Duo Security

Cloud CMS supports [Duo Security](https://duo.com/) for Multifactor Authentication.

Cloud CMS is not listed in the Duo Admin Console when "Protecting" an application. Instead, use the "Auth API" type.

To configure Duo Security, you will need to supply the following from the Duo "Auth API" "Details":

  • integrationKey
  • secretKey
  • apiHost

These values are available from your Duo Security Settings page.

Service Descriptor

If you're adding an Authenticator via a Service Descriptor:

  • the Descriptor Type should be duo.
  • the Descriptor Configuration should look like this:
{
    "enabled": true,
    "providerType": "duo",
    "providerConfig": {
        "integrationKey": "MY_INTEGRATION_KEY",
        "secretKey": "MY_SECRET_KEY",
        "apiHost": "MY_API_HOST"
    }
}

Where

  • MY_INTEGRATION_KEY (required) is your Duo Integration Key
  • MY_SECRET_KEY (required) is your Duo Secret Key
  • MY_API_HOST (required) is your Duo API Host name (not URL)

Global Settings

You can set up system-wide Duo Security configuration by adjusting the following in your docker.properties file:

org.gitana.platform.services.authenticator.duo.integrationKey=
org.gitana.platform.services.authenticator.duo.secretKey=
org.gitana.platform.services.authenticator.duo.apiHost=

These settings will be used for any system-defined or service descriptor-defined Authenticators that do not provide these values.
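
A pre-deployment check for the Service Descriptor and global settings described above, as an added example that is not Cloud CMS code. It resolves each value from the descriptor first and then from docker.properties, and flags leftover MY_ placeholders and an apiHost given as a URL. The function names and sample values are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

PREFIX = "org.gitana.platform.services.authenticator.duo."
REQUIRED = ("integrationKey", "secretKey", "apiHost")

# Constructed sample: the descriptor omits secretKey and gives apiHost as a URL.
SAMPLE = ('{"enabled": true, "providerType": "duo", "providerConfig": '
          '{"integrationKey": "DI-CONSTRUCTED", "apiHost": "https://api-constructed.invalid"}}')
SAMPLE_PROPS = PREFIX + "secretKey=constructed-secret\n" + PREFIX + "apiHost=\n"

def parse_properties(text):
    """Read the Duo keys from docker.properties text; empty values count as unset."""
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(PREFIX) and "=" in line:
            key, value = line[len(PREFIX):].split("=", 1)
            if value.strip():
                found[key.strip()] = value.strip()
    return found

def check_descriptor(descriptor_json, properties_text=""):
    """Return (effective_config, problems) for one duo Service Descriptor."""
    descriptor = json.loads(descriptor_json)
    problems = []
    if descriptor.get("providerType") != "duo":
        problems.append("providerType must be 'duo'")
    fallback = parse_properties(properties_text)
    local = descriptor.get("providerConfig") or {}
    effective = {}
    for key in REQUIRED:
        # Descriptor value first, then the system-wide setting, as the page describes.
        value = str(local.get(key) or fallback.get(key) or "")
        if not value:
            problems.append(f"{key} is set neither in the descriptor nor globally")
        elif value.startswith("MY_"):
            problems.append(f"{key} still holds the placeholder {value}")
        else:
            effective[key] = value
    host = effective.get("apiHost", "")
    # A bare host name has no scheme, port, path or userinfo.
    if host and urlsplit("//" + host).hostname != host.lower():
        problems.append("apiHost must be a bare host name, not a URL")
    return effective, problems

if __name__ == "__main__":
    for problem in check_descriptor(SAMPLE, SAMPLE_PROPS)[1]:
        print("problem:", problem)
```

The check reports problems only and never prints the resolved secretKey, so its output is safe to keep in deployment logs.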

System Authenticator

You can also instantiate system Authenticators like this:

<bean id="duoAuthenticatorRegistrar" class="org.gitana.platform.services.authenticator.DuoAuthenticatorRegistrar">
    <property name="id"><value>MY_AUTHENTICATOR_ID</value></property>
    <property name="integrationKey"><value>MY_INTEGRATION_KEY</value></property>
    <property name="secretKey"><value>MY_SECRET_KEY</value></property>
    <property name="apiHost"><value>MY_API_HOST</value></property>
</bean>

Where

  • MY_INTEGRATION_KEY (required) is your Duo Integration Key
  • MY_SECRET_KEY (required) is your Duo Secret Key
  • MY_API_HOST (required) is your Duo API Host

The MY_AUTHENTICATOR_ID value must be unique across all Authenticator instances for a given type.

These Authenticators will be available to your platform and can be defined and maintained within your Spring config.

Duo Binding Properties Factory

Use the DuoAuthenticatorBindingPropertiesBeanFactory bean to create Duo-specific binding properties.

Like this:

<bean class="org.gitana.platform.services.authenticator.duo.DuoAuthenticatorBindingPropertiesBeanFactory">
    <property name="userId"><value>DUO_USER_ID</value></property>
    <property name="username"><value>DUO_USER_NAME</value></property>
</bean>

Duo Descriptor Factory

Use the DuoAuthenticatorDescriptorBeanFactory bean to create Duo-specific descriptors.

Like this:

<bean class="org.gitana.platform.services.authenticator.duo.DuoAuthenticatorDescriptorBeanFactory">
    <property name="id"><value>MY_AUTHENTICATOR_ID</value></property>
</bean>

Example: Configure the Admin User to use Duo Security

Start by defining an authenticator called test:

<bean class="org.gitana.platform.services.authenticator.duo.DuoAuthenticatorRegistrar">
    <property name="id"><value>test</value></property>
    <property name="integrationKey"><value>INTEGRATION_KEY</value></property>
    <property name="secretKey"><value>SECRET_KEY</value></property>
    <property name="apiHost"><value>API_HOST</value></property>
</bean>

Then bind the admin user to the authenticator using our factories from above:

<bean class="org.gitana.platform.services.authenticator.BindAdminUserSystemAuthenticator">
    <property name="bindingProperties">
        <bean class="org.gitana.platform.services.authenticator.duo.DuoAuthenticatorBindingPropertiesBeanFactory">
            <property name="userId"><value>DUO_USER_ID</value></property>
            <property name="username"><value>DUO_USER_NAME</value></property>
        </bean>
    </property>
    <property name="descriptor">
        <bean class="org.gitana.platform.services.authenticator.duo.DuoAuthenticatorDescriptorBeanFactory">
            <property name="id"><value>test</value></property>
        </bean>
    </property>
</bean>