MFA Duo Security
If you are already a user of Duo Security Multi-factor or Two-factor authentication and would like to configure Privileged Access Management(PAM) to use Duo, then please perform the following steps.
Please note that you will need to be able to access and modify files on the System host computer. Contact your PAM System Administrator for assistance.
Pre-requisite:
PAM must be deployed with and configured to use its Federated Sign-In component in order to integrate with multi-factor authentication providers.
The System integration with Duo does not use the native Duo user directory; Duo Directory Sync is required.
User accounts are first authenticated against PAM (using AD or Local users) and then the second authentication is done solely through Duo.
- Log on to the PAM host computer.
- Open the file $PAM_HOME/web/conf/catalina.properties.
- Find the heading # Duo Security.
- Uncomment the following line only when a single global MFA for the entire PAM is desired:
- Edit the following lines by replacing the values after equals "=" with your specific Duo configuration parameters:
- When complete, save and close this file.
- Restart the service PamManagement.
#cas.authn.mfa.globalProviderId=mfa-duo
If you wish to enable different MFA providers for individual users or group, please read this article for additional information.
cas.authn.mfa.duo[0].duoSecretKey=duoSecretKey
cas.authn.mfa.duo[0].duoApplicationKey=duoApplicationKey|duoSecretKey
cas.authn.mfa.duo[0].duoIntegrationKey=duoIntegrationKey
cas.authn.mfa.duo[0].duoApiHost=duoApiHost
Use your same Duo Secret Key for both the cas.authn.mfa.duo[0].duoSecretKey= and cas.authn.mfa.duo[0].duoApplicationKey= parameters in the above configuration.
Once configured, refer to the following article MFA Login as a User for steps on how to use Duo MFA with PAM from an end user’s perspective.