Duo Security Authentication

Using this method of two-factor authentication requires that you have an active account for Duo Security.
Secret Server supports using Duo Security as a second factor of authentication. See below for setup instructions.
For more information on Duo and Secret Server, see the Delinea Secret Server and Duo page.

Important Duo Security Certificate Authority Changes

This temporary section includes important information that may affect your access to Secret Server. Please read it carefully.

Cisco Duo is replacing its root certificate authority (CA) bundle. The impact on you depends on the application type configured in your Duo Admin Panel. Follow the steps below:

Determine your Application Type

In the Duo Admin Panel, go to Applications > Applications and check the Application Type column.

Application Type | Action
Delinea Secret Server or Thycotic Secret Server | Minimal: Duo granted an automatic extension until March 31, 2026
Auth API, Web SDK, or other custom application | Urgent: authentication failures may begin February 2, 2026

If You Have a Published Secret Server

Secret Server uses Windows certificate validation, not embedded certificate pinning. Secret Server Cloud integrations require no changes. Secret Server On-Premises integrations continue to function as long as the web server receives regular Windows Updates to maintain current root CA certificates.

If You Have a Custom Application

Administrators using custom applications, such as Auth API or Web SDK, must take one of the following actions to avoid authentication failures:

  • Contact Duo (support@duo.com) to request an extension.
  • Switch to the published Delinea Secret Server application in the Duo Admin Panel, and update the credentials in Secret Server at Admin > Configuration > Login > Duo.

Key Dates

Date | Event
February 2, 2026 | Intermittent authentication failures begin for custom applications
March 31, 2026 | Duo rotates CA roots; servers with outdated root certificates fail to connect

For details, see Duo's knowledge base article.

Setup

Task 1: Create a Duo Application Representing Your Secret Server (Admin)

  1. Sign up for a new Duo account, or log in to an existing one at Duo Security.

  2. Under Applications, create a new application of the Delinea Secret Server type. Name the application as you wish.

  3. Record the API hostname, integration key, and secret key from the new Duo application you just created.

Task 2: Configure Secret Server to Use Duo (Admin)

Because Duo is a service, the Secret Server instance must have outbound access on TCP port 443 to the API host. If a firewall rule prevents access to Duo's servers, two-factor authentication will not work.
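The outbound-access requirement above and the Windows certificate validation described under "If You Have a Published Secret Server" can both be checked from the web server before enabling the integration. The following is an added example, not Delinea or Duo code; the function name Test-DuoApiTls and the hostname api-XXXXXXXX.duosecurity.com are placeholders, and the hostname must be replaced with the API hostname recorded in Task 1.

```powershell
# Added example (not vendor code). Run on the Secret Server web server.
function Test-DuoApiTls {
    param(
        [Parameter(Mandatory)][string]$ApiHostname,   # API hostname recorded in Task 1
        [int]$TimeoutMs = 5000
    )
    $r = [ordered]@{ ApiHostname = $ApiHostname; TcpReachable = $false; ChainTrusted = $false
                     LeafSubject = $null; LeafNotAfter = $null; ChainTop = $null; Error = $null }
    $client = [System.Net.Sockets.TcpClient]::new()
    $ssl = $null
    try {
        # 1. Outbound TCP 443: fails here if a firewall rule blocks the API host.
        if (-not $client.ConnectAsync($ApiHostname, 443).Wait($TimeoutMs)) {
            throw "TCP connect to ${ApiHostname}:443 timed out after $TimeoutMs ms"
        }
        $r.TcpReachable = $true

        # 2. TLS handshake using default Windows validation (no callback, no pinning).
        #    An untrusted chain or a name mismatch throws AuthenticationException.
        #    TLS 1.2 is requested explicitly so the result does not depend on the .NET default;
        #    revocation checking is off so blocked CRL/OCSP egress is not reported as a trust failure.
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($ApiHostname, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $r.ChainTrusted = $true

        # 3. Rebuild the chain to show which certificate it currently ends at.
        $leaf  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        [void]$chain.Build($leaf)
        $r.LeafSubject  = $leaf.Subject
        $r.LeafNotAfter = $leaf.NotAfter
        if ($chain.ChainElements.Count -gt 0) {
            $r.ChainTop = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
        }
    }
    catch {
        # Unwrap AggregateException / method-invocation wrappers to the underlying cause.
        $e = $_.Exception
        while ($e.InnerException) { $e = $e.InnerException }
        $r.Error = '{0}: {1}' -f $e.GetType().Name, $e.Message
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
    [pscustomobject]$r
}

Test-DuoApiTls -ApiHostname 'api-XXXXXXXX.duosecurity.com'   # placeholder hostname
```

TcpReachable = False points to a firewall or routing problem. TcpReachable = True with ChainTrusted = False points to the server's root CA store or TLS configuration.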

  1. Open the Administration page in Secret Server.

  2. Under Login, select Duo.

  3. Click Edit.

  4. Select the Enable Duo Integration check box.

  5. Enter the API Hostname, Integration Key, Use RADIUS Username for DUO, and Secret Key values.

  6. Click Save.

  7. Search for Users to create a test user. The Users page appears.

  8. Click the Create New button. The Add User window appears.

  9. Click the Two Factor dropdown list and select Duo.

  10. Type or select the other parameters for the new user.

  11. Log on as the test user. If there are multiple two-factor devices available, you will be prompted to select one. If you are un-enrolled, you will be given a link to perform self-enrollment. You are contacted via the Duo app, SMS, or a phone call for the second factor.

  12. Add or configure actual users one at a time or by using bulk operations.

Task 3: Setting up Duo (User)

  1. Log on to Secret Server.

  2. After successful authentication, a new screen appears with the option to select a method to authenticate with.

  3. Select one of the options (Duo Push, Send SMS, or Phone, depending on your setup with Duo) and complete the selected authentication process to log in.