MFA Duo Security

If you already use Duo Security multi-factor or two-factor authentication and would like to configure Privileged Access Management (PAM) to use Duo, perform the following steps.

Please note that you will need to be able to access and modify files on the System host computer. Contact your PAM System Administrator for assistance.

Prerequisites:

PAM must be deployed with and configured to use its Federated Sign-In component in order to integrate with multi-factor authentication providers.

The System integration with Duo does not use the native Duo user directory; Duo Directory Sync is required.

User accounts are first authenticated against PAM (using AD or Local users) and then the second authentication is done solely through Duo.

  1. Log on to the PAM host computer.
  2. Open the file $PAM_HOME/web/conf/catalina.properties.
  3. Find the heading # Duo Security.
  4. Uncomment the following line only when a single global MFA for the entire PAM is desired:

    #cas.authn.mfa.globalProviderId=mfa-duo

    If you wish to enable different MFA providers for individual users or groups, please read this article for additional information.

  5. Edit the following lines by replacing the values after the equals sign "=" with your specific Duo configuration parameters:

    cas.authn.mfa.duo[0].duoSecretKey=duoSecretKey
    cas.authn.mfa.duo[0].duoApplicationKey=duoApplicationKey|duoSecretKey
    cas.authn.mfa.duo[0].duoIntegrationKey=duoIntegrationKey
    cas.authn.mfa.duo[0].duoApiHost=duoApiHost

    Use the same Duo Secret Key for both the cas.authn.mfa.duo[0].duoSecretKey= and cas.authn.mfa.duo[0].duoApplicationKey= parameters in the above configuration.

  6. When complete, save and close this file.
  7. Restart the service PamManagement.
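The following Python check is an added example, not part of the PAM product or its documentation. It reads the Duo section of catalina.properties as edited in the steps above and reports settings left at their placeholder, a mismatch between the secret and application keys, and whether the global MFA line is active; the function names and sample values are assumptions constructed for illustration.

```python
PREFIX = "cas.authn.mfa.duo[0]."
# Placeholder values exactly as they appear in the Duo section shown above.
PLACEHOLDERS = {
    "duoSecretKey": "duoSecretKey",
    "duoApplicationKey": "duoApplicationKey|duoSecretKey",
    "duoIntegrationKey": "duoIntegrationKey",
    "duoApiHost": "duoApiHost",
}
GLOBAL_KEY = "cas.authn.mfa.globalProviderId"

# Constructed sample: keys filled in, one placeholder left, global line commented.
SAMPLE = """# Duo Security
#cas.authn.mfa.globalProviderId=mfa-duo
cas.authn.mfa.duo[0].duoSecretKey=CONSTRUCTED-SECRET
cas.authn.mfa.duo[0].duoApplicationKey=CONSTRUCTED-SECRET
cas.authn.mfa.duo[0].duoIntegrationKey=CONSTRUCTED-IKEY
cas.authn.mfa.duo[0].duoApiHost=duoApiHost
"""

def parse_properties(text):
    """Return active key=value pairs; lines starting with # or ! are comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def check_duo_config(text):
    """Return findings for the Duo settings; never echoes the key values."""
    props = parse_properties(text)
    findings = []
    for name, placeholder in PLACEHOLDERS.items():
        value = props.get(PREFIX + name)
        if not value:
            findings.append(f"{name}: missing or empty")
        elif value == placeholder:
            findings.append(f"{name}: still the placeholder")
    if props.get(PREFIX + "duoSecretKey") != props.get(PREFIX + "duoApplicationKey"):
        findings.append("duoApplicationKey differs from duoSecretKey")
    if props.get(GLOBAL_KEY) != "mfa-duo":
        findings.append("globalProviderId is not mfa-duo: Duo is not the global provider")
    return findings

if __name__ == "__main__":
    print("\n".join(check_duo_config(SAMPLE)))
```

Pass the contents of $PAM_HOME/web/conf/catalina.properties to check_duo_config before restarting PamManagement. Findings name the setting only, so the output can be shared without exposing the Duo keys.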

Once configured, refer to the following article MFA Login as a User for steps on how to use Duo MFA with PAM from an end user’s perspective.