Configuring DUO Security as an external MFA provider

Before you begin

You must meet the following conditions.
  • Have administrator access to the DUO tenant
  • Have administrator access to the ISV tenant
  • Users enrolled with DUO Mobile Authenticator
  • IBM® Security Verify user account to Duo account mapping

Users who are challenged for MFA by using DUO factors must have an account in ISV, either a federated account or a regular Cloud Directory account. User accounts can be created and managed in ISV by using tools and features such as:

  • ISV UI and API
  • Just-in-time provisioning during federated SSO or OnPrem authentication bridge logins
  • Directory synchronization

Whatever user management approach is used, it must address how one or more ISV user account attributes are mapped to a unique DUO username. The Directory Attributes features in ISV are supported by the DUO integration for this purpose. For example, one solution might be that the ISV user email directory attribute maps to a DUO username. If this solution is used, then every user account in ISV must have a value set for email when the account is created.
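The mapping requirement above can be checked before the integration is enabled. The following is an added example, not IBM or Duo code: it audits an exported user list for accounts with no value in the mapping attribute and for values shared by more than one account. The record shape (id, userName, email), the sample data, and the strip/lowercase normalization are assumptions made for illustration.

```python
import json
from collections import defaultdict

# Constructed sample export; the record shape (id, userName, email) is an
# assumption for illustration, not the ISV API schema.
SAMPLE_USERS = json.loads("""
[
  {"id": "u1", "userName": "alice", "email": "alice@example.com"},
  {"id": "u2", "userName": "bob", "email": ""},
  {"id": "u3", "userName": "carol"},
  {"id": "u4", "userName": "alice.fed", "email": "Alice@Example.com "},
  {"id": "u5", "userName": "dave", "email": "dave@example.com"}
]
""")


def audit_duo_mapping(users, attribute="email"):
    """Return (mapping, missing, collisions) for the chosen mapping attribute.

    mapping    : user id -> normalized value that would serve as the DUO username
    missing    : ids of users with no usable value (cannot be mapped)
    collisions : normalized value -> ids sharing it (username would not be unique)
    """
    by_value = defaultdict(list)
    missing = []
    for user in users:
        raw = user.get(attribute)
        # Assumption: trim and lowercase so near-duplicates are flagged too.
        value = raw.strip().lower() if isinstance(raw, str) else ""
        if not value:
            missing.append(user["id"])
            continue
        by_value[value].append(user["id"])

    collisions = {v: ids for v, ids in by_value.items() if len(ids) > 1}
    mapping = {ids[0]: v for v, ids in by_value.items() if len(ids) == 1}
    return mapping, missing, collisions


if __name__ == "__main__":
    mapping, missing, collisions = audit_duo_mapping(SAMPLE_USERS)
    print("mapped:", mapping)
    print("missing attribute:", missing)
    print("colliding values:", collisions)
```

Accounts reported as missing or colliding need their mapping attribute corrected in ISV before those users are challenged with DUO factors.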

About this task

IBM Security Verify supports DUO as an external MFA provider. You can use Verify for SSO and other features combined with DUO MFA without the need to drive your users through an ISV specific MFA enrollment process. Users who are already using DUO mobile authenticator can continue to use it for MFA while performing application SSO through Verify.

The DUO MFA integration supports runtime MFA challenge and verification only. The integration does not support or facilitate enrollment of users with DUO MFA Authenticator. Users must enroll their DUO Authenticator by using the DUO supplied interfaces and interactions. The Verify integration with DUO references a user’s existing DUO enrollments for the purpose of providing runtime MFA challenge and verification.

The following DUO MFA factors are supported by this integration.
  • Duo Push
  • Duo Mobile passcodes
  • SMS passcodes
The other DUO factors are not supported.

The integration is based on https://duo.com/docs/authapi.

Procedure

  1. Configure a Duo Security tenant. See Configuring a DUO tenant.
  2. Configure an IBM Security Verify tenant. See Configuring the IBM Security Verify tenant.