In this article, we’re going to take a look at how to configure Duo hosted single sign-on (SSO) to enable two-factor (2FA) for cloud-based applications.
Now, the great thing about Duo is the documentation; it’s great! and so, if you’re looking for more generic documentation head over to the documentation here or use this article as supplementary content. With that said, I won’t reinvent the wheel and explain what Duo hosted SSO is and how it works, I’ll just focus on the configuration steps.
Before we get started there are a couple of pre-requisites that you need to be aware of. Click here to familiarise yourself with them.
Active Duo SSO
With access to the Duo Admin panel, log in using an admin (owner) account and navigate to Single Sign-On. Before continuing with the setup, if it is your first time using the Single Sign-On feature, you will be asked to accept that you have read Duo’s privacy statements before continuing. If you’re happy, accept and continue to the next step.
Create a SSO Sub-Domain
Create an SSO sub-domain that your users will be able to see when logging with SSO. Ensure that the name is something meaningful as this cannot be changed later.
Add Authentication Source
Once the SSO sub-domain has been configured, it’s time to select the authentication source that will be used to check users credentials against. Multiple authentication sources can be configured however, only one can be enabled at any one time.
In this demonstration, we will use an on-premise Active Directory (AD) server as our authentication source. As we have opted to use an on-premise server, we will also need to make use of an authentication proxy (a lightweight application installed on the server). Select ‘Add an Active Directory’ to proceed.
Add the Active Directory Configuration
We are now presented with four steps to configure Active Directory for Duo. The first step is to install the authentication proxy on your Active Directory server. In this demonstration we will use only one authentication proxy, however, when configuring for a production environment, Duo recommends that at least three authentication proxies are used to provide high availability.
- Click ‘Add Authentication Proxy’ where you will be taken to another screen where you will be able to download the latest authentication proxy.
- Install the authentication proxy on your active directory server and open the ‘authproxy.cfg’ file.
- In step 1.2, add the SSO section to the authproxy.cfg along with a service acocunt username and password. It is important to note that these credentials will never leave your network.
- Once the authentication proxy has been configured, connect the authentication proxy to Duo by entering the following command in step 2. with elevated priviledges on the Active Directory server. This will form a connection from the auth proxy to Duo cloud.
- In the last step, verify that the proxy is connected by clicking ‘Run Test’. If successful you will receive an output ‘Connected to Duo’.
Once successfully verified, click ‘Return to Configuration’ and proceed with step 2. Configure Active Directory.
Returning back to Step 2., we continue with the Active Directory configuration. Provide the following details applicable to your environment:
- Display Name
- Domain Controller IP Address/Hostname and port
- Base DN(s)
- Authentication Type
- Transport Type
- Email Attribute
- Optional – Duo Username Attribute
- Username Normalization
- Expired Password Reset
More information about each one of the aforementioned configurations is available in the Duo documentation and/or within the Duo Admin panel as Active Directory is being configured.
Once complete, proceed to step 3.
To ensure that your users are logging into the correct SSO account, we need to specify email domains that belong to your organisation. Specify your email domain/s and click ‘Add’. You will be presented with a unique DNS TXT record that will need to be added to your DNS provider. Once complete, verify the email domain/s TXT records have successfully been added; the status will change to ‘Verified’ with a green tick.
Once complete, the last step (4) is to run tests against the Active Directory configuration to ensure Duo SSO with AD is configured correctly. Click ‘Run tests’ to verify your AD configuration. If tests are successful a green tick should be returned with a status of ‘Active Directory correctly configured’.
If all tests have been completed successfully, click ‘Save’.
Now that the AD setup is complete and functioning with Duo, we’re now ready to protect a cloud-based application. In the next article demonstration here, we will protect the Cisco Meraki dashboard. Documentation for this can be found here.