This connector only supports Provisioning.
The Duo Security connector enables the exporting and importing of user accounts on a Duo Security System.
Functionalities
The basic functionalities that can be done via this connector are listed below.
Provisioning Integration
Data Format | Export | Create | Modify | Delete | Trigger |
---|---|---|---|---|---|
User | Yes | Yes | Yes | Yes | No |
Group | Yes | Yes | Yes | Yes | No |
Administrator | Yes | Yes | Yes | Yes | No |
Prerequisites
Ensure that these prerequisites are satisfied:
- Create an Administrator account on the Duo Security system.
- Create an Admin API integration in the Duo account and note its:
  - Integration key
  - Secret key
  - API Host Name
Creating the Connected System in the Admin UI
The connected systems details page is shown below. Only configurations which are specific to Duo will be documented below.
For an overview of the configurations which are common to all connectors, please refer to our Connected System guide.
Connection Information | Description |
---|---|
API Host Name | Duo Web SDK API hostname. |
Admin API integration key | The integration key assigned to the Duo Web SDK integration. |
Admin API secret key | The secret key associated with the Duo Web SDK integration. |
Creating the Connected System in the Studio
- Log in to the Workflow and Connectivity Studio and click Connectivity ► Add Systems on the menu bar. The Add Connected Systems window displays.
- Select the Duo Security connected system from the Type drop-down list. The default values display.
- Enter the desired information. Only configurations which are specific to Duo are documented below. For an overview of the configurations which are common to all connectors, please refer to our Connected System guide.

Connection Information | Description |
---|---|
API Host Name | Duo Web SDK API hostname. |
Admin API integration key | The integration key assigned to the Duo Web SDK integration. |
Admin API secret key | The secret key assigned to the Duo Web SDK integration. |
Using the Connected System for Provisioning
Perform these procedures to configure the connector:
- Configuring for Export
- Configuring for Import
- Connector Details for Provisioning
- Lookup Data
Note: If the number of records to be processed exceeds one thousand, we recommend configuring the workflow to use bulk mode, which lowers the memory consumption of the system by streaming data to files. Because data is streamed for every task, performance of the workflow execution will be decreased due to increased read-write operations. See the Workflow and Connectivity Studio document for details on how to configure bulk mode.
Configuring for Export
Perform these procedures to configure the connector for data export:
- Configuring the Export Connector
- Configuring the Export Link
From the Workflow and Connectivity Studio, select the Duo Security UserExport workflow listed under the projects folder.
If a workflow does not already exist, create an export workflow. See Workflow and Connectivity Studio for details on creating export workflows.
Configuring the Export Connector
- In the Design pane, double-click the export object (the first workflow object after the Start object). The Configure Data Source window displays.
- From the Configure Plug-in tab, set these properties as required:
  - Associated Connected System: Select the connected system from the list. The export operation will be done from this connected system.
  - Data Formats: Select the type of data format to use: User (default), Groups, Administrator.
  - DeltaExportMode: Select the type of attribute to export if a change takes place (this works in conjunction with ExportMode when DeltaExport is selected):
    - OnlyChangedAttributes - Performs a partial export of only the attributes that changed since the last time the query was run.
    - ChangedAndMandatoryAttributes (default) - Performs a partial export of both changed and mandatory attributes since the last time the query was run. Mandatory attributes are exported whether they have been changed or not.
    - AllAttributes - Performs a full export of all attributes that contain a value.
  - DynamicConnectedSystem: Select the global variable to use as the dynamic connected system name. This works in conjunction with DynamicConnectedSystemOption when GlobalVariable is selected.
  - DynamicConnectedSystemOption: Select how to control Dynamic System Support (DSS):
    - None - There will not be any Dynamic System Support.
    - Transaction-SystemName - The value of the Transaction-SystemName attribute in the data is used as the dynamic connected system. The connected system name must be passed as the value of the attribute Transaction-SystemName; if it is missing from the data, the operation fails.
    - GlobalVariable - Use the global variable selected in the DynamicConnectedSystem property as the dynamic connected system name.
  - ExportMode: Select the type of data to export:
    - FullExport - Exports all attributes.
    - DeltaExport - Exports changed, mandatory, or all attributes, depending on the DeltaExportMode property setting.
  - Filter: Specify a filter to return only those entries that match the search criteria. Use the Set Filter button that becomes active to create a filter (see "Set Filter" below for additional information).
  - FoldSubRecords: If set to TRUE, sub records are folded and returned as attributes. This property is available only for the User and Group data formats.
  - GetAdministratorByID: Specify the ID of an administrator to fetch that administrator's details. This property is available only for the Administrator data format.
  - MaxResults: Select the maximum number of results to be returned (this works in conjunction with ExportMode when FullExport is selected). If this is 0, all entries matching the search criteria are returned. This property is available only for the Administrator data format.
  - ResultsPerPage: Controls the number of items to be fetched per page.

Set Filter
Setting the filter is a means to narrow the search scope and return specific results.
Element | Description |
---|---|
Search Operation | Select the operation of the filter. This represents the attribute name for searching the Duo directory. |
Search | The elements that display depend upon the Search Operation selected. User Id - Enter a User Id to search for a specific user. |
Filter Syntax | Displays the filter syntax used to retrieve entries from the Duo Security Server and to build the export list. |
Edit Filter Manually | Check this box to manually edit the filter in the Filter Syntax field to build complex filters. |

- (Optional) Select the Attributes tab. Only standard attributes display. Modify schema attributes using these buttons:

Element | Description |
---|---|
Add | Adds additional attributes to the list. The Add New Attribute dialog displays. |
Remove | Removes additional attributes from the list. |
Remove All | Removes all additional attributes from the list. |
Export | Exports the schema list to an XML file. |
Import | Imports the schema list from an XML file. |
Refresh Schema | Dynamically discovers the schema from the connected system. It also includes local as well as global attributes added in the Studio. |
Reset Schema | Resets the schema definition to the default schema prepackaged with the IdM Suite, plus any global variables added. |

- (Optional) Select the Appearance tab to change how the Connected System object displays in the Design pane.
- Click OK to save any changes and return to the Workflow and Connectivity Studio window.
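The following Python is an added example, not part of the connector documentation or the product's own code. It models how the ExportMode and DeltaExportMode properties described above decide which attributes of one record are exported, using the mandatory attributes of the User data format (userId, username). The snapshot and record values are constructed sample data, and the assumption that a record with no changed attribute is skipped entirely in DeltaExport mode is ours, not the page's.

```python
# Added example: models the ExportMode / DeltaExportMode selection described in the
# Configure Plug-in properties. Not the connector's own code. Sample data is constructed.

MANDATORY_USER_ATTRS = frozenset({"userId", "username"})  # per the User data format table


def changed_attributes(previous, current):
    """Attributes whose value differs between the last run's snapshot and now.

    An attribute that appeared, disappeared or changed value all count as changed.
    """
    keys = set(previous) | set(current)
    return {k for k in keys if previous.get(k) != current.get(k)}


def select_export_attributes(previous, current, export_mode,
                             delta_mode="ChangedAndMandatoryAttributes",
                             mandatory=MANDATORY_USER_ATTRS):
    """Return the sorted list of attribute names to export for one record.

    previous    -- dict of attribute values captured by the last export run
                   (empty dict if the record was never exported)
    current     -- dict of attribute values as read from the connected system now
    export_mode -- "FullExport" or "DeltaExport"
    delta_mode  -- "OnlyChangedAttributes", "ChangedAndMandatoryAttributes" or
                   "AllAttributes"; consulted only when export_mode is "DeltaExport"
    """
    if export_mode == "FullExport":
        # FullExport: every attribute, regardless of the snapshot.
        return sorted(current)
    if export_mode != "DeltaExport":
        raise ValueError(f"unknown ExportMode: {export_mode!r}")

    changed = changed_attributes(previous, current)
    if not changed:
        # Assumption (not stated on the page): a record with no changed attribute
        # is not emitted at all in DeltaExport mode.
        return []

    if delta_mode == "OnlyChangedAttributes":
        selected = changed
    elif delta_mode == "ChangedAndMandatoryAttributes":
        # Mandatory attributes are exported whether they changed or not.
        selected = changed | set(mandatory)
    elif delta_mode == "AllAttributes":
        # Full export of all attributes that contain a value.
        selected = {k for k, v in current.items() if v not in (None, "")}
    else:
        raise ValueError(f"unknown DeltaExportMode: {delta_mode!r}")

    # Only attributes that still exist in the current record can carry a value;
    # an attribute removed since the last run is "changed" but has nothing to export.
    return sorted(k for k in selected if k in current)


# Constructed sample: snapshot from the previous run and the same user as read now.
PREVIOUS_SNAPSHOT = {
    "userId": "DUXXXXXXXXXXXXXXXXXX",   # placeholder id, not a real Duo identifier
    "username": "jdoe",
    "realname": "Jane Doe",
    "email": "jdoe@example.com",
    "status": "active",
}
CURRENT_RECORD = {
    "userId": "DUXXXXXXXXXXXXXXXXXX",
    "username": "jdoe",
    "realname": "Jane Doe",
    "email": "jane.doe@example.com",      # value changed
    "status": "active",
    "notes": "",                          # newly present, but empty: no value
    "lastLogin": "2024-01-15T08:30:00Z",  # newly populated
}

if __name__ == "__main__":
    print("FullExport:", select_export_attributes({}, CURRENT_RECORD, "FullExport"))
    for mode in ("OnlyChangedAttributes", "ChangedAndMandatoryAttributes", "AllAttributes"):
        print(f"DeltaExport/{mode}:",
              select_export_attributes(PREVIOUS_SNAPSHOT, CURRENT_RECORD, "DeltaExport", mode))
```

Running the module prints the attribute list each setting would emit for the sample user; with the default ChangedAndMandatoryAttributes, the unchanged userId and username are still included so that the downstream mapping can always identify the account.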
Configuring the Export Link
1. In the Design pane, double-click the export link between the export object (the first workflow object after the Start object) and the Data Mapper object. The Configure Link window displays.
2. Set these properties as required:

Element | Description |
---|---|
Source Attributes | Select the attributes to export. |
Selected Attributes | Displays default attributes and those attributes that have been selected from the Source Attributes. Note: The check boxes are used only for delta export operations. Checked attributes are always exported whether they were changed or not. |
Format | Displays the Format Date window to specify a date/time format to be applied to the selected date type attribute, for example, whenChanged. During export, the attribute's value is converted to the specified format. See the Format Date steps below for additional information. Notes: The Format button is only enabled for date attributes. The Refresh Schema button on the Configure Data Source window's Attributes tab must be used to refresh the schema and enable the Format button for date attributes. |
Advanced Settings | Displays the Configure Attributes window for configuring advanced settings for attributes. See the Configure Attributes window for additional information. |

3. (Optional) Select the Appearance tab to change how the link displays in the Design pane.
4. Click OK to save any changes and return to the Workflow and Connectivity Studio window.
5. Deploy the workflow by selecting Deploy ► New Deployment. See the Workflow and Connectivity Studio documentation for details of deployment options.
6. Manage and run the deployed workflow from the Admin UI ► Server tab. See the Identity Suite Administration documentation for details.
Connector Details for Provisioning
Configuration import properties Id and loginId are used by the Provisioning Policy and IdentityHub features to populate the ACCOUNT_DN, ACCOUNT_ID, and ACCOUNT_USERNAME columns of the FISC_USER_ACCOUNT table of the Product database. See the ‘Provisioning Policy’ and ‘Provisioning Using the IdentityHub’ chapters of the Identity Suite Administration Guide for details.
Configuration Import Properties

Identity Property | System Attribute |
---|---|
id | userId |
login id | username |
Duo Security Connector Attributes
The items in the Export, Create, Modify, and Delete columns have these meanings:
- Y = Yes (attribute is supported for this operation)
- N = No (attribute is not supported for this operation)
User Data Format
This table outlines the supported User attributes. Attributes that are mandatory (M) are required for user creation. For sub attributes such as groups->groupId or phones->phoneId, mandatory applies only within the sub record; for example, a user can be created without a group association.

Name | MV | Add | Modify | Delete | Export | Mandatory | Description |
---|---|---|---|---|---|---|---|
userId | N | Y | Y | Y | Y | Y | User's Id. |
username | N | Y | Y | Y | Y | Y | The name of the user to create. |
realname | N | Y | Y | Y | Y | N | The real name of this user. |
email | N | Y | Y | Y | Y | N | Email address of this user. |
notes | N | Y | Y | Y | Y | N | A user description or notes field which can be viewed from the admin interface. |
status | N | Y | N | N | Y | N | The user's status. Values can be: |
lastLogin | N | N | N | N | Y | N | The last time this user logged in. |
groups->groupId | Y | Y | Y | Y | Y | N* | The ID of the group to associate with the user. |
groups->groupName | Y | N | N | N | Y | N | The name of the group. |
groups->groupDescription | Y | N | N | N | Y | N | The description of the group. |
groups->groupPushEnabled | Y | N | N | N | Y | N | If true, users in the group will be able to use Duo Push to authenticate. If false, users in the group will not be able to use Duo Push to authenticate. |
groups->groupSmsEnabled | Y | N | N | N | Y | N | If true, users in the group will be able to use SMS passcodes to authenticate. If false, users in the group will not be able to use SMS passcodes to authenticate. |
groups->groupStatus | Y | N | N | N | Y | N | The authentication status of the group. The list of possible values are: |
groups->groupVoiceEnabled | Y | N | N | N | Y | N | If true, users in the group will be able to authenticate with a voice callback. If false, users in the group will not be able to authenticate with a voice callback. |
phones->phoneActivated | Y | N | N | N | Y | N | Has this phone been activated for Duo Mobile yet? Either "true" or "false". |
phones->phoneCapabilities | Y | N | N | N | Y | N | List of strings, each a factor that can be used with the device. Each string is separated from the next with a pipe ("\|"). |
phones->phoneExtension | Y | Y | Y | Y | Y | N | An extension, if necessary. |
phones->phoneId | Y | N | N | N | Y | N* | The ID of the phone to associate with the user. |
phones->phoneName | Y | Y | Y | Y | Y | N | Free-form label for the phone. |
phones->phoneNumber | Y | Y | Y | Y | Y | N | The phone number. |
phones->phonePlatform | Y | Y | Y | Y | Y | N | The phone platform. One of: "unknown", "google android", "apple ios", "windows phone 7", "rim blackberry", "java j2me", "palm webos", "symbian os", "windows mobile", or "generic smartphone". |
phones->phonePostdelay | Y | Y | Y | Y | Y | N | The time (in seconds) to wait after the extension is dialed and before the speaking prompt. |
phones->phonePredelay | Y | Y | Y | Y | Y | N | The time (in seconds) to wait after the number picks up and before dialing the extension. |
phones->phoneSmsPasscodesSent | Y | N | N | N | Y | N | Have SMS passcodes been sent to this phone? Either "true" or "false". |
phones->phoneType | Y | Y | Y | N | Y | N | The type of phone. One of: "unknown", "mobile", or "landline". |
alias1 | N | Y | Y | Y | Y | N | User's alias attribute. |
alias2 | N | Y | Y | Y | Y | N | User's alias attribute. |
alias3 | N | Y | Y | Y | Y | N | User's alias attribute. |
alias4 | N | Y | Y | Y | Y | N | User's alias attribute. |
firstname | N | Y | Y | Y | Y | N | The first name of the user. |
lastname | N | Y | Y | Y | Y | N | The last name of the user. |
*Note: Not mandatory when creating a user. Mandatory when associating a user with a group.
Group Data Format
This table outlines the supported Group attributes. This connector supports creation, modification, deletion, and export of Groups. Enrollments represent the link between a user and a Group. Mandatory attributes are required for group creation.
Name | MV | Add | Modify | Delete | Export | Mandatory | Description |
---|---|---|---|---|---|---|---|
groupName | N | Y | Y | Y* | Y | Y | Name of the group. |
groupId | N | Y | Y | Y | Y | Y | Id associated with each group. |
description | N | Y | Y | Y | Y | N | The description of the group. |
status | N | Y | Y | N | Y | N | The authentication status of the group. The list of possible values are: |
pushEnabled | N | Y | Y | N | Y | N | If true, users in the group will be able to use Duo Push to authenticate. If false, users in the group will not be able to use Duo Push to authenticate. |
smsEnabled | N | Y | Y | N | Y | N | If true, users in the group will be able to use SMS passcodes to authenticate. If false, users in the group will not be able to use SMS passcodes to authenticate. |
voiceEnabled | N | Y | Y | N | Y | N | If true, users in the group will be able to authenticate with a voice callback. If false, users in the group will not be able to authenticate with a voice callback. |
*Note: No error message is displayed when trying to delete a group that does not exist.
Administrator Data Format
This table outlines the supported Administrator attributes.
Name | Export | Import | Description |
---|---|---|---|
adminId | Y | Y | Administrator's ID. Either adminId or email is mandatory for administrator modify and administrator delete. |
email | Y | Y | Email address of the administrator. This attribute is mandatory for administrator add. Either adminId or email is mandatory for administrator modify and administrator delete. |
lastLogin | Y | N | Last login time of the administrator. |
name | Y | Y | Administrator's name. This attribute is mandatory for administrator add. |
password | N | Y | This attribute is mandatory for administrator add. |
phone | Y | Y | This attribute is mandatory for administrator add. |
role | Y | Y | Roles of the administrator. |
Lookup Data
To find existing users and return specific attribute values for users, use the Data Mapper rule Lookup Data.
- Log in to the Workflow and Connectivity Studio and double-click the Data Mapper object on the Design pane. The Configure Data Mapper window displays.
- Select the Lookup Data rule under the Mapping Rule column, and then click the Source Value. The Configure Lookup window displays.
- Select the Duo Security system from the Select System drop-down list.
- In the Enter Lookup Prefix field, enter the prefix to be added to the Lookup fields.
- Click the Filter Build button to build the lookup filter. The Lookup Configuration window displays; see "Set Filter" for a description of this window.
- Click the Fields Pick button to select the attributes to be fetched after a successful lookup. The Lookup Configuration dialog displays.
- Select the attribute(s) from the Selected Attributes list that require a date and/or time format and click the Format button. The Format Date window displays.
- Select the Include Time check box to use a date and time format. Select the required date/time format for your target database and then click OK.
- Select the Lookup Type from the drop-down list. The updated Configure Lookup window displays. User lookup does not fetch the accountId value where the user belongs. Administrator lookup supports lookup by ID and lookup by Filter.
- Select the Exit as Mapper Task Failed on Lookup Failure check box to exit the task with Failed status on lookup failure. When selected, the succeeding entries are not processed, the already processed entries are ignored, and no data is returned. This is selected by default.
- Click OK.
Handling Multiple Sub Records on Import and Export
A user can have multiple values for a sub record attribute, for example several groups or phones.
Setting multiple sub records on import in the Configure Data Mapper window
- From the Workflow and Connectivity Studio, double-click the Data Mapper object on the Design pane. The Configure Data Mapper window displays.
- To set the index on the Target Value, click the attribute under Target Value. The Select Data Elements window displays the selected attribute.
- Click the Sub Entr... (Sub Entry Index) button. The Set Data Index / Select Condition Attributes window displays. Click the Literal option and enter the index value.
- Click OK.
Setting multiple sub records on export in the Configure Data Mapper window
- From the Workflow and Connectivity Studio, double-click the Data Mapper object on the Design pane. The Configure Data Mapper window displays.
- The multi-valued attribute is converted to a single-valued attribute whose values are separated by a designated delimiter; for example, the multi-valued attribute groups->groupId is given the delimiter "*".
- Click OK.
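The following Python is an added example, not part of the connector documentation or the product's own code. It shows what the FoldSubRecords property and the export step above describe: the groups->... and phones->... sub records of a user are folded into single-valued attributes joined by the "*" delimiter (and the phoneCapabilities list by "|", as the User data format table states), then unfolded again so that one entry can be addressed by a literal Sub Entry Index on import. The record, the function names, the 0-based index convention and the checks for a delimiter inside a value or misaligned sub records are our assumptions, not behaviour the page states.

```python
# Added example: folding and unfolding of multi-valued sub records with a delimiter.
# Not the connector's own code. Sample record below is constructed data.

SUB_RECORD_ATTRS = ("groups", "phones")   # multi-valued sub records of the User data format
LIST_VALUED = {"phoneCapabilities"}       # a list inside one sub record, joined with "|" (per the table)
DEFAULT_DELIMITER = "*"                   # delimiter used in the export example above


def fold_sub_records(record, delimiter=DEFAULT_DELIMITER):
    """Flatten sub records into 'parent->attr' keys whose values are delimiter-joined.

    Raises ValueError if a value itself contains the delimiter, because such a value
    could not be split back unambiguously on import.
    """
    flat = {k: v for k, v in record.items() if k not in SUB_RECORD_ATTRS}
    for parent in SUB_RECORD_ATTRS:
        entries = record.get(parent, [])
        names = sorted({name for entry in entries for name in entry})
        for name in names:
            parts = []
            for entry in entries:
                value = entry.get(name, [] if name in LIST_VALUED else "")
                if name in LIST_VALUED:
                    value = "|".join(value)          # e.g. ["push", "sms"] -> "push|sms"
                value = str(value)
                if delimiter in value:
                    raise ValueError(f"{parent}->{name} value {value!r} contains delimiter {delimiter!r}")
                parts.append(value)                  # "" keeps the index alignment for missing values
            flat[f"{parent}->{name}"] = delimiter.join(parts)
    return flat


def unfold_sub_records(flat, delimiter=DEFAULT_DELIMITER):
    """Inverse of fold_sub_records: rebuild the list of sub records for each parent.

    Every 'parent->attr' attribute of one parent must split into the same number of
    parts, otherwise the sub entry indexes would not line up and ValueError is raised.
    """
    record = {k: v for k, v in flat.items() if "->" not in k}
    columns = {}
    for key, value in flat.items():
        if "->" in key:
            parent, name = key.split("->", 1)
            columns.setdefault(parent, {})[name] = value.split(delimiter)
    for parent, cols in columns.items():
        counts = {len(parts) for parts in cols.values()}
        if len(counts) != 1:
            raise ValueError(f"misaligned sub records under {parent!r}: {sorted(counts)}")
        entries = []
        for i in range(counts.pop()):
            entry = {}
            for name, parts in cols.items():
                part = parts[i]
                entry[name] = (part.split("|") if part else []) if name in LIST_VALUED else part
            entries.append(entry)
        record[parent] = entries
    return record


def sub_entry(flat, parent, index, delimiter=DEFAULT_DELIMITER):
    """Return the sub record of `parent` at a literal index, the way the Data Mapper's
    Sub Entry Index addresses one entry of a multi-valued attribute on import.
    The index is 0-based here (an assumption; the Studio's own convention is not stated)."""
    entries = unfold_sub_records(flat, delimiter).get(parent, [])
    if not 0 <= index < len(entries):
        raise IndexError(f"{parent!r} has {len(entries)} sub records; index {index} is out of range")
    return entries[index]


# Constructed sample user with two groups and one phone (ids are placeholders).
SAMPLE_USER = {
    "userId": "DUXXXXXXXXXXXXXXXXXX",
    "username": "jdoe",
    "groups": [
        {"groupId": "DGXXXXXXXXXXXXXXXXX1", "groupName": "Helpdesk", "groupStatus": "active"},
        {"groupId": "DGXXXXXXXXXXXXXXXXX2", "groupName": "VPN Users", "groupStatus": "active"},
    ],
    "phones": [
        {"phoneId": "DPXXXXXXXXXXXXXXXXXX", "phoneNumber": "+15555550100", "phoneType": "mobile",
         "phoneActivated": "true", "phoneCapabilities": ["push", "sms"]},
    ],
}

if __name__ == "__main__":
    folded = fold_sub_records(SAMPLE_USER)
    for key in sorted(folded):
        print(f"{key} = {folded[key]}")
    print("second group:", sub_entry(folded, "groups", 1))
    print("round trip ok:", unfold_sub_records(folded) == SAMPLE_USER)
```

The delimiter check matters in practice: a free-form value such as a phoneName or a group description that happens to contain "*" would silently shift every later sub record by one position on import, so the fold refuses it rather than producing misaligned data.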