Guide
TrainingSupportCommunity

Use DUO MFA

Suggest Edits

Duo Security two-factor authentication

Duo Security is a multi-factor authentication (MFA) provider that confirms the identity of users and the health of their devices before the user connects to your applications. Duo supports push notifications, TOTP (time-based one-time password), SMS (text message), voice calls, and emails as second factor authentication (2FA) features as a service.

Enterprise Application Access (EAA) provides remote access and MFA for on premise applications and also integrates with Duo’s 2FA services. If you use Duo as a 2FA solution for access to your applications, you simply need to provide some Duo-specific information in Enterprise Application Access to allow the products to communicate and verify identity and access privileges.

Within the Duo application, a Duo administrator can generate a unique set of configuration parameters that the applications use to authenticate 2FA. These configuration parameters are then entered into the Enterprise Application Access corresponding MFA fields. The configuration parameters are the following:

  • Integration key or ikey. A unique identifier that allows you to retrieve users' API keys based on email and password.

  • Secret key or skey. A unique identifier is used for encryption of data.

  • API hostname. Your API hostname used for all API interactions with Duo. For example, api-XXXXXXXX.duosecurity.com.

The ikey and skey uniquely identify a specific application to Duo. API hostname is unique to your account, but shared by all of your applications.

  • Duo UserID attribute. When selected in Enterprise Application Access determines how the usernames listed in Duo appear. Choose one of the following:
  • Email
  • SAM account name
  • User principal name (UPN)
  • Domain/SAM account name

When you use the Enterprise Application Access Cloud directory or Open LDAP to authenticate users in the Login Portal, Enterprise Application Access supports only email as the Duo UserID attribute.
When you use the Active Directory (AD) to authenticate users in the Login Portal, Enterprise Application Access supports all Duo UserID attributes.
All communication between EAA Login Portal and Duo is secured with TLS. Enterprise Application Access validates the server certificate before sending any information or data to the Duo service.

Integrate Duo MFA with EAA

To configure Duo Security two-factor authentication (2FA) in Enterprise Application Access (EAA) you need to set up and admin account in Duo and retrieve some key information to use it in configuration of Duo MFA in Enterprise Application Access.

  1. Create Duo admin account and retrieve some key information.

    1. Create a Duo admin account.

    2. Follow the on-screen prompts to activate Duo Mobile.

    3. Go to the Duo Applications page.

    4. Locate the respective Duo application to protect and select.

    5. To generate the Integration key, Secret key, and API hostname, click Protect an Application.

Next, configure Duo MFA in Enterprise Center. You can add Duo multi-factor authentication (MFA) to any EAA IdP you have configured. Duo MFA is configured similar to, and works alongside, other EAA MFA options.

  1. Log in to Enterprise Center.

  2. In the Enterprise Center navigation menu, select Application Access > Identity & Users > Identity providers.

  3. Select your identity provider (IdP) you wish to configure or Add a new identity provider.

  4. In Settings select IDP Login Requires MFA. It's an optional step to enable this setting.

a. Select MFA factors to apply.

b. Select Duo.
The Duo configuration parameters appear.

Note: You can also select Email, TOTP, SMS, or Akamai MFA as a second factor along with DUO.

c. Enter Integration key, Secret key, and API hostname from previous steps.

d. Select Duo UserID attribute.

  1. Set MFA Verification Trust Duration. The user is prompted for MFA verification the very first time they use the browser. Then, within the trust duration period, the user is exempt from MFA challenge if they use the same browser. The default is 365 days.

  2. Go to the Directories tab.

a. Click Add Directory. Select the directory where you have added the Login Preference to match the DUO UserID attribute. You can also add the EAA Cloud Directory.

  1. Click Save.

  2. Deploy the identity provider.

If you configured multiple MFA methods, also see Configure end-user's device to receive MFA tokens to learn how end users can receive MFA tokens on their device and configure the primary method.

Updated 7 months ago