Targeting the DUO Authentication system
For each DUO Authentication system, add a target system in Bravura Security Fabric (Manage the System > Resources > Target systems):
Type is DUO Authentication.
Address uses options described in the table below:
The full list of target parameters is explained in Target system options.
Option | Description |
---|---|
Options marked with a | |
Server | The domain name of the API hostname of the web server running the DUO Authentication web service. (key: server) |
Port | Default is 443. (key: port) |
Connection over SSL | Select to enforce SSL connections. Default is "true". (key: ssl) |
Validate the server’s certificate when connecting | Determines whether to validate the server’s security certificate for SSL connections. Default is "true". (key: checkCert) |
HTTP Network Proxy | Specifies a proxy URL to use for connecting. (key: proxy) |
Timeout for connection (in seconds) | Amount of time the connector will wait for a response. Default: 60. (key: timeout) |
Records per page | Affects the number of records returned during listing. The range must be between 1 and 300. Default: 100. (key: pagesize) |
Authentication methods order | Specify the order for the list of the multifactor authentication methods that are presented to a DUO user for challenge response authentication. See Setting the order for the DUO authentication methods for details. (key: authorder) |
Do asynchronous push | Make asynchronous push API calls instead of waiting for the API results. When this option is checked (set to "true"), authentication with a DUO push notification does not wait for the API results; after approving the push notification in the Duo Mobile app, the user must click the Continue button. When this option is unchecked (set to "false"), authentication waits for the API results and proceeds automatically, without further user interaction, once the push notification has been approved in the Duo Mobile app. Default is "true". (key: async_push) |
List Override | Provides the ability to override the default agent’s list operation functionality. Requires version 12.x or greater. (key: listOverride) |
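As a pre-deployment check on the options in the table above, the following added example (not Bravura Security code) reviews a set of target address options and reports settings that weaken the connection or fall outside the documented ranges. The option keys, defaults and the 1 to 300 range come from the table; the dict representation, the function names and the sample hostname are assumptions made for this example.

```python
# Defaults and keys as listed in the options table; dict form is an assumption.
DEFAULTS = {"port": "443", "ssl": "true", "checkCert": "true",
            "timeout": "60", "pagesize": "100"}
METHODS = ("push", "passcode", "sms", "phone")  # values listed on this page


def _int_in(cfg, key, low, high):
    """True when cfg[key] is a whole number within [low, high]."""
    value = str(cfg[key]).strip()
    return value.isdigit() and low <= int(value) <= high


def audit_target_address(options):
    """Return a list of findings for a dict of option key -> value."""
    cfg = {**DEFAULTS, **options}
    findings = []
    if not str(cfg.get("server", "")).strip():
        findings.append("server: API hostname is not set")
    if str(cfg["ssl"]).lower() != "true":
        findings.append("ssl: SSL is not enforced for the connection")
    if str(cfg["checkCert"]).lower() != "true":
        findings.append("checkCert: server certificate is not validated")
    if not _int_in(cfg, "port", 1, 65535):
        findings.append("port: not a valid TCP port")
    if not _int_in(cfg, "timeout", 1, 10**9):
        findings.append("timeout: must be a positive number of seconds")
    if not _int_in(cfg, "pagesize", 1, 300):
        findings.append("pagesize: must be between 1 and 300")
    seen = set()
    for method in cfg.get("authorder", []):
        if method in seen:
            findings.append(f"authorder: duplicate method '{method}'")
        elif method not in METHODS:
            findings.append(f"authorder: unknown method '{method}'")
        seen.add(method)
    return findings


if __name__ == "__main__":
    # Constructed sample: every weak or out-of-range setting in one address.
    sample = {"server": "duo-api.example.com", "ssl": "false",
              "checkCert": "false", "pagesize": "500",
              "authorder": ["push", "push", "voice"]}
    for finding in audit_target_address(sample):
        print(finding)
```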
Setting the administrator credentials
As described in Configuring administrative credentials, if both the Authentication API and the Administrative API have been configured, the DUO Authentication target requires a set of administrative credentials for each one.
For the first administrator, set the Administrator ID to the integration key and the Password to the secret key as configured for the DUO Authentication web service for the Authentication API.
For the second administrator, set the Administrator ID to the integration key and the Password to the secret key as configured for the DUO Authentication web service for the Administrative API. Also ensure that the System password checkbox is checked for this administrator.
Setting the order for the DUO authentication methods
The Authentication methods order option may be used to specify the order for the list of the multifactor authentication methods that are presented to a DUO user for challenge response authentication.
The order may be specified by either a list on the target address configuration page or from a file.
When you choose the list option, the fields for the multifactor authentication methods accept multiple values. To enter multiple values, select List from the drop-down list box displayed in front of these fields, and use the More button to add input boxes when more than one value is given. The value in each input box is treated as a single value, for example:
push
passcode
sms
phone
These values represent the following multifactor authentication methods:
Push notification to accept or deny from the Duo Mobile app
Passcode from the Duo Mobile app
SMS text message for a passcode
Phone call to authenticate from a key press
There is also an option to specify the authentication order in a file. To use the file, select the File option from the drop-down list and specify the file name in the field.
The file must be located in the <Program Files path>\Bravura Security\Bravura Security Fabric\<instance>\script\ directory and contain a list of the authentication order for the DUO multifactor authentication methods.
To specify the authentication order:
# KVGROUP-V2.0
authorder = {
  "push";
  "passcode";
  "sms";
  "phone";
};
The list of the multifactor authentication methods may be modified to re-order how they are presented to a user for challenge response authentication.
If the user has more multifactor authentication methods than are provided in the authentication methods order, the methods in the list are shown to the user first and the remaining methods are shown directly underneath them.
The authentication methods are listed first in the order of the user’s phone numbers or devices, and secondly in the order defined by Authentication methods order.
For example, if a user has both mobile phones and landline phones, the phone numbers across all devices will not necessarily be listed together. They are instead grouped first according to each phone number or set of devices.
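The ordering rules above can be checked against a planned authorder file before it is deployed. This added example (a model of the behaviour as described on this page, not the connector's own code) reads the authorder list from file content and computes the resulting order: grouped by device first, then by authorder, with unlisted methods underneath. The function names, device labels and phone numbers are constructed for the example, and the parsing handles only the file form shown above.

```python
import re

# Constructed file content in the form shown above, listing only two methods.
AUTHORDER_FILE = '''# KVGROUP-V2.0
authorder = {
  "sms";
  "push";
};
'''


def read_authorder(text):
    """Extract the quoted values of the authorder list, in file order."""
    body = re.search(r'authorder\s*=\s*\{(.*?)\}\s*;', text, re.S)
    if body is None:
        raise ValueError("no authorder list found")
    return re.findall(r'"([^"]*)"\s*;', body.group(1))


def presentation_order(devices, authorder):
    """devices: list of (label, [methods]) in the user's device order.

    Returns (label, method) pairs grouped by device first, then sorted by
    authorder; methods absent from authorder keep their original relative
    order underneath the listed ones.
    """
    rank = {method: i for i, method in enumerate(authorder)}
    result = []
    for label, methods in devices:
        # sorted() is stable, so unlisted methods stay in their given order.
        ordered = sorted(methods, key=lambda m: rank.get(m, len(rank)))
        result.extend((label, m) for m in ordered)
    return result


# Constructed sample user: one mobile phone and one landline.
DEVICES = [
    ("mobile +1 555 0100", ["push", "passcode", "sms", "phone"]),
    ("landline +1 555 0101", ["phone"]),
]

if __name__ == "__main__":
    for label, method in presentation_order(DEVICES, read_authorder(AUTHORDER_FILE)):
        print(f"{label}: {method}")
```

Note that the two phone entries are not adjacent in the result: the landline's phone method appears only after all of the mobile device's methods.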