
Duo Security Configuration

Duo Security is a popular online service providing push- and code-based MFA confirmation using a proprietary mobile app. This software uses the second factor authentication provided by a configured Duo Security integration to verify that users logging in to the application hold a physical device registered to them.

The software supports multiple MFA providers assigned to different users and groups for the purpose of system authentication as well as a default MFA provider.

Create Duo Security Integration

Integrating Duo with 12Port requires creating an Application in your Duo Tenant and then entering that Application's Details in your 12Port Tenant.

To begin, let's create a new Application in your Duo Tenant.

Note

Duo Users must be able to authenticate to 12Port first, before they receive their MFA challenge. The user account may be an AD account that is synced to Duo and also integrated with 12Port, or it may be a 12Port Local User with an identical login name.

  1. Log in to your Duo tenant with an account that can create Applications.
  2. Navigate to Applications > Protect an Application and locate the Application named Web SDK.
  3. For this Web SDK Application, click its Protect button.

    Duo Web SDK Application Protect

  4. Configure this new Application as required in your organization, which may include updating its Name, Policy and Settings. 12Port requires the use of the Universal Prompt. Additional information about configuring the Web SDK application can be found in the external Duo documentation here: https://duo.com/docs/duoweb
  5. In the Details section of this new Web SDK Application, copy the values from each of the parameters Client ID, Client secret and API hostname. These will be used later in the 12Port integration.

Duo Application Details

Next, we will perform the required integration in the 12Port application.

  1. Log in to your 12Port tenant, where this Duo integration is required, with either an Administrator or Configuration Manager account.
  2. Navigate to Configuration > Duo Security and click the Add button.
  3. Click on the parameter name for details about each or follow the guidance provided here:
    • Name: Enter a unique and recognizable name for this integration. This name will be selected when applying MFA Rules to users or groups.
    • API Host: Enter the API hostname value from the Duo Application created in the previous steps.
    • Client ID: Enter the Client ID value from the Duo Application created in the previous steps.
    • Client Secret: Enter the Client secret value from the Duo Application created in the previous steps.
    • Enabled: Click this switch to enable this integration within the tenant.
  4. When all values are populated, click the Test Connection button. If you receive any message other than Connection Successful, double check your configuration and values and try again.
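
A pre-flight check for the three values copied from Duo, useful when Test Connection returns anything other than Connection Successful. This is an added example, not 12Port or Duo code; the function name check_duo_values, the 20- and 40-character lengths and the hostname pattern are assumptions.

```python
import re

# Assumptions, not from the page: Duo's Web SDK clients expect a 20-character
# Client ID and a 40-character Client secret, and API hostnames usually look
# like api-XXXXXXXX.duosecurity.com.
CLIENT_ID_LEN = 20
CLIENT_SECRET_LEN = 40
API_HOST_RE = re.compile(r"^api-[0-9a-z]+\.duosecurity\.com$", re.IGNORECASE)


def check_duo_values(api_host, client_id, client_secret):
    """Return a list of problems; an empty list means the values look sane.

    Messages never contain the secret, so they are safe to paste in a ticket.
    """
    problems = []
    fields = {"API Host": api_host, "Client ID": client_id,
              "Client Secret": client_secret}
    for name, value in fields.items():
        if value != value.strip():
            problems.append(f"{name}: leading or trailing whitespace")
    host, cid, secret = (v.strip() for v in fields.values())

    if "://" in host or "/" in host:
        problems.append("API Host: enter the bare hostname, not a URL")
    elif not API_HOST_RE.match(host):
        problems.append("API Host: not of the form api-XXXXXXXX.duosecurity.com")
    if len(cid) != CLIENT_ID_LEN:
        problems.append(f"Client ID: expected {CLIENT_ID_LEN} characters, got {len(cid)}")
    if len(secret) != CLIENT_SECRET_LEN:
        problems.append(f"Client Secret: expected {CLIENT_SECRET_LEN} characters")
    if len(cid) == CLIENT_SECRET_LEN and len(secret) == CLIENT_ID_LEN:
        problems.append("Client ID and Client Secret appear to be swapped")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for line in check_duo_values("https://api-0a1b2c3d.duosecurity.com/",
                                 "DI" + "X" * 18 + " ", "s" * 40):
        print(line)
```
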

To complete the integration, this new Duo integration must be assigned to user(s) or group(s) using specific MFA Rules. Please review the MFA Rules documentation for additional information.

How Duo Security Works

After this Duo Security configuration has been assigned to users or groups, or set as the default MFA provider, those users will need to use the Duo app on their registered mobile device as their second factor for authentication.

Here is how the login process occurs from the user's perspective:

  1. The user opens their browser to the tenant's login page, enters their credentials and clicks the Login button to advance.
  2. They are automatically directed to a Duo-generated second factor authentication page, where they follow the guidance to provide their second factor. This may include approving a Duo Push, entering a generated Verified Duo Push code, entering a token code received via SMS/text message or other available methods.

    Duo Security Second Factor Code Prompt

  3. Once the method of second factor authentication is validated by Duo Security, the user will be redirected into 12Port.

Note

If this is an unenrolled Duo user, they may be required to perform additional steps to complete their Duo enrollment on their mobile device prior to authentication. Follow all required steps from the Duo authentication prompt until they are authenticated into 12Port.

Duo Enrollment Prompt