Duo Authentication
This documentation is a detailed guide for setting up Duo authentication on the Delinea Platform.
The following procedures require copying and pasting information between Cisco Duo and the Delinea Platform. We recommend opening both applications before you begin, and keeping both open until you are finished.
For details on enabling MFA on the Delinea Platform, see Creating Identity Policies.
Prerequisites
- On the Delinea Platform, you will need to be a Platform Admin or have a role with the following permission:
  delinea.platform/identity/admin/manage
- In Duo, you must be an Administrator and have access to the Duo Admin Console where you can protect applications and create users.
Build a Universal Authenticator Duo Application
- In the Duo Admin Console, navigate to Applications.
- Select Add Application.
- Filter the list of applications by entering Web SDK.
- Copy and save the Client ID, Client secret, and API hostname. You will need these to configure Duo authentication on the Delinea Platform.
- Under Universal Prompt, ensure that Show new Universal Prompt is selected.
- (Optional) Configure policies per your requirements. Also see Duo Policies below.
- (Optional) Configure settings per your requirements. To enable self-service, see Duo’s Self-Service Portal documentation.
- Navigate to the Settings section and update the Name field to something your users would recognize, like Delinea Platform.
- Click Save.
Build an Auth API Duo Application
This feature is currently available only to customers participating in a Private Preview. If you'd like to participate and be among the first to try this feature, ask our support or account team for details.
- In the Duo Admin Console, navigate to Applications.
- Select Add Application.
- Filter the list of applications by entering Partner Auth API.
- Copy and save the Integration Key, Secret Key, and API hostname. You will need these to configure Duo authentication on the Delinea Platform.
- (Optional) Configure policies per your requirements. Also see Duo Policies below.
- (Optional) Configure settings per your requirements. To enable self-service, see Duo’s Self-Service Portal documentation.
- Navigate to the Basic Configuration section and update the Name field to something your users would recognize, like Delinea Platform.
- Click Save.
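Before pasting the Integration Key and Secret Key into the Delinea Platform, you can confirm that Duo accepts them. The following is an added example, not Delinea or Duo code; it assumes the application accepts standard Duo Auth API request signing (HMAC-SHA1 over date, method, host, path, and parameters) at /auth/v2/check, and the DUO_* environment variable names are hypothetical.

```python
import base64
import email.utils
import hashlib
import hmac
import json
import os
import urllib.error
import urllib.parse
import urllib.request

CHECK_PATH = "/auth/v2/check"  # assumption: standard Auth API credential-check endpoint

def canonical_request(date, method, host, path, params):
    """Build the newline-joined string that is signed with the Secret Key."""
    pairs = [
        f"{urllib.parse.quote(k, safe='~')}={urllib.parse.quote(v, safe='~')}"
        for k, v in sorted(params.items())
    ]
    return "\n".join([date, method.upper(), host.lower(), path, "&".join(pairs)])

def signed_headers(ikey, skey, host, method="GET", path=CHECK_PATH, params=None, date=None):
    """Return Date and HTTP Basic headers; the Basic password is the HMAC-SHA1 hex digest."""
    date = date or email.utils.formatdate()
    canon = canonical_request(date, method, host, path, params or {})
    sig = hmac.new(skey.encode(), canon.encode(), hashlib.sha1).hexdigest()
    token = base64.b64encode(f"{ikey}:{sig}".encode()).decode()
    return {"Date": date, "Authorization": f"Basic {token}"}

def check_credentials(ikey, skey, host, timeout=10):
    """True only if Duo answers stat == 'OK'; network failures raise URLError."""
    req = urllib.request.Request(f"https://{host}{CHECK_PATH}",
                                 headers=signed_headers(ikey, skey, host))
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp).get("stat") == "OK"
    except urllib.error.HTTPError:
        return False  # Duo rejected the keys or the signature (for example, HTTP 401)

if __name__ == "__main__":
    # Keep the Secret Key out of source code and shell history (hypothetical variable names).
    ok = check_credentials(os.environ["DUO_IKEY"], os.environ["DUO_SKEY"], os.environ["DUO_HOST"])
    print("Duo accepted the keys" if ok else "Duo rejected the keys")
```

The signature covers the Date header, so a workstation clock that is far off can cause a rejection even when the keys are correct.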
Add Duo to the Platform
Adding Duo as an MFA Provider
- Log in to the Delinea Platform.
- Navigate to the MFA Providers page.
- From the Add Provider button, select Duo.
- On the Add Duo page:
  - Enter a name.
  - Set the state to Enabled to activate the integration.
  - Ensure that the Duo Auth API configuration type is selected.
  - Enter the Integration Key copied from Duo.
  - Enter the Secret Key copied from Duo.
  - Enter the Client secret copied from Duo.
  - Click Add Provider.
Adding an Authentication Profile with Duo as an Authentication Challenge
For more information, see Creating Authentication Profiles.
- Navigate to the Authentication profiles page.
- Click Add Authentication Profile.
- Add a Profile name.
- Under Authentication challenges, select Duo Auth API or Duo Universal Prompt and other authentication challenges such as Password, as required.
Enabling the Authentication Profile in an Identity Policy
For more information on identity policies and how to set up, edit, and assign them, see Identity Policies.
- Navigate to the Identity policies page.
- Select the identity policy that should use Duo.
- In the Overview section, if the policy is not Enabled, select Edit, set the state to Enabled, and Save.
- Select Authentication.
- Next to Services, click Edit.
- Select Enable authentication policy controls.
- Click Default authentication profile.
- From the drop-down menu, select the authentication profile that has Duo configured as an authentication challenge.
- Click Save.
For more information, see Authentication Profiles.
When using authentication rules in identity policies, these rules may override the default authentication profile. For more information, see the Authentication Rules documentation.
Enrolling Duo Users
You are now ready to invite users to use Duo as an authentication method.
- In the Duo Admin Console, navigate to Users.
- Select the desired user.
- Click Send Enrollment Email. This action will send an email to the user with the necessary enrollment links. Users must complete enrollment with Duo to receive authentication challenges.
When adding a user to Duo, make sure to use the same username and email address they use on the Delinea Platform.
For details on enrolling users, see the Duo documentation, Duo Administration – Enroll Users.
For details on managing users, see the Duo documentation, Duo Administrators – Manage Users.
Duo Policies
To prevent users who have not yet enrolled in Duo from accessing the Delinea Platform, set the New User Policy to Deny Access.
For details, see Duo’s documentation on Users Policy Settings.