Duo Security is an access security focused application that is primarily used for multi-factor authentication. One of the ways Duo Security can be used to verify users identities is using passcodes. Here, once the user has provided their username and password successfully, they have to authenticate themselves with Duo Security in one of three ways:
- By entering the passcode they receive via a push notification in the Duo Mobile app,
- By entering the passcode they receive through SMS,
- By answering a phone call received from Duo Security and following the instructions provided.
When an organization implements solutions for self-service actions like Active Directory password reset and account unlock, it intends to increase the users' productivity by allowing them to reset their own password without having to depend on the help-desk. It also aims at reducing the help-desk's workload by exempting them from the huge number of password reset and account unlock tickets that would have been raised otherwise.
While improved user productivity and reduced help-desk workload are results organizations should work towards, security should always be of prime importance. Self-service password resets and account unlocks can turn perilous for user accounts if they aren't completely secure. Implementing MFA with Duo Security and other methods ensures a user's identity is verified before they engage in resetting their password or unlocking their account.
ADSelfService Plus, an Active Directory self-service password management and single sign-on solution, offers self-service password reset along with multi-factor authentication (MFA) along with other features like self-service account unlock, enterprise single sign-on and password synchronization, password and account expiration notifications, and directory self-update
Aside from self-service password reset and account unlock ADSelfService Plus's MFA feature can also be used to secure:
- Windows, macOS, and Linux logins.
- Enterprise application logins through single sign-on (SSO).
- Self-update of Active Directory profile information, subscription to mail groups, and employee search using ADSelfService Plus.
The solution supports over 17 MFA methods including Duo Security, Google Authenticator, fingerprint authentication, RSA SecurID, and YubiKey Authenticator. Learn more about ADSelfService Plus and its Multi-factor Authentication feature.
Prerequisites
- Add the API hostname and admin console (for example, https://********.duosecurity.com) as a trusted site or intranet site in the users' machine if they are using older versions of Internet Explorer.
- Please follow these steps in the Duo Admin Panel to migrate from Web v2 SDK, which uses the traditional prompt, to Web v4 SDK, which employs the new Universal Prompt.
Web v4 SDK configuration steps
Note: It is required to have a secure connection to set up the Web v4 SDK authentication. Please make sure that you have enabled HTTPS in the product and Access URL.
- Log into your Duo Security account (for example, https://********.duosecurity.com) or sign up for a new account and log in.
- Go to Applications and click Protect an Application.
- Search for Web SDK and click Protect.
- Copy the Client ID, Client secret, and API hostname values.
- From the ADSelfService Plus admin portal, navigate to Configuration > Multi-factor Authentication > Duo Security.
- Select Web v4 SDK for Integration Type.
- Paste the Client ID, Client secret, and API hostname obtained from the Duo Admin Panel in the respective fields.
- Enter the same username pattern used in Duo Security in the Username Pattern field.
- Click Save.
Configuring Auth API for Web v4 configurations of Duo Security
- If configuring Auth API, follow these steps and obtain the Integration Key and Secret Key from the Duo Security portal.
- Under the Web v4 SDK configuration settings for Duo Security, click Advanced Settings to open up the Auth API configuration settings.
- Paste the Integration Key and Secret Key into the relevant fields, and click Save.
Configuring Device Management Portal settings for WebV4 configurations of Duo Security
The Duo Device Management Portal enables users to add or remove Duo-registered devices from the self-service portal. The Device Management Portal for Web v4 uses Duo's OIDC-based universal prompt with a redesigned UI that redirects users to Duo on a new tab. Here are the steps to configure the Duo Device Management portal:
- Log into Duo Security and go to Applications > Protect an Application.
- Search for Device Management Portal. Click Protect.
- Copy the Client ID and Client Secret from the Details section.
- Under the Web v4 SDK configuration settings for Duo Security, Click Advanced Settings to open the Device Management Portal settings.
- Paste the Client ID and Client Secret into the relevant fields and click Save.
Web v2 SDK configuration steps
- Log in to your Duo Security account (for example, https://********.duosecurity.com) or sign up for a new account and log in.
- Go to Applications and click Protect an Application.
- Search for Web SDK and click Protect.
- Copy the Integration key, Secret key, and API hostname values.
- In ADSelfService Plus, navigate to Configuration > Multi-factor Authentication > Duo Security.
- Select Web v2 SDK for Integration Type.
- Paste the Integration key, Secret key, and API hostname obtained from the Duo Admin Panel in the respective fields.
- Enter the same username pattern used in Duo Security in the Username Pattern field.
- Click Save.
Configuring Auth API for Web v2 configurations of Duo Security
- If configuring Auth API, follow these steps and obtain the Integration Key and Secret Key from the Duo Security portal.
- Under the Web v2 SDK configuration settings for Duo Security, click Advanced Settings to open the Auth API configuration settings.
- Paste the Integration Key and Secret Key into the relevant fields and click Save.
Configuring Device Management Portal settings for WebV2 configurations of Duo Security
The Device Management Portal for Web v2 uses a traditional Duo prompt which will be displayed in an iframe in ADSelfService Plus.
- Log into Duo Security and go to Applications > Protect an Application.
- Search for Device Management Portal. Click Protect.
- Copy the Integration key and Secret key from the Details section.
- Under the Web v2 SDK configuration settings for Duo Security, click Advanced Settings to open the Device Management Portal settings.
- Paste the Integration Key and Secret Key into the relevant fields and click Save.
Configuring Auth API in Duo Security
Configuring the Auth API in Duo Security is optional. Auth API configuration is used to verify the user's enrollment with Duo Security. If Auth API is not configured, then on deleting a user's enrollment in Duo Security, it is mandatory to manually remove the user's enrollment in ADSelfService Plus too. If not, the user will be added back to Duo Security when it is used for authentication in ADSelfService Plus.
Steps to be followed if configuring Auth API:
- Login to the Duo Security portal.
- Navigate to Applications and click Protect An Application.
- Search for Auth API. Click Protect this Application.
- Copy the Integration key and Secret key.
Steps to migrate to the new Universal Prompt
- In the Duo Admin Panel, select the Web SDK application, which was previously configured for ADSelfService Plus, and copy the Integration key, Secret key and API hostname values.
- Scroll down to the Universal Prompt section. The App Update Ready message will be displayed, indicating that Universal Prompt can now be activated for ADSelfService Plus.
- In ADSelfService Plus, navigate to Configuration > Multi-factor Authentication > Duo Security.
- Click Web v4 SDK and paste the Integration key, Secret key, and API hostname values in the Client ID, Client Secret, and API Host name fields respectively.
- Once the Web v4 SDK is configured in ADSelfService Plus and a user authenticates through the frameless Duo v4 SDK, the App Update Ready message in Duo Admin Panel will be updated and the New Prompt Ready message will be displayed.
- Select Show new Universal Prompt to activate the universal prompt for ADSelfService Plus.
Enable Duo Security for Active Directory password resets
- Go to Configuration → Self-Service → Multi-factor Authentication → MFA/TFA Settings. In the MFA for Reset/Unlock section, enter the number of authentication factors to be enforced, and select Duo Security along with the other authentication techniques
to be used.
Click Save Settings.
Enable Duo Security for Active Directory domain logins
To enable MFA for Active Directory domain logins: