IBM Security Verify

Unleash the power of webhooks to integrate external 2nd factors with Verify SaaS

By Nilesh Atal posted Mon December 18, 2023 02:53 AM

  

Introduction

Securing enterprise applications with second-factor authentication is a common practice across organizations. IBM Security Verify provides a variety of second-factor authentication channels for user verification, such as Passkey, Email OTP, SMS OTP and Push notification. It also supports integration with external MFA providers such as DUO. This helps organizations leverage already enrolled factors and eases the user experience. The integration is achieved through the Webhooks interface and lets organizational users continue using their existing enrolled DUO factors while accessing applications protected by a second factor. The DUO MFA factors supported by this integration are Duo Push, Duo Mobile passcode and SMS passcode. Follow the steps below to configure the DUO authenticator with your Verify SaaS tenant.

Configure DUO tenant

The integration between Security Verify and DUO is based on auth APIs and needs an access token for communication. To get the token, perform the following steps:

  • Log in to DUO tenant as an administrator.
  • Navigate to Applications and click “Protect an Application”.
  • Find “Auth API” in the list.
  • Click Protect.

  • Take note of the generated values for Integration key, Secret key, and API hostname.
  • Set the name under the Settings section.
  • Click Save.

Validate users in DUO tenant

  • Log in to DUO tenant as an administrator.
  • Navigate to Users.
  • Click the username of a user who has DUO enrollments.

  • Validate that the user has phone details where DUO authentication has been configured.

Configure Verify tenant

  • Log in to Verify tenant as an administrator. 
  • Navigate to Integrations > Real-time webhooks.
  • Click “Create webhook”.
  • Select “External MFA” as the Purpose and “Duo” as the Provider.

  • Provide a 6-character “Credential prefix”.

  • Provide a “Webhook name” and contact details (optional).

  • Provide the DUO URL and the “Integration key” and “Secret key” that were created in the DUO tenant.

  • Click “Send test” to verify that the connection to DUO is working.

  • If the connection is verified, click “Create”.

  • This creates the webhook connection with DUO.

  • Now configure the “Unique identifier”, which is set to “Username” by default. The admin can change it to the user attribute that will be used to search for the user record in DUO.

  • Review the configuration and make any required changes.

Create or Validate users in Verify tenant

Make sure that Verify has the user record that will be challenged for MFA using DUO factors. The users in Verify can be regular or federated accounts. Users can be created or federated in Verify by various means, either from the UI or using the API. To validate users in Verify, perform the following steps:

  • Log in to Verify tenant as an administrator.
  • Navigate to Directory > Users & groups.
  • Search for the user who should match the DUO user. If the user is not available, create one.

  • Make sure that the “Unique identifier” attribute matches the DUO user details.

Validate DUO challenge while accessing MFA protected resource

  • Access the protected Single Sign-on application which is configured in Verify
  • Validate that the user gets redirected to Verify for authentication.

  • Once the user is authenticated, they are presented with the DUO options for the second-factor challenge.
  • The user can now select any one of the available channels and complete the challenge.
  • After successful verification, the user is allowed to access the protected resource.

Validate MFA report by Verify admin

  • The Verify admin can view the MFA report for the external MFA performed.
  • Log in to the Verify tenant as an administrator.
  • Navigate to Reports.
  • Click “View Report” for the “MFA activity” report type.
  • The report can be filtered by Username to get precise records.

💎 Nilesh Atal
IBM Security Verify expert

Comments

Wed December 20, 2023 01:01 AM

Detailed very well. Hope to see more articles like that from you :