Add Duo for MFA
Integrating Duo with Keeper Connection Manager for 2FA/MFA
Keeper Connection Manager provides support for Duo as a second authentication factor, automatically verifying user identity with Duo after the user is initially authenticated. To make use of Duo support, some other authentication mechanism will need be configured, as well, such as MySQL, PostgreSQL, or LDAP. Only once authentication has succeeded through another installed method will Duo be used to verify the identity of the user.
Keeper Connection Manager packages Guacamole’s Duo support within the kcm-guacamole-auth-duo package:
$ sudo yum install kcm-guacamole-auth-duo
The Guacamole-side installation of Duo support within Keeper Connection Manager consists solely of the kcm-guacamole-auth-duo package. Nothing else needs to be installed except for Guacamole itself and some other means of authentication. If Guacamole has not yet been installed and confirmed to work with some other authentication method, that should be done first before attempting to set up Duo.
For Duo to be integrated with any application, that specific instance of the application must first be registered with the Duo service. Duo does not provide a specific integration option for Guacamole, but Guacamole’s Duo support uses Duo’s generic authentication API which they refer to as the “Web SDK”. To use your Guacamole deployment with Duo, you will need to add it to your Duo account as a new “Web SDK” application from within the “Applications” tab of the admin panel.
Once this has been done, Duo will expose several properties specific to your Guacamole deployment: the integration key, secret key, and API hostname. These values can be found within the application’s “Details” section in your Duo account, and will need to be copied into
$ sudo vi /etc/guacamole/guacamole.properties
The relevant properties can be found in the “DUO-1” section:
## [DUO-1] Duo application integration details
## The API hostname, integration key, and secret key provided for you by Duo
## when you registered Guacamole in Duo's "Admin" panel. Each of these values
## is required and is generated by Duo.
The Duo “Web SDK” requires that an arbitrary and random key be generated for each application. This key resides strictly on the side of the application, and is not registered with Duo.
Any random value containing at least 40 characters will suffice. To quickly grab 40 random characters from
$ tr -dc 'a-zA-Z0-9' < /dev/random | head -c40; echo
This value must then be copied within the duo-application-key property, which can be found in the "DUO-2" section of
## [DUO-2] Duo application key
## An arbitrary and random key to use when communicating with the Duo service.
## This key MUST be manually generated, and MUST BE AT LEAST 40 CHARACTERS.
Guacamole will generally only load new extensions and reread
guacamole.propertiesduring the startup process. To apply the configuration changes, Guacamole must be restarted:
$ sudo systemctl restart guacamole