Duo Security

Duo Security is a cloud-hosted SAML Identity Provider (IdP) that adds two-factor authentication, complete with inline self-service enrollment and Duo Prompt, to popular cloud services like Salesforce and Amazon Web Services using SAML 2.0 federation.

The following sections provide prerequisites, resources, and instructions for integrating with SaaS Management.

Stored Duo Security Information
Required Minimum Permissions for Duo Security
Duo Security Authentication Method
Required Duo Security Credentials
Integrating Duo Security With SaaS Management
Duo Security API Endpoints

Stored Duo Security Information

The following table describes the available integration tasks and stored data.

Available Integration Tasks | Information Stored
Application Roster | User ID, Email, Real Name, Active Date
Application Access | User ID, Last Login
Application Discovery | SSO Application ID, SSO Name
SSO Application Roster | User ID, Email, Real Name, Active Date, SSO Application ID, SSO Name
SSO Application Access | User ID, Occurred, Event Type, SSO Application ID, SSO Name

Note the following:

The information stored is subject to change as enhancements are made to the SaaS application.
For Single Sign-On (SSO) information, the SSO Name is the name of the application managed by the SSO provider. The SSO Display Name is the display name of the application managed by the SSO provider. Depending on the application, these two names may appear the same or different. Therefore, both SSO Name and SSO Display Name are stored in SaaS Management.

Required Minimum Permissions for Duo Security

Administrator with the Owner role. For more information, see the Duo Admin API documentation topic: First Steps.

Duo Security Authentication Method

Basic

Required Duo Security Credentials

Integration Key
Secret Key
API Hostname

Integrating Duo Security With SaaS Management

To integrate Duo Security with SaaS Management, perform the following tasks.

Adding the Admin API Application in the Duo Admin Panel
Integrating Duo Security With SaaS Management

Adding the Admin API Application in the Duo Admin Panel

Administrators with the Owner role perform the following steps to add the Admin API application in the Duo Admin Panel. You need to obtain the Integration Key, Secret Key, and API Hostname values from the Duo Admin Panel before Integrating Duo Security With SaaS Management.

Note: This API is automatically available to paying Duo Beyond, Duo Access, and Duo MFA plan customers. New customers with an Access or Beyond trial account may contact Duo Support to request Admin API access.

To add the Admin API application in the Duo Admin panel:

1. Sign in to the Duo Admin Panel and go to Applications.
2. On the Applications page, click Protect an Application and locate the entry for Admin API in the applications list.
3. On the far-right of the Applications page, click Protect to configure the application. The Admin API page opens.
4. On the Admin API page:
   a. In the Details section, copy and paste your Integration Key, Secret Key, and API Hostname values into a file. You will need this information to complete the integration with SaaS Management.
   b. Enable the following Admin API permissions:
      Grant applications: permit this Admin API application to add, modify, and delete applications.
      Grant read log: permit this Admin API application to read logs.
      Grant read resource: permit this Admin API application to read resources such as users, phones, and hardware tokens.
5. Proceed to Integrating Duo Security With SaaS Management.

Integrating Duo Security With SaaS Management

Complete the following steps to integrate Duo Security with SaaS Management.

To integrate Duo Security with SaaS Management:

1. Complete the prerequisite steps in Adding the Admin API Application in the Duo Admin Panel.
2. Add the Duo Security application in SaaS Management. For details, see Adding an Application.
3. Copy and paste the following Duo Security information into SaaS Management:
   Integration Key
   Secret Key
   API Hostname (the hostname of the Admin API endpoints)
4. Click Authorize.

Tip: 24 hours after the Application Discovery integration task has been enabled, you can add the discovered SSO enabled applications to your list of Managed SaaS Applications. For details, see Adding Discovered SSO Enabled Applications to Your List of Managed SaaS Applications.

Duo Security API Endpoints

Application Roster and Application Access

https://api-XXXXXXXX.duosecurity.com/admin/v1/users

Application Discovery

https://api-XXXXXXXX.duosecurity.com/admin/v1/integrations

SSO Application Roster

https://api-XXXXXXXX.duosecurity.com/admin/v1/users 
https://api-XXXXXXXX.duosecurity.com/admin/v2/logs/authentication 

SSO Application Access

https://api-XXXXXXXX.duosecurity.com/admin/v2/logs/authentication
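
The following Python sketch is an added example, not code from this documentation, from SaaS Management, or from Duo. It shows how the Integration Key, Secret Key, and API Hostname combine under the Basic authentication method to sign a read-only GET to the endpoints listed above, so the Secret Key itself is never sent. Assumptions: the signing scheme (a canonical string of date, method, host, path, and sorted parameters, with its HMAC-SHA1 hex digest as the Basic password) reflects Duo's Admin API request signing and should be checked against Duo's documentation; the hostname pattern is inferred from the api-XXXXXXXX placeholder; all function and constant names are hypothetical.

```python
import base64
import email.utils
import hashlib
import hmac
import re
import urllib.parse

# Assumed hostname shape, inferred from api-XXXXXXXX.duosecurity.com on this page.
HOST_RE = re.compile(r"^api-[0-9a-z]{8}\.duosecurity\.com$")
# Endpoints this integration reads, as listed on this page.
READ_PATHS = {"/admin/v1/users", "/admin/v1/integrations",
              "/admin/v2/logs/authentication"}


def canonical_request(date, method, host, path, params):
    """Build the newline-joined string that is signed (assumed Duo scheme)."""
    pairs = [
        f"{urllib.parse.quote(k, '~')}={urllib.parse.quote(str(v), '~')}"
        for k, v in sorted(params.items())
    ]
    return "\n".join([date, method.upper(), host.lower(), path, "&".join(pairs)])


def signed_headers(ikey, skey, host, path, params=None, date=None,
                   digest=hashlib.sha1):
    """Return Date and Authorization headers for a GET to a listed endpoint."""
    if not HOST_RE.match(host.lower()):
        raise ValueError("API Hostname is not of the form api-XXXXXXXX.duosecurity.com")
    if path not in READ_PATHS:
        raise ValueError("path is not one of the endpoints this integration reads")
    date = date or email.utils.formatdate()
    canon = canonical_request(date, "GET", host, path, params or {})
    # Only the keyed digest leaves the machine; the Secret Key stays local.
    sig = hmac.new(skey.encode(), canon.encode(), digest).hexdigest()
    token = base64.b64encode(f"{ikey}:{sig}".encode()).decode()
    return {"Date": date, "Authorization": f"Basic {token}"}


if __name__ == "__main__":
    # Constructed placeholder credentials, not real keys.
    headers = signed_headers("DIXXXXXXXXXXXXXXXXXX", "constructed-secret",
                             "api-0a1b2c3d.duosecurity.com", "/admin/v1/users",
                             {"limit": "1"})
    print(headers)
```

Because the hostname and path are checked before anything is signed, a mistyped API Hostname fails locally instead of sending a valid signature to the wrong server.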