2FA with Duo
Integrating Duo with Keeper Connection Manager for MFA
Keeper Connection Manager provides support for Duo as a second authentication factor, automatically verifying user identity with Duo after the user is initially authenticated. This integration utilizes the Duo Web SDK V4.
Duo Setup
From the Duo Security Admin portal:
1. Select "Protect an Application"
2. Search for "Web SDK" (Do NOT select Keeper Security - this is for the Vault only)
3. Select Web SDK and click "Protect"
4. Capture the Client ID, Client Secret, and API Hostname
5. Provide these 3 configuration options as DUO_* environment variables in the keeper/guacamole Docker image.
Docker Environment Variables
The keeper/guacamole image section in the docker-compose.yaml file can be modified to support Duo using environment variables.
DUO_API_HOSTNAME
REQUIRED. The hostname of the Duo API endpoint that will be used to verify user identities, assigned by Duo when Guacamole was added as a "Web SDK" application. This value can be found within the application details in Duo's "Admin" panel.
DUO_AUTH_TIMEOUT
The timeout, in minutes, for in-progress Duo authentication attempts. Authentication attempts exceeding this duration will be invalidated. By default, Duo authentication attempts will time out after 5 minutes.
DUO_CLIENT_ID
REQUIRED. The client ID provided for you by Duo when KCM was added as a "Web SDK" application. This value can be found within the application details in Duo's "Admin" panel.
DUO_CLIENT_SECRET
REQUIRED. The client secret provided for you by Duo when KCM was added as a "Web SDK" application. This value can be found within the application details in Duo's "Admin" panel.
DUO_REDIRECT_URI
REQUIRED. The user-facing URI that the Duo service can use to redirect an authenticated user's browser back to KCM. This is the URI that you use for the KCM deployment, e.g. https://kcm.company.com
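The following pre-flight check for the variables listed above is an added example, not part of Keeper's documentation or code. The function name check_duo_env is hypothetical, and the https and whole-number checks are assumptions based on the page's example URI and the stated unit of minutes.

```shell
#!/bin/sh
# Added example (not Keeper's code): pre-flight check of the DUO_* variables
# documented above. Prints one line per problem to stderr and returns 1 if
# any problem was found, 0 otherwise.
check_duo_env() {
    rc=0

    # The four variables the page marks REQUIRED must be set and non-empty.
    for name in DUO_API_HOSTNAME DUO_CLIENT_ID DUO_CLIENT_SECRET DUO_REDIRECT_URI; do
        eval "value=\${$name:-}"
        if [ -z "$value" ]; then
            echo "missing required variable: $name" >&2
            rc=1
        fi
    done

    # DUO_API_HOSTNAME is a hostname, not a URL: reject a scheme, port or path.
    case "${DUO_API_HOSTNAME:-}" in
        *:*|*/*)
            echo "DUO_API_HOSTNAME must be a bare hostname, not a URL" >&2
            rc=1 ;;
    esac

    # Assumption: the redirect URI is served over TLS, as in the page's example
    # (https://kcm.company.com).
    case "${DUO_REDIRECT_URI:-}" in
        ""|https://?*) ;;
        *)
            echo "DUO_REDIRECT_URI should start with https://" >&2
            rc=1 ;;
    esac

    # DUO_AUTH_TIMEOUT is optional and given in minutes. Assumption: a plain
    # whole number is expected.
    case "${DUO_AUTH_TIMEOUT:-}" in
        *[!0-9]*)
            echo "DUO_AUTH_TIMEOUT must be a whole number of minutes" >&2
            rc=1 ;;
    esac

    return "$rc"
}
```

Export the values in the shell that launches the stack and run check_duo_env before starting the container, so that a missing or malformed value is caught before users reach the Duo prompt.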