Duo Security
Cloud CMS supports [Duo Security](https://duo.com/) for Multifactor Authentication.
Cloud CMS is not listed in the Duo Admin Console when "Protecting" an application. Instead, use the "Auth API" type.
To configure Duo Security, you will need to supply the following from the Duo "Auth API" "Details":
- integrationKey
- secretKey
- apiHost
These values are available from your Duo Security Settings page.
Service Descriptor
If you're adding an Authenticator via a Service Descriptor:
- the Descriptor Type should be duo.
- the Descriptor Configuration should look like this:
{
    "enabled": true,
    "providerType": "duo",
    "providerConfig": {
        "integrationKey": "MY_INTEGRATION_KEY",
        "secretKey": "MY_SECRET_KEY",
        "apiHost": "MY_API_HOST"
    }
}
Where
- MY_INTEGRATION_KEY (required) is your Duo Integration Key
- MY_SECRET_KEY (required) is your Duo Secret Key
- MY_API_HOST (required) is your Duo API Host name (not URL)
Global Settings
You can set up system-wide Duo Security configuration by adjusting the following in your docker.properties file:
org.gitana.platform.services.authenticator.duo.integrationKey=
org.gitana.platform.services.authenticator.duo.secretKey=
org.gitana.platform.services.authenticator.duo.apiHost=
These settings will be used for any system-defined or service descriptor-defined Authenticators that do not provide these values.
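A pre-deployment check for the descriptor configuration and global settings described above, as an added example that is not Cloud CMS code: it resolves each required value against docker.properties and flags leftover placeholders or a URL in apiHost. The per-key fallback, the function names and the sample values are assumptions constructed for illustration.

```python
import json
import re

REQUIRED = ("integrationKey", "secretKey", "apiHost")
PREFIX = "org.gitana.platform.services.authenticator.duo."
# Bare DNS host name: dot-separated labels, no scheme, port or path.
HOSTNAME = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

# Constructed sample: a URL pasted into apiHost, secretKey left to the global file.
SAMPLE_DESCRIPTOR = """{
  "enabled": true, "providerType": "duo",
  "providerConfig": {"integrationKey": "DIEXAMPLE",
                     "apiHost": "https://api-example.duosecurity.com"}
}"""
SAMPLE_PROPERTIES = PREFIX + "secretKey=constructed-secret\n"


def parse_properties(text):
    """Collect the Duo keys from docker.properties-style text."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(PREFIX) and "=" in line:
            key, value = line.split("=", 1)
            props[key[len(PREFIX):].strip()] = value.strip()
    return props


def check_descriptor(descriptor_json, properties_text=""):
    """Return a list of problems; an empty list means the config looks usable."""
    cfg = json.loads(descriptor_json)
    problems = []
    if cfg.get("providerType") != "duo":
        problems.append("providerType must be 'duo'")
    if cfg.get("enabled") is not True:
        problems.append("descriptor is not enabled")
    defaults = parse_properties(properties_text)
    provider = cfg.get("providerConfig") or {}
    for key in REQUIRED:
        # Assumption: a blank or absent value falls back to the global setting.
        value = provider.get(key) or defaults.get(key) or ""
        if not value:
            problems.append(f"{key} is missing and has no global default")
        elif value.startswith("MY_"):
            problems.append(f"{key} still holds the placeholder {value}")
        elif key == "apiHost" and not HOSTNAME.match(value):
            problems.append("apiHost must be a bare host name, not a URL")
    return problems
```

Running check_descriptor(SAMPLE_DESCRIPTOR, SAMPLE_PROPERTIES) reports only the apiHost problem, because the missing secretKey is supplied by the global setting.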
System Authenticator
You can also instantiate system Authenticators like this:
<bean id="duoAuthenticatorRegistrar" class="org.gitana.platform.services.authenticator.DuoAuthenticatorRegistrar">
    <property name="id"><value>MY_AUTHENTICATOR_ID</value></property>
    <property name="integrationKey"><value>MY_INTEGRATION_KEY</value></property>
    <property name="secretKey"><value>MY_SECRET_KEY</value></property>
    <property name="apiHost"><value>MY_API_HOST</value></property>
</bean>
Where
- MY_INTEGRATION_KEY (required) is your Duo Integration Key
- MY_SECRET_KEY (required) is your Duo Secret Key
- MY_API_HOST (required) is your Duo API Host
The MY_AUTHENTICATOR_ID value must be unique across all Authenticator instances for a given type.
These Authenticators will be available to your platform and can be defined and maintained within your Spring config.
Duo Binding Properties Factory
Use the DuoAuthenticatorBindingPropertiesBeanFactory bean to create Duo-specific binding properties.
Like this:
<bean class="org.gitana.platform.services.authenticator.duo.DuoAuthenticatorBindingPropertiesBeanFactory">
    <property name="userId"><value>DUO_USER_ID</value></property>
    <property name="username"><value>DUO_USER_NAME</value></property>
</bean>
Duo Descriptor Factory
Use the DuoAuthenticatorDescriptorBeanFactory bean to create Duo-specific descriptors.
Like this:
<bean class="org.gitana.platform.services.authenticator.duo.DuoAuthenticatorDescriptorBeanFactory">
    <property name="id"><value>MY_AUTHENTICATOR_ID</value></property>
</bean>
Example: Configure the Admin User to use Duo Security
Start by defining an authenticator called test:
<bean class="org.gitana.platform.services.authenticator.duo.DuoAuthenticatorRegistrar">
    <property name="id"><value>test</value></property>
    <property name="integrationKey"><value>INTEGRATION_KEY</value></property>
    <property name="secretKey"><value>SECRET_KEY</value></property>
    <property name="apiHost"><value>API_HOST</value></property>
</bean>
Then bind the admin user to the authenticator using our factories from above:
<bean class="org.gitana.platform.services.authenticator.BindAdminUserSystemAuthenticator">
    <property name="bindingProperties">
        <bean class="org.gitana.platform.services.authenticator.duo.DuoAuthenticatorBindingPropertiesBeanFactory">
            <property name="userId"><value>DUO_USER_ID</value></property>
            <property name="username"><value>DUO_USER_NAME</value></property>
        </bean>
    </property>
    <property name="descriptor">
        <bean class="org.gitana.platform.services.authenticator.duo.DuoAuthenticatorDescriptorBeanFactory">
            <property name="id"><value>test</value></property>
        </bean>
    </property>
</bean>