
Duo Security

Duo Security is a cloud-hosted SAML Identity Provider (IdP) that adds two-factor authentication, complete with inline self-service enrollment and Duo Prompt, to popular cloud services like Salesforce and Amazon Web Services using SAML 2.0 federation.

The following sections explain prerequisites, resources, and instructions for integrating with SaaS Management.

Stored Duo Security Information

The following table describes the available integration tasks and stored data within SaaS Management.

Available Integration Tasks | Information Stored
Application Roster | User ID, Email, Real Name, Active Date
Application Access | User ID, Last Login
Application Discovery | SSO Application ID, SSO Name
SSO Application Roster | User ID, Email, Real Name, Active Date, SSO Application ID, SSO Name
SSO Application Access | User ID, Occurred Event Type, SSO Application ID, SSO Name

Note

Consider the following:

  • The information stored is subject to change as enhancements are made to the SaaS application.

  • For Single Sign-On (SSO) information, the SSO Name is the name of the application managed by the SSO provider. The SSO Display Name is the display name of the application managed by the SSO provider. Depending on the application, these two names may appear the same or different. Therefore, both SSO Name and SSO Display Name are stored in SaaS Management.

Required Minimum Permissions for Duo Security

The required minimum permissions are Administrator with the Owner role. For more information, see the Duo Admin API documentation topic, First Steps.

Duo Security Authentication Method

The Basic authentication method is required.

Required Duo Security Credentials

The following credentials are required:

  • Integration Key

  • Secret Key

  • API Hostname

Integrating Duo Security With SaaS Management

To integrate Duo Security with SaaS Management, perform the following tasks.

Adding the Admin API Application in the Duo Admin Panel

Administrators with the Owner role perform the following steps to add the Admin API application in the Duo Admin Panel. You need to obtain the Integration Key, Secret Key, and API Hostname values from the Duo Admin Panel before Integrating Duo Security With SaaS Management.

Note

This API is automatically available to paying Duo Beyond, Duo Access, and Duo MFA plan customers. New customers with an Access or Beyond trial account may contact Duo Support to request Admin API access.

  1. Sign in to the Duo Admin Panel and go to Applications.
  2. On the Applications page, click Protect an Application and locate the entry for Admin API in the applications list.
  3. On the far right of the Applications page, click Protect to configure the application. The Admin API page opens.
  4. On the Admin API page:
    1. In the Details section, copy and paste your Integration Key, Secret Key, and API Hostname values into a file. You will need this information to complete the integration with SaaS Management.
    2. Enable the following Admin API permissions:
      • Grant applications: permit this Admin API application to add, modify, and delete applications.

      • Grant read log: permit this Admin API application to read logs.

      • Grant read resource: permit this Admin API application to read resources such as users, phones, and hardware tokens.

  5. Proceed to Integrating Duo Security With SaaS Management.

Integrating Duo Security With SaaS Management

Complete the following steps to integrate Duo Security with SaaS Management:

  1. Complete the prerequisite steps in Adding the Admin API Application in the Duo Admin Panel.
  2. Add the Duo Security application in SaaS Management. For more information, see Adding an Application.
  3. Copy and paste the following Duo Security information into SaaS Management:
    • Integration Key

    • Secret Key

    • API Hostname of the Admin API endpoints

  4. Click Authorize.

Tip

24 hours after the Application Discovery integration task has been enabled, you can add the discovered SSO-enabled applications to your list of Managed SaaS Applications. For more information, see Adding Discovered SSO Enabled Applications to Your List of Managed SaaS Applications.

Duo Security API Endpoints

Application Roster and Application Access

https://api-XXXXXXXX.duosecurity.com/admin/v1/users

Application Discovery

https://api-XXXXXXXX.duosecurity.com/admin/v1/integrations

SSO Application Roster

  • https://api-XXXXXXXX.duosecurity.com/admin/v1/users

  • https://api-XXXXXXXX.duosecurity.com/admin/v2/logs/authentication

SSO Application Access

https://api-XXXXXXXX.duosecurity.com/admin/v2/logs/authentication
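
The following added example (not part of the original page or of either vendor's code) shows how the Integration Key, Secret Key, and API Hostname combine into the Basic authentication headers for a call to the users endpoint listed above. It assumes the HMAC request-signing scheme described in Duo's Admin API documentation; the credential values and the `limit`/`offset` paging parameters are constructed for illustration.

```python
import base64
import email.utils
import hashlib
import hmac
import urllib.parse

# Constructed placeholder credentials; real values come from the Details
# section of the Admin API application in the Duo Admin Panel.
IKEY = "DIXXXXXXXXXXXXXXXXXX"
SKEY = "constructed-secret-key-not-a-real-one"
HOST = "api-XXXXXXXX.duosecurity.com"


def canonicalize(date, method, host, path, params):
    """Return the newline-joined string that is signed for one request."""
    query = "&".join(
        f"{urllib.parse.quote(k, safe='~')}={urllib.parse.quote(v, safe='~')}"
        for k, v in sorted(params.items())  # parameters sorted by key
    )
    return "\n".join([date, method.upper(), host.lower(), path, query])


def sign_request(method, host, path, params, ikey, skey, date=None):
    """Build the Date and Authorization headers for one Admin API call."""
    date = date or email.utils.formatdate()  # RFC 2822 timestamp
    canon = canonicalize(date, method, host, path, params)
    # Assumption: HMAC-SHA1 as in Duo's documented signing scheme.
    sig = hmac.new(skey.encode(), canon.encode(), hashlib.sha1).hexdigest()
    # Basic auth: username is the Integration Key, password is the signature.
    token = base64.b64encode(f"{ikey}:{sig}".encode()).decode()
    return {"Date": date, "Authorization": f"Basic {token}"}


def basic_password(headers):
    """Decode the Basic header and return its password half (the signature)."""
    raw = base64.b64decode(headers["Authorization"].split(" ", 1)[1]).decode()
    return raw.split(":", 1)[1]


if __name__ == "__main__":
    params = {"limit": "100", "offset": "0"}
    hdrs = sign_request("GET", HOST, "/admin/v1/users", params, IKEY, SKEY)
    print(f"GET https://{HOST}/admin/v1/users?{urllib.parse.urlencode(params)}")
    for name, value in hdrs.items():
        print(f"{name}: {value}")
```

The Secret Key is used only as the HMAC key and never appears in the request itself. Because the Date header is part of the signed string, each signature is tied to the time the request was built.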