MFA for Application Developers and Administrators

Introduction

Multi-factor authentication (MFA) from Duo protects your privileged (or user) login accounts to devices and servers by using a second source of validation, like a smartphone or token, to verify user identity before granting access.

For Duo to work, your user names must match UCSBNetIDs as their primary Duo user account. There are four additional aliases in Duo that we recommend you use for privileged accounts. Alternatively, your application might be restructured to point to our campus identity. We are cognizant that matching your user names to UCSBNetIDs is a great endeavor; ETS is working through the renaming challenges, too. However, this consolidation provides additional future benefits for all of us at UCSB.

Note: When setting up your application or appliance, there might be a setting to “fail open” or “fail closed”; you get to decide which one to use. You should know that SSO is configured to “fail open.” If an application protected with Duo MFA is set to “fail open,” then whenever Duo cannot be reached the application is protected only by its original authentication credentials.

Onboarding an application

Where to start?

Our team can get you the ikey, skey, and API hostname, but it is up to you to set up your application. The best way to obtain help in setting up an application is to consult Duo’s documentation at duo.com/docs/. Please read the documentation for your application first and then “Request MFA Service Configuration” from the Information Technology Service portal.

Requesting Duo Keys 

Requesting MFA Duo for Applications or Appliances

Multi-factor authentication (MFA) from Duo protects your applications by using a second source of validation, like a phone or token, to verify user identity before granting access.

Administrators of applications adding multi-factor authentication using Duo at UCSB need an Integration key [ikey], Secret key [skey], and the API hostname. To obtain these three values the Administrator places a request at our Information Technology Service portal.

  1. Go to ithelp.ucsb.edu
  2. Type the acronym MFA in the search field.
  3. Wait a few seconds and you will see three options.
  4. Click on the “Request MFA Service Configuration” option.
  5. Enter the information in the required fields (denoted by asterisks).
  6. Make sure to enter the application or server you would like us to set up, adding as much detail as possible in the “Description” field.
  7. Our team will reply to the request including the appropriate information you need to set up Duo with your application or contact you for additional details.

Related Duo links

Samples

Microsoft RDP and Windows Logon

  1. Read the Duo documentation.
  2. Request the integration key (ikey), secret key (skey), and API hostname using the “Request MFA Service Configuration” option from the Information Technology Service portal (ithelp.ucsb.edu).
  3. Download the Duo Authentication for Windows Logon installer package.
  4. Run the installer.
  5. Use the API hostname, ikey, and skey.
  6. Select your integration options (FailOpen or FailClose).
  7. Test your setup.
     

Duo Unix - Two-Factor Authentication for SSH with PAM Support (pam_duo)

  1. Read the Duo documentation.
  2. Request the integration key (ikey), secret key (skey), and API hostname using the “Request MFA Service Configuration” option from the Information Technology Service portal (ithelp.ucsb.edu).
  3. Install pam_duo.
  4. Download and extract the latest version of duo_unix (checksum).
  5. Build and install duo_unix with PAM support (pam_duo):
     $ ./configure --with-pam --prefix=/usr && make && sudo make install
  6. Once duo_unix is installed, edit pam_duo.conf (in /etc/duo or /etc/security) to add the integration key, secret key, and API hostname from your Duo Unix application.
  7. Modify your system PAM configuration (see Linux systems PAM Examples).
  8. Test pam_duo.
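
As an added example (not part of the original page and not Duo's or UCSB's code), the script below checks a pam_duo.conf between steps 6 and 8: that ikey, skey and host are set, that the effective failmode matches the fail-open or fail-closed decision described in the introduction, and that the file is readable only by its owner. The function names and sample values are constructed; the option names and the default failmode of safe (fail open) are Duo Unix's.

```shell
#!/usr/bin/env bash
# Added example (not Duo's or UCSB's code): pre-flight check of pam_duo.conf.
# Option names ([duo], ikey, skey, host, failmode) are Duo Unix's own; the
# function names and the sample values below are constructed for illustration.

# Print the value of KEY from the [duo] section of FILE (empty if unset).
duo_conf_get() {   # usage: duo_conf_get FILE KEY
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }                                   # comment line
        /^[ \t]*\[/   { in_duo = ($0 ~ /^[ \t]*\[duo\]/); next } # section header
        in_duo && (eq = index($0, "=")) {
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# Print one finding per line; the return status is the number of findings.
# WANT is the failure mode you decided on: "safe" (fail open) or "secure".
audit_pam_duo_conf() {   # usage: audit_pam_duo_conf FILE WANT
    local file="$1" want="$2" n=0 key mode perms
    for key in ikey skey host; do
        [ -n "$(duo_conf_get "$file" "$key")" ] && continue
        echo "MISSING: $key is not set in [duo]"; n=$((n + 1))
    done
    # Duo Unix defaults to failmode=safe when the option is absent.
    mode=$(duo_conf_get "$file" failmode)
    if [ "${mode:-safe}" != "$want" ]; then
        echo "FAILMODE: effective '${mode:-safe}', expected '$want'"; n=$((n + 1))
    fi
    # The file holds the secret key: owner read/write only.
    perms=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    if [ "$perms" != "600" ]; then
        echo "PERMS: mode $perms, expected 600"; n=$((n + 1))
    fi
    return "$n"
}

# Constructed sample: placeholder keys, no failmode line, so the default applies.
sample=$(mktemp)
printf '%s\n' '[duo]' 'ikey = PLACEHOLDER_IKEY' 'skey = PLACEHOLDER_SKEY' \
    'host = api-PLACEHOLDER.example' > "$sample"
audit_pam_duo_conf "$sample" secure || echo "findings: $?"
rm -f "$sample"
```

Against the installed file, the call would be audit_pam_duo_conf /etc/duo/pam_duo.conf secure (or safe), run as root so the file can be read.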

Duo Authentication for MacOS

  1. Read the Duo documentation, paying particular attention to the “Important Notes” section.
  2. Request the integration key (ikey), secret key (skey), and API hostname using the “Request MFA Service Configuration” option from the Information Technology Service portal (ithelp.ucsb.edu).
  3. Download and uncompress the Duo macOS plugin installer package and scripts zip archive. This zip file contains the configuration script for the Duo installer package (configure_maclogon.sh) and the Duo plugin installer and uninstaller .pkg package files.
  4. Ensure your Mac system's time is correct. You can set your Mac to obtain the correct time automatically. Open "System Preferences" and then click "Date & Time". On the "Date & Time" tab, check the box next to "Set date and time automatically" and pick a time server for your region from the drop-down list.
  5. Click save when done.
  6. Enroll a user, run the installer package, verify Duo configuration, and test your setup.

 

Duo Unix - Two-Factor Authentication for SSH (login_duo)

Duo Web SDK