authentication method is the only one the user can choose at any step in the authentication chain, and there is no account associated, then login will fail.
If the DUO list file contains accounts which do not exist on the DUO target, users who do not have accounts will be presented with that option for authentication, and if they choose it, it will fail.

To verify that list association worked, run a report (Manage reports > Reports > Users > Accounts) for the DUO target after running auto discovery. If account association fails (the target’s account report shows accounts as "Unclaimed" instead of "Auto-associated"), verify that the longid listed for DUO accounts matches the ProfileID, or follow the section on account association.

The following are further details on each of the KVGroup values that may be used for the List Override target system option:

Option	Value	Description
action	[copy\|move\|augment]	The copy operation copies the source database file from the target list file specified by srcTargetId. The move operation will move the list file. The augment operation runs the list operation in the connector.
srcDbFile	<path>	Provides the ability to override the path to the database list file as either an absolute or relative value. By default, listoverride calculates the path based on the database file path that is passed into the connector, such as the psconfig directory for example. Other paths that may be used could be those such as a directory within psconfig\discovered for an automatically discovered target system or another custom directory path.
script	<Python script name>	The Python script name, for example listoverride.py. See hooks below for additional requirements.
postHook/preHook/perHook		Provides both a "pre" and "post" hook to run before and after the action as well as an override "per" hook that replaces the action functionality. perHook passes in the following json argument: {"objectType": "<objectType>", "operation": "<operation>", dbFile: "dbFile"} postHook/preHook passes in the following: {"dbFile: "dbFile"} Example: specify postHook=replaceLongIdWithShortId; to replace the longid with the shortid in the list file, such as when copying from an ADDN target and to remove the domain name.
doNotLoad		When set to "1", the list file will not be loaded during the auto discovery process. This may be used in some situations such as where the source is a fake target, it can take an exceedingly long time to list, during testing and you do not wish to actually load the data until it is validated, or other scenarios where you may not with to load the data. The default value is empty. Any value that is not "1" will load the database list file.
format	db	Default is db.

Creating a template account

Bravura Security Fabric uses template accounts as models or "blueprints" for creating new accounts in DUO Authentication. The following example illustrates how you can create a template account in DUO Authentication:

Login to the DUO Authentication administrative web site.
Click Users .
Click Add User.
Enter a value for Username for the user ID.
Click Add User.
Fill in values for the Real Name and Email as required.
Click Save Changes.

Targeting the DUO Authentication system

For each DUO Authentication system, add a target system in Bravura Security Fabric (Manage the System > Resources > Target systems):

Type is DUO Authentication.
Address uses options described in the table below:

The full list of target parameters is explained in Target system options.

Table 1. DUO Authentication address configuration

Option	Description
Options marked with a are required.
Server	The domain name of the API hostname of the web server running the DUO Authentication web service. (key: server)
Port	Default is 443. (key: port)
Connection over SSL	Select to enforce SSL connections. Default is "true". (key: ssl)
Validate the server’s certificate when connecting	Determines whether to validate the server’s security certificate for SSL connections. Default is "true". (key: checkCert)
HTTP Network Proxy	Specifies a proxy URL to use for connecting. (key: proxy)
Timeout for connection (in seconds)	Amount of time the connector will wait for a response. Default: 60. (key: timeout)
Records per page	Affects the number of records returned during listing. The range must be between 1 and 300. Default: 100. (key: pagesize)
Authentication methods order	Specify the order for the list of the multifactor authentication methods that are presented to a DUO user for challenge response authentication. See Setting the order for the DUO authentication methods for details. (key: authorder)
Do asynchronous push	Make asynchronous push API calls instead of waiting for the API results. When authenticating with a DUO push notification and this option is checked (set to "true"), authentication will not wait for the API results. Once the push notification is approved from the Duo Mobile app, the user will be required to click on the Continue button after approving the push notification from the Duo Mobile app. When this option is unchecked (set to "false"), authentication will wait for the API results and will automatically proceed without further user interaction after the push notification has been approved from the Duo Mobile app. Default is "true". (key: async_push)
List Override	Provides the ability to override the default agent’s list operation functionality. Requires version 12.x or greater. (key: listOverride)

Setting the administrator credentials

As described in Configuring administrative credentials if both the Authentication API as well as the Administrative API have been configured, then the DUO Authentication target requires a set of administrative credentials for each one.

