Duo Security two-factor authentication

Duo Security is a multifactor authentication (MFA) provider that confirms the identity of users and the health of their devices before they connect to your applications. Duo offers push notifications, time-based one-time passwords (TOTP), SMS (text message), voice calls, and emails as second-factor authentication (2FA) methods, delivered as a service.

To learn more about EAA MFA, see Multi-factor authentication.

To learn more about Duo 2FA, visit their web help at https://duo.com/docs/akamai-eaa.

Enterprise Application Access (EAA) provides remote access and MFA for on-premises applications and also integrates with Duo’s 2FA services. If you already use Duo as a 2FA solution for access to your applications, you only need to provide some Duo-specific information in EAA so that the two products can communicate and verify identity and access privileges.

Within the Duo application, a Duo administrator can generate a unique set of configuration parameters that the applications use to authenticate 2FA. These configuration parameters are then entered into the corresponding MFA fields of the EAA Management Portal. The configuration parameters are as follows:
  • Integration key or ikey: A unique identifier that allows you to retrieve users' API keys based on email and password.
  • Secret key or skey: A unique identifier used for encryption of data.
  • API hostname: Your API hostname used for all API interactions with Duo. For example, api-XXXXXXXX.duosecurity.com

The ikey and skey uniquely identify a specific application to Duo. The API hostname is unique to your account, but shared by all of your applications. You'll need these keys and hostname when configuring your system to work with Duo.

  • Duo UserID attribute: The Duo user ID attribute selected in EAA determines how the usernames listed in Duo appear. Choose one of the following:
    • Email
    • sAMAccountName
    • User Principal Name (UPN)
    • Domain/sAMAccountName
Note:
A few directory-specific considerations apply between the authentication source and the Duo UserID attributes:
  • When using the EAA cloud directory or OpenLDAP to authenticate users in the Login Portal, EAA supports only email as the Duo UserID attribute.
  • When using Active Directory (AD) to authenticate users in the Login Portal, EAA supports all Duo UserID attributes.

All communication between EAA’s Login Portal and Duo is secured with TLS. EAA validates the server certificate before sending any information or data to the Duo service.
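
As an added example (not Akamai's or Duo's code), the following Python code checks a set of Duo values for consistency before they are entered in the EAA Management Portal, and builds a TLS context that validates the server certificate and hostname. The eight-character hostname pattern is assumed from the api-XXXXXXXX example above; the function names and directory labels are hypothetical.

```python
import re
import ssl

# Assumption: the API hostname has the shape shown on the page,
# api-XXXXXXXX.duosecurity.com, with each X a letter or digit.
API_HOST_RE = re.compile(r"api-[a-z0-9]{8}\.duosecurity\.com")

ALL_ATTRS = {"Email", "sAMAccountName",
             "User Principal Name (UPN)", "Domain/sAMAccountName"}
# Directory -> supported Duo UserID attributes, per the note on the page.
# The directory labels used as keys are hypothetical.
SUPPORTED = {
    "EAA cloud directory": {"Email"},
    "OpenLDAP": {"Email"},
    "Active Directory": ALL_ATTRS,
}

def check_duo_settings(ikey, skey, api_host, directory, userid_attr):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    for name, value in (("ikey", ikey), ("skey", skey)):
        # Copy/paste often adds whitespace; never echo the key itself.
        if not value or value != value.strip():
            problems.append(f"{name} is empty or has surrounding whitespace")
    if skey and skey == ikey:
        problems.append("skey equals ikey (fields swapped or pasted twice)")
    # fullmatch rejects lookalikes such as api-xxxxxxxx.duosecurity.com.example.net
    if not API_HOST_RE.fullmatch(api_host.lower()):
        problems.append("API hostname is not api-XXXXXXXX.duosecurity.com")
    allowed = SUPPORTED.get(directory)
    if allowed is None:
        problems.append(f"unknown directory type: {directory}")
    elif userid_attr not in allowed:
        problems.append(f"{directory} does not support UserID attribute {userid_attr}")
    return problems

def strict_tls_context():
    """TLS context that requires a valid server certificate and matching hostname."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    print(check_duo_settings("SAMPLE-IKEY", "SAMPLE-SKEY",
                             "api-1a2b3c4d.duosecurity.com",
                             "OpenLDAP", "sAMAccountName"))
```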

Next, Retrieve information from Duo Security and Configure Duo Security in EAA.