Duo Security Integration
04/2024
Overview
Oortβs platform can analyze authentication events in Duo Security to give insights into how users are accessing your applications and using MFA. In order to provide Insights, you have to set up an integration between Duo Security and Oort for analysis. This document will walk you through the process of setting up API access to Duo and will also walk you through the complementary setup inside of the Oort console.
Duo Security Integration
Understanding Oort admin API permissions
There are different types of API types of permissions sets that can be used with your Oort tenant and Duo.
Read-only admin API - this is generated using a read-only permissions (shown below) and used for data ingestion and analysis only
Read/write admin API permissions - this adds the
Grant write resource
permission in order to take advantage of the defined list of Oort Remediation Actions.Auth API permissions - one of the Actions available for an individual user is to send a push notification to the user's Duo enrolled mobile device. The Duo Auth API requires a separate auth key, as outlined below.
Remediation actions can only be taken by administrator or help desk roles in Oort and are limited to the list in the above article.
Oort recommends configuring all of the APIs documented below for full functionality and the best experience.
Duo Admin API Configuration
To add the necessary configuration, you need to have admin access in Duo Security.
From the Duo admin console, select Applications.
Select Admin API.
Note the integration key and API hostname.
For read-only functionality, the API Permissions required are:
For read/write capabilities associated with Oort Remediation Actions, add the Grant Write resource
to the list of permissions.
Click Save Changes.
Duo Auth API Configuration
A Duo Auth API key is required for the Send Push Notification functionality mentioned above.
In the Duo Admin panel, select Applications -> Protect Auth API.
Copy the Integration key and secret key for use in the Oort dashboard configuration.
Scroll down and give the Auth API a name that will indicate to end users that the push is from your company.
Oort Configuration
Navigate to Integrations -> New Integration -> Duo
Give the integration a display name.
Enter the API hostname, Integration key, and secret key into the Oort console.
NOTE - the API hostname must not contain a prefix like https://
- it should only be of the form
api-xxxxxxx.duosecurity.com
Slide the button to enable Support Push Verification.
Enter the Auth API Integration Key and Secret Key.
On the Advanced Settings tab, enable the checkbox for Endpoints if your Duo Security subscription is Advanced or above.
Click Save.
Test Connectivity and Start Collection
On the Integrations page, click the bar for the new Duo integration and select Test Connectivity from the menu.
After testing successfully, click the Collect Now button to begin initial data collection immediately.
Last updated