Skip to main content

Configuring administrative credentials

Bravura Security Fabric uses DUO API tokens configured in the DUO Authentication administrative console to perform Bravura Security Fabric operations.

Different functionality is available through two different types of API tokens, and for full target functionality, both have to be collected from the DUO administrative console and used in the Bravura Security Fabric target system’s Credentials tab:

  • The DUO Admin API provides access to the user list, and requires the System password checkbox checked in the target Credentials.

  • The DUO Authentication API provides access to challenge-response operations, and requires the System password checkbox unchecked in target Credentials.

Each of these API tokens contains:

  • An integration key which is used as the Admin ID in the target system Credentials.

  • A secret key which is used as the Password in the target system Credentials.

Grant the required access privileges for the operations required by the integration.

  • For password management, "Grant read resource" is the only access privilege required.

  • If Bravura Security Fabric has to provision accounts or change attributes, "Grant write resource" is required as well.

If you are using the DUO Authentication target system only for challenge-response (as a module in an authentication chain to log into the product or allow a help desk user access to an end user’s profile), only the "Authentication API" is required. This will also mean:

  • Any tests done on the Test credentials tab of the target will always fail, because they are done with the DUO Admin API token.

  • The List accounts operation must be disabled on the target system’s General tab.

  • The list file for this target must be prepared out-of-band and placed in the instance’s \<instance>\psconfig\ directory. For example; if the DUO application lists its accounts from an Active Directory or other LDAP source that is reachable from the primary application node, target that system and use a psupdate plugin to copy it for this target system.

    See Creating a list file to support challenge-response authentication to learn how to prepare the list file.

In this section: