This connector only supports Provisioning.

The Duo Security connector enables the exporting and importing of user accounts on a Duo Security System.

Functionalities

The basic functionalities that can be done via this connector are listed below.

Provisioning Integration

Data Format	Export	Create	Modify	Delete	Trigger
User	Yes	Yes	Yes	Yes	No
Group	Yes	Yes	Yes	Yes	No
Administrator	Yes	Yes	Yes	Yes	No

Prerequisites

Ensure that these prerequisites are satisfied:

Create an Administrator account on the Duo Security system.
Create an Admin API integration in the Duo account that has an:
- Integration Key
- Secret key
- API Host Name
Note: Refer to the Auth API documentation for instructions on how to integrate Duo into your custom application.

Creating the Connected System in the Admin UI

The connected systems details page is shown below. Only configurations which are specific to Duo will be documented below.
For an overview of the configurations which are common to all connectors, please refer to our Connected System guide.

Connection Information
API Host Name	Duo Web SDK API hostname.
Admin API Integration key	The integration key assigned to the Duo Web SDK integration.
Admin API secret key	The secret key associated with the Duo Web SDK integration.

Creating the Connected System in the Studio

Log in to the Workflow and Connectivity Studio and click Connectivity ► Add Systems on the menu bar. The Add Connected Systems window displays.
Select the Duo Security connected system from the Type drop-down list. The default values display.

Enter the desired information. Only configurations which are specific to Duo will be documented below.
For an overview of the configurations which are common to all connectors, please refer to our Connected System guide.

Connection Information
API Host Name	Duo Web SDK API hostname.
Admin API integration key	The integration key assigned to the Duo Web SDK integration.
Admin API secret key	The secret key assigned to the Duo Web SDK integration.

Using the Connected System for Provisioning

Perform these procedures to configure the connector:

Configuring for Export
Configuring for Import
Connector Details for Provisioning
Lookup Data

Note: If the number of records to be processed exceeds one thousand, we recommend configuring the workflow to use bulk mode, which lowers the memory consumption of the system by streaming data to files. Because data is streamed for every task, performance of the workflow execution will be decreased due to increased read-write operations. See the Workflow and Connectivity Studio document for details on how to configure bulk mode.

Configuring for Export

Perform these procedures to configure the connector for data export:

"Configuring the Export Connector
"Configuring the Export Link"

From the Workflow and Connectivity Studio, select the Duo Security UserExport workflow listed under the projects folder.
If a workflow does not already exist, create an export workflow. See Workflow and Connectivity Studio for details on creating export workflows.

Configuring the Export Connector

In the Design pane, double-click the export object (the first workflow object after the Start object). The Configure Data Source window displays:

From the Configure Plug-in tab, set these properties as required:

Associated Connected System	Select the connected system from the list. The export operation will be done from this connected system.
Data Formats	Select the type of data format to use: User (default), Groups, Administrator.
DeltaExportMode	Select the type of attribute to export if a change takes place (this works in conjunction with ExportMode when DeltaExport is selected): OnlyChangedAttributes - Performs a partial export of only the changed attributes from the last time the query was run. ChangedAndMandatoryAttributes (default) - Performs a partial export of both changed and mandatory attributes from the last time the query was run. Mandatory attributes are exported whether they have been changed or not. AllAttributes - Performs a full export of all attributes that contain a value.
DynamicConnectedSystem	Select the global variable to use as the dynamic connected system name. This works in conjunction with DynamicConnectedSystemOption when GlobalVariable is selected.
DynamicConnectedSystemOption	Select how to control Dynamic System Support (DSS): None - There will not be any Dynamic System Support. Transaction-SystemName - The value of the Transaction-SystemName attribute in data will be used as the dynamic connected system. The connected system name must be passed as the value of the attribute Transaction-SystemName; if it is missing in data, the operation will fail. GlobalVariable - Select a global variable to use as the dynamic connected system name from the property DynamicConnectedSystem.
ExportMode	Select the type of data to export: FullExport - Exports all attributes. DeltaExport - Exports changed, mandatory, or all attributes, depending on the DeltaExportMode property setting.
Filter	Specify a filter to return only those entries that match the search criteria. Use the Set Filter button that becomes active to create a filter. (See "Set Filter" below for additional information).
FoldSubRecords	If set to TRUE, sub records are folded and returned as attributes. This property is available only for User and Group data formats.
GetAdministratorByID	Specify the ID of an administrator to fetch the details. This property is only available for Administrator data format.
MaxResults	Select the maximum number of results to be returned (this works in conjunction with ExportMode when FullExport is selected). If this is 0, all entries matching the search criteria are returned. This property is only available for Administrator data format.
ResultsPerPage	Configuration to control the items to be fetched per page.

Set Filter

Setting the filter is a means to narrow the search scope and return specific results.

Element	Description
Search Operation	Select the operation of the filter. This represents the attribute name for searching the Duo directory.
Search	The elements that display depend upon the Search operation selected: User Id - Enter a User Id to search a specific user.
Filter Syntax	Displays the filter syntax used to retrieve entries from the Duo Security Server and to build the export list.
Edit Filter Manually	Check this box to manually edit the filter in the Filter Syntax to build complex filters.

(Optional) Select the Attributes tab Only standard attributes display:

Modify schema attributes using these buttons.

Element	Description
Add	Adds additional attributes to the list. The Add New Attribute dialog displays.
Remove	Removes additional attributes from the list.
Remove All	Removes all additional attributes from the list.
Export	Exports the schema list to an XML file.
Import	Imports the schema list from an XML file.
Refresh Schema	Dynamically discovers the schema from the connected system. It also includes local as well as global attributes added in the Studio.
Reset Schema	Resets the schema definition to the default schema prepackaged with the IdM Suite, plus any global variable added.

Optional) Select the Appearance tab to change how the Connected System object displays in the Design pane.

Click OK to save any changes and return to the Workflow and Connectivity Studio window.

Configuring the Export Link

1.In the Design pane, double-click the export link between the export object (the first workflow object after the Start object) and the Data Mapper object. The Configure Link window displays:

Description
Source Attributes	Select the attributes to export.
Selected Attributes	Displays default attributes and those attributes that have been selected from the Source Attributes. Note: The check boxes are used only for delta export operations. These checked attributes will always be exported whether they were changed or not.
Format	Displays the Format Date window to specify a date/time format to be applied to the selected date type attribute, for example, whenChanged. During export, the attribute’s value is converted to the specified format. See the Format Date steps below for additional information. Notes: The Format button is only enabled for date attributes. The Refresh Schema button on the Configure Data Source window’s Attributes tab must be used to refresh the schema and enable the Format button for date attributes.
Advanced Settings	Displays the Configure Attributes window for configuring advanced settings for attributes. See the Configure Attributes window on page 39 for additional information.

2. From the Attribute Selection tab, select attributes to export.
3. (Optional) Select the Appearance tab to change how the link displays in the Design pane.
4. Click OK to save any changes and return to the Workflow and Connectivity Studio window.
5. Deploy the workflow by selecting Deploy ► New Deployment. See the Workflow and Connectivity Studio documentation for details of deployment options.
6. Manage and run the deployed workflow from the Admin UI ► Server tab. See the Identity Suite Administration documentation for details.

Connector Details for Provisioning

Configuration import properties Id and loginId are used by the Provisioning Policy and IdentityHub features to populate the ACCOUNT_DN, ACCOUNT_ID, and ACCOUNT_USERNAME columns of the FISC_USER_ACCOUNT table of the Product database. See the ‘Provisioning Policy’ and ‘Provisioning Using the IdentityHub’ chapters of the Identity Suite Administration Guide for details.

Configuration Import Properties

Identity Property	System Attribute
id	userId
login id	username

Duo Security Connector Attributes

The items in the Export, Create, Modify, and Delete columns have these meanings:

Y = Yes (attribute is supported for this operation)
N = No (attribute is not supported for this operation)

User Data Format

This table outlines the supported User attributes. Attributes that are mandatory (M) are required for user creation. For attributes such as enrollment->courseId or logins->loginId, mandatory applies only for the sub attributes, for example, a user can be created without an additional login.

Name	MV	Add	Modify	Delete	Export	Mandatory	Description
userId	N	Y	Y	Y	Y	Y	User's Id . Note: This attribute is mandatory for user modify and user delete.
username	N	Y	Y	Y	Y	Y	The name of the user to create.
realname	N	Y	Y	Y	Y	N	The real name of this user.
email	N	Y	Y	Y	Y	N	Email address of this user.
notes	N	Y	Y	Y	Y	N	A user description or notes field which can be viewed from admin interface.
status	N	Y	N	N	Y	N	This attribute presents user's status. Values can be: active: The user must complete secondary authentication.(default value). bypass: User will bypass secondary authentication after completing primary authentication. disabled: User will not be able to log in.
lastLogin	N	N	N	N	Y	N	The last time this user has logged in.
groups->groupId	Y	Y	Y	Y	Y	N*	The ID of the group to associate with the user. Note:This attribute is mandatory when: associating a user to a group on user add modifying associated user group on user modify deleting a group associated with a user on user delete. The name of the group.
groups->groupName	Y	N	N	N	Y	N	The name of the group.
groups->groupDescription	Y	N	N	N	Y	N	The description of the group.
groups->groupPushEnabled	Y	N	N	N	Y	N	If true, users in the group will be able to use Duo Push to authenticate. If false, users in the group will not be able to use Duo Push to authenticate. Note: This setting as no effect if Duo Push is disabled globally.
groups->groupSmsEnabled	Y	N	N	N	Y	N	If true, users in the group will be able to use SMSpasscodes to authenticate. If false, users in the group will not be able to use SMS passcodes to authenticate. Note: This setting has no effect if SMS passcodes are disabled globally.
groups->groupStatus	Y	N	N	N	Y	N	The authentication status of the group. The list of possible values are: active: The users in the group must complete secondary authentication. bypass: The users in the group will bypass secondary authentication after completing primary authentication. disabled: The users in the group will not be able to authenticate.
groups->groupVoiceEnabled	Y	N	N	N	Y	N	If true, users in the group will be able to authenticate with a voice callback. If false, users in the group will not be able to authenticate with a voice callback. Note: This setting has no effect if voice callback is disabled globally.
phones->phoneActivated	Y	N	N	N	Y	N	Has this phone been activated for Duo Mobile yet? Either “true” or “false”.
phones->phoneCapabilities	Y	N	N	N	Y	N	List of strings, each a factor that can be used with the device. Each string will be separated from each other with a pipe “\|”. Example: “sms \| push”. push: The device is activated for Duo Push. phone: The device can receive phone calls. sms: The dev
Phones->phoneExtension	Y	Y	Y	Y	Y	N	An extension, if necessary.
phones->phoneId	Y	N	N	N	Y	N*	The ID of the phone to associate with the user. Note:This attribute is mandatory when: associating a phone with user on user add modifying associated user phone on user modify deleting a phone associated with a user on user delete.
phones->phoneName	Y	Y	Y	Y	Y	N	Free-form label for the phone.
phones->phoneNumber	Y	Y	Y	Y	Y	N	The phone number.
phones->phonePlatform	Y	Y	Y	Y	Y	N	The phone platform. The phone platform. One of: “unknown”, “google android”, “apple ios”, “windows phone 7”, “rim blackberry”, “java j2me”, “palm webos”, “symbian os”, “windows mobile”, or “generic smartphone”. “windows phone” is accepted as a synonym for “windows phone 7”. This includes devices running Windows Phone 8. If a smartphone’s exact platform is unknown but it will have Duo Mobile installed, use “generic smartphone” and generate an activation code. When the phone is activated its platform will be automatically detected.
phones->phonePostdelay	Y	Y	Y	Y	Y	N	The time (in seconds) to wait after the extension is dialed and before the speaking prompt.
phones->phonePredelay	Y	Y	Y	Y	Y	N	The time (in seconds) to wait after the number picks up and before dialing the extension.
Phones-> phoneSmsPasscodesSent	Y	N	N	N	Y	N	Have SMS passcodes been sent to this phone? Either “true” or “false”.
phones->phoneType	Y	Y	Y	N	Y	N	The type of phone. One of: “unknown”, “mobile”, or “landline”.
alias1	N	Y	Y	Y	Y	N	user's alias attribute
alias2	N	Y	Y	Y	Y	N	user's alias attribute
alias3	N	Y	Y	Y	Y	N	user's alias attribute
alias4	N	Y	Y	Y	Y	N	user's alias attribute
firstname	N	Y	Y	Y	Y	N	The first name of the user
lastname	N	Y	Y	Y	Y	N	The first name of the user

*Note: Not mandatory when creating a user. Mandatory when associating a user with a group.

Group Data Format

This table outlines the supported Group attributes. This connector supports creation, modification, deletion, and export of Groups. Enrollments represent the link between a user and a Group. Mandatory attributes are required for group creation.

