Duo Authentication

This documentation is a detailed guide for setting up Duo authentication on the Delinea Platform.

The following procedures require copying and pasting information between Cisco Duo and the Delinea Platform. We recommend opening both applications before you begin, and keeping both open until you are finished.

For details on enabling MFA on the Delinea Platform, see Creating Identity Policies.

Prerequisites

On the Delinea Platform, you will need to be a Platform Admin or have a role with the following permission: delinea.platform/identity/admin/manage
In Duo, you must be an Administrator and have access to the Duo Admin Console where you can protect applications and create users.

Build a Duo Application

In the Duo Admin Console, navigate to Applications.
Select Protect an Application.
Filter the list of applications by entering Web SDK.
In the Web SDK row, click Protect.
Copy and save the Client ID, Client secret, and API hostname. You will need these to configure Duo authentication on the Delinea Platform.
Under Universal Prompt, ensure that Show new Universal Prompt is selected.
(Optional) Configure policies per your requirements. Also see Duo Policies below.
(Optional) Configure settings per your requirements. To enable self-service, see Duo’s Self-Service Portal documentation.
Navigate to the Settings section and update the Name field to something your users would recognize, like Delinea Platform.
Click Save.

Add Duo to the Platform

Adding Duo as an MFA Provider

Log in to the Delinea Platform.
From the left navigation menu, click Settings, then click MFA Providers.
From the Add Provider button, select Duo.
On the Add Duo page:
1. Enter a name.
2. Set the state to Enabled to activate the integration.
3. Enter the API hostname copied from Duo.
4. Enter the Client ID copied from Duo.
5. Enter the Client secret copied from Duo.
Click Add Provider.

Adding an Authentication Profile with Duo as an Authentication Challenge

For more information, see Creating Authentication Profiles.

From the left navigation menu, click Settings, then click Authentication profiles.
Click Add Authentication Profile.
Add a Profile name.
Under Authentication challenges, select Duo and other authentication challenges such as Password, as required.

Enabling the Authentication Profile in an Identity Policy

For more information on identity policies and how to set up, edit, and assign them, see Identity Policies.

From the left navigation menu, click Access, then click Identity policies.
Select the identity policy that should use Duo.
In the Overview section, if the policy is not Enabled, select Edit, set the state to Enabled, and Save.
Select Authentication.
Next to Services, click Edit.
Select Enable authentication policy controls.
Click Default authentication profile.
From the drop-down menu, select the authentication profile that has Duo configured as an authentication challenge.
Click Save.

For more information see Authentication Profiles.

When using authentication rules in identity policies, these rules may override the default authentication profile. For more information, see the Authentication Rules documentation.

Enrolling Duo Users

You are now ready to invite users to use Duo as an authentication method.

In the Duo Admin Console, navigate to Users.
Select the desired user.
Click Send Enrollment Email. This action will send an email to the user with the necessary enrollment links. Users must complete enrollment with Duo to receive authentication challenges.

When adding a user to Duo, make sure to use the same username and email address they use on the Delinea Platform.

For details on enrolling users, see the Duo documentation, Duo Administration – Enroll Users.

For details on managing users, see the Duo documentation, Duo Administrators – Manage Users.

Duo Policies

To prevent users who have not yet enrolled in Duo from accessing the Delinea Platform, set the New User Policy to Deny Access.

For details, see Duo’s documentation on Users Policy Settings.