Integration with Duo Security
If you are already a user of Duo Security Multi-factor or Two-factor authentication and would like to configure PAM to use Duo, then please perform the following steps.
Please note that you will need to be able to access and modify files on the PAM host computer. Contact your PAM System Administrator for assistance.
Pre-requisite: PAM must be deployed with and configured to use its Federated Sign-In component in order to integrate with multi-factor authentication providers.
The PAM integration with Duo does not use the native Duo user directory, so Duo Directory Sync is required. User accounts are first authenticated against PAM (using AD or Local users) and the second authentication is then done solely through Duo.
- Log on to the PAM host computer.
- Open the file $PAM_HOME/web/conf/catalina.properties
- Uncomment the following line only when a single global MFA for the entire $PAM_HOME is desired:
  #cas.authn.mfa.globalProviderId=mfa-duo
- Edit the following lines by replacing the values after "=" with your specific Duo configuration parameters. To generate the required keys in Duo, please refer to this Duo guide, which describes how to create the Auth API application (steps 1-3).
  cas.authn.mfa.duo[0].duoSecretKey=duoSecretKey
  cas.authn.mfa.duo[0].duoApplicationKey=duoApplicationKey|duoSecretKey
  cas.authn.mfa.duo[0].duoIntegrationKey=duoIntegrationKey
  cas.authn.mfa.duo[0].duoApiHost=duoApiHost
  Use your same Duo Secret Key for both the cas.authn.mfa.duo[0].duoSecretKey= and cas.authn.mfa.duo[0].duoApplicationKey= parameters in the above configuration.
- When complete, save and close this file.
- Restart the service PamManagement.
If you wish to enable different MFA providers for individual users or group, please read this article for additional information.
Adding Additional Duo Integrations
In the case where more than one Duo instance is to be used for MFA services, you may configure two or more unique Duo instances for your PAM deployment.
To add additional Duo instances:
- Log on to the System host computer.
- Open the file $PAM_HOME/web/conf/catalina.properties in a text editor.
- Locate the section where you defined your first Duo integration and add this new section below it. Change the values shown in red (the placeholder values after "=") to those specific to your second Duo instance:
  # Duo Authenticator (Second instance config)
  #cas.authn.mfa.globalProviderId=mfa-duo
  cas.authn.mfa.duo[1].duoSecretKey=duoSecretKey
  cas.authn.mfa.duo[1].rank=0
  cas.authn.mfa.duo[1].duoApplicationKey=duoApplicationKey|duoSecretKey
  cas.authn.mfa.duo[1].duoIntegrationKey=duoIntegrationKey
  cas.authn.mfa.duo[1].duoApiHost=duoApiHost
  cas.authn.mfa.duo[1].trustedDeviceEnabled=false
  cas.authn.mfa.duo[1].id=mfa-duo-UniqueName
  cas.authn.mfa.duo[1].name=XTAMDuo
- When complete, save and close this file.
- Restart the PamManagement/pammanager service.
- When the service comes back online, log in to the System and navigate to Administration > MFA. In the Provider dropdown menu, you will now see your two Duo instances, which you can use to assign your users and groups to their respective Duo instance.
Please note that the index for your second configuration is [1] vs [0] for your first. If you have a third, the index for that would be [2], fourth would be [3], etc.
You must identify each Duo configuration with a unique ID defined by cas.authn.mfa.duo[n].id=, as this is what will be displayed on PAM's MFA page as the Provider and what you will select to assign users or groups to their Duo instance. The user assignment is created using the ID value of your configuration, so if you change the ID later, you must manually reassign all users and groups from the original provider ID to the new provider ID.
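As an added example (not part of the PAM product or this article), the following script checks the cas.authn.mfa.duo[n].* entries in a catalina.properties file for the mistakes described above: indices that do not start at [0] or skip a number, a missing required key, a duoApplicationKey whose part after "|" differs from duoSecretKey, an id reused by two instances, and a globalProviderId left uncommented while more than one instance is defined. The function names and the sample property values in the comments are assumptions constructed for the example.

```python
"""Sanity-check the Duo MFA entries in a PAM catalina.properties file.

Added example, not the product's own code. Property names follow the
article; the check rules are the ones the article states. Sample values
used for testing are constructed (e.g. duoSecretKey=s0).
"""
import re
from collections import defaultdict

# Matches e.g. cas.authn.mfa.duo[1].duoApiHost=api-x.duosecurity.com
DUO_LINE = re.compile(r"^cas\.authn\.mfa\.duo\[(\d+)\]\.(\w+)\s*=\s*(.*)$")
REQUIRED = {"duoSecretKey", "duoApplicationKey", "duoIntegrationKey", "duoApiHost"}


def parse_duo_config(text):
    """Return ({index: {key: value}}, global_provider_is_uncommented)."""
    instances = defaultdict(dict)
    global_set = False
    for raw in text.splitlines():
        line = raw.strip()
        # A line starting with '#' is a comment and is ignored by this check.
        if line.startswith("cas.authn.mfa.globalProviderId="):
            global_set = True
            continue
        m = DUO_LINE.match(line)
        if m:
            instances[int(m.group(1))][m.group(2)] = m.group(3).strip()
    return dict(instances), global_set


def check_duo_config(text):
    """Return a list of human-readable problems; an empty list means OK."""
    instances, global_set = parse_duo_config(text)
    problems = []
    if sorted(instances) != list(range(len(instances))):
        problems.append("indices must be contiguous and start at [0]")
    ids = defaultdict(list)
    for idx, props in sorted(instances.items()):
        for key in sorted(REQUIRED - set(props)):
            problems.append(f"duo[{idx}] is missing {key}")
        if "duoApplicationKey" in props and "duoSecretKey" in props:
            # The article's form is duoApplicationKey|duoSecretKey, same secret.
            _, sep, secret = props["duoApplicationKey"].partition("|")
            if not sep or secret != props["duoSecretKey"]:
                problems.append(f"duo[{idx}] duoApplicationKey must end with '|' + duoSecretKey")
        if "id" in props:
            ids[props["id"]].append(idx)
    for pid, idxs in ids.items():
        if len(idxs) > 1:
            problems.append(f"id {pid!r} is reused by duo{idxs}")
    if global_set and len(instances) > 1:
        problems.append("globalProviderId is set but more than one Duo instance is defined")
    return problems
```

Run it as `check_duo_config(open("$PAM_HOME/web/conf/catalina.properties").read())` after editing and before restarting PamManagement; an empty result means none of the listed mistakes were found.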
Once configured, refer to the following article, Duo Security MFA – How to Login to Privileged Access Manager as a User, for steps on how to use Duo MFA with PAM from an end user's perspective.