Name	MV	Add	Modify	Delete	Export	Mandatory	Description
groupName	N	Y	Y	Y*	Y	Y	Name of the group
groupId	N	Y	Y	Y	Y	Y	Id associated with each group. Note: This attribute is mandatory for a group update or group delete.
description	N	Y	Y	Y	Y	N	The description of the group.
status	N	Y	Y	N	Y	N	The authentication status of the group. The list of possible values are: active: The users in the group must complete secondary authentication. bypass: The users in the group will bypass secondary authentication after completing primary authentication. disabled: The users in the group will not be able to authenticate.
pushEnabled	N	Y	Y	N	Y	N	If true, users in the group will be able to use Duo Push to authenticate. If false, users in the group will not be able to use Duo Push to authenticate. Note: This setting as no effect if Duo Push is disabled globally.
smsEnabled	N	Y	Y	N	Y	N	If true, users in the group will be able to use SMS passcodes to authenticate. If false, users in the group will not be able to use SMS passcodes to authenticate. Note: This setting has no effect if SMS passcodes are disabled globally.
voiceEnabled	N	Y	Y	N	Y	N	If true, users in the group will be able to authenticate with a voice callback. If false, users in the group will not be able to authenticate with a voice callback. Note: This setting has no effect if voice callback is disabled globally.

*Note: no error message will be displayed when trying to delete a group that does not exist.

Administrator Data Format

This table outlines the supported Administrator attributes.

Name	Export	Import	Description
adminId	Y	Y	Administrator's ID. Either adminId or email is mandatory for administrator modify and administrator delete.
email	Y	Y	Email address of administrator. This attribute is mandatory for administrator add. Either adminId or email is mandatory for administrator modify and administrator delete.
lastLogin	Y	N	Last login time of administrator.
name	Y	Y	Administrator's name. This attribute is mandatory for administrator add.
password	N	Y	This attribute is mandatory for administrator add.
phone	Y	Y	This attribute is mandatory for administrator add.
role	Y	Y	Roles of administrator.

Lookup Data

To find existing users and return specific attribute values for users, use the Data Mapper rule Lookup Data.

Log in to the Workflow and Connectivity Studio and double-click the Data Mapper object on the Design pane. The Configure Data Mapper window displays.
Select the Lookup Data rule under the Mapping Rule column, and then click the Source Value. The Configure Lookup window displays.
Select the Duo Security system from the Select System drop-down list:
In the Enter Lookup Prefix field, enter the prefix to be added to the Lookup fields.
Click the Filter Build button to select the attributes to be fetched after a successful lookup. The Lookup Configuration window displays

See "Set Filter" for a description of this window.
Click the Fields Pick button to select the attributes to be fetched after a successful lookup. The Lookup Configuration dialog displays:
1. Select the attribute(s) from the Selected Attributes list that require a date and/or time format and click the Format button. The Format Date window displays.
2. Select the Include Time check box to use a date and time format. Select the required date/time format for your target database (shown above) and then click OK.
Select the Lookup Type from the drop-down list. The updated Configure Lookup window displays, for example:

User lookup will not fetch the accountId value where the user belongs. Administrator lookup supports lookup by ID and lookup by Filter.
Select the Exit as Mapper Task Failed on Lookup Failure check box to exit the task with Failed status on lookup failure. It will not process the succeeding entries and will ignore the already processed entries and will not return any data. This is selected by default.
Click OK.

Handling Multiple Sub Records on Import and Export

A user can also have multiple attributes.

Setting multiple sub records on import in the Configure Data Mapper window

From the Workflow and Connectivity Studio, double-click the Data Mapper object on the Design pane. The Configure Data Mapper window displays:
For setting the index on the Target Value, click the attribute under Target Value. The Select Data Elements window displays the attribute selected:
Click the Sub Entr... (Sub Entry Index) button. The Set Data Index / Select Condition Attributes window displays. Click the Literal option and enter the index value:
Click OK.

Setting multiple sub records on export in the Configure Data Mapper window

From the Workflow and Connectivity Studio, double-click the Data Mapper object on the Design pane. The Configure Data Mapper window displays:

The multi-valued attribute is converted to single-valued separated by a designated delimiter, for example, the multi-valued attribute groups->groupId is provided the delimiter "*".
Click OK.