Add Duo for MFA

Integrating Duo with Keeper Connection Manager for 2FA/MFA
Keeper Connection Manager provides support for Duo as a second authentication factor, automatically verifying user identity with Duo after the user is initially authenticated. To make use of Duo support, some other authentication mechanism will need be configured, as well, such as MySQL, PostgreSQL, or LDAP. Only once authentication has succeeded through another installed method will Duo be used to verify the identity of the user.

Installing Duo support for Guacamole

Keeper Connection Manager packages Guacamole’s Duo support within the kcm-guacamole-auth-duo package:
$ sudo yum install kcm-guacamole-auth-duo
The Guacamole-side installation of Duo support within Keeper Connection Manager consists solely of the kcm-guacamole-auth-duo package. Nothing else needs to be installed except for Guacamole itself and some other means of authentication. If Guacamole has not yet been installed and confirmed to work with some other authentication method, that should be done first before attempting to set up Duo.

Registering Guacamole with Duo

For Duo to be integrated with any application, that specific instance of the application must first be registered with the Duo service. Duo does not provide a specific integration option for Guacamole, but Guacamole’s Duo support uses Duo’s generic authentication API which they refer to as the “Web SDK”. To use your Guacamole deployment with Duo, you will need to add it to your Duo account as a new “Web SDK” application from within the “Applications” tab of the admin panel.
Once this has been done, Duo will expose several properties specific to your Guacamole deployment: the integration key, secret key, and API hostname. These values can be found within the application’s “Details” section in your Duo account, and will need to be copied into /etc/guacamole/
$ sudo vi /etc/guacamole/
The relevant properties can be found in the “DUO-1” section:
## [DUO-1] Duo application integration details
## The API hostname, integration key, and secret key provided for you by Duo
## when you registered Guacamole in Duo's "Admin" panel. Each of these values
## is required and is generated by Duo.
#duo-integration-key: 0123456789ABCDEF0123
#duo-secret-key: 0123456789ABCDEF0123

Generating the application key

The Duo “Web SDK” requires that an arbitrary and random key be generated for each application. This key resides strictly on the side of the application, and is not registered with Duo.
Any random value containing at least 40 characters will suffice. To quickly grab 40 random characters from /dev/random:
$ tr -dc 'a-zA-Z0-9' < /dev/random | head -c40; echo
This value must then be copied within the duo-application-key property, which can be found in the "DUO-2" section of
## [DUO-2] Duo application key
## An arbitrary and random key to use when communicating with the Duo service.
## This key MUST be manually generated, and MUST BE AT LEAST 40 CHARACTERS.
#duo-application-key: abcdefghijklmnopqrstuvwxyz0123456789ABCD

Completing installation

Guacamole will generally only load new extensions and reread during the startup process. To apply the configuration changes, Guacamole must be restarted:
$ sudo systemctl restart guacamole
If you do not have a standalone "guacamole" service You will not have a standalone "guacamole" service if you have not deployed Guacamole automatically with the "kcm-guacamole-standalone" package. This will be the case if:
  • You have chosen to manually deploy Guacamole under your own install of Apache Tomcat or JBoss, rather than use the provided version of Tomcat.
  • You are maintaining a deployment of Glyptodon Enterprise that was originally installed before the 2.5 release (2021-09-16).
You will instead need to manually restart your install of Tomcat:
$ sudo systemctl restart tomcat