Configuring DUO Security as an external MFA provider
Before you begin
- Have administrator access to the DUO tenant
- Have administrator access to the ISV tenant
- Users enrolled with DUO Mobile Authenticator
- IBM® Security Verify user account to Duo account mapping
Users who are challenged for MFA by using DUO factors must have a regular or federated account in ISV. The users can be federated accounts or regular Cloud Directory users. User accounts can be created and managed in ISV by using tools and features such as:
- ISV UI and API
- Just-in-time provisioning during federated SSO or OnPrem authentication bridge logins
- Directory synchronization
Whatever user management approach is used, it must address how one or more ISV user account attributes are mapped to a unique DUO username. The Directory Attributes features in ISV are supported by the DUO integration for this purpose. For example, one solution might be that the ISV user email directory attribute maps to a DUO username. If this solution is used, then every user account in ISV must have a value set for email when the account is created.
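A pre-flight check for the attribute mapping described above, as an added example that is not part of the IBM documentation: it audits a user export for accounts with no value in the mapped attribute and for values that would resolve to the same DUO username. The record layout, field names and sample users are constructed for illustration, and comparing usernames after trimming and lowercasing is an assumption about how they should be treated as equal.

```python
from collections import defaultdict

# Constructed sample export of ISV user records (hypothetical field names,
# not real accounts and not the ISV API schema).
SAMPLE_USERS = [
    {"id": "u1", "username": "alice", "email": "alice@example.com"},
    {"id": "u2", "username": "bob", "email": ""},
    {"id": "u3", "username": "carol", "email": "Shared@example.com"},
    {"id": "u4", "username": "dave", "email": "shared@example.com "},
    {"id": "u5", "username": "erin"},
]


def normalize(value):
    """Assumption: usernames are compared after trimming and lowercasing."""
    return value.strip().lower()


def audit_mapping(users, attribute="email"):
    """Check that `attribute` gives every user a unique DUO username.

    Returns (mapping, missing, collisions):
      mapping    - DUO username -> ISV user id, for usernames that are unique
      missing    - ISV user ids with no value for the attribute
      collisions - DUO username -> list of ISV user ids that share it
    """
    by_duo_name = defaultdict(list)
    missing = []
    for user in users:
        raw = user.get(attribute) or ""
        if not raw.strip():
            # An empty or absent value cannot be mapped to a DUO username.
            missing.append(user["id"])
            continue
        by_duo_name[normalize(raw)].append(user["id"])
    mapping = {n: ids[0] for n, ids in by_duo_name.items() if len(ids) == 1}
    collisions = {n: ids for n, ids in by_duo_name.items() if len(ids) > 1}
    return mapping, sorted(missing), collisions


if __name__ == "__main__":
    mapping, missing, collisions = audit_mapping(SAMPLE_USERS)
    print("mappable:", mapping)
    print("no value for attribute:", missing)
    print("shared DUO username:", collisions)
```

Accounts reported as missing or colliding need to be corrected in the directory before those users are challenged with DUO factors.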
About this task
IBM Security Verify supports DUO as an external MFA provider. You can use Verify for SSO and other features combined with DUO MFA without the need to drive your users through an ISV-specific MFA enrollment process. Users who are already using DUO Mobile Authenticator can continue to use it for MFA while performing application SSO through Verify.
The DUO MFA integration supports runtime MFA challenge and verification only. The integration does not support or facilitate enrollment of users with DUO MFA Authenticator. Users must enroll their DUO Authenticator by using the DUO supplied interfaces and interactions. The Verify integration with DUO references a user’s existing DUO enrollments for the purpose of providing runtime MFA challenge and verification.
- Duo Push
- Duo Mobile passcodes
- SMS passcodes
The integration is based on https://duo.com/docs/authapi.
Procedure
- Configure a Duo Security tenant. See Configuring a DUO tenant.
- Configure an IBM Security Verify tenant. See Configuring the IBM Security Verify tenant.