Duo Security

Cloud CMS supports [Duo Security](https://duo.com/) for Multifactor Authentication.

To configure Duo Security, you will need to supply the following:

  • integrationKey
  • secretKey
  • apiHost

These values are available from your Duo Security Settings page.

Service Descriptor

If you're adding an Authenticator via a Service Descriptor:

  • the Descriptor Type should be DUO_AUTH.
  • the Descriptor Configuration should look like this:
{
    "enabled": true,
    "providerType": "duo",
    "providerConfig": {
        "integrationKey": "MY_INTEGRATION_KEY",
        "secretKey": "MY_SECRET_KEY",
        "apiHost": "MY_API_HOST"
    }
}

Where

  • MY_INTEGRATION_KEY (required) is your Duo Integration Key
  • MY_SECRET_KEY (required) is your Duo Secret Key
  • MY_API_HOST (required) is your Duo API Host

Global Settings

You can set up system-wide Duo Security configuration by adjusting the following in your docker.properties file:

org.gitana.platform.services.authenticator.duo.integrationKey=
org.gitana.platform.services.authenticator.duo.secretKey=
org.gitana.platform.services.authenticator.duo.apiHost=

These settings will be used for any system-defined or service descriptor-defined Authenticators that do not provide these values.
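
The fallback rule above as a pre-deployment check, written in Python as an added example (not Cloud CMS code): it resolves each of the three values from a descriptor configuration or from docker.properties and reports which are still missing, printing only where a value comes from, never the value itself. It assumes an empty value counts as not provided; the function names and sample values are constructed for illustration.

```python
import json

PREFIX = "org.gitana.platform.services.authenticator.duo."
REQUIRED = ("integrationKey", "secretKey", "apiHost")

def parse_properties(text):
    """Collect the Duo keys from docker.properties-style text (key=value lines)."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key.startswith(PREFIX):
            values[key[len(PREFIX):]] = value.strip()
    return values

def resolve(descriptor_json, properties_text):
    """Return (effective, sources, missing) for one Duo descriptor configuration."""
    config = json.loads(descriptor_json)
    if config.get("providerType") != "duo":
        raise ValueError("not a Duo descriptor configuration")
    local = config.get("providerConfig") or {}
    fallback = parse_properties(properties_text)
    effective, sources, missing = {}, {}, []
    for name in REQUIRED:
        # Assumption: an empty string is treated the same as an absent value.
        if local.get(name):
            effective[name], sources[name] = local[name], "descriptor"
        elif fallback.get(name):
            effective[name], sources[name] = fallback[name], "docker.properties"
        else:
            missing.append(name)
    return effective, sources, missing

# Constructed sample input: placeholder values, not real Duo credentials.
SAMPLE_PROPERTIES = """\
org.gitana.platform.services.authenticator.duo.integrationKey=GLOBAL_INTEGRATION_KEY
org.gitana.platform.services.authenticator.duo.secretKey=
org.gitana.platform.services.authenticator.duo.apiHost=GLOBAL_API_HOST
"""
SAMPLE_DESCRIPTOR = """\
{"enabled": true, "providerType": "duo",
 "providerConfig": {"integrationKey": "DESCRIPTOR_INTEGRATION_KEY"}}
"""

if __name__ == "__main__":
    effective, sources, missing = resolve(SAMPLE_DESCRIPTOR, SAMPLE_PROPERTIES)
    for name in REQUIRED:  # report the origin only, never the secret value
        print(name, "->", sources.get(name, "MISSING"))
```

With the sample input, secretKey is reported as missing because neither the descriptor nor docker.properties supplies it.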

System Authenticator

You can also instantiate system Authenticators like this:

<bean id="duoAuthenticatorRegistrar" class="org.gitana.platform.services.authenticator.DuoAuthenticatorRegistrar">
    <property name="id"><value>MY_AUTHENTICATOR_ID</value></property>
    <property name="integrationKey"><value>MY_INTEGRATION_KEY</value></property>
    <property name="secretKey"><value>MY_SECRET_KEY</value></property>
    <property name="apiHost"><value>MY_API_HOST</value></property>
</bean>

Where

  • MY_INTEGRATION_KEY (required) is your Duo Integration Key
  • MY_SECRET_KEY (required) is your Duo Secret Key
  • MY_API_HOST (required) is your Duo API Host

The MY_AUTHENTICATOR_ID value must be unique across all Authenticator instances for a given type.

These Authenticators will be available to your platform and can be defined and maintained within your Spring config.

Duo Binding Properties Factory

Use the DuoAuthenticatorBindingPropertiesBeanFactory bean to create Duo-specific binding properties.

Like this:

<bean class="org.gitana.platform.services.authenticator.duo.DuoAuthenticatorBindingPropertiesBeanFactory">
    <property name="userId"><value>DUO_USER_ID</value></property>
    <property name="username"><value>DUO_USER_NAME</value></property>
</bean>

Duo Descriptor Factory

Use the DuoAuthenticatorDescriptorBeanFactory bean to create Duo-specific descriptors.

Like this:

<bean class="org.gitana.platform.services.authenticator.duo.DuoAuthenticatorDescriptorBeanFactory">
    <property name="id"><value>MY_AUTHENTICATOR_ID</value></property>
</bean>

Example: Configure the Admin User to use Duo Security

Start by defining an authenticator called test:

<bean class="org.gitana.platform.services.authenticator.duo.DuoAuthenticatorRegistrar">
    <property name="id"><value>test</value></property>
    <property name="integrationKey"><value>INTEGRATION_KEY</value></property>
    <property name="secretKey"><value>SECRET_KEY</value></property>
    <property name="apiHost"><value>API_HOST</value></property>
</bean>

Then bind the admin user to the authenticator using our factories from above:

<bean class="org.gitana.platform.services.authenticator.BindAdminUserSystemAuthenticator">
    <property name="bindingProperties">
        <bean class="org.gitana.platform.services.authenticator.duo.DuoAuthenticatorBindingPropertiesBeanFactory">
            <property name="userId"><value>DUO_USER_ID</value></property>
            <property name="username"><value>DUO_USER_NAME</value></property>
        </bean>
    </property>
    <property name="descriptor">
        <bean class="org.gitana.platform.services.authenticator.duo.DuoAuthenticatorDescriptorBeanFactory">
            <property name="id"><value>test</value></property>
        </bean>
    </property>
</bean>