Duo Security
Duo Security is a cloud-hosted SAML Identity Provider (IdP) that adds two-factor authentication, complete with inline self-service enrollment and Duo Prompt, to popular cloud services like Salesforce and Amazon Web Services using SAML 2.0 federation.
The following sections explain prerequisites, resources, and instructions for integrating with SaaS Management.
Stored Duo Security Information
The following table describes the available integration tasks and stored data within [ProductName].
|
|
|
|
Application Roster
|
|
|
Application Access
|
|
|
Application Discovery
|
|
|
SSO Application Roster
|
|
|
SSO Application Access
|
|
Note:Consider the following:
|
•
|
The information stored is subject to change as enhancements are made to the SaaS application. |
|
•
|
For Single Sign-On (SSO) information, the SSO Name is the name of the application managed by the SSO provider. The SSO Display Name is the display name of the application managed by the SSO provider. Depending on the application, these two names may appear the same or different. Therefore, both SSO Name and SSO Display Name are stored in SaaS Management. |
Required Minimum Permissions for Duo Security
The required minimum permissions are Administrator with the Owner role. For more information, see the Duo Admin API documentation topic, First Steps.
Duo Security Authentication Method
The Basic authentication method is required.
Required Duo Security Credentials
The following credentials are required:
Integrating Duo Security With SaaS Management
To integrate Duo Security with SaaS Management, perform the following tasks.
Adding the Admin API Application in the Duo Admin Panel
Administrators with the Owner role perform the following steps to add the Admin API application in the Duo Admin Panel. You need to obtain the Integration Key, Secret Key, and API Hostname values from the Duo Admin Panel before Integrating Duo Security With SaaS Management.
Note: This API is automatically available to paying Duo Beyond, Duo Access, and Duo MFA plan customers. New customers with an Access or Beyond trial account may contact Duo Support to request Admin API access.
To add the Admin API application in the Duo Admin panel:
|
1.
|
Sign in to the Duo Admin Panel and go to Applications. |
|
2.
|
On the Applications page, click Protect an Application and locate the entry for Admin API in the applications list. |
|
3.
|
On the far-right of the Applications page, click Protect to configure the application. The Admin API page opens. |
|
4.
|
On the Admin API page: |
|
a.
|
In the Details section, copy and paste your Integration Key, Secret Key, and API Hostname values into a file. You will need this information to complete the integration with SaaS Management. |
|
b.
|
Enable the following Admin API permissions: |
|
•
|
Grant applications: permit this Admin API application to add, modify, and delete applications. |
|
•
|
Grant read log: permit this Admin API application to read logs. |
|
•
|
Grant read resource: permit this Admin API application to read resources such as users, phones, and hardware tokens. |
Integrating Duo Security With SaaS Management
Complete the following steps to integrate Duo Security with SaaS Management.
To integrate Duo Security with SaaS Management:
|
3.
|
Copy and paste the following Duo Security information into SaaS Management: |
|
•
|
API Hostname of the Admin APIs’ API endpoints. |
Tip:After the Application Discovery integration task has been enabled after 24 hours, you can add the discovered SSO enabled applications to your list of Managed SaaS Applications. For more information, see Adding Discovered SSO Enabled Applications to Your List of Managed SaaS Applications.
Duo Security API Endpoints
Application Roster and Application Access
https://api-XXXXXXXX.duosecurity.com/admin/v1/users
Application Discovery
https://api-XXXXXXXX.duosecurity.com/admin/v1/integrations
SSO Application Roster
|
•
|
https://api-XXXXXXXX.duosecurity.com/admin/v1/users |
|
•
|
https://api-XXXXXXXX.duosecurity.com/admin/v2/logs/authentication |
SSO Application Access
https://api-XXXXXXXX.duosecurity.com/admin/v2/logs/authentication