Duo Security

This topic describes how to configure the Duo Security administration panel to integrate with the Aisera Gen AI platform.

The screenshots from the Duo Admin Panel come from the official Duo Documentation page. Please refer to the Duo Documentation for the latest information.

Prerequisite

Create a Duo Account so that you have an email address with a corresponding password that allows you to access the Admin Panel via Admin Login - Duo. The account must be one of the following types : Duo Beyond, Duo Access, or Duo MFA plan. If this is the first time someone in your organization has set up an admin account, follow the instructions here : First-Time Administrator Account Setup.

Access the Duo Admin Panel

Login to Duo Admin panel via Admin Login - Duo using the administration account email address.

Depending on the configuration of the account it will require:

1. Password or

2. Single-sign on (SSO) or

3. One of the two options above

Use-cases

If you only need the Duo Security software for authentication, like sending and checking push notifications, you only need the Duo Auth API integration.

If you also need administrative actions, like enrolling new users and heir devices, integrate with Duo Admin API also.

Protect an Application

To protect the Duo Admin API and/or Duo Auth API:

1. Navigate to the Duo Admin Panel.

2. Click Applications in the left sidebar.

1. Click Protect an Application in the left sidebar or choose the Protect an Application button in the upper right corner of the page.

1. Search/select the Duo Auth API/Duo Admin API from the available applications and click the protect button. A new application is created with the name Duo Auth API/Duo Admin API.

1. After creating the Duo Auth API/Duo Admin API application, you are re-directed to the application’s Properties page. The integration details are in the Details section at the top of the page.

The Integration key, Secret key and API hostname information are needed to connect with Aisera side.

Policies

It is needed to enable the New User Policy in order to enroll new users properly for Duo Admin API. To do so :

1. Navigate to Duo Admin Panel

2. Click Policies in the left sidebar:

1. Scroll down to Global Policy and click the Edit Global Policy button.

1. Enable the New User Policy. We need this to enroll the new users using the Admin API remotely.

Connect with Aisera

To connect with the Aisera Gen AI platform, create a new integration with Duo:

1. Navigate to the Settings > Integrations window in the Aisera Admin UI.

1. Click the + New Integration button on the upper right corner.

1. Find Duo Security by searching for the word duo in the search bar.

2. Select the Duo Security icon and click Next (lower right corner).

1. Add a preferred name for the integration (such as, Duo Auth API/Duo Admin API) in the Name field and https://API hostname in the Endpoint field (such as, https://api-myhostname.duosecurity.com). The API hostname can be found in the Applications section of the Duo Admin Panel (see Protect an Application, above).

2. Click Next button.

1. As a final step, choose the Basic Auth Type and fill in the Integration key and the Secret key of the protected application from the Duo Admin Panel (see Protect an Application, above).

2. Click the OK button.

1. Create two different integrations if you're using both API’s, one for Auth and one for Admin.

Duo Flows - Description

Several Duo flows have been implemented for sending and checking the status of push notifications, and for administrative purposes.

Duo Flows - Push Notifications

For sending push notifications via Duo, you need two things:

1. Correct Duo Auth integration (described above).

2. Flows from the Flow Catalog.

3. There exist five distinct flows for Duo Admin purposes :

   • Subflow: Duo Admin Enroll User

   • Subflow: Duo Admin Associate Phone to a User

   • Subflow: Duo - Remove an existing device for a specific user

   • Subflow: Duo Admin Retrieve userId

   • Subflow : Duo Admin Dublicate Phone

   The first three flows are the ones that allow enrolling users/modifying devices, and the other two are subflows needed for the first three to be functional.

   The only configuration needed for these flows to be functional is the host, which is the endpoint mentioned at Duo Admin integration, and don’t forget to link every Execute Rest Call action node with the existing Duo Admin Integration:

Double click these variables and fill them with the information from the Duo Auth integration.

NOTE: The host is the Endpoint field from the Duo Auth Integration.

To send Duo Push notifications, the only thing you need is the Username of the user who will receive the push notification.

If this is not your use case (ex user needs to be identified with Email rather than Username), please refer to your Aisera team for more options.

Duo Flows - Enroll Users/Modify Devices

You need two things to use Duo’s administrative functionality :

1. Correct Duo Admin integration (described above).

2. Flows from Flow Catalog.

There are five distinct flows for Duo Admin purposes :

• Subflow: Duo Admin Enroll User

• Subflow: Duo Admin Associate Phone to a User

• Subflow: Duo - Remove an existing device for a specific user

• Subflow: Duo Admin Retrieve userId

• Subflow : Duo Admin Duplicate Phone

The first three flows allow enrolling users/modifying devices, and the other two are subflows needed for the first three to be functional.

The only configuration needed for these flows to be functional is the host, which is the endpoint mentioned at Duo Admin integration, and don’t forget to link every Execute Rest Call action node with the existing Duo Admin Integration:

You can implement more functions for Duo administration purposes, as long as they are available at Duo Admin API documentation (Duo Admin API).