Duo Security
Cloud CMS supports https://duo.com/ for Multifactor Authentication.
To configure Duo Security, you will need to supply the following:
integrationKeysecretKeyapiHost
These values are available from your Duo Security Settings page.
Service Descriptor
If you're adding an Authenticator via a Service Descriptor:
- the Descriptor Type should be
DUO_AUTH. - the Descriptor Configuration should look like this:
{
"enabled": true,
"providerType": "duo",
"providerConfig": {
"integrationKey": "MY_INTEGRATION_KEY",
"secretKey": "MY_SECRET_KEY",
"apiHost": "MY_API_HOST"
}
}
Where
MY_INTEGRATION_KEY(required) is your Duo Integration KeyMY_SECRET_KEY(required) is your Duo Secret KeyMY_API_HOST(required) is your Duo API Host
Global Settings
You can set up system-wide Duo Security configuration by adjusting the following in your docker.properties file:
org.gitana.platform.services.authenticator.duo.integrationKey=
org.gitana.platform.services.authenticator.duo.secretKey=
org.gitana.platform.services.authenticator.duo.apiHost=
These settings will be used for any system-defined or service descriptor-defined Authenticators that do not provide these values.
System Authenticator
You can also instantiate system Authenticators like this:
<bean id="duoAuthenticatorRegistrar" class="org.gitana.platform.services.authenticator.DuoAuthenticatorRegistrar">
<property name="id"><value>MY_AUTHENTICATOR_ID</value></property>
<property name="integrationKey"><value>MY_INTEGRATION_KEY</value></property>
<property name="secretKey"><value>MY_SECRET_KEY</value></property>
<property name="apiHost"><value>MY_API_HOST</value></property>
</bean>
Where
MY_INTEGRATION_KEY(required) is your Duo Integration KeyMY_SECRET_KEY(required) is your Duo Secret KeyMY_API_HOST(required) is your Duo Api Host
The MY_AUTHENTICATOR_ID value must be unique across all Authenticator instances for a given type.
These Authenticators will be available to your platform and can defined and maintained within your Spring config.
Duo Binding Properties Factory
Use the DuoAuthenticatorBindingPropertiesBeanFactory bean to create Duo-specific binding properties.
Like this:
<bean class="org.gitana.platform.services.authenticator.duo.DuoAuthenticatorBindingPropertiesBeanFactory">
<property name="userId"><value>DUO_USER_ID</value></property>
<property name="username"><value>DUO_USER_NAME</value></property>
</bean>
Duo Descriptor Factory
Use the DuoAuthenticatorDescriptorBeanFactory bean to create Duo-specific descriptors.
Like this:
<bean class="org.gitana.platform.services.authenticator.duo.DuoAuthenticatorDescriptorBeanFactory">
<property name="id"><value>MY_AUTHENTICATOR_ID</value></property>
</bean>
Example: Configure the Admin User to use Duo Security
Start by defining an authenticator called test:
<bean class="org.gitana.platform.services.authenticator.duo.DuoAuthenticatorRegistrar">
<property name="id"><value>test</value></property>
<property name="integrationKey"><value>INTEGRATION_KEY</value></property>
<property name="secretKey"><value>SECRET_KEY</value></property>
<property name="apiHost"><value>API_HOST</value></property>
</bean>
Then bind the admin user to the authenticator using our factories from above:
<bean class="org.gitana.platform.services.authenticator.BindAdminUserSystemAuthenticator">
<property name="bindingProperties">
<bean class="org.gitana.platform.services.authenticator.duo.DuoAuthenticatorBindingPropertiesBeanFactory">
<property name="userId"><value>DUO_USER_ID</value></property>
<property name="username"><value>DUO_USER_NAME</value></property>
</bean>
</property>
<property name="descriptor">
<bean class="org.gitana.platform.services.authenticator.duo.DuoAuthenticatorDescriptorBeanFactory">
<property name="id"><value>test</value></property>
</bean>
</property>
</bean>