IBM Verify


ISVA & Cisco DUO Universal Prompt

  • 1.  ISVA & Cisco DUO Universal Prompt

    Posted Mon March 14, 2022 11:26 AM
    Hello,

    Is there a way to integrate the Duo Universal Prompt into ISVA for 2FA only after login?


    thanks

    ------------------------------
    Patrizio
    ------------------------------


  • 2.  RE: ISVA & Cisco DUO Universal Prompt

    Posted Mon March 14, 2022 12:27 PM
    Hi Patrizio,

    DUO has a REST interface so it's likely that you *could* integrate it using a custom JavaScript module in AAC.  However, it's not something that's provided out of the box and I'm not aware of anyone who has actually done this.  I'd love to hear if anyone in the community has looked at this integration.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 3.  RE: ISVA & Cisco DUO Universal Prompt

    Posted Tue March 15, 2022 01:14 PM
    Thanks Jon for the reply,

    some time ago we already implemented a custom solution using the DUO Auth API and a custom AAC Mapping rule.

    Now this new service is out which is called Universal Prompt and it needs a user side browser redirect on DUO systems for MFA and back.

    Do you have any idea how to implement what is described in the DUO documentation of this service?
    https://duo.com/docs/oauthapi

    Thanks in advance.

    ------------------------------
    Patrizio
    ------------------------------



  • 4.  RE: ISVA & Cisco DUO Universal Prompt

    Posted Mon March 21, 2022 06:46 AM
    Hi Patrizio,

    Looking at the documentation link, it appears that DUO have implemented a standard OpenID Connect (OIDC) provider based on Authorization Code flow.  The flow required appears to be:
      1. Call "health-check API" to ensure DUO is available (this isn't part of OIDC spec)
      2. Perform standard OIDC redirect to DUO's Authorization endpoint
      ... DUO authentication is completed and authorization code returned to configured redirect URI
      3. Call token endpoint with received authorization code and get back an OIDC JWT
      4. Validate JWT (signature etc.)
      5. Pull out claims from JWT to determine result of the DUO authentication.

    There are 3 ways you could integrate with this OIDC endpoint:

    1. The Verify Access reverse proxy can natively act as an OIDC Relying Party.
    You could trigger this authentication method when DUO MFA is required.  After OIDC is complete, claims from DUO would be in the user's credential and could be checked with attribute authorization in the Reverse Proxy or via Context-based Access.

    2. Use OIDC RP in Federation add-on.
    You would trigger the appropriate OIDC RP when DUO MFA is required.  You could process the claims from DUO in a mapping rule to set the authentication level or change group memberships etc. based on MFA completion.

    3. Implement the OIDC flow in a custom authentication flow.
    This would be closest to what you are doing today.  You'd also have the ability to do the health check here - which wouldn't be possible with the other approaches above.  If you have the federation add-on you could make a call to the STS to offload the validation of the JWT from DUO.  My concern with this approach would be around the redirect.  For OIDC, the provider (DUO) would need to be configured with a redirect URL.  Our redirect URL would need to include a (dynamic) stateId in the query string so that the authentication flow is re-engaged.  Not sure if DUO would allow this custom component in the redirect URL.  You could potentially do something with 2 authentication flows and link them together with DMAP - but it's starting to get complicated.

    Perhaps someone else can suggest other approaches or comment on my ideas above.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 5.  RE: ISVA & Cisco DUO Universal Prompt

    Posted Mon March 21, 2022 09:16 AM
    Thank you very much Jon for your analysis,

    point 1 is not feasible because this type of authentication should be used only for some resources and not for the whole webseal, I need a method that can be managed with a policy.
    Point 2 is the one I started with, creating a federation with ISVA OIDC-RP but I immediately ran into a flow that is not exactly OIDC standard.
    This leads me to the current development I'm doing, which is to integrate non-standard fields using a mapping rule in point 2 (not exactly an entirely custom development as per point 3).
    1- If you think redirect-url is a problem to handle that makes me very worried.
    2- Do you have a suggestion on how to create a longer "state" value?

    Thanks again

    ------------------------------
    Patrizio
    ------------------------------
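Jon's post above lists the five steps of the Authorization Code flow against DUO, and Patrizio then asks how to produce a longer "state" value. The following is an added example, not code from the thread, from ISVA or from DUO: a minimal Relying Party that performs steps 2 to 5 (redirect, code exchange, JWT validation, claim extraction) and answers the state question by making state an opaque random token that is stored server-side and used once, so the registered redirect URI stays fixed and no dynamic stateId has to appear in it. Everything provider-specific is assumed and marked as a placeholder: the issuer, client ID, client secret and redirect path are constructed values, and the ID token is assumed to be HMAC-signed with the shared client secret (a provider that uses RS256 would need JWKS-based verification instead). The token endpoint call is injected as a callable so the example runs offline. The health check of step 1 is not part of OIDC and is left out.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder client settings (assumed, not from the thread): the real values
# come from the provider's admin console and the ISVA federation configuration.
ISSUER = "https://api-PLACEHOLDER.duosecurity.com/oauth/v1"
AUTHORIZE_ENDPOINT = ISSUER + "/authorize"
CLIENT_ID = "DI-PLACEHOLDER-CLIENT-ID"
CLIENT_SECRET = b"constructed-shared-secret-for-the-example"
REDIRECT_URI = "https://webseal.example.com/mga/sps/oidc/rp/duo/redirect"

# Allow-list of signature algorithms; anything else (including "none") is rejected.
_HMAC_ALGS = {"HS256": hashlib.sha256, "HS512": hashlib.sha512}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_state(num_bytes: int = 32) -> str:
    # state is opaque and unguessable; a larger num_bytes gives a longer value.
    return secrets.token_urlsafe(num_bytes)


def state_from_url(url: str) -> str:
    return parse_qs(urlparse(url).query)["state"][0]


class OidcRelyingParty:
    """Authorization Code RP covering steps 2 to 5 of the flow described above."""

    def __init__(self, secret: bytes = CLIENT_SECRET):
        self.secret = secret
        self.pending = {}  # state -> (local session id, nonce); server side only

    def start(self, local_session_id: str) -> str:
        # Step 2: build the redirect to the provider's authorization endpoint.
        state, nonce = make_state(), make_state(16)
        self.pending[state] = (local_session_id, nonce)
        params = {"response_type": "code", "client_id": CLIENT_ID,
                  "redirect_uri": REDIRECT_URI,  # fixed, registered value
                  "scope": "openid", "state": state, "nonce": nonce}
        return AUTHORIZE_ENDPOINT + "?" + urlencode(params)

    def complete(self, callback_url: str, exchange_code):
        # Callback handling: state is looked up and consumed exactly once.
        q = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
        entry = self.pending.pop(q.get("state", ""), None)
        if entry is None:
            raise ValueError("unknown or replayed state")
        local_session_id, nonce = entry
        if "code" not in q:
            raise ValueError("provider returned no code: " + q.get("error", "unknown"))
        id_token = exchange_code(q["code"])  # step 3: token endpoint (injected)
        claims = verify_id_token(id_token, self.secret, nonce)  # steps 4 and 5
        return local_session_id, claims


def verify_id_token(token: str, secret: bytes, expected_nonce: str, now=None) -> dict:
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    digest = _HMAC_ALGS.get(header.get("alg"))
    if digest is None:
        raise ValueError("unsupported alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), digest).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    if CLIENT_ID not in aud:
        raise ValueError("token not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims


def mint_id_token(claims: dict, secret: bytes = CLIENT_SECRET, alg: str = "HS512",
                  lifetime: int = 300) -> str:
    # Constructed token for offline testing only; stands in for the provider.
    claims = dict(claims)
    claims.setdefault("exp", int(time.time()) + lifetime)
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = b"" if alg == "none" else hmac.new(secret, signing_input, _HMAC_ALGS[alg]).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"
```

The local session identifier never leaves the server: the provider only ever sees the random state, and the callback resolves it back to the ISVA session. Because the entry is popped on first use, a replayed callback fails, and the nonce bound to that entry ties the returned ID token to the specific redirect that was issued.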



  • 6.  RE: ISVA & Cisco DUO Universal Prompt

    Posted Thu July 21, 2022 12:17 PM
    Hi Jon,

    I did what you indicated in point 2, an OIDC-RP federation.
    To trigger the federation inside a policy, I created an obligation that starts the kickoff address.
    If with this policy I protect local resources to the webseal (test page in the management root) everything works fine.

    My aim, however, is to use this 2FA method on a SAML federation access policy.
    I have not found any method to invoke the obligation URN directly, so I tried various ways of invoking OIDC/2FA, but the flow stops after authentication and I am redirected to the index.html of the WebSEAL instead of continuing with the SAML assertion forwarding.

    I would like to understand if it is possible to use this OIDC-RP federation as a verification method for all resources (especially in Fed Access Policies), as is possible with normal authentication policies.


    Thanks

    ------------------------------
    Patrizio
    ------------------------------



  • 7.  RE: ISVA & Cisco DUO Universal Prompt

    Posted Fri July 22, 2022 08:28 AM
    Hi @Patrizio,

    IBM needs better documentation on this, but if Verify SaaS is ever an option for you, IBM now has support for DUO MFA on that platform.

    https://www.ibm.com/docs/en/security-verify?topic=factors-configuring-duo-security-as-external-mfa-provider

    Once enabled, the DUO MFA options are shown instead of the OOB Verify native MFA options (e.g. SMS, OTP, Verify App). I've viewed this as an excellent way to onboard MFA for clients that already have a DUO deployment. When you later want to roll out Verify, you'd just disable DUO as an external MFA provider, which will then prompt the Verify 2FA registration allowing end-users to download and install the IBM Verify 2FA app on their mobile devices.

    One thing of note, however, is that the DUO HMAC OTP does not appear to work.

    ------------------------------
    Timothy
    ------------------------------



  • 8.  RE: ISVA & Cisco DUO Universal Prompt

    Posted Fri July 22, 2022 10:21 AM
    Hi,

    I found here https://www.ibm.com/docs/en/sva/9.0.5?topic=party-relying-authentication-flow in step 3

    "If a target query parameter was provided, it is stored in the user's session."

    I finally found the correct way to call the OIDC flow from an access policy and then return to the SAML call.


    @Timothy Dilbert
    thanks for your answer, but the link you provided indicates that the integration was made using the DUO Auth API https://duo.com/docs/authapi.

    As I wrote above, that integration we have with Duo Auth API has already been in place for some time but does not provide the new features available in Duo Universal Prompt.
    This new mode is only accessible with these specifications available here https://duo.com/docs/oauthapi

    Anyway, thanks again.



    Regards

    ------------------------------
    Patrizio
    ------------------------------



  • 9.  RE: ISVA & Cisco DUO Universal Prompt

    Posted Fri July 22, 2022 10:35 AM
    Hi @Patrizio

    Admittedly I'm not as familiar with the Duo Universal Prompt.

    The Verify SaaS Duo integration offers 2FA via Duo's SMS OTP and Push notification. Just for my own education, what other Duo 2FA features were you looking for that the Duo universal prompt provided?

    ------------------------------
    Timothy
    ------------------------------



  • 10.  RE: ISVA & Cisco DUO Universal Prompt

    Posted Fri July 22, 2022 10:48 AM
    Hi @Timothy Dilbert,

    here you can find some details https://duo.com/docs/universal-prompt-update-guide#available-now

    Best Regards

    ------------------------------
    Patrizio
    ------------------------------



  • 11.  RE: ISVA & Cisco DUO Universal Prompt

    Posted Fri July 22, 2022 11:06 AM
    Hi Patrizio,

    This makes more sense now.

    I am looking at this from the perspective of clients that have MaaS360 and Verify SaaS alongside a lingering Duo MFA subscription. Since Verify has a 2FA mobile app included in the subscription, enabling the Duo integration would be a <12-month stop-gap solution so that the client utilises their existing Duo MFA subscription with Verify until such time as they are ready to move over to Verify only. With that in mind, the Duo Push Notification and SMS OTP (and a separate Duo enrolment process) work well enough for the client for the time being.

    It seems like you want to continue to invest in your Duo subscription. Ergo, you're looking to access the additional features available via the OIDC API.

    I'll stop "helping" now. :P

    Well wishes.

    ------------------------------
    Timothy
    ------------------------------