2FA with Duo

Integrating Duo with Keeper Connection Manager for MFA

Keeper Connection Manager provides support for Duo as a second authentication factor, automatically verifying user identity with Duo after the user is initially authenticated. This integration utilizes the Duo Web SDK V4.

Duo Setup

From the Duo Security Admin portal:

  • Select "Protect an Application"

  • Search for "Web SDK" (Do NOT select Keeper Security - this is for the Vault only)

  • Select Web SDK and click "Protect"

  • Capture the Client ID, Client Secret, and API Hostname

  • Provide these 3 configuration options as DUO_* environment variables in the keeper/guacamole Docker image.

Docker Environment Variables

The keeper/guacamole image section of the docker-compose.yaml file can be modified to support Duo using the following environment variables.

Environment Variable
Description

DUO_API_HOSTNAME

REQUIRED. The hostname of the Duo API endpoint that will be used to verify user identities, assigned by Duo when Guacamole was added as a "Web SDK" application. This value can be found within the application details in Duo's "Admin" panel.

DUO_AUTH_TIMEOUT

The timeout, in minutes, for in-progress Duo authentication attempts. Authentication attempts exceeding this duration will be invalidated. By default, Duo authentication attempts will time out after 5 minutes.

DUO_CLIENT_ID

REQUIRED. The client ID provided for you by Duo when KCM was added as a "Web SDK" application. This value can be found within the application details in Duo's "Admin" panel.

DUO_CLIENT_SECRET

REQUIRED. The client secret provided for you by Duo when KCM was added as a "Web SDK" application. This value can be found within the application details in Duo's "Admin" panel.

DUO_REDIRECT_URI

REQUIRED. The user-facing URI that the Duo service can use to redirect an authenticated user's browser back to KCM. This is the URI that you use for the KCM deployment, e.g. https://kcm.company.com
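A pre-flight check for the variables in the table above, to run before starting the container. This is an added example, not part of Keeper's documentation or tooling. The function name check_duo_env is hypothetical, and the https requirement and whole-number timeout rule are assumptions of this example.

```shell
# Added example: pre-flight check for the DUO_* variables from the table above.
# Reads them from the current shell environment, prints one line per problem
# to stderr (never the values themselves), and returns non-zero on any problem.
check_duo_env() {
    problems=0

    # The four variables the table marks REQUIRED.
    for name in DUO_API_HOSTNAME DUO_CLIENT_ID DUO_CLIENT_SECRET DUO_REDIRECT_URI; do
        eval "value=\${$name:-}"
        if [ -z "$value" ]; then
            echo "missing required variable: $name" >&2
            problems=$((problems + 1))
        fi
    done

    # DUO_API_HOSTNAME is a hostname, so a scheme or path is a mistake.
    case "${DUO_API_HOSTNAME:-}" in
        */*)
            echo "DUO_API_HOSTNAME must be a bare hostname, not a URL" >&2
            problems=$((problems + 1)) ;;
    esac

    # DUO_REDIRECT_URI is the user-facing KCM address. Requiring https is a
    # policy choice of this example (assumption), matching the page's sample.
    case "${DUO_REDIRECT_URI:-}" in
        ""|https://?*) ;;
        *)
            echo "DUO_REDIRECT_URI should be an https:// URI" >&2
            problems=$((problems + 1)) ;;
    esac

    # DUO_AUTH_TIMEOUT is optional and given in minutes; this example accepts
    # only a positive whole number (assumption).
    case "${DUO_AUTH_TIMEOUT:-}" in
        "") ;;
        *[!0-9]*|0)
            echo "DUO_AUTH_TIMEOUT must be a positive whole number of minutes" >&2
            problems=$((problems + 1)) ;;
    esac

    [ "$problems" -eq 0 ]
}
```

Load the same values that docker-compose.yaml will pass to the container into the shell, then call check_duo_env and start the stack only if it returns zero.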
