Duo Authentication

This topic describes how to add a Duo MFA challenge to Platform login. After entering their password, users see a Duo prompt (push notification, passcode, etc.) before gaining access.

The following procedures require copying and pasting information between Cisco Duo and the Delinea Platform. Open both applications before you begin, and keep both open until you finish.

For details on enabling MFA on the Delinea Platform, see Creating Identity Policies.

Support Scope

The Delinea Platform supports Duo in one officially validated configuration:

Duo as an MFA provider — Platform can prompt users for Duo multi-factor authentication during login. This works the same way Duo MFA works in Secret Server. Configuration steps are documented and supported by Delinea Support. Customers who want Duo-based login should configure Duo as an MFA provider, not as a federated IdP.

The Delinea Platform does not officially support Duo as a federated identity provider (IdP):

  • Duo SAML federation — Because Duo is not a traditional IdP (it relies on a separate identity source such as Active Directory), using Duo as a SAML federation provider with Platform is not a validated configuration. Although the Delinea documentation includes a Duo SAML integration topic, it links to Duo's generic SSO documentation and does not provide Delinea-tested setup steps. Delinea Development has not set up or verified this configuration.

  • Duo OIDC federation — No documentation or validated configuration exists for using Duo as an OIDC provider with Platform.

Customers who need federated SSO should use a supported IdP (such as Okta, Microsoft Entra ID, Google, or Ping Identity) and can layer Duo MFA on top through that IdP's own Duo integration.

If a customer chooses to configure Duo SAML or OIDC federation on their own, Delinea Support can offer very limited assistance. Troubleshooting the Duo-side configuration is outside Delinea's support scope.

Duo Application Types and Authentication Profiles

Duo offers two application types that integrate with the Delinea Platform. Each application type corresponds to a different authentication challenge option in a Delinea Platform authentication profile.

Duo Application Auth Profile Challenge Credentials Description
Web SDK Duo Universal Prompt Client ID, Client secret, API hostname Duo's current recommended integration. Uses a browser-based redirect flow to present the Duo Universal Prompt, which supports the full range of Duo authentication methods including WebAuthn/FIDO2 security keys. Provides a customizable, mobile-friendly experience.
Partner Auth API Duo Auth API Integration Key, Secret Key, API hostname A server-side authentication flow. This is a legacy integration pattern that may be required for non-browser-based authentication scenarios.

Administrators should create the Duo application that corresponds to the authentication challenge they plan to use. To use both authentication challenges, create both Duo applications.

Duo recommends the Universal Prompt (Web SDK) for new integrations. For more information, see the Duo Universal Prompt documentation.

Prerequisites

  • On the Delinea Platform, an administrator must be a Platform Admin or have a role with the following permission: delinea.platform/identity/admin/manage

  • In Duo, an administrator must have access to the Duo Admin Console with permissions to protect applications and create users.

Build a Universal Authenticator Duo Application

This procedure creates the Web SDK application in Duo. The credentials generated here are used when an authentication profile is configured with the Duo Universal Prompt challenge type.

  1. In the Duo Admin Console, navigate to Applications.

  2. Select Add Application.

  3. Filter the list of applications by entering Web SDK.

  4. In the Web SDK row, click Add.

  5. Copy and save the Client ID, Client secret, and API hostname. These values are required to configure Duo authentication on the Delinea Platform.

  6. Under Universal Prompt, ensure that Show new Universal Prompt is selected.

  7. (Optional) Configure policies per your requirements. Also see Duo Policies below.

  8. (Optional) Configure settings per your requirements. To enable self-service, see Duo's Self-Service Portal documentation.

  9. Navigate to the Settings section and update the Name field to something users recognize, such as Delinea Platform.

  10. Click Save.

Build an Auth API Duo Application

This procedure creates the Partner Auth API application in Duo. The credentials generated here are used when an authentication profile is configured with the Duo Auth API challenge type.

  1. In the Duo Admin Console, navigate to Applications.

  2. Select Add Application.

  3. Filter the list of applications by entering Partner Auth API.

  4. In the Partner Auth API row, click Add.

  5. Copy and save the Integration Key, Secret Key, and API hostname. These values are required to configure Duo authentication on the Delinea Platform.

  6. (Optional) Configure policies per your requirements. Also see Duo Policies below.

  7. (Optional) Configure settings per your requirements. To enable self-service, see Duo's Self-Service Portal documentation.

  8. Navigate to the Basic Configuration section and update the Name field to something users recognize, such as Delinea Platform.

  9. Click Save.

Add Duo to the Platform

Add Duo as an MFA Provider

  1. Log in to the Delinea Platform.

  2. Navigate to the MFA Providers page.

  3. From the Add Provider button, select Duo.

  4. On the Add Duo page:

    1. Enter a name.

    2. Set the state to Enabled to activate the integration.

    3. Ensure that the Duo Auth API configuration type is selected.

    4. Enter the Integration Key copied from Duo.

    5. Enter the Secret Key copied from Duo.

    6. Enter the Client secret copied from Duo.

    7. Click Add Provider.

Add an Authentication Profile with Duo as an Authentication Challenge

The authentication challenge selected in this procedure determines which Duo authentication flow users experience at login. Duo Universal Prompt uses the Web SDK application credentials; Duo Auth API uses the Partner Auth API application credentials. For details on how these options map to Duo applications, see Duo Application Types and Authentication Profiles.

For more information, see Creating Authentication Profiles.

  1. Navigate to the Authentication profiles page.

  2. Click Add Authentication Profile.

  3. Enter a profile name.

  4. Under Authentication challenges, select Duo Auth API or Duo Universal Prompt and other authentication challenges such as Password, as required.

Enable the Authentication Profile in an Identity Policy

For more information on identity policies and how to set up, edit, and assign them, see Identity Policies.

  1. Navigate to the Identity policies page.

  2. Select the identity policy that should use Duo.

  3. In the Overview section, if the policy is not enabled, select Edit, set the state to Enabled, and click Save.

  4. Select Authentication.

  5. Next to Services, click Edit.

  6. Select Enable authentication policy controls.

  7. Click Default authentication profile.

  8. From the drop-down menu, select the authentication profile that has Duo configured as an authentication challenge.

  9. Click Save.

For more information see Authentication Profiles.

When using authentication rules in identity policies, these rules may override the default authentication profile. For more information, see the Authentication Rules documentation.

Enroll Duo Users

After configuring Duo on the Platform, administrators can invite users to enroll in Duo authentication.

  1. In the Duo Admin Console, navigate to Users.

  2. Select the desired user.

  3. Click Send Enrollment Email. Duo sends the user an email with enrollment links. Users must complete enrollment to receive authentication challenges.

When adding a user to Duo, use the same username and email address the user has on the Delinea Platform.

For details on enrolling users, see the Duo documentation, Duo Administration – Enroll Users.

For details on managing users, see the Duo documentation, Duo Administrators – Manage Users.

Duo Policies

To prevent users who have not yet enrolled in Duo from accessing the Delinea Platform, set the New User Policy to Deny Access.

For details, see Duo's documentation on Users Policy Settings.