Integration with Duo Security

If you are already a user of Duo Security Multi-factor or Two-factor authentication and would like to configure PAM to use Duo, then please perform the following steps.

Please note that you will need to be able to access and modify files on the PAM host computer. Contact your PAM System Administrator for assistance.

Pre-requisite: PAM must be deployed with and configured to use its Federated Sign-In component in order to integrate with multi-factor authentication providers.

As of March 30, 2024, Duo Security will no longer support the traditional Duo Prompt and will only support Universal Prompt. This will require updating the Federated Sign-In component with the following instruction to Migration to Federated Sign-in v6.5 .

The PAM integration with Duo does not use the native Duo user directory; Duo Directory Sync is required. User accounts are first authenticated against PAM (using AD or Local users) and then the second authentication is done solely through Duo.

  1. Log on to the PAM host computer.
  2. Open the file $PAM_HOME/web/conf/catalina.properties
  3. Uncomment the following line only when a single global MFA for the entire $PAM_HOME is desired:
  4. Copy
    #cas.authn.mfa.globalProviderId=mfa-duo

    If you wish to enable different MFA providers for individual users or group, please read Configuring Different MFA Providers for Users or Groups article for additional information.

  5. Edit the following lines by replacing the values after "=" with your specific Duo configuration parameters:

    To generate the required keys in Duo, please refer to this Duo guide which describes how to create the Web SDK application.

    Copy
    cas.authn.mfa.duo[0].duoSecretKey=duoSecretKey
    cas.authn.mfa.duo[0].duoApplicationKey=duoApplicationKey|duoSecretKey
    cas.authn.mfa.duo[0].duoIntegrationKey=duoIntegrationKey
    cas.authn.mfa.duo[0].duoApiHost=duoApiHost

    Use your same Duo Secret Key for both the cas.authn.mfa.duo[0].duoSecretKey= and cas.authn.mfa.duo[0].duoApplicationKey= parameters in the above configuration.

  6. When complete, save and close this file.

  7. Restart the service PamManagement.

Adding Additional Duo Integrations

In the case where more than one Duo instance is to be used for MFA services, you may configure two or more unique Duo instances for your PAM deployment.

To add additional Duo instances:

  1. Log on to PAM host computer.
  2. Open the file $PAM_HOME/web/conf/catalina.properties in a text editor.
  3. Locate the section where you defined your first Duo integration and add this new section below it. Change the values shown in red to those specific to your second Duo instance:
  4.  

    # Duo Authenticator (Second instance config)

    #cas.authn.mfa.globalProviderId=mfa-duo

    cas.authn.mfa.duo[1].duoSecretKey=duoSecretKey

    cas.authn.mfa.duo[1].rank=0

    cas.authn.mfa.duo[1].duoApplicationKey=duoApplicationKey|duoSecretKey

    cas.authn.mfa.duo[1].duoIntegrationKey=duoIntegrationKey

    cas.authn.mfa.duo[1].duoApiHost=duoApiHost

    cas.authn.mfa.duo[1].trustedDeviceEnabled=false

    cas.authn.mfa.duo[1].id=mfa-duo-UniqueName

    cas.authn.mfa.duo[1].name=PAMDuo

    Please note that the index for your second configuration is [1] vs [0] for your first. If you have a third, the index for that would be [2], fourth would be [3], etc.

    You must identify each Duo configuration with a unique ID defined by cas.authn.mfa.duo[n].id= and unique name cas.authn.mfa.duo[n].name= , as this is what will be displayed on the PAM’s MFA page as the Provider and what you will select to assign users or groups to their Duo instance. The user assignment is created using the ID value of your configuration, so if you change the ID later, you must manually reassign all users and groups from the original provider ID to the new provider ID. Starting on CAS v6.5 if customer has more than one instance of DUO this parameter should be unique.

  5. When complete, save and close this file.

  6. Restart the PamManagement/pammanager service.

  7. When the service comes back online, login to the System and navigate to Administration > MFA. In the Provider dropdown menu, you will now see your two Duo instances that you can use to assign your users and groups to their respective Duo instance.

To enable the Duo Universal Prompt:

  1. Log on to PAM host computer.
  2. Open the file $PAM_HOME/web/conf/catalina.properties in a text editor.
  3. Locate the section where you defined your first Duo integration and add this new section below it:
  4. Copy
    #Duo Universal Prompt
    cas.authn.mfa.duo[0].duoSecretKey=<Client secret>
    cas.authn.mfa.duo[0].duoApplicationKey=
    cas.authn.mfa.duo[0].duoIntegrationKey=<Client ID>
    cas.authn.mfa.duo[0].duoApiHost=<API Hostname>
  5. Locate these same named parameters from your original Duo integration section and comment out each of those 4 by placing a # before the start of each line. You will need to have these 4 new parameters enabled (not commented out) to support the Duo Universal Prompt.

Please note that the parameter cas.authn.mfa.duo[0].duoApplicationKey= is present and the value provided is blank. This is required to enable the Duo Universal Prompt.

Once configured, refer to the following article Duo Security MFA – How to Login to Privileged Access Management as a User for steps on how to use Duo MFA with PAM from an end user’s perspective.