Use DUO MFA

Duo Security two-factor authentication

Duo Security is a multifactor authentication (MFA) provider that confirms the identity of users and the health of their devices before the user connects to your applications. Duo supports push notifications, TOTP (time-based one-time password), SMS (text message), voice calls, and emails as second-factor authentication (2FA) methods, offered as a service.

Enterprise Application Access (EAA) provides remote access and MFA for on-premises applications and also integrates with Duo's 2FA services. If you use Duo as a 2FA solution for access to your applications, you only need to provide some Duo-specific information in Enterprise Application Access to allow the products to communicate and verify identity and access privileges.

Within the Duo application, a Duo administrator can generate a unique set of configuration parameters that the applications use to authenticate 2FA. These configuration parameters are then entered into the corresponding MFA fields in Enterprise Application Access. The configuration parameters are the following:

  • Integration key or ikey. A unique identifier that allows you to retrieve users' API keys based on email and password.

  • Secret key or skey. A unique identifier used for encryption of data.

  • API hostname. Your API hostname used for all API interactions with Duo. For example, api-XXXXXXXX.duosecurity.com.

The ikey and skey uniquely identify a specific application to Duo. API hostname is unique to your account, but shared by all of your applications.

  • Duo UserID attribute. When selected in Enterprise Application Access, it determines how the usernames listed in Duo appear. Choose one of the following:
    • Email
    • sAMAccountName
    • User Principal Name (UPN)
    • Domain/sAMAccountName

When you use the Enterprise Application Access Cloud directory or Open LDAP to authenticate users in the Login Portal, Enterprise Application Access supports only email as the Duo UserID attribute.

When you use Active Directory (AD) to authenticate users in the Login Portal, Enterprise Application Access supports all Duo UserID attributes.

All communication between the EAA Login Portal and Duo is secured with TLS. Enterprise Application Access validates the server certificate before sending any information or data to the Duo service.
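Before choosing a Duo UserID attribute, it helps to check each option against an export of the usernames already enrolled in Duo. The following Python is an added example, not Akamai or Duo code; it assumes the value of the selected attribute must match a Duo username, and the record field names, sample users, case-insensitive comparison, and the DOMAIN\user rendering of Domain/sAMAccountName are assumptions.

```python
# Added example: checks which Duo UserID attribute matches the usernames in Duo.
ATTRIBUTES = ("Email", "sAMAccountName",
              "User Principal Name (UPN)", "Domain/sAMAccountName")

# Per the page: Cloud directory and Open LDAP support only Email; AD supports all.
SUPPORTED = {"cloud": ("Email",), "openldap": ("Email",), "ad": ATTRIBUTES}


def duo_username(user, attribute):
    """Return the value the chosen Duo UserID attribute yields for one user."""
    if attribute == "Email":
        return user["mail"]
    if attribute == "sAMAccountName":
        return user["sAMAccountName"]
    if attribute == "User Principal Name (UPN)":
        return user["userPrincipalName"]
    if attribute == "Domain/sAMAccountName":
        # Assumption: domain and account name joined with a backslash.
        return user["domain"] + "\\" + user["sAMAccountName"]
    raise ValueError(f"unknown Duo UserID attribute: {attribute}")


def coverage(directory_type, users, duo_usernames):
    """Map each supported attribute to the users with no matching Duo username."""
    # Assumption: usernames are compared case-insensitively.
    enrolled = {name.casefold() for name in duo_usernames}
    report = {}
    for attribute in SUPPORTED[directory_type]:
        report[attribute] = [
            u["mail"] for u in users
            if duo_username(u, attribute).casefold() not in enrolled
        ]
    return report


# Constructed sample data (hypothetical field names and users).
USERS = [
    {"sAMAccountName": "asmith", "mail": "alice.smith@example.com",
     "userPrincipalName": "asmith@corp.example.com", "domain": "CORP"},
    {"sAMAccountName": "bjones", "mail": "bob.jones@example.com",
     "userPrincipalName": "bjones@corp.example.com", "domain": "CORP"},
]
DUO_USERNAMES = ["asmith", "alice.smith@example.com", "bjones"]

if __name__ == "__main__":
    for attr, missing in coverage("ad", USERS, DUO_USERNAMES).items():
        status = "OK" if not missing else "no Duo match for " + ", ".join(missing)
        print(f"{attr}: {status}")
```

An attribute whose list of unmatched users is empty is the one that lines up with the existing Duo enrollment.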

Integrate Duo MFA with EAA

To configure Duo Security two-factor authentication (2FA) in Enterprise Application Access (EAA), you need to set up an admin account in Duo and retrieve some key information to use when you configure Duo MFA in Enterprise Application Access.

To get more information about Duo 2FA, visit Duo web help.

  1. Create a Duo admin account and retrieve some key information.

    1. Create a Duo admin account.

    2. Follow the on-screen prompts to activate Duo Mobile.

    3. Go to the Duo Applications page.

    4. Locate the Duo application to protect and select it.

    5. To generate the Integration key, Secret key, and API hostname, click Protect an Application.

Next, configure Duo MFA in Enterprise Center. You can add Duo multi-factor authentication (MFA) to any EAA IdP you have configured. Duo MFA is configured similarly to, and works alongside, other EAA MFA options.

  1. Log in to Enterprise Center.

  2. In the Enterprise Center navigation menu, select Application Access > Identity & Users > Identity providers.

  3. Select the identity provider (IdP) you wish to configure or Add a new identity provider.

  4. In Settings, select IdP MFA Policy. This is an optional step to enable a global MFA policy.

  5. Select MFA factors to apply.

  6. Select Duo.
    The Duo configuration parameters appear.

  7. Enter Integration key, Secret key, and API hostname from previous steps.

  8. Select Duo UserID attribute.

  9. Click Save.

  10. Deploy the identity provider.

