Configure your Duo account for SPS
Configure SPS to use Duo multi-factor authentication
To configure SPS to use Duo multi-factor authentication

1. Download the SPS Duo plugin
   SPS customers can download the official plugin from GitHub.

2. Upload the plugin to SPS
   Upload the plugin to SPS. For details, see "Using a custom Authentication and Authorization plugin to authenticate on the target hosts" in the Administration Guide.

3. Configure the plugin on SPS
   The plugin includes a default configuration file, which is an ini-style configuration file with sections and name=value pairs. You can edit it on the Policies > AA Plugin Configurations page of the SPS web interface.
   - Configure the usermapping settings if needed. SPS must find out which Duo user belongs to the username of the authenticated connection. For that, it can query your LDAP/Microsoft Active Directory server. For details, see Mapping SPS usernames to Duo identities.
   - Configure other parameters of your plugin as needed for your environment. For details, see SPS Duo plugin parameter reference.

4. Configure a Connection policy and test it
   Configure a Connection policy on SPS. In the AA plugin field of the Connection policy, select the SPS Duo plugin you configured in the previous step, then start a session to test it. For details on how a user can perform multi-factor authentication, see Perform multi-factor authentication with the SPS Duo plugin in terminal connections and Perform multi-factor authentication with the SPS Duo plugin in Remote Desktop connections.
Caution: According to the current Duo policies, your API token expires if it is not used for 30 days. Make sure that you use it regularly, because SPS will reject your sessions if the API token is expired.
SPS Duo plugin parameter reference
This section describes the available options of the SPS Duo plugin.
The plugin uses an ini-style configuration file with sections and name=value pairs. This format consists of sections, led by a [section] header and followed by name=value entries. Note that the leading whitespace is removed from values. The values can contain format strings, which refer to other values in the same section. For example, the following section would resolve the %(dir)s value to the value of the dir entry (/var in this case).
[section name]
dirname=%(dir)s/mydirectory
dir=/var
All reference expansions are done on demand. Lines beginning with # or ; are ignored and may be used to provide comments.
You can edit the configuration file from the SPS web interface. The following code snippet is a sample configuration file.
[duo]
ikey=$
skey=$
host=<API-hostname>
timeout=60
ignore_conn_err=no
[auth]
prompt=Press Enter for push notification or type one-time password:
disable_echo=yes
[connection_limit by=client_ip_gateway_user]
limit=0
[authentication_cache]
soft_timeout=15
hard_timeout=90
conn_limit=5
######[WHITELIST]######
[whitelist source=user_list]
name=<name-of-user-list-policy>
[whitelist source=ldap_server_group]
allow=no_user
except=<group-1>,<group-2>
######[USERMAPPING]######
[usermapping source=explicit]
<user-name-1>=<id-1>
<user-name-2>=<id-2>
[usermapping source=ldap_server]
user_attribute=description
[username_transform]
append_domain=<domain-without-@-character>
[ldap_server]
name=<name-of-LDAP-server-policy>
[credential_store]
name=<name-of-credential-store-policy-that-hosts-sensitive-data>
[logging]
log_level=info
[https_proxy]
server=<proxy-server-name-or-ip>
port=3128
[question_1]
key=<name-of-name-value-pair>
prompt=<the-question-itself-in-text>
disable_echo=no
[question_2]...
This section contains the options related to your Duo account.
[duo]
# Do NOT use ikey and skey in production
; ikey=<API-integration-key>
; skey=<API-security-key>
host=<API-hostname>
timeout=60
ignore_conn_err=no
ikey
Type: string
Required: yes
Default: N/A
Caution: This parameter contains sensitive data. Make sure to store this data in your local Credential Store. Type the $ value for this parameter in production. For details, see "Store sensitive plugin data securely". Only enter a value different than $ for this parameter in the configuration for testing purposes in a secure, non-production environment.
Description: The API integration key.
skey
Type: string
Required: yes
Default: N/A
Caution: This parameter contains sensitive data. Make sure to store this data in your local Credential Store. Type the $ value for this parameter in production. For details, see "Store sensitive plugin data securely". Only enter a value different than $ for this parameter in the configuration for testing purposes in a secure, non-production environment.
Description: The API security key.
host
Type: string
Required: yes
Default: N/A
Description: The API host name.
timeout
Type: integer [seconds]
Required: no
Default: 60
Description: How long an HTTP request can take during the communication with the Duo server.
ignore_conn_err
Type: yes | no
Required: no
Default: no
Description: Determines how to handle the sessions if the Duo service is not available. If set to yes, the plugin assumes that the user successfully authenticated even if the plugin cannot access Duo to verify this.
Caution: Enabling this option allows the users to bypass multi-factor authentication if SPS cannot access the Duo service for any reason, for example, a network configuration error in your environment.
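The ini format described in the parameter reference and the cautions on ikey, skey and ignore_conn_err, worked through in Python as an added example (this is not the plugin's own code, which the page does not show): it parses a constructed sample with the standard-library configparser, resolves the %(dir)s reference from the page, and reports the settings the cautions warn about. The function names and finding messages are my own.

```python
import configparser

# Constructed sample in the SPS Duo plugin's ini format (not the page's full
# file); the [section name] block is the %(dir)s interpolation example.
SAMPLE_CONFIG = """\
[section name]
dirname=%(dir)s/mydirectory
dir=/var

[duo]
ikey=$
skey=$
host=<API-hostname>
timeout=60
ignore_conn_err=no

; lines starting with ; or # are ignored
######[WHITELIST]######
[whitelist source=ldap_server_group]
allow=no_user
except=<group-1>,<group-2>
"""

SECRET_KEYS = ("ikey", "skey")  # must read "$" so the Credential Store supplies them

def load_config(text):
    """Parse ini text as the page describes: [section] headers, name=value
    pairs, leading whitespace stripped, %(name)s references resolved on demand."""
    cp = configparser.ConfigParser(interpolation=configparser.BasicInterpolation())
    cp.read_string(text)
    return cp

def check_duo_section(cp):
    """Return findings for [duo] based on the parameter reference's cautions:
    secrets belong in the Credential Store ("$"), and ignore_conn_err=yes
    lets a session through without MFA whenever Duo is unreachable."""
    if not cp.has_section("duo"):
        return ["[duo] section missing"]
    duo = cp["duo"]
    findings = []
    for key in SECRET_KEYS:
        value = duo.get(key)
        if value is None:
            findings.append(f"{key}: required but not set")
        elif value != "$":
            findings.append(f"{key}: secret stored in the config instead of the Credential Store")
    if duo.getboolean("ignore_conn_err", fallback=False):
        findings.append("ignore_conn_err=yes: MFA bypassed when Duo is unreachable")
    return findings
```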