Skip to main content

Enable Duo 2FA for SSO with On-Premise AD through Datawiza

About 7 min

Overview

This document provides step-by-step instructions on how to set up and configure Datawiza Cloud Management Console (DCMC) with Duo Multi-Factor Authentication (MFA) using an on-premise Active Directory (AD). The guide is divided into four sections:

  • Duo Configuration - This section outlines how to configure AD as the Authentication Source for Duo SSO and how to create and update a Generic OIDC Relying Party application in Duo.

  • DCMC Configuration - Here, we show you how to create an application on DCMC and generate a key pair (PROVISIONING_KEY and PROVISIONING_SECRET) used by the Datawiza Access Proxy (DAP).

  • Running DAP with a Header-Based Application - This part provides guidance on deploying Docker and DAP for your operating system, helping you to bring your DAP online.

  • Testing the Application - The final part provides a practical test to ensure that your integration is functioning correctly. Here you will login using your on-premise AD account credentials, undergo Duo two-factor authentication and access a header-based app.

By the end of this guide, you will be able to incorporate Datawiza's cloud-based access management into your organization's system, and leverage Duo MFA with an on-premise Active Directory for added security.

Prerequisite

Part I: Duo Configuration

Enable Duo Single Sign-On

  1. Log in to the Duo Admin Panelopen in new window and click Single Sign-On in the navigation bar on the left.

  2. Review the information on the "Single Sign-On" page. If you agree to the terms, check the box and then click Activate and Start Setup.

  3. On the Customize your SSO subdomain page you can specify a subdomain you'd like your users to see when they are logging in with Duo Single Sign-On. For testing purposes, just click Complete later to skip this step for now.

  4. On the Add Authentication Source page choose Active Directory as your authentication source. Click the button at the bottom of the option you'd like to use to add that source type, and follow the instructions in the next section. Duo MFA AD SSO | Add Authentication Source

Configure Your Authentication Source

Follow the steps below to first configure an on-premises Authentication Proxy to connect to Duo Single Sign-On. You'll then configure Duo Single Sign-On to talk to your Active Directory domain controllers through the Authentication Proxy.

Install Duo Authentication Proxy

Duo Single Sign-On communicates with your Active Directory by having an Authentication Proxy installed and configured on-premises to connect Duo Single Sign-On and Active Directory together.

  1. Install Duo Authentication Proxy 5.5.1 or higher on a Windows or Linux server following the installation instructionsopen in new window. If you already have a Duo Authentication Proxy that you'd like to use, you can upgrade the proxyopen in new window to a supported version.

  2. Confirm that your Authentication Proxy can communicate with your Active Directory domain controllers over LDAP/LDAPS (commonly ports 389/636).

  3. Confirm that your Authentication Proxy has outbound internet access over port 443.

Connect Authentication Proxy to Duo Single Sign-On

  1. On the "Active Directory Configuration" under "1. Install the Authentication Proxy" click Add Authentication Proxy. This redirects you to a new page.

  2. You can rename your Authentication Proxy by editing the Name field to give it an easily identifiable name. You can add a description of the proxy in the Description field.

  3. Select the "Windows" or "Linux" tab based on your Authentication Proxy install to view platform-specific instructions.

  4. On your Authentication Proxy server locate and open the authproxy.cfg file in a text editor or the Proxy Manager application (available for Windows servers starting with Authentication Proxy version 5.6.0) with elevated permissions.

    OSPath
    WindowsC:\Program Files\Duo Security Authentication Proxy\conf
    Linux/opt/duoauthproxy/conf

  5. Click Copy under "Add service account credentials to authproxy.cfg" and append this to your authproxy.cfg file. A first time Authentication Proxy install may include an existing authproxy.cfg with some example content. For the purposes of these instructions, however, you should overwrite the existing sample content and paste in the copied data.

  6. If you plan to use NTLMv2 or Plain authentication then uncomment and populate the service_account_username and service_account_password lines with the credentials for a service account in your Active Directory. You do not need these lines in your authproxy.cfg if you plan to use Integrated authentication. Duo MFA AD SSO | Configure Authentication Proxy for Active Directory Any service account credentials specified in the config will be ignored during user authentication if you select Integrated authentication when completing Active Directory configuration.

  7. Save and close the authproxy.cfg file. If using the Proxy Manager for Windows, click Validate to check your configuration, and then click Save before closing the application.

  8. Follow the "2. Connect the Authentication Proxy to Duo" instructions shown in the Admin Panel to generate and then copy the command to run on your proxy server to connect your Authentication Proxy to Duo Single Sign-On. Note that the specific command syntax differs depending on whether you installed the Duo Authentication Proxy on a Windows or Linux server. Duo MFA AD SSO | Authentication Proxy Enrollment Code

  9. Click Run test under "3. Verify the proxy is connected" to confirm your Authentication Proxy is connected to Duo. If you encounter any issues check the logs on the Authentication Proxy.

  10. Once the Authentication Proxy is connected to Duo click Return to Configuration to return to the "Active Directory Configuration" page.

  11. You can add additional Authentication Proxy servers by repeating steps 1 through 9.

  12. The code below shows a demo Authentication Proxy configuration:

[ad_client]
host=127.0.0.1
service_account_username=datawiza_admin
service_account_password=************
search_dn=cn=Users,dc=datawiza,dc=com

[sso]
; Remote Identity Key, unique to this authentication source
rikey===************
service_account_username=cn=datawiza_admin,cn=Users,dc=datawiza,dc=com
service_account_password=************

Configure Active Directory

  1. On the "Active Directory Configuration" page scroll down to "2. Configure Active Directory" and fill out the form. And the image below shows a demo Active Directory Configuration corresponding to the demo config of Authentication Proxy above: Duo MFA AD SSO | Configure Active Directory The value of Email attributes is determined by the specific attribute from the AD you intend to use for login. Duo MFA AD SSO | Configure Active Directory For instance, if you wish to use the E-mail attribute of AD for login, you must enter mail. Duo MFA AD SSO | Configure Active Directory Conversely, if your preferred login attribute is the User logon name from AD, you should input userprincipalname. Duo MFA AD SSO | Configure Active Directory Keep everything else as the default.

Configure Permitted Email Domains

Duo Single Sign-On requires that you verify control of the email domains users will be logging in with by adding a DNS TXT record to the email domain's public (external) DNS.

When a user attempts to log in with an email address that has not been verified by their organization, the authentication will be rejected and the user's credentials will not be sent to the Authentication Proxy for verification. This prevents your users from accidentally exposing their credentials to a Duo Single Sign-On not owned by your organization.

  1. Type in the domain name of an email address that users from your organization will use to log in. Example: If your email address is username@datawiza.net type datawiza.net under step 1 and click Add. Duo MFA AD SSO | Configure Permitted Email Domains

  2. A table appears showing the domain name you just added, along with additional information about the DNS TXT record that needs to be created. Duo MFA AD SSO | Configure Permitted Email Domains

  3. Log into your DNS provider and create a DNS TXT record for the domain you just added in Record Name (eg. datawiza.net) with the value in the corresponding DNS Text Record Value column. We use AWS Route 53 here as the example: Duo MFA AD SSO | Configure Permitted Email Domains

  4. Once your DNS record has been created, return to the Duo Admin Panel and click the Verify button under the Status column. Duo's service queries your public DNS for the expected new TXT record.

  5. Once the record has been verified the Status column will change to Verified. Users using the verified domain will now be able to log into Duo Single Sign-On. Duo MFA AD SSO | Configure Permitted Email Domains

Test Your Setup

  1. Under "Test Active Directory Configuration" click Run tests. This will test connections between Duo Single Sign-On, your Authentication Proxy server(s), and your Active Directory. It will only report the status of an individual connection if there is an error. If you encounter an error, make the appropriate changes and click Run tests again.

  2. Click Save.

Create Your Cloud Application in Duo

  1. Navigate to Applications.

  2. Click Protect an Application and locate the entry for Generic OIDC Relying Party with a protection type of "2FA with SSO hosted by Duo (Single Sign-On)" in the applications list. Click Protect to the far-right to start configuring Generic OIDC Relying Party.

Update Your Cloud Application in Duo

After creating the application, make sure to write down the Client ID, Client Secret, and Issuer. You will need this information to configure in DCMC. Duo MFA AD SSO | OIDC Application Config As DAP will function on localhost:9772, so we need to add http://localhost:9772/datawiza/authorization-code/callback as the Sign-In Redirect URLs: Duo MFA AD SSO | OIDC Application Config Add needed scopes: Duo MFA AD SSO | OIDC Application Config Scroll down to the bottom of the page and click Save.

Part II: Datawiza Cloud Management Console (DCMC) Configuration

In this section, we will show you how to create an application on the Datawiza Cloud Management Console (DCMC) and generate a pair of PROVISIONING_KEY and PROVISIONING_SECRET for this app. This key pair is used by the DAP to get the latest configurations and policies from the DCMC.

Sign Into DCMC

  1. Log into the DCMCopen in new window.

Duo MFA AD SSO | Log Into DCMC

Create New Deployment In DCMC

Welcome to the DCMC homepage! Let's get started:

  1. Click the orange button Getting started. Specify a Name and a Description, and click Next.

Duo MFA AD SSO | Getting StartedDuo MFA AD SSO | Create a New Deployment

Add Application

Configure your application with the following values:

  • App Type: WEB
  • Name: Demo App
  • Application URL: http://localhost:9772
  • Listen Port: 9772
  • Upstream Servers: http://localhost:9902Duo MFA AS SSO | Create an New Application Select Next.

IdP Configuration

  1. Select OIDC as the Protocol and Generic as the Identity Provider from the drop-down menu. Input the Client ID, Client Secret, and Issuer gotten from the Duo Cloud Application above. Use http://localhost:9772 as the OIDC Logout URL. Duo MFA AD SSO | Create a Generic OIDC IdP Click Create.

Part III: Run DAP With a Header-Based Application

To launch DAP, you will need to have Docker installed. Please refer to our Quick Start guide for instructions on how to install Docker and deploy DAP on your operating system. Duo MFA AD SSO | Deploy DAP After executing the needed steps, the DAP should be up and running.

Part IV: Test the Application

Open a browser and type in http://localhost:9772/. The login page of the Duo should be shown: Duo MFA AD SSO | Duo Login Page Input the credential of your on-premise AD account. After logging in successfully, you will be redirected to Duo two-factor authentication. Complete Duo two-factor authentication when prompted and then get redirected back to the header-based app. Duo MFA AD SSO | Duo Login Page

Copyright © 2024 Datawiza Technologies Inc