
Creating a list file to support challenge-response authentication

If you use DUO Authentication as a challenge-response back end, you need a SQLite database list file that associates users during auto discovery, so that users can authenticate against the target system.

You can create the file by copying it from another target system, such as Active Directory.

For Bravura Security Fabric 12.4.0 and up, refer to "Creating a list file and copying data from other targets" for how to use the "Copy data from these targets, separated by commas, during auto-discovery" target system option to copy the listing data from one or more other targets into the list file for this target. This approach also uses the "Connector execution order" auto-discovery list and a post psupdate script for the target that you are copying data to.

Alternatively, you can use the List Override target address option to create the list file as noted below.

In this case, the List Override target address option and the listoverride.py sample script together copy the list file from the other target to a new list file for the DUO target automatically during auto-discovery.

You can configure this using the following steps:

  1. Copy the listoverride.py script from samples to the <Program Files path>\Bravura Security\Bravura Security Fabric\<instance>\script\ directory.

  2. Set the List Override target address option to the example noted below.

  3. Ensure that List accounts is checked in the target system settings.

  4. Set the Connector execution order for the targets.

If you copy the list file from another source, such as Active Directory, you must add a postHook specification to ensure that the values in the longid fields are replaced with those from shortid. The short IDs match those of users on the DUO Authentication target system.

In this case, where ADDN is the target ID of the target that you are copying from, set the List Override target address option to the following:

{action=copy;srcTargetId=ADDN;script=listoverride.py;postHook=replaceLongIdWithShortId;}

The source target must list first during auto-discovery. To configure this, click Maintenance > Auto discovery > Connector execution order and ensure that the source target is added and has a higher priority than the target that you are copying to.

The list file must contain accounts for all users who have accounts on DUO, and only those users.

  • If the DUO list file does not contain some accounts from the DUO target system, or the account does not associate to the user’s profile, then the option to use the authentication chain described in Use case: Adding DUO authentication will not be shown to that user.

  • If the DUO authentication method is the only one the user can choose at any step in the authentication chain, and there is no account associated, then login will fail.

  • If the DUO list file contains accounts which do not exist on the DUO target, users who do not have accounts will be presented with that option for authentication, and if they choose it, it will fail.

To verify that list association worked, run a report (Manage reports > Reports > Users > Accounts) for the DUO target after running auto discovery. If account association fails (the target’s account report shows accounts as "Unclaimed" instead of "Auto-associated"), verify that the longid listed for DUO accounts matches the ProfileID, or follow the section on account association.
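An offline check for the rule above that the list file holds every DUO user and no others, and that the postHook rewrote longid, as an added example that is not Bravura's code. The table and column names, the sample rows and the DUO username export are assumptions; this page does not document the list file's schema.

```python
import sqlite3

# Hypothetical layout: one table "account" with text columns "longid" and
# "shortid". Adjust these names to the schema of your actual list file.
TABLE, LONGID, SHORTID = "account", "longid", "shortid"


def audit_list_file(conn, duo_usernames):
    """Compare list-file rows with the usernames that exist on DUO."""
    rows = conn.execute(f"SELECT {LONGID}, {SHORTID} FROM {TABLE}").fetchall()
    duo = set(duo_usernames)
    listed = {longid for longid, _ in rows}
    return {
        # longid still differs from shortid: replaceLongIdWithShortId
        # did not rewrite this row.
        "hook_not_applied": sorted(l for l, s in rows if l != s),
        # On DUO but not in the list file: the DUO chain is not offered,
        # or login fails if DUO is the only method available.
        "missing_from_list": sorted(duo - listed),
        # In the list file but not on DUO: the option is offered and fails.
        "not_on_duo": sorted(listed - duo),
    }


def build_sample():
    """Constructed sample list file, held in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE {TABLE} ({LONGID} TEXT, {SHORTID} TEXT)")
    conn.executemany(
        f"INSERT INTO {TABLE} VALUES (?, ?)",
        [
            ("alice", "alice"),  # rewritten correctly
            ("CN=Bob Smith,OU=Staff,DC=example,DC=com", "bsmith"),  # not rewritten
            ("carol", "carol"),  # has no DUO account
        ],
    )
    return conn


# Constructed sample: usernames exported from the DUO target (assumed input).
SAMPLE_DUO_USERS = ["alice", "bsmith", "dave"]

if __name__ == "__main__":
    findings = audit_list_file(build_sample(), SAMPLE_DUO_USERS)
    for finding, ids in findings.items():
        print(f"{finding}: {ids}")
```

To run it against a real list file, open a copy of that file with sqlite3.connect() in place of build_sample().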

See Creating a list file to support challenge-response authentication for additional information on usage of the List Override options and the values that can be used for the option's KVGroup notation.