# 2FA with Duo

Keeper Connection Manager provides support for Duo as a second authentication factor, automatically verifying user identity with Duo after the user is initially authenticated. This integration utilizes the [Duo Web SDK](https://duo.com/docs/duoweb) V4.

### Duo Setup

From the Duo Security Admin portal:

* Select "Protect an Application"
* Search for "Web SDK" (Do NOT select Keeper Security; that application is for the Vault only)
* Select Web SDK and click "Protect"
* Capture the Client ID, Client Secret, and API Hostname
* Provide these 3 values as `DUO_*` environment variables to the `keeper/guacamole` Docker image.

### Docker Environment Variables

The section of the docker-compose.yaml file for the `keeper/guacamole` image can be modified to support Duo using the following environment variables.

| Environment Variable | Description                                                                                                                                                                                                                                         |
| -------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `DUO_API_HOSTNAME`   | **REQUIRED.** The hostname of the Duo API endpoint that will be used to verify user identities, assigned by Duo when Guacamole was added as a "Web SDK" application. This value can be found within the application details in Duo's "Admin" panel. |
| `DUO_AUTH_TIMEOUT`   | The timeout, in minutes, for in-progress Duo authentication attempts. Authentication attempts exceeding this duration will be invalidated. By default, Duo authentication attempts will time out after 5 minutes.                                   |
| `DUO_CLIENT_ID`      | **REQUIRED.** The client ID provided for you by Duo when KCM was added as a "Web SDK" application. This value can be found within the application details in Duo's "Admin" panel.                                                                   |
| `DUO_CLIENT_SECRET`  | **REQUIRED.** The client secret provided for you by Duo when KCM was added as a "Web SDK" application. This value can be found within the application details in Duo's "Admin" panel.                                                               |
| `DUO_REDIRECT_URI`   | **REQUIRED.** The user-facing URI that the Duo service can use to redirect an authenticated user's browser back to KCM. This is the URI that you use for the KCM deployment, e.g. `https://kcm.company.com`                                         |
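
A pre-flight check for the variables in the table above, meant to be run in the shell that launches the container; it is an added example, not part of Keeper's documentation or tooling. The function name `check_duo_env`, the rule that the redirect URI uses `https://`, and the rule that the hostname is given without a scheme, port or path are assumptions made for this example.

```shell
#!/bin/sh
# Added example: validate the DUO_* variables before starting keeper/guacamole.
# Prints one line per problem to stderr; returns non-zero if any were found.
check_duo_env() {
    problems=0
    fail() { echo "duo-config: $1" >&2; problems=$((problems + 1)); }

    # The four variables the table marks REQUIRED must be non-empty.
    for name in DUO_API_HOSTNAME DUO_CLIENT_ID DUO_CLIENT_SECRET DUO_REDIRECT_URI; do
        eval "value=\${$name:-}"
        [ -n "$value" ] || fail "$name is required but not set"
    done

    # Assumption: DUO_API_HOSTNAME is a bare hostname (no scheme, path, port, spaces).
    case "${DUO_API_HOSTNAME:-}" in
        '') ;;
        *://*|*/*|*:*|*" "*) fail "DUO_API_HOSTNAME must be a hostname, not a URL" ;;
    esac

    # Assumption: the user-facing KCM URI is served over TLS, as in the table's example.
    case "${DUO_REDIRECT_URI:-}" in
        ''|https://?*) ;;
        *) fail "DUO_REDIRECT_URI should start with https://" ;;
    esac

    # DUO_AUTH_TIMEOUT is optional; when set it must be a positive number of minutes.
    case "${DUO_AUTH_TIMEOUT:-}" in
        '') ;;
        *[!0-9]*|0*) fail "DUO_AUTH_TIMEOUT must be a positive integer (minutes)" ;;
    esac

    # Catch a client ID pasted into the secret field.
    if [ -n "${DUO_CLIENT_SECRET:-}" ] && [ "${DUO_CLIENT_SECRET:-}" = "${DUO_CLIENT_ID:-}" ]; then
        fail "DUO_CLIENT_SECRET is identical to DUO_CLIENT_ID"
    fi

    [ "$problems" -eq 0 ]
}
```

Source this file and call `check_duo_env` after loading the variables and before bringing the container up; the messages name each variable that needs attention without printing its value.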