For the first administrator, set the Administrator ID to the integration key and the Password to the secret key as configured for the DUO Authentication web service for the Authentication API.

For the second administrator, set the Administrator ID to the integration key and the Password to the secret key as configured for the DUO Authentication web service for the Administrative API. Also ensure that the System password checkbox is checked for this administrator.

Setting the order for the DUO authentication methods

The Authentication methods order option may be used to specify the order for the list of the multifactor authentication methods that are presented to a DUO user for challenge response authentication.

The order may be specified by either a list on the target address configuration page or from a file.

When choosing the list option and specifying the multifactor authentication methods, these fields allow multiple values. To fill in multiple values, select List from the drop-down list box displaying in front of these fields, and use the More button to add additional input boxes when more than one value is given. The value in each input box is treated as a single value, for example:

push
passcode
sms
phone

These values represent the following multifactor authentication methods:

Push notification to accept or deny from the Duo Mobile app
Passcode from the Duo Mobile app
SMS text message for a passcode
Phone call to authenticate from a key press

There is also an option to specify the authentication order in a file. To use the file, select File option from the drop-down list and specify the file name in the field.

The file must be located in the <Program Files path>\Bravura Security\Bravura Security Fabric\<instance>\ script\ directory and contain a list of the authentication order for the DUO multifactor authentication methods.

To specify the authentication order:

# KVGROUP-V2.0
   authorder = {
      "push";
      "passcode";
      "sms";
      "phone";
   };

The list of the multifactor authentication methods may be modified to re-order how they are presented to a user for challenge response authentication.

If the user has more multifactor authentication methods than what is provided for the authentication methods order, the methods provided in the list will be the first ones that are shown to the user and the remaining methods will be directly underneath in the provided list to the user.

The authentication methods are also listed first in the order of the user’s phone numbers or devices and secondly in the order as defined by Authentication methods order.

So for example, if a user has both mobile phone(s) as well as landline phone(s), all of the phone numbers across all devices and numbers will not necessarily be listed together across all phones. They will instead be grouped together first according to each phone number or set of devices.

Handling account attributes

You can view the complete list of attributes that Bravura Security Fabric can manage, including native and pseudo-attributes, using the Manage the system (PSA) module. To do this, select DUO Authentication from the Manage the system > Resources >Account attributes > Target system type menu.

For information about the native DUO Authentication attributes managed by Bravura Security Fabric , consult your DUO Authentication documentation.

Bravura Security Fabric explicitly handles the following attributes and pseudo-attributes when creating or modifying recipient accounts for DUO Authentication target systems:

email Use email to define the email address of the user. This pseudo-attribute should be mapped to the EMAIL profile and request attribute.
firstname Use firstname to define the first name of the user. This pseudo-attribute should be mapped to the FIRST_NAME profile and request attribute.
lastname Use lastname to define the last name of the user. This pseudo-attribute should be mapped to the LAST_NAME profile and request attribute.
realname The realname attribute may be used to create full name for a user to combine the first, middle, and last names to be created or updated on the DUO Authentication web service for the user. A PSLang expression may be used to do so.
See PSLang Expressions for how to create the PSLang expression for the full name.
phones The phones attribute is used for the phone numbers that a user has enrolled on the DUO Authentication web service for themselves that are used for authentication for phone calls, SMS messages, or with the Duo Mobile app for passcodes or push notifications.
This pseudo-attribute should also be mapped to a custom profile and request attribute if it is to be included when creating new DUO users or when viewing or modifying the phone numbers for existing DUO users.

See Account attributes in the Bravura Security Fabric configuration documentation for more information.

Handling group attributes

For information about the native DUO Authentication attributes managed by Bravura Security Fabric, consult your DUO Authentication documentation.

Deleting DUO users

When a DUO user is deleted directly on the DUO Authentication web service, there is first the option for "Send to Trash". Unless the DUO users get restored, they are then permanently deleted after 7 days once they are in the "Trash".

When they are in "Trash", they will however still be included when listing using the agtduo connector. They are also essentially disabled, so the users will also be unable to authenticate to Bravura Security Fabric .

When a DUO user is deleted using Bravura Security Fabric and the agtduo connector and the delete operation, they are however permanently deleted.

