Duo Security

Duo Security is a cloud-hosted SAML Identity Provider (IdP) that adds two-factor authentication, complete with inline self-service enrollment and Duo Prompt, to popular cloud services like Salesforce and Amazon Web Services using SAML 2.0 federation.

The following sections explain prerequisites, resources, and instructions for integrating with SaaS Management.

•

Stored Duo Security Information

•

Required Minimum Permissions for Duo Security

•

Duo Security Authentication Method

•

Required Duo Security Credentials

•

Integrating Duo Security With SaaS Management

•

Duo Security API Endpoints

Stored Duo Security Information

The following table describes the available integration tasks and stored data within SaaS Management.

Available Integration Tasks	Information Stored
Application Roster	• User ID • Email • Real Name • Active Date
Application Access	• User ID • Last Login
Application Discovery	• SSO Application ID • SSO Name
SSO Application Roster	• User ID • Email • Real Name • Active Date • SSO Application ID • SSO Name
SSO Application Access	• User ID • Occurred • Event Type • SSO Application ID • SSO Name

Note:Consider the following:

•

The information stored is subject to change as enhancements are made to the SaaS application.

•

For Single Sign-On (SSO) information, the SSO Name is the name of the application managed by the SSO provider. The SSO Display Name is the display name of the application managed by the SSO provider. Depending on the application, these two names may appear the same or different. Therefore, both SSO Name and SSO Display Name are stored in SaaS Management.

Required Minimum Permissions for Duo Security

The required minimum permissions are Administrator with the Owner role. For more information, see the Duo Admin API documentation topic, First Steps.

Duo Security Authentication Method

The Basic authentication method is required.

Required Duo Security Credentials

The following credentials are required:

•

Integration Key

•

Secret Key

•

API Hostname.

Integrating Duo Security With SaaS Management

To integrate Duo Security with SaaS Management, perform the following tasks.

•

Adding the Admin API Application in the Duo Admin Panel

•

Integrating Duo Security With SaaS Management

Adding the Admin API Application in the Duo Admin Panel

Administrators with the Owner role perform the following steps to add the Admin API application in the Duo Admin Panel. You need to obtain the Integration Key, Secret Key, and API Hostname values from the Duo Admin Panel before Integrating Duo Security With SaaS Management.

Note: This API is automatically available to paying Duo Beyond, Duo Access, and Duo MFA plan customers. New customers with an Access or Beyond trial account may contact Duo Support to request Admin API access.

To add the Admin API application in the Duo Admin panel:

1.

Sign in to the Duo Admin Panel and go to Applications.

2.

On the Applications page, click Protect an Application and locate the entry for Admin API in the applications list.

3.

On the far-right of the Applications page, click Protect to configure the application. The Admin API page opens.

4.

On the Admin API page:

a.

In the Details section, copy and paste your Integration Key, Secret Key, and API Hostname values into a file. You will need this information to complete the integration with SaaS Management.

b.

Enable the following Admin API permissions:

•

Grant applications: permit this Admin API application to add, modify, and delete applications.

•

Grant read log: permit this Admin API application to read logs.

•

Grant read resource: permit this Admin API application to read resources such as users, phones, and hardware tokens.

5.

Proceed to Integrating Duo Security With SaaS Management.

Integrating Duo Security With SaaS Management

Complete the following steps to integrate Duo Security with SaaS Management.

To integrate Duo Security with SaaS Management:

1.

Complete the prerequisite steps in Adding the Admin API Application in the Duo Admin Panel.

2.

Add the Duo Security application in SaaS Management. For more information, see Adding an Application.

3.

Copy and paste the following Duo Security information into SaaS Management:

•

Integration Key

•

Secret Key

•

API Hostname of the Admin APIs’ API endpoints.

4.

Click Authorize.

Tip:After the Application Discovery integration task has been enabled after 24 hours, you can add the discovered SSO enabled applications to your list of Managed SaaS Applications. For more information, see Adding Discovered SSO Enabled Applications to Your List of Managed SaaS Applications.

Duo Security API Endpoints

Application Roster and Application Access

https://api-XXXXXXXX.duosecurity.com/admin/v1/users

Application Discovery

https://api-XXXXXXXX.duosecurity.com/admin/v1/integrations

SSO Application Roster

•

https://api-XXXXXXXX.duosecurity.com/admin/v1/users

•

https://api-XXXXXXXX.duosecurity.com/admin/v2/logs/authentication

SSO Application Access

https://api-XXXXXXXX.duosecurity.com/admin/v2/logs/authentication