How can I set up Duo 2FA using ADManager Plus?

Objective 

Organizations looking to enhance login security using ADManager Plus can integrate Duo Security for two-factor authentication (2FA). This setup helps prevent unauthorized access, especially in environments with sensitive AD operations. This article explains how to configure Duo’s Web SDK, upgrade to the Universal Prompt for an improved user experience, and manage individual technician 2FA preferences, ensuring secure and flexible authentication for all user roles.

Prerequisites   

  • Access to a Duo Security admin account.

  • Administrative access to the ADManager Plus console.

  • Username patterns in Duo should match those used in ADManager Plus.

  • Duo Security Web SDK must be configured in ADManager Plus.

Note: Duo Security has deprecated the Web v2 SDK. It is recommended to switch to the Web v4 SDK with the Universal Prompt for continued support and improved user experience.

Steps to follow 

Step 1: Set up Duo Security using Web v2 SDK

  1. Log in to your Duo Security admin portal.

  2. Go to Applications and click Protect an Application.

  3. Search for Web SDK and click Protect.

  4. Copy the Integration Key, Secret Key, and API Hostname.

  5. In the ADManager Plus console, navigate to Delegation > Configuration > Logon Settings > Two Factor Authentication > expand Duo Security.

  6. Check Enable Duo Security and select Web v2 SDK as the Integration Type.

  7. Paste the copied Integration Key, Secret Key, and API Host Name into the corresponding fields in ADManager Plus.

  8. Enter the correct Username Pattern that matches your Duo configuration.

  9. Click Save.

Step 2: Upgrade to Duo Universal Prompt (Web v4 SDK)   

To switch from the Web v2 SDK (Traditional Prompt) to the Web v4 SDK (Universal Prompt), follow these steps:

  1. In the Duo admin panel, locate the Web SDK app, which is already configured for ADManager Plus.

  2. Scroll to the Universal Prompt section and confirm the App Update Ready message is visible.

  3. Copy the Integration Key, Secret Key, and API Hostname.

  4. In the ADManager Plus console, navigate to Delegation > Configuration > Logon Settings > Two Factor Authentication > expand Duo Security.

  5. Select Web v4 SDK as the Integration Type.

  6. Paste the Integration Key in the Client ID field, the Secret Key in the Client Secret field, and the API Host Name in the corresponding field.

  7. Once a user logs in with the updated SDK, the message in Duo will change to New Prompt Ready.

  8. Click Show new Universal Prompt in the Duo admin panel to enable Universal Prompt.
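
A pre-save check for the three values copied in Steps 1 and 2, added here as an example; it is not code from ADManager Plus or Duo. The function name check_duo_fields and the sample values are hypothetical, and the expected formats (20-character key starting with "DI", 40-character secret, api-XXXXXXXX hostname) are assumptions based on Duo's conventions, not statements from this article.

```python
import re

# Assumed value formats (Duo's conventions, not stated in the article):
# 20-character key starting with "DI", 40-character secret, and a hostname
# like api-XXXXXXXX.duosecurity.com (duofederal.com for Duo Federal).
IKEY_RE = re.compile(r"DI[A-Z0-9]{18}")
SKEY_RE = re.compile(r"[A-Za-z0-9]{40}")
HOST_RE = re.compile(r"api-[a-z0-9]+\.duo(security|federal)\.com")

# Constructed sample values, not real credentials.
SAMPLE_IKEY = "DI" + "A1B2C3D4E5F6G7H8I9"
SAMPLE_SKEY = "x" * 40
SAMPLE_HOST = "api-1a2b3c4d.duosecurity.com"


def check_duo_fields(client_id, client_secret, api_host):
    """Return a list of problems; field names only, never the secret values."""
    problems = []
    pasted = {"Client ID": client_id, "Client Secret": client_secret,
              "API Host Name": api_host}
    for name, value in pasted.items():
        if value != value.strip():
            problems.append(f"{name}: leading or trailing whitespace")
    cid, sec, host = (v.strip() for v in pasted.values())

    if SKEY_RE.fullmatch(cid) and IKEY_RE.fullmatch(sec):
        problems.append("Client ID and Client Secret appear to be swapped")
    else:
        if not IKEY_RE.fullmatch(cid):
            problems.append("Client ID: expected 20 characters starting with 'DI'")
        if not SKEY_RE.fullmatch(sec):
            problems.append("Client Secret: expected 40 alphanumeric characters")

    if "/" in host:
        problems.append("API Host Name: enter the bare hostname, no scheme or path")
    elif not HOST_RE.fullmatch(host.lower()):
        problems.append("API Host Name: expected api-XXXXXXXX.duosecurity.com")
    return problems


if __name__ == "__main__":
    for line in check_duo_fields(SAMPLE_SKEY, SAMPLE_IKEY, "https://" + SAMPLE_HOST):
        print(line)
```

Run it on the machine where the keys were copied and keep the Secret Key out of shell history and logs; the function reports which field looks wrong without echoing its contents.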

Step 3: Personalize your preferred 2FA method   

  1. In ADManager Plus, click My Account at the top-right.

  2. Select Manage my TFA settings from the left pane.

  3. Click Edit and choose your preferred 2FA method (e.g., Duo, Google Authenticator, Microsoft Authenticator).

  4. If you select a mobile app, scan the QR code and enter the verification code.

  5. Click Verify to confirm.

Note: If you use Duo Security and have replaced or lost your smartphone, remove the old Duo account and re-enroll by repeating the setup steps above.

Tips 

  • The More options section in Logon settings (under the Delegation module) lets help desk technicians who have access to it manage two-factor authentication (TFA) enrollment, including removing enrolled users.

  • You can enable the Trust this browser option to temporarily bypass 2FA prompts on trusted devices.

  • It's also possible to exclude specific technicians from 2FA, based on your organization’s requirements.