Adding DUO authentication to Bravura Security Fabric

You can integrate DUO authentication in Bravura Security Fabric by configuring a custom authentication chain, using the agent.pss authentication module with the DUO Authentication connector agtduo , to perform a challenge response operation.

The following steps demonstrate how to integrate DUO authentication in Bravura Security Fabric :

Add the DUO Authentication target system .
Add a new custom authentication chain:
1. Add the Connector package agent (agent.pss) module to the chain.
2. In the module’s settings:
  - Set Target system to use for address and credentials to the target you created.
  - Set Password verification operation to ”Challenge response authentication”.
3. Enable the custom authentication chain.
Add the new custom authentication chain to the DEFAULT_LOGIN chain:
1. Click Policies > Authentication chains > Front-end login.
2. Disable the chain so that you can edit it.
3. Edit the select_chain module to add the new custom authentication chain to the list of Available chains.
4. Update and enable the DEFAULT_LOGIN chain.
Test the authentication by logging in as an end user associated with the target system.
You will be prompted for the DUO authentication methods that are available for the user and will depend on what the user has registered on the DUO Authentication server.
Here are a few examples of some of the available authentication methods that may be presented to the user:
- Phone call to authenticate from a key press
- SMS text message for a passcode
- Passcode from the Duo Mobile app
- Push notification to accept or deny from the Duo Mobile app

Troubleshooting

The following issues could occur:

Warning : Didn’t find user enrolled devices.
Warning: Can’t find user capabilities, check if it’s enrolled properly.
Ensure that:
- The DUO user has authentication methods available such as a phone number or endpoint enrolled on the DUO Authentication web service.
- The status for the DUO user is enabled and set to Active on the DUO Authentication web service.
Warning: Didn’t find user [<userid>].
Ensure that:
- The Administrator credentials that are added for the DUO Authentication target system are correct.
- The Server target system configuration parameter is correct.
Error: The server requires authentication. User name and password are missing.
Ensure that:
- The Server target system configuration parameter is correct.
- The Administrator credentials that are added for the DUO Authentication target system are correct.
- The time is synchronized on the Bravura Security Fabric server with a time server. The time must be accurate for proper integration between Bravura Security Fabric and DUO Authentication servers.
Warning: WinHttp got unexpected status code: 403.
Ensure that the Port target system configuration parameter is correct.
Warning: WinHttp got unexpected status code: 400.
Ensure that the Connection over SSL target system configuration parameter is correct.
Error: HttpQueryDataAvailable failed [12019].
Ensure that the HTTP Network Proxy target system configuration parameter is correct. Check that the API token was created in the same Application in the DUO admin console, and that API access was granted.
"message": "Invalid integration key in request credentials".
"code": 40102.
Ensure that the Server target system configuration parameter is correct.
"message": "Invalid signature in request credentials".
"code": 40103.
Ensure that the Administrator credentials that are added for the DUO Authentication target system are correct.
"message": "Bad request timestamp"
"code": 40105.
Ensure that the time is synchronized on the Bravura Security Fabric server with a time server. The time must be accurate for proper integration between the Bravura Security Fabric and DUO Authentication servers.
"status_msg": "No keypress detected. Please try again".
"result": "deny".
Challenge response authentication was attempted with a phone call and authentication was denied when no key press was performed.
"status_msg": "Incorrect passcode. Please try again ".
"result": "deny"
Challenge response authentication was attempted with a passcode (such as from the Duo Mobile app or an SMS text message) and an incorrect passcode was entered for authentication.
Error: Authentication denied. Login request denied. Failed to perform operation [challengeresponse].
Challenge response authentication was attempted with a push notification to the Duo Mobile app and the user chose to Deny the request from the app for authentication.
Warning: WinHttp got unexpected status code: 400".
message": "Invalid request parameters".
"code": 40002
An invalid phone number was provided when either adding a phone number when creating a new DUO user or when adding or modifying a phone number for an existing DUO user.
Warning: Failed in creating phone.
An invalid phone number was provided when adding a phone number when creating a new DUO user.
Warning: Parameter [pagesize] has range restriction: [1..300], using the maximum.
Ensure that the Records per page target system configuration parameter is set to a value between 1 and 300.

In this section: