Reference Material | Duo

Configuring Duo with Specops Authentication for uReset will extend Duo Security’s two-factor authentication system to uReset users.

There are two ways to connect to Duo, Web SDK and Auth API. Auth API is the newer of the two and is used by all new customers, To check which method you are using, perform the following steps:

  1. Log in to the Specops Authentication web: https://login.specopssoft.com/authentication/admin
  2. Select Identity Services in the left sidebar navigation, then select Duo.
  3. Make sure it says “Auth API”.

Configuring Duo with Web SDK

Note: Web SDK is only available to customers who started using Duo prior to the 8.16 release of Specops Authentication. Customers who start using Duo from 8.16 onwards must use Auth API (see below) to configure Duo.

Pre-requisites: The Owner, Administrator, or Application Manager Administrative Roles are required in Duo.

  1. Log in to the Specops Authentication web: https://login.specopssoft.com/authentication/admin
  2. Select Identity Services in the left sidebar navigation, then select Duo.
  3. Select Enable, then in the pop-up select Enable again. This will make the service available for use in Specops services.
  4. Log into the Duo Admin Panel.

    Duo Administration page

    Duo administration page

  5. Select Applications in the left sidebar navigation, then select Protect an Application.
  6. The next page shows a list of the different types of services that can be integrated with Duo Security. In the list, find Web SDK and select Protect this application.
  7. Set a policy for the application by using an existing one or creating a new one.
    Note: the New User Policy setting should be set to Require enrollment. Allow access without 2FA will allow users to bypass Duo Security without authenticating. Deny access will block users from authenticating with Duo Security.
    Note: the Group Access Policy setting should be set to No action. As with the New User Policy, it cannot be set to Allow access without 2FA or Deny access.
  8. Configure the Settings and enter a name.
  9. Select Save.
  10. From the Details section, copy the Integration key, Secret key, and API hostname into their corresponding fields in the Specops Authentication client.
    Note: the Attribute name field can be left blank to use the default Active Directory attribute (sAMAccountName), unless you need to use a different AD attribute.
  11. Select Test connection. If the connection was successful, a message saying Connection test successful will apear.

    Successful test connection

    Successful test connection

  12. Select Save.

To add Duo to your policy

  1. Select Secure Service Desk in the left sidebar navigation, then select Configure in the Policies section.
  2. Drag Duo from the Unselected Identity Services section to the Selected Identity Services section, and configure Weight, Required and Protected settings.
  3. Select Save.
Configuring Duo with Auth API

Note: Customers who started using Duo prior to the 8.16 release of Specops Authentication have the option to revert back to using Web SDK for configuring Duo.

Pre-requisites: The Owner, Administrator, or Application Manager Administrative Roles are required in Duo.

  1. Log in to the Specops Authentication web: https://login.specopssoft.com/authentication/admin
  2. Select Identity Services in the left sidebar navigation, then select Duo.
  3. Select Enable, then in the pop-up select Enable again. This will make the service available for use in Specops services.
  4. Log into the Duo Admin Panel.
  5. Select Applications in the left sidebar navigation, then select Protect an Application.
  6. The next page shows a list of the different types of services that can be integrated with Duo Security. In the list, find Partner Auth API and select Protect this application.
  7. Set a policy for the application by using an existing one or creating a new one.
    Note: the New User Policy setting should be set to Require enrollment. Allow access without 2FA will allow users to bypass Duo Security without authenticating. Deny access will block users from authenticating with Duo Security.
    Note: the Group Access Policy setting should be set to No action. As with the New User Policy, it cannot be set to Allow access without 2FA or Deny access.
  8. Configure the Settings and enter a name.
  9. Select Save.
  10. From the Details section, copy the Integration key, Secret key, and API hostname into their corresponding fields in the Specops Authentication client.
    Note: the Attribute name field can be left blank to use the default Active Directory attribute (sAMAccountName), unless you need to use a different AD attribute.
  11. Select your desired setting for Auto-enroll users in Specops Authentication. Setting it to yes will automatically enroll all users.

    Note: In order to use Duo with Quick Verification, this setting must be set to Yes

  12. Select Test connection. If the connection was successful, a message saying Connection test successful will apear.

    Successful test connection

    Successful test connection

  13. Select Save.

To add Duo to your policy

  1. Select Secure Service Desk in the left sidebar navigation, then select Configure in the Policies section.
  2. Drag Duo from the Unselected Identity Services section to the Selected Identity Services section, and configure Weight, Required and Protected settings.
  3. Select Save.
Using Duo with Quick Verification

Quick Verification can only be used with Auth API. Note that when the Auto-enroll users in Specops Authentication setting is set to No, you can not use Quick Verification (or Advanced Verification) for users who have not enrolled with Duo.

Note: customers using Web SDK to configure Duo are not able to use Duo for Quick Verification. It will only be availabe as an Advanced Verification.