Preparation
Before you can target DUO Authentication, you must:
Synchronize the time on the Bravura Security Fabric server
Configure the DUO Authentication web service
Configure the administrative credentials (DUO API tokens)
Create a list file to support authentication, if required
Create a template account
These steps are detailed in the sections that follow.
Synchronizing the time on the Bravura Security Fabric server
Ensure that the clock on the Bravura Security Fabric server is synchronized with a time server (for example, through NTP).
The time must be accurate for proper integration between Bravura Security Fabric and the DUO Authentication server: every DUO API request carries a timestamp that is part of its signature, and DUO rejects requests whose timestamp is too far from its own clock.
Configuring DUO authentication
The agtduo connector uses the Authentication API for challenge-response authentication and the Administrative API to update and retrieve information from the DUO Authentication web service.
The Web SDK is used for communication with the Duo Mobile app.
The DUO MFA, DUO Access, and DUO Beyond editions all support the Administrative API.
These two sites outline how to set up the DUO Authentication web service for the Authentication API and the Administrative API:
The API hostname will later be used for the Server target address configuration parameter.
Configuring administrative credentials
Bravura Security Fabric uses DUO API tokens configured in the DUO Authentication administrative console to perform Bravura Security Fabric operations.
Different functionality is available through two different types of API tokens, and for full target functionality, both have to be collected from the DUO administrative console and used in the Bravura Security Fabric target system’s Credentials tab:
The DUO Admin API provides access to the user list, and requires the System password checkbox checked in the target Credentials.
The DUO Authentication API provides access to challenge-response operations, and requires the System password checkbox unchecked in target Credentials.
Each of these API tokens contains:
An integration key which is used as the Admin ID in the target system Credentials.
A secret key which is used as the Password in the target system Credentials.
Grant the required access privileges for the operations required by the integration.
For password management, "Grant read resource" is the only access privilege required.
If Bravura Security Fabric has to provision accounts or change attributes, "Grant write resource" is required as well.
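As an added example (not the agtduo connector's code and not Duo's own client library), the following Python shows how the integration key and secret key entered on the Credentials tab are used on the wire, and why the clock synchronization required in the earlier section matters. Duo's documented API signature (version 2) covers the request's Date header together with the HTTP method, host, path and sorted parameters, so a request signed while the server clock is skewed fails verification. The key, secret and host values are placeholders, and the five-minute skew window is an assumption for the example, not Duo's published tolerance.

```python
"""Added example: signing a Duo Auth/Admin API request with the integration
key (Admin ID) and secret key (Password) from the target's Credentials tab.

Duo's v2 signature: build a canonical string from the Date header, method,
host, path and the sorted URL-encoded parameters, HMAC-SHA1 it with the
secret key, and send "Authorization: Basic base64(ikey:hexdigest)".
Because the Date header is signed, a wrong server clock breaks every call.
"""
import base64
import hashlib
import hmac
from datetime import timezone
from email.utils import formatdate, parsedate_to_datetime
from urllib.parse import quote

# Constructed placeholders; real values come from the Duo admin console.
IKEY = "DIXXXXXXXXXXXXXXXXXX"                   # integration key -> Admin ID
SKEY = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeef"  # secret key -> Password
API_HOST = "api-xxxxxxxx.duosecurity.com"      # "Server target address"


def canonical_params(params):
    """Sort by key, RFC 3986-encode keys and values, join with '&'."""
    return "&".join(
        f"{quote(str(k), safe='~')}={quote(str(v), safe='~')}"
        for k, v in sorted(params.items())
    )


def canonicalize(date_header, method, host, path, params):
    """The five-line canonical string that Duo's v2 signature covers."""
    return "\n".join([date_header, method.upper(), host.lower(), path,
                      canonical_params(params)])


def sign_request(ikey, skey, host, method, path, params, date_header=None):
    """Return the Date and Authorization headers for one API call."""
    if date_header is None:
        date_header = formatdate(usegmt=True)  # RFC 2822 timestamp, now
    canon = canonicalize(date_header, method, host, path, params)
    sig = hmac.new(skey.encode(), canon.encode(), hashlib.sha1).hexdigest()
    auth = base64.b64encode(f"{ikey}:{sig}".encode()).decode()
    return {"Date": date_header, "Authorization": f"Basic {auth}"}


def decode_auth_header(header):
    """Split 'Basic base64(ikey:sig)' back into (ikey, sig) for inspection."""
    scheme, b64 = header.split(" ", 1)
    if scheme != "Basic":
        raise ValueError("unexpected auth scheme")
    ikey, sig = base64.b64decode(b64).decode().split(":", 1)
    return ikey, sig


def _as_utc(dt):
    # "-0000" parses as a naive datetime; treat it as UTC for comparison.
    return dt.replace(tzinfo=timezone.utc) if dt.tzinfo is None else dt


def date_within_skew(date_header, now_header, max_skew_seconds=300):
    """Server-side style check: is the signed Date close to 'now'?
    The 300-second window is an assumption for this example."""
    sent = _as_utc(parsedate_to_datetime(date_header))
    now = _as_utc(parsedate_to_datetime(now_header))
    return abs((now - sent).total_seconds()) <= max_skew_seconds


if __name__ == "__main__":
    # Two requests that differ only in their Date header get different
    # signatures; with the clock off, the Duo side computes a different
    # canonical string and rejects the call.
    params = {"username": "alice", "factor": "push", "device": "auto"}
    h1 = sign_request(IKEY, SKEY, API_HOST, "POST", "/auth/v2/auth", params,
                      "Tue, 21 Aug 2012 17:29:18 -0000")
    h2 = sign_request(IKEY, SKEY, API_HOST, "POST", "/auth/v2/auth", params,
                      "Tue, 21 Aug 2012 17:39:18 -0000")
    print(h1["Authorization"] != h2["Authorization"])
```

The Admin API token (System password checked) and the Authentication API token (System password unchecked) are signed the same way; only the key pair and the path prefix (/admin/v1/... versus /auth/v2/...) differ, which is why a test on the Test credentials tab, which uses the Admin token, says nothing about whether the Authentication token works.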
If you are using the DUO Authentication target system only for challenge-response (as a module in an authentication chain to log into the product or allow a help desk user access to an end user’s profile), only the "Authentication API" is required. This will also mean:
Any tests done on the Test credentials tab of the target will always fail, because they are done with the DUO Admin API token.
The List accounts operation must be disabled on the target system’s General tab.
The list file for this target must be prepared out-of-band and placed in the instance's \<instance>\psconfig\ directory. For example, if the DUO application lists its accounts from an Active Directory or other LDAP source that is reachable from the primary application node, target that system and use a psupdate plugin to copy its list file for this target system. See Creating a list file to support challenge-response authentication to learn how to prepare the list file.
Creating a list file to support challenge-response authentication
If you use the DUO Authentication as a challenge-response back end, you must have a SQLite database list file to associate users during auto discovery so that users can authenticate against the target system.
You can create the file by copying it from another target such as from an Active Directory or another target system.
For Bravura Security Fabric 12.4.0 and up, refer to Creating a list file and copying data from other targets for how to use the Copy data from these targets, separated by commas, during auto-discovery target system option to copy the listing data from one or more other targets into the list file for this target. This also makes use of the Connector execution order auto-discovery list as well as a post psupdate script for the target that you are copying data to.
Alternatively, you can use the List Override target address option to create the list file as noted below.
The List Override target address option along with the listoverride.py sample script is used in this case to automatically copy the list file during auto-discovery from the other target to a new list file for the DUO target.
You can configure this using the following steps:
Copy the listoverride.py script from samples to the <Program Files path>\Bravura Security\Bravura Security Fabric\<instance>\script\ directory.
Set the List Override target address option to the example noted below.
Ensure that List accounts is checked on the target system's General tab.
Set the Connector execution order for the targets.
If copying the list file from another source such as from Active Directory, a postHook specification must be added in order to ensure that the values from the longid fields are replaced with those from shortid. The short IDs match those of users on the DUO Authentication target system.
In this case and where ADDN is the target id from the target that you are copying from, set the List Override target address option to the following:
{action=copy;srcTargetId=ADDN;script=listoverride.py;postHook=replaceLongIdWithShortId;}
The source target must list first during auto-discovery. Configure by clicking Maintenance > Auto discovery > Connector execution order and ensuring that the source target is added and is at a higher priority than the target that you are copying to.
The list file must contain accounts for all users who have accounts on DUO, and only those users.
If the DUO list file does not contain some accounts from the DUO target system, or the account does not associate to the user’s profile, then the option to use the authentication chain described in Use case: Adding DUO authentication will not be shown to that user.
If the DUO authentication method is the only one the user can choose at any step in the authentication chain, and there is no account associated, then login will fail.
If the DUO list file contains accounts which do not exist on the DUO target, users who do not have accounts will be presented with that option for authentication, and if they choose it, it will fail.
To verify that list association worked, run a report (Manage reports > Reports > Users > Accounts) for the DUO target after running auto discovery. If account association fails (the target’s account report shows accounts as "Unclaimed" instead of "Auto-associated"), verify that the longid listed for DUO accounts matches the ProfileID, or follow the section on account association.
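The following Python is an added example, not Bravura's listoverride.py sample or its replaceLongIdWithShortId hook. It shows the reconciliation the warnings above describe: it builds a constructed SQLite list file as it would look when copied from an Active Directory-style target, applies the long-to-short ID replacement, and compares the result against a constructed DUO user list to report accounts that will not be offered DUO authentication (on DUO, missing from the list) and accounts that will be offered it but fail (in the list, missing on DUO). The table layout accounts(longid, shortid) and the DN-style long IDs are assumptions; this page does not describe the list file's schema.

```python
"""Added example: reconciling a DUO list file against the DUO user list.

Assumed schema (not documented on the page): one table
accounts(longid TEXT, shortid TEXT), where longid is the ID the source
target lists (an AD DN here) and shortid is the username DUO knows.
"""
import sqlite3

# Constructed DUO user list, as the Admin API would report it.
DUO_USERS = ["aadams", "bbrown", "dduke"]


def build_sample_list_file():
    """Constructed stand-in for a list file copied from an AD target."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE accounts (longid TEXT PRIMARY KEY, shortid TEXT)")
    con.executemany("INSERT INTO accounts VALUES (?, ?)", [
        ("CN=Alice Adams,OU=Staff,DC=example,DC=com", "aadams"),
        ("CN=Bob Brown,OU=Staff,DC=example,DC=com", "bbrown"),
        ("CN=Carol Cole,OU=Staff,DC=example,DC=com", "ccole"),  # not on DUO
    ])
    con.commit()
    return con


def replace_long_id_with_short_id(con):
    """Mimic the postHook: the DN is useless to DUO, so the short ID
    becomes the account's long ID before association runs."""
    con.execute("UPDATE accounts SET longid = shortid")
    con.commit()


def list_file_account_ids(con):
    """The account IDs that auto-discovery will try to associate."""
    return {row[0] for row in con.execute("SELECT longid FROM accounts")}


def reconcile(list_ids, duo_usernames):
    """Return (on DUO but missing from list, in list but not on DUO)."""
    duo = set(duo_usernames)
    return sorted(duo - set(list_ids)), sorted(set(list_ids) - duo)


def run_check(duo_usernames=DUO_USERS):
    """Reconcile before and after the ID replacement; returns both results."""
    con = build_sample_list_file()
    before = reconcile(list_file_account_ids(con), duo_usernames)
    replace_long_id_with_short_id(con)
    after = reconcile(list_file_account_ids(con), duo_usernames)
    con.close()
    return before, after


if __name__ == "__main__":
    before, after = run_check()
    # Before the hook every DN is "extra" and every DUO user is "missing":
    # no account would associate, so nobody is offered the DUO chain.
    print("without postHook:", before)
    # After the hook only the real discrepancies remain: dduke will not be
    # offered DUO authentication, ccole will be offered it and fail.
    print("with postHook:   ", after)
```

Run the same two-way comparison against the real list file and the DUO user export before enabling the authentication chain; an empty result on both sides is what the "Auto-associated" account report corresponds to.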
See Creating a list file to support challenge-response authentication for additional information on usage of the List Override options and the values that can be used for the option's KVGroup notation.
Creating a template account
Bravura Security Fabric uses template accounts as models or "blueprints" for creating new accounts in DUO Authentication. The following example illustrates how you can create a template account in DUO Authentication:
Log in to the DUO Authentication administrative web site.
Click Users.
Click Add User.
Enter a value for Username for the user ID.
Click Add User.
Fill in values for the Real Name and Email as required.
Click Save Changes